Is a separate anti virus program necessary for W8

Started 5 months ago | Discussions thread
mike in london
Senior Member, Posts: 1,135
Re: My two cents....
In reply to Jim Cockfield, 5 months ago

Jim Cockfield wrote:

mike in london wrote:

you reckon it would be sufficient to just have w8 anti virus and say malware bytes anti malware and say spybot SD (if that works with w8) and no other anti virus/firewall?

There are as many as 70,000 new (unique) malware samples being seen every single day now.

Legit sites are compromised often anymore, thanks to vulnerabilities found that allow sql injection attacks, etc.

You even see adverts on legit sites that have malware in them from time to time.

Downloads from legit sites are compromised on a regular basis, too. I've even seen more than one report about downloads for Linux on legit sites being compromised.

It happens (no Operating System is totally secure), and criminals have found ways to compromise legitimate web sites many times in the past.

No AV scanner is going to catch everything (again, thanks to so much new malware coming out that none of the AV scanners can keep up with it). Heck, it may take many months before some malware is detected by security researchers it's so "stealthy". Just look at some of the articles about root kits that remained undetected for a *very* long time.

Once a PC is compromised, scanners may have a very hard time detecting some malware if you boot into an already infected PC, because it's loading early enough that it can provide false results to scanners looking at what's running in memory, file hashes for OS related drivers, etc.

So, it's better to block anything suspicious from installing and running to begin with.

That's where some of the Comodo products come in, since they will block any program that's not white listed yet from executing unless you OK it. Ditto for letting software do anything suspicious.

Their scan engine for detecting malware may not be perfect (and *none* of them are, as products are not going to recognize many brand new malware strains). But because you can leave it setup with Default Deny Protection, nothing is going to be able to execute without your OK first. Ditto for a program that you let install if it tries to do anything suspicious (it will require your OK for that behavior).

If you look at some of the older tests of it from sites like av-test.org, even though its scanning engine wasn't perfect in detecting some software as malware, it didn't let it execute.

For example, this is the last time I saw them participate in tests there, and it blocked 100% of the malware samples they used in the section on "Blocking of malware on or post execution - Dynamic Detection Testing" (where the industry average was only 62% at the time), even though the scan engine didn't detect all of it.

http://www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1[report_no]=110987

Their technology in that area has improved a lot since then, too.

Basically, Comodo products use a White List containing file hashes for millions of programs, and if a program is not White Listed, it's not going to execute. Even if you give it your OK to Execute, the next time it tries to do anything suspicious (for example, modify a registry entry), it will block that behavior, requiring you to OK it (with a check box to remember your answer). They call that "Default Deny Protection" (DPP).

As previously mentioned, if Joe's Exif Reader is trying to modify registry entries or do anything suspicious, I'm going to want to know about it and block that behavior by default, even if *every* AV scanner around says the program tests as clean.

That's because *none* of them may recognize a brand new malware strain. Heck, most of the malware writers probably check to make sure their product is undetected by the major AV scanners before releasing it. So, it's a game of "catch up", where there is usually going to be some delay between when a new malware strain is released and when the AV scanners know how to detect it.

So, I want something that prevents an infection by Zero Day (previously unknown) malware. That's where Comodo comes in.

I've been using their Firewall product for quite a while now, even though I also used Avira AntiVir Premium (because their scanning engine is very good).

BTW, Comodo's Firewall software is free, and it's a lot more than just a Firewall, since it blocks anything from executing on your PC (network related or not), or doing anything suspicious, unless the program is white listed and/or you OK the program's behavior.

http://www.comodo.com/home/internet-security/firewall.php

Here's a post in a recent thread where I discussed it:

http://forums.dpreview.com/forums/post/50532860

You'll also see me mention it in other threads (even though I was also using Avira), to reduce the possibility of something "slipping through the cracks". For example, see this post discussing the layered approach I use, and you'll see me mentioning why I use Comodo's Firewall setup using Default Deny Protection.

http://forums.dpreview.com/forums/post/50388208

I'd give up all of the other products before I'd stop using Comodo, as it's a good way to prevent infection from previously unknown malware (and that's where many products may let something slip through, as none of them may be able to recognize brand new malware strains).

Do you really need the more advanced products with scanning engines, etc.? That's up to you. But, personally, at a minimum, I'd use the free Comodo Firewall software and set it up so that nothing can execute or do anything suspicious without your OK.

Now, I'll probably go ahead and purchase their more advanced protection, too, as they have some pretty nifty features in some of the newer products, and I run into a lot of malware because I often check links posted by others in forums; it would probably save time in detecting some of it without the need to submit linked-to programs to http://www.virustotal.com first.

--
JimC
------

Thanks Jim. I like your reasoning. Comodo sounds good, but is it easy to set up like that? I'm fairly computer literate but not an expert like you! I'm presuming that Bitdefender can't be set up like that from what you've said?

Do you use DEP in Windows? I noticed it can be set to a higher level than the default. Would that do something similar to Comodo, or is that something different?

--
www.mikecurryphotography.com
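The "default deny" mechanism Jim describes (a hash allowlist, a prompt for anything unknown, a remembered answer, and a second prompt when an approved program attempts something suspicious) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not Comodo's code, not from either poster, and the executable "images", the SUSPICIOUS_ACTIONS set and the DefaultDenyPolicy class are all constructed for the example. The point it shows beyond the post is why hashing works as a gate: one byte changed in a trusted program produces a different hash, so a tampered copy falls back to "prompt" instead of inheriting the original's trust.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for executable images (not real programs).
KNOWN_GOOD_IMAGE = b"MZ\x90\x00 constructed: vendor-published photo viewer build 1.0"
UNKNOWN_IMAGE = b"MZ\x90\x00 constructed: never-before-seen download"

# Behaviours the policy treats as suspicious even for a program the user let run
# (hypothetical set chosen for the example).
SUSPICIOUS_ACTIONS = {"registry_write", "driver_install", "autorun_entry"}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key: identical bytes, identical hash."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class DefaultDenyPolicy:
    """Hypothetical model of hash-based default deny with remembered answers."""
    allowlist: Set[str]                                   # vendor-vetted hashes
    remembered_exec: Dict[str, bool] = field(default_factory=dict)
    remembered_actions: Dict[Tuple[str, str], bool] = field(default_factory=dict)

    def decide_execute(self, image: bytes) -> str:
        h = sha256_hex(image)
        if h in self.allowlist:
            return "allow"           # allowlisted: runs without a prompt
        if h in self.remembered_exec:
            return "allow" if self.remembered_exec[h] else "deny"
        return "prompt"              # unknown: blocked until the user answers

    def remember_execute(self, image: bytes, allow: bool) -> None:
        """Store the user's answer to the execute prompt for this exact hash."""
        self.remembered_exec[sha256_hex(image)] = allow

    def decide_action(self, image: bytes, action: str) -> str:
        """Second layer: an approved-but-unvetted program still gets prompted
        the first time it tries something on the suspicious list."""
        h = sha256_hex(image)
        if h in self.allowlist:
            return "allow"
        if self.decide_execute(image) != "allow":
            return "deny"            # a program that may not run may not act
        if action not in SUSPICIOUS_ACTIONS:
            return "allow"
        key = (h, action)
        if key in self.remembered_actions:
            return "allow" if self.remembered_actions[key] else "deny"
        return "prompt"

    def remember_action(self, image: bytes, action: str, allow: bool) -> None:
        self.remembered_actions[(sha256_hex(image), action)] = allow


def walkthrough() -> List[Tuple[str, str]]:
    """Replay the sequence from the post and return (step, verdict) pairs."""
    policy = DefaultDenyPolicy(allowlist={sha256_hex(KNOWN_GOOD_IMAGE)})
    log = []
    log.append(("vendor viewer runs", policy.decide_execute(KNOWN_GOOD_IMAGE)))
    log.append(("unknown download runs", policy.decide_execute(UNKNOWN_IMAGE)))
    policy.remember_execute(UNKNOWN_IMAGE, allow=True)     # user clicked OK + remember
    log.append(("unknown download runs again", policy.decide_execute(UNKNOWN_IMAGE)))
    log.append(("unknown download writes registry",
                policy.decide_action(UNKNOWN_IMAGE, "registry_write")))
    policy.remember_action(UNKNOWN_IMAGE, "registry_write", allow=False)
    log.append(("unknown download writes registry again",
                policy.decide_action(UNKNOWN_IMAGE, "registry_write")))
    # One appended byte: the trusted hash no longer matches, so trust is not inherited.
    log.append(("tampered viewer runs",
                policy.decide_execute(KNOWN_GOOD_IMAGE + b"\x00patched")))
    return log


if __name__ == "__main__":
    for step, verdict in walkthrough():
        print(f"{step:40s} -> {verdict}")
```

Running it prints one verdict per step: the vetted viewer is allowed, the unknown download is held at "prompt" until the remembered OK turns it into "allow", its registry write is prompted and then denied once the answer is remembered, and the patched copy of the viewer is back to "prompt". This is also why a scanner that never recognises the new strain does not matter for the first decision: nothing unknown runs until someone says so.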
