Comodo anti-virus?

Brian Cryer

I've recently come across Comodo Anti-virus, and would welcome the opinions
of those in the know whether they would be happy to recommend it or whether
I should pass on it. I ask because I run a server at home which currently
has ClamWin installed on it, but that doesn't provide an on-access scanner.

TIA.
 
Jeanette

Brian said:
I've recently come across Comodo Anti-virus, and would welcome the opinions
of those in the know whether they would be happy to recommend it or whether
I should pass on it. I ask because I run a server at home which currently
has ClamWin installed on it, but that doesn't provide an on-access scanner.

TIA.

I tried it and didn't like it. When it scans it does not ask what to
do, it either quarantines or deletes the file.

I like the option of checking the file first for a false positive
but I could find no option to allow me to do this.
 
VanguardLH

in message
I've recently come across Comodo Anti-virus, and would welcome the
opinions of those in the know whether they would be happy to
recommend it or whether I should pass on it. I ask because I run a
server at home which currently has ClamWin installed on it, but
that doesn't provide an on-access scanner.


Well, obviously it is BETA. Even Comodo says *not* to use it as your
primary AV program. They deliberately have left it in beta status to
eliminate having it analyzed at various independent testing agencies
(av-comparatives.org and VirusBulletin).

Its whitelist of known good programs (with a hash to identify them
from other same-named files) has been mostly a community effort. That
is, the users submit the unknown files to Comodo to have them checked
that they are okay to be included in the whitelist that is part of
their updates. The idea is to eliminate some of the prompting from
the HIPS (host intrusion protection system) part of their AV program.
It is a fairly good HIPS in that it also checks not only what program
is allowed to run in memory but also what caller loaded it into
memory.

It is a pig on resources. Last I recall, it consumed 155MB just for
their AV program. Part of that is because they load 2 instances of
the same process. Part of the reason is to ensure that they watch
each other and restart the other if it gets killed, but software can
run faster than a user trying to kill processes to kill both so the
bouncing-ball method isn't reliable for keeping up an AV program.
Supposedly there is some efficiency use of the 2 instances to prevent
lockouts on files or to facilitate faster scanning. Comodo has never
made clear why *they* think 2 instances are needed.

The last testing on Comodo's AV program was for its 1.x version (the
latest still-beta version is 2.0). It did so poorly that it never
made it into the comparatives table and instead got relegated into a
whitepaper where, as I recall, its on-demand scan coverage was a
miserable 38%. Their signature database wasn't very large at that
time and Comodo seems to rely too much on community submissions for
the whitelist. I don't remember if the program, once installed, tells
you how many viral signatures are in its database or gives you a list
of which viruses it can detect (and perhaps grouping them by
polymorphism which vaporizes when the pest gets loaded into memory).

I have been interested in using Comodo's AV product because of its
inclusion of HIPS which matches up nicely with their use of HIPS in
their firewall product. Too much a resource pig, too much unknown
regarding its coverage (no one tests it, and "works for me" is
worthless drivel), and they've been in beta way too long which seems a
ruse to prevent it from being tested and compared against other
competing freebie AV products.

I tested it within a VM using VMware Server (free). That way, it
doesn't pollute my environment. I was impressed with its HIPS. I
wasn't impressed with its AV function unless more information is
forthcoming about its coverage. Also, go read their forums. It is
beta and is causing problems for some users. Too many companies, like
Comodo, think "beta" means the product should still be under
development. Wrong! Beta means that version should be almost
identical to the released version, with little changes and certainly
no major changes, and is to provide a larger base of hosts to check
for compatibility, not to flesh out and heal functionality. That it
has been in beta status for so long bodes ill for the product. Either it
is crappy and unstable code or Comodo lost their resources to finish
the product.

I tried it. I reverted the VM (i.e., wiped it back to its base state)
to get rid of it. I'm still waiting until it is no longer in beta
status AND until it gets tested by av-comparatives.org and VB.
 
VanguardLH

Jeanette said:
I tried it and didn't like it. When it scans it does not ask what to
do, it either quarantines or deletes the file.

I like the option of checking the file first for a false positive
but I could find no option to allow me to do this.


Another reason why I dumped it. From what Comodo explained to me, the
file gets quarantined and then submitted (automatically or manually)
to get analyzed by them. They decide whether or not to include it in
their whitelist. That means there is a delay before that file is
okayed or ignored by their product. I asked because of PUPs (Probably
Unwanted Programs), like Nirsoft's utilities, that many anti-virus
programs will alert on. I know what these programs are and want them
but Comodo's AV doesn't give me a user-defined PUPs or whitelist to
have these files ignored.

I did trial Avast AntiVir but found its ignore list only lets the user
specify the path and filename to the file. That's stupid. Any
malware could slide in under the same path and usurp the same filename
(i.e., it could overwrite the file) but Avast would ignore that
now-infected file. They do not save a hash of the file to ensure they
are ignoring THAT particular file that I specified, not another that
later overwrote it. I could not get info from Comodo if their
whitelist is a hashed list or not. Since they have no PUP or ignore
list, they obviously don't have to provide and record a hash for it
(which should also be encrypted to prevent malware from getting that
list and/or modifying the stored hash value).

I like the HIPS function in Comodo's AV product but it should firstly
be an AV program, not a HIPS program. I don't trust their AV function
and I can get other HIPS programs.
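
The hash-pinned ignore list argued for in the post above, as an added example (not from the thread and not any vendor's code). It compares a path-only list with one that also records the file's SHA-256, and uses an HMAC tag to detect edits to the stored list in place of the encryption the post suggests. The key, file name and file contents are constructed assumptions.

```python
import hashlib
import hmac
import json
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def pin(entries, path):
    """Record an approved file by absolute path AND content hash."""
    entries[os.path.abspath(path)] = sha256_file(path)

def is_ignored(entries, path):
    """True only while the file at this path still has the approved content."""
    pinned = entries.get(os.path.abspath(path))
    return pinned is not None and hmac.compare_digest(pinned, sha256_file(path))

def seal(entries, key):
    """Serialise the list with an HMAC tag so edited hashes are detectable."""
    blob = json.dumps(entries, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()

def load(blob, tag, key):
    """Refuse a stored list whose tag does not verify."""
    if not hmac.compare_digest(hmac.new(key, blob, hashlib.sha256).hexdigest(), tag):
        raise ValueError("ignore list failed integrity check")
    return json.loads(blob)

def demo():
    """Return (path_only_ignores, hash_pinned_ignores, tamper_caught) after a swap."""
    key = b"constructed-demo-key"  # assumption: kept where malware cannot read it
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.abspath(os.path.join(d, "tool.exe"))  # constructed file
        with open(tool, "wb") as f:
            f.write(b"constructed approved utility")
        path_only, entries = {tool}, {}  # path_only models the criticised list
        pin(entries, tool)
        blob, tag = seal(entries, key)
        with open(tool, "wb") as f:  # same path and name, different content
            f.write(b"constructed replacement")
        # Stored hash rewritten to match the replacement, tag left unchanged.
        forged = blob.replace(entries[tool].encode(), sha256_file(tool).encode())
        try:
            load(forged, tag, key)
            caught = False
        except ValueError:
            caught = True
        return tool in path_only, is_ignored(entries, tool), caught
```

`demo()` returns `(True, False, True)`: the path-only list still ignores the overwritten file, the hash-pinned list does not, and the rewritten stored hash is rejected on load.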
 
Brian Cryer

VanguardLH said:
in message


Well, obviously it is BETA. Even Comodo says *not* to use it as your
primary AV program. They deliberately have left it in beta status to
eliminate having it analyzed at various independent testing agencies
(av-comparatives.org and VirusBulletin).

I had assumed that being beta it was relatively new. Clearly that isn't the
case from your comments. Thank you.

I just had a look on their forum, and there is a comment posted there that
Comodo isn't going to release a public non-beta version before V3. Seems a
bit odd ... but it does tie up with your comment that they want to leave it
as beta to avoid it being tested by independent testing agencies.

Its whitelist of known good programs (with a hash to identify them from
other same-named files) has been mostly a community effort. That is, the
users submit the unknown files to Comodo to have them checked that they
are okay to be included in the whitelist that is part of their updates.
The idea is to eliminate some of the prompting from the HIPS (host
intrusion protection system) part of their AV program. It is a fairly good
HIPS in that it also checks not only what program is allowed to run in
memory but also what caller loaded it into memory.

It is a pig on resources. Last I recall, it consumed 155MB just for their
AV program. Part of that is because they load 2 instances of the same
process. Part of the reason is to ensure that they watch each other and
restart the other if it gets killed, but software can run faster than a
user trying to kill processes to kill both so the bouncing-ball method
isn't reliable for keeping up an AV program. Supposedly there is some
efficiency use of the 2 instances to prevent lockouts on files or to
facilitate faster scanning. Comodo has never made clear why *they* think
2 instances are needed.

I've installed it on an old box to have a look. Certainly it has at least
two processes running. Memory usage doesn't seem excessive, but I'll keep an
eye on it - I know memory usage can creep up over time.

The last testing on Comodo's AV program was for its 1.x version (the
latest still-beta version is 2.0). It did so poorly that it never made it
into the comparatives table and instead got relegated into a whitepaper
where, as I recall, its on-demand scan coverage was a miserable 38%.
Their signature database wasn't very large at that time and Comodo seems
to rely too much on community submissions for the whitelist. I don't
remember if the program, once installed, tells you how many viral
signatures are in its database or gives you a list of which viruses it can
detect (and perhaps grouping them by polymorphism which vaporizes when the
pest gets loaded into memory).

38% isn't very good! According to the virus list in the application, they
are up to "262,665". The McAfee anti-virus I have on my desktop claims
"334,023" threats. So the implication is that they are still a long way
behind.

I have been interested in using Comodo's AV product because of its
inclusion of HIPS which matches up nicely with their use of HIPS in their
firewall product. Too much a resource pig, too much unknown regarding its
coverage (no one tests it, and "works for me" is worthless drivel), and
they've been in beta way too long which seems a ruse to prevent it from
being tested and compared against other competing freebie AV products.

To be honest, I'm not even sure what HIPS is.

I tested it within a VM using VMware Server (free). That way, it doesn't
pollute my environment. I was impressed with its HIPS. I wasn't
impressed with its AV function unless more information is forthcoming
about its coverage. Also, go read their forums. It is beta and is
causing problems for some users. Too many companies, like Comodo, think
"beta" means the product should still be under development. Wrong! Beta
means that version should be almost identical to the released version,
with little changes and certainly no major changes, and is to provide a
larger base of hosts to check for compatibility, not to flesh out and heal
functionality. That it has been in beta status for so long bodes ill for the
product. Either it is crappy and unstable code or Comodo lost their
resources to finish the product.

I tried it. I reverted the VM (i.e., wiped it back to its base state) to
get rid of it. I'm still waiting until it is no longer in beta status AND
until it gets tested by av-comparatives.org and VB.

Thank you for your comments. Very useful.
 
VanguardLH

in message
...

I had assumed that being beta it was relatively new. Clearly that
isn't the case from your comments. Thank you.

Beta should only last a couple months. Alpha might last for many,
many months but when beta then there should be little difference
between it and the released version. Unfortunately Microsoft (with
their "preview" versions of Windows) and Gmail (that has been beta for
years) have so bastardized the meaning of beta that other vendors,
like Comodo, are following suit.

I've installed it on an old box to have a look. Certainly it has at
least two processes running. Memory usage doesn't seem excessive,
but I'll keep an eye on it - I know memory usage can creep up over
time.

I only recalled the total memory size which is real AND virtual
memory. Most users never bother to add the VM Size column to Task
Manager's Process panel to see what is the total consumption of memory
whether it be in RAM or in pagefile space on the hard disk.

38% isn't very good! According to the virus list in the application,
they are up to "262,665". The McAfee anti-virus I have on my desktop
claims "334,023" threats. So the implication is that they are still
a long way behind.

The total count of signatures is misleading. Comodo's anti-virus
incorporates HIPS which regulates what can and cannot load into
memory. Nothing runs unless it gets into [real] memory. Polymorphism
vaporizes when a program is loaded into memory, so all those AV
products that don't regulate memory loads have to include signatures
for all polymorphic variations of viruses. Comodo only has to see
what the resultant signature is after the program loads into memory,
so a smaller signature count is not necessarily bad. The problem is
that Comodo keeps its 2.x version in beta status and seems determined
to keep it that way which means av-comparatives.org and VB will not
bother to test it for coverage. If Comodo keeps behaving this way,
they could end up with an excellent AV product that no one will use
because there has been no independent verification that it really is
an excellent product.

To be honest, I'm not even sure what HIPS is.

http://en.wikipedia.org/wiki/Intrusion-prevention_system
 
andreas.clementi

Just for your info: AV-Comparatives did test Comodo in the past. I think
it was March 2007. Please see on the website (Comparatives, scroll
down to special tests).
 
Brian Cryer

Just for your info: AV-Comparatives did test Comodo in the past. I think
it was March 2007. Please see on the website (Comparatives, scroll
down to special tests).

Yes, February 2007 -
http://www.av-comparatives.org/seiten/ergebnisse/2ndgrouptest.pdf. They
tested Comodo Antivirus 1.1 Beta. (Has it ever not been a beta?)

In all the tests listed in that PDF, Comodo came last. They gave it a total
detection rate of 27%, the next lowest was 50%, so not very impressive. They
do include the comment that the "new version 2 (beta) detects in total about
42%", but it may be reasonable to assume that that figure has improved by
now especially since I'm given to believe that Comodo are concentrating
effort into improving detection rates.

Their conclusion was (quote): "Comodo AV should not be used as primary AV"

I'm still hoping that Comodo will eventually become a serious challenger to
the well known names, but it isn't there yet. I'm going to leave it on the
old box that I've installed it on (it's switched off most of the time
anyway), but will continue for now with McAfee at work and AVG at home.
 
VanguardLH

Just for your info: AV-Comparatives did test Comodo in the past. I think
it was March 2007. Please see on the website (Comparatives, scroll
down to special tests).


Yes, for version 1.0. It's now up to 2.0 and still beta.
av-comparatives.org and VB have yet to test version 2.0 probably
because Comodo keeps it at a beta status.
 
