Comodo Internet Security

2009-05-01

John Hawes

Virus Bulletin, UK
Editor: Helen Martin

Abstract

Comodo's Internet Security suite leaves an overall favourable impression on the VB test team.


Comodo has long been something of a mystery to me. Best known for its very highly regarded firewall products and more high-level security solutions, the company has also built up a considerable reputation and following for its anti-virus offering, but has yet to take part in VB’s certification tests and is not well represented in other independent tests either. Among the small group of anti-virus products never to have joined in a VB100 comparative review, Comodo has by far the most vocal supporters. We receive more queries about the product’s non-appearance in our tests, and requests for information on its performance, than for any other product.

On receipt of the first of the many inquiries about the firm a number of years ago, I checked out its various websites and made contact, discovering that the company’s product was being made available free of charge as a long-term beta project – which was considered unsuitable for testing at that stage. The beta phase went on for quite some time, with a string of ancillary products emerging alongside the initial anti-virus, and continued to build up reputation and interest. With a full product range properly released several versions ago and now well established, it seemed high time for the VB test team to take a quick look at the company’s current flagship product, the Internet Security suite.

Web presence and support

Comodo’s online presence has a very slick and professional look and feel, with the company’s wide range of security-related tools and solutions mostly presented in separate microsites, making the main www.comodo.com perhaps a little more product-oriented than the sites of many security vendors. The range of desktop security solutions is presented in the main body of the front page, but the pull-down ‘Products’ list focuses almost entirely on a wider selection of business-oriented security solutions – secure messaging and web access, code and website signing, VPN, backup and compliance solutions, and much else besides.

While the standard likes of company news and general security information are present, it is the product range that takes centre stage, with the company’s marketing strategy for its desktop anti-malware and firewall products immediately obvious. The strategy of making basic versions of the products freely available for home use, while charging for the more multi-layered, well-supported ‘pro’ and corporate versions, is one which has proved highly successful for many vendors. Here, just about every product in the range is offered as a free, standalone edition, and even a suite is made available without charge. This strategy is not simply a marketing tool, however – as anti-malware increasingly makes use of distributed global knowledgebases, with users contributing information on safe applications and behaviours, strong market penetration and a broad user base have become increasingly important aspects of the protection provided by a product. Many users will be baffled by popup alerts that provide highly technical information about an application or activity and which require the user to make some decision as to what course of action should be taken. This problem is mitigated by the provision of ‘herd’ information on the alert: the opinions of the collective are provided as an aid to decision making. The issue of whether the opinions of the collective can be trusted remains a thorny one, but at least such systems provide some assistance.

The user community performs another function in the form of the support provided by online forums. Comodo hosts some bustling and well-administered forums and FAQs, providing a wealth of information and assistance on the full range of products, and the company’s users – expert and otherwise – are similarly well represented on several other popular security forums.

For those choosing to pay for a more advanced product, the level of support offered is one of the most important decision-making factors – and here lies one of the most distinctive selling points of Comodo’s flagship line. A complete support package is available as an upgrade to the standard subscription, with the support provided directly to the user’s PC via a proprietary remote access system. This allows the firm’s techs to get in and fix issues with their customers’ systems without the need for complex and difficult explanations to inexpert users over the phone or email. Indeed, the copy of the product we were provided with for review came with the offer to have it remotely installed and configured by an expert. The support offering extends far beyond the basics of setting up the product and dealing with the problems caused by it or any malware it fails to detect – it also seems to cover just about any PC-related issue the customer may have, from installing software to setting up printers. This is not something I am aware of many other vendors providing, and it makes for a pretty impressive unique selling point for Comodo. Unfortunately there was insufficient time to test the service with any complex issues, and since much of our interest lay in checking out the performance of the anti-malware engine, we opted to do our own installations in the VB lab.

Installation and configuration

The set-up process runs along fairly standard lines. The first item of note is that the product is included as a complete download, rather than one of the tiny download-and-install systems that seem to be growing in popularity with vendors these days, and appears to be updated fairly regularly. This pleased me, as working in the security industry and thus being somewhat paranoid, I always like to have security software installed, running and reasonably up to date on any new system before I think about connecting it to the Internet – which is not always possible with some solutions.

The initial stage of the installer presents a rather clunky self-extracting dialog, which hovers in the background throughout the install process, but the installation GUI itself is much more slick and attractive. It runs through the standard stages of EULA, choice of install location and space requirements (the product needs a minimum of 123 MB of hard drive space – not too much of a strain for any modern system), and then some further options on which components to install – the suite can be used as just the firewall, just the AV, or both (which is the default setting). Next comes the option to contribute to the ‘Threatcast’ community collaboration system, with ample information provided on how this works and what kind of data might be shared. A final component is offered in the form of a browser toolbar in collaboration with the Ask search engine. This offers to reset the default browser search to Ask and the homepage to Comodo. Both of these are active by default, which I’m not too keen on, but this seems to be pretty standard with toolbars. After a few further steps of finalizing, connecting to the community system and activation, a reboot is required to finish things off.

The main interface of the product is pretty impressive: it is quite attractive and well laid-out, uncluttered and clear. Status information is provided on various aspects of the product, the anti-malware and firewall systems, in simple terms with easy links to run scans or lock down the firewall. Further data on active processes and connections is also included.

More information and options for the various components are accessed via separate pages for the anti-malware, firewall and ‘Defense+’ HIPS systems, with a ‘miscellaneous’ tab providing the likes of interface password and language options, updating, suspect file submission, access to online forums, and help. Each of the main areas provides a good range of controls for the given module, and each is accompanied by clear and simple explanations of the options available. Of these, the anti-malware is likely to be the most straightforward for the majority of users, with the controls for the firewall and HIPS systems likely to need a little more effort for the average inexpert user to comprehend, while some of the options provided in the advanced areas are likely to be unsuitable for any but the keenest users. Help is generally available however, and with a little application and research all of these options can be used to improve and enhance the level of security provided.

As with all security products, the ‘set and forget’ approach is only as good as the default settings. Here they seem pretty sensible across the board, but to get the most out of any product the user needs to invest some time to study and understand the threats they face and how they can best be mitigated – something we encourage all users to do.

Malware detection and system protection

Having familiarized ourselves with the layout of the product we got down to our principal area of interest: the detection capabilities of the anti-malware engine. Having confirmed that the on-access component was fully operational and having disabled the warning popups (which would have seriously impeded on-access tests), we ran the product through most of the standard VB100 tests using the same systems and test sets as used in the most recent comparative (see VB, April 2009, p.15). As the product had not been frozen on the correct deadline for that test, this would not provide results that could be compared scientifically against those of the large field of entrants last month, but we hoped it would at least provide a general overview of the product’s abilities.

The first hurdle here was determining the exact date of the product as downloaded. On installation an attempt was made to update, and indeed the update status claimed that the product had been updated on the day of the install. As we were running the product on a machine in a sealed-off part of the VB test lab, with no access to the Internet, this was somewhat baffling. To get around this, we also took the updates from an Internet-connected system and used them in a second run through the tests, this time using updates confirmed to be almost exactly a month more recent than those required for the original test that used these sets.

The first things we looked at were scanning speed and false positive rates, running the product through our full standard clean sets. This proved very impressive, with a few suspicious alerts on unusual packers but no full false positives at all – a remarkable achievement given the problems our test sets have been known to cause products in the past, and given that this was the first time the sets had been checked with this scanner. Scanning speeds were pretty good too, perhaps not quite at the very top of the field but comparing favourably with most of the products included in the last comparative test. This proved true in both on-access and on-demand modes, demonstrating on-access overheads that were well within acceptable levels. Indeed, at no point throughout the testing did we observe any untoward slowdown on our systems, even when running under heavy strain.

Moving on to the malware detection side of things, we ran through the complete set of test samples used in the last VB100, and here things were perhaps not quite so impressive. In some sets detection rates were fairly high, coming in at around 95% on the older set of worms and bots and also on the WildList set (although here we would expect nothing less than 100% in a top-quality product). The trojans set, containing samples first seen a few months prior to the test, was reasonably well covered at a level on a par with much of the mid-field in the last comparative, but the more recent RAP sets were not so well handled. It was in the polymorphic sets that the most worrying performance was seen however, where there was very little coverage at all. With the test sets including numerous variants of the nasty and complex W32/Virut family, none of which were detected, this is clearly an area that should be improved.

Another issue that quickly became clear was one of instability. Several times during our attempts to get through the tests the product experienced problems, crashing on a fairly regular basis. This seemed to occur only during on-demand scanning, and while the on-demand scanner generally refused to initiate any further actions until a reboot, in most situations it seemed that the on-access protection remained active. Only on one occasion did the product become fully nonoperational. All of these problems occurred during intensive scanning of large numbers of infected samples. They appeared not to be directly related to any specific sample, as on subsequent occasions the same sets were scanned without difficulty. The pattern of crashes hinted at there being some issues related to the handling of large numbers of detections in a short period, perhaps not helped by the product’s impressive speedy scanning rate over infected items. The problems thus seem unlikely to affect the real-world user, but nevertheless we will provide full details to the developers to ensure nothing more serious underlies our experiences.

Not all is doom and gloom however, as the basic static detection is not the only protection feature available. The HIPS system, dubbed ‘Defense+’, combined with the outbound portion of the firewall, offers an extra layer of defence, and trying this out against some of the samples that the on-access anti-malware component had allowed to run provided much more encouraging results.

Running numerous items against the product’s filters and hooks, it seemed that nothing we could throw at it would be allowed to operate completely uninhibited. Most of the more serious malicious activities, such as doctoring or creating registry entries, dropping files in system folders or drive roots, initiating network connections, injecting code into memory or running processes and so on, were blocked or at least alerted on. While popup alerts are not always the most useful tool, with many users likely to grow frustrated by them and simply click ‘OK’ regardless of the message text, they do at least provide some protection against malicious activities, and hopefully users are growing more alert to the dangers of malware. The popups are also supported by the opinions of the community system which, in most cases, seemed to advise taking the most sensible course of action.

Of course, not every activity of the malware was entirely prevented. While most clearly unwanted behaviours were easily brushed aside, files were not stopped from being dropped into unprotected areas, and some apparently less significant tweaks were allowed to be made to the registry and other settings. This is less than ideal, and users may want to run occasional checks with additional software to clean up any potentially dangerous remnants – which is a good policy with any anti-malware solution. The product range also has a strong reputation for post-infection cleanup, which unfortunately we did not have time to investigate in any depth; we hope to develop additional metrics to measure such things in the near future.

Other functionality

The firewall is one of Comodo’s main strengths – it is one of the most highly regarded on the market, and from a quick run through seems to perform excellently. The basic set-up is fairly rigorous, and configuration is available both at a basic level and in depth. Simple sliders provide various levels of paranoia, from fairly lax and trusting to complete lockdown, and the default provides a happy medium with not too many alerts and popups. The advanced configuration options provide a wealth of fine-tuning, presented with clarity and simplicity, but as is generally the case with such things, a minimum level of understanding is required to ensure the right changes are implemented properly. A few options proved rather difficult to locate, but generally the layout made good sense and after some familiarization nothing we could have wished for was lacking.

The same is true of the HIPS system, which provides a similarly intensive level of configuration in a pleasingly similar style, making for good continuity across the two modules. The addition and fine-tuning of filters focusing on particular areas of the system or registry, particular file types, specific applications and even developers is laid out in a highly usable manner, in the same way that the firewall provides fine-tuning of filters of network zones, connections, ports, and applications. While some members of the test team would have liked to have seen some additional areas monitored by default, most of the standard settings seemed pretty thorough, and the level of control easy to adjust via another paranoia slider.

Another component of the suite is the optional toolbar which, along with some standard items from Ask, includes Comodo’s ‘SafeSurf’ technology, designed to monitor memory for buffer overflow attacks and similar web-based threats. Not being big fans of toolbars in general, and being rather short of time, we didn’t investigate this thoroughly, but it seemed to offer some useful protection (although we noted that some of the associated data-gathering and other toolbar tactics have come in for some criticism from various online commentators).

One final module which deserves a mention is a process viewer, which displays all running processes along with some brief details and provides the option to terminate anything that is unwanted. This is another tool that will be of most use to the well-initiated, but again it is presented in a clear and simple style with good usability.

Conclusions

Having approached Comodo’s product as an almost completely unknown entity, the overall impression it has left after an all-too-brief acquaintance is a favourable one. The design is both visually appealing and easy to navigate – which is not always an easy combination to pull off. The multi-layered protection seems to provide a pretty decent standard of security with the default settings and offers a really quite excellent depth of configuration. The user community backing it all up is clearly highly active and committed, which are vital components in any herd-based system. The additional support offering, covering a vast range of computer support needs, is just about unique.

Although we encountered a few issues with the anti-malware scanners, including some less than excellent detection rates, these should improve as the company becomes more established, gets more involved in testing and improves relations with the rest of the industry. The stability issues we encountered in our intensive tests were also fairly minor, and unlikely to affect most real-world users. The only other downside to the product is a fairly large number of popups, particularly during the initial stages of use. Although these will generally be assisted by the group consensus data, they do require some decision-making from the user. They can also be tweaked and configured to be more automated and less intrusive, but again, the users will have to apply themselves to ensure the appropriate settings for their situation.

As we have commented many times before, to get the most out of any security product, users have to make some effort to learn how their computers work and what effect their decisions will have. Perhaps those who are not willing to do so should not expect to operate with complete impunity in an online world riddled with criminals and con men; for those who understand both the threats and how to defend against them, this product provides the full range of control necessary to provide a highly secure environment.

Technical details

Comodo Internet Security 3.8 was variously tested on:

  • AMD Athlon64 3800+ dual core, 1 GB RAM, running Microsoft Windows XP Professional SP3 and Windows Vista x64 SP1.

  • Intel Atom 1.6 GHz netbook, 256 MB RAM, running Microsoft Windows XP Professional SP3.
