I've recently come across Comodo Anti-virus, and would welcome the
opinions of those in the know whether they would be happy to
recommend it or whether I should pass on it. I ask because I run a
server at home which currently has ClamWin installed on it, but
that doesn't provide an on-access scanner.
Well, obviously it is BETA. Even Comodo says *not* to use it as your
primary AV program. They deliberately have left it in beta status to
eliminate having it analyzed at various independent testing agencies
(av-comparatives.org and VirusBulletin).
Its whitelist of known good programs (with a hash to identify them
from other same-named files) has been mostly a community effort. That
is, the users submit the unknown files to Comodo to have them checked
that they are okay to be included in the whitelist that is part of
their updates. The idea is to eliminate some of the prompting from
the HIPS (host intrusion protection system) part of their AV program.
It is a fairly good HIPS in that it also checks not only what program
is allowed to run in memory but also what caller loaded it into
memory.
It is a pig on resources. Last I recall, it consumed 155MB just for
their AV program. Part of that is because they load 2 instances of
the same process. Part of the reason is to ensure that they watch
each other and restart the other if it gets killed, but software can
run faster than a user trying to kill processes to kill both so the
bouncing-ball method isn't reliable for keeping up an AV program.
Supposedly there is some efficiency gain from the 2 instances to prevent
lockouts on files or to facilitate faster scanning. Comodo has never
made clear why *they* think 2 instances are needed.
The last testing on Comodo's AV program was for its 1.x version (the
latest still-beta version is 2.0). It did so poorly that it never
made it into the comparatives table and instead got relegated into a
whitepaper where, as I recall, its on-demand scan coverage was a
miserable 38%. Their signature database wasn't very large at that
time and Comodo seems to rely too much on community submissions for
the whitelist. I don't remember if the program, once installed, tells
you how many viral signatures are in its database or gives you a list
of which viruses it can detect (and perhaps grouping them by
polymorphism which vaporizes when the pest gets loaded into memory).
I have been interested in using Comodo's AV product because of its
inclusion of HIPS which matches up nicely with their use of HIPS in
their firewall product. Too much a resource pig, too much unknown
regarding its coverage (no one tests it, and "works for me" is
worthless drivel), and they've been in beta way too long which seems a
ruse to prevent it from being tested and compared against other
competing freebie AV products.
I tested it within a VM using VMware Server (free). That way, it
doesn't pollute my environment. I was impressed with its HIPS. I
wasn't impressed with its AV function unless more information is
forthcoming about its coverage. Also, go read their forums. It is
beta and is causing problems for some users. Too many companies, like
Comodo, think "beta" means the product should still be under
development. Wrong! Beta means that version should be almost
identical to the released version, with little changes and certainly
no major changes, and its purpose is to provide a larger base of hosts
to check for compatibility, not to flesh out and heal functionality.
That it has been in beta status for so long bodes ill for the product.
Either it is crappy and unstable code or Comodo lost their resources
to finish the product.
I tried it. I reverted the VM (i.e., wiped it back to its base state)
to get rid of it. I'm still waiting until it is no longer in beta
status AND until it gets tested by av-comparatives.org and VB.