Comodo Antivirus For Servers

• Introduction To Comodo Antivirus For Servers
  • Key Features
  • Supported Servers
  • Installation
  • Starting Comodo Antivirus For Servers
  • The Main Interface
    • The Home Screen
    • The Tasks Interface
    • The Widget
    • The System Tray Icon
    • Instant Assistance
  • Understanding Security Alerts
• General Tasks - Introduction
  • Scan And Clean Your Server
    • Run A Quick Scan
    • Run A Full Server Scan
    • Run A Rating Scan
    • Run A Custom Scan
      • Scan A Folder
      • Scan A File
      • Create, Schedule And Run A Custom Scan
  • Instantly Scan Files And Folders
  • Processing Infected Files
  • Manage Virus Database And Program Updates
  • View CAVS Logs
    • Antivirus Logs
      • Filtering Antivirus Logs
    • Defense+ Logs
      • Filtering Defense+ Logs
    • Alerts Logs
      • Filtering Alerts Displayed Logs
    • Tasks
      • Filtering Tasks Launched Logs
    • Configuration Changes
      • Filtering Configuration Changes Logs
  • Manage Quarantined Items
• Sandbox Tasks – Introduction
  • Run An Application In The Sandbox
  • Reset The Sandbox
  • View Active Process List
• Advanced Tasks - Introduction
  • Create A Rescue Disk
    • Downloading And Burning Comodo Rescue Disk
  • Submit Files
  • Identify And Kill Unsafe Running Processes
  • Remove Deeply Hidden Malware
  • Manage CAVS Tasks
• Advanced Settings
  • General Settings
    • Customize User Interface
    • Configure Program And Virus Database Updates
    • Log Settings
    • Manage CAVS Configurations
      • Comodo Preset Configurations
      • Importing/Exporting And Managing Personal Configurations
  • Security Settings
    • Antivirus Settings
      • Real-time Scanner Settings
      • Scan Profiles
      • Exclusions
    • Defense+ Settings
      • HIPS Behavior Settings
      • Active HIPS Rules
      • HIPS Rule Sets
      • Protected Objects
        • Protected Files
        • Blocked Files
        • Protected Registry Keys
        • Protected COM Interfaces
        • Protected Data Folders
      • HIPS Groups
        • Registry Groups
        • COM Groups
      • Sandbox
        • The Sandbox - An Overview
        • Unknown Files: The Scanning Processes
      • Configure The Sandbox
      • Configuring Rules For Auto-Sandbox
    • Manage File Rating
      • File Rating Settings
      • File Groups
      • File List
      • Submitted Files
      • Trusted Vendors List
• Appendix 1 - CAVS How To... Tutorials
  • Enable / Disable AV And Auto-Sandbox Easily
  • Setting Up The HIPS For Maximum Security And Usability
  • Create Rules For Auto-Sandboxing Applications
  • Running An Instant Antivirus Scan On Selected Items
  • Creating An Antivirus Scanning Schedule
  • Run Untrusted Programs In The Sandbox
  • Run Browsers Inside Sandbox
  • Restoring Incorrectly Quarantined Item(s)
  • Submitting Quarantined Items To Comodo For Analysis
  • Blocking Any Downloads Of A Specific File Type
  • Disable Auto-Sandboxing On A Per-application Basis
  • Switch Off Automatic Antivirus And Software Updates
• Appendix 2 - Glossary Of Common Terms
• About Comodo Security Solutions

Unknown Files: The Scanning Processes

• When an executable is first run it passes through the following CAVS security inspections:

• Antivirus scan

• HIPS Heuristic check

• Buffer Overflow check

• If the processes above determine that the file is malware then the user is alerted and the file is quarantined or deleted

• An application can become recognized as 'safe' by Comodo Antivirus for Servers (and therefore not auto-sandboxed or scanned in the cloud) in the following ways:

• Because it is on the local Comodo White List of known safe applications

• Because the user has rated the file as 'Trusted' in the File List

• By the user granting the installer elevated privileges (CAVS detects if an executable requires administrative privileges. If it does, it asks the user. If they choose to trust, CAVS regards the installer and all files generated by the installer as safe)

• Additionally, a file is not auto-sandboxed or sent for analysis in the cloud if it is defined as an Installer or Updater in HIPS Ruleset (See Active HIPS Rules for more details)

Files and processes that pass the security inspections above but are not yet recognized as 'safe' (white-listed) are 'Unrecognized' files. In order to try to establish whether a file is safe or not, CAVS will first consult Comodo's File Look-Up Server (FLS) to check the very latest signature databases:

• A digital hash of the unrecognized process or file is created.

• These hashes are uploaded to the FLS to check whether the signature of the file is present on the latest databases. This database contains the latest, global black list of the signatures of all known malware and a white list of the signatures of the 'safe' files.

• First, our servers check these hashes against the latest available black-list

• If the hash is discovered on this blacklist then it is malware

• The result is sent back to the local installation of CAVS

• If the hash is not on the latest black-list, it's signature is checked against the latest white-list

• If the hash is discovered on this white-list then it is trusted

• The result is sent back to local installation of CAVS

• The local white-list is updated

• The FLS checks detailed above are near instantaneous.

• If the hash is not on the latest black-list or white-list then it remains as 'unrecognized'.

• Unrecognized files are simultaneously uploaded to Comodo's Instant Malware Analysis servers for further checks:

• Firstly, the files undergo another antivirus scan on our servers.

• If the scan discovers the file to be malicious (for example, heuristics discover it is a brand new variant) then it is designated as malware. This result is sent back to the local installation of CAVS and the local and global black-list is updated.

• If the scan does not detect that the file is malicious then it passes onto the next stage of inspection - behavior monitoring.

• The behavior analysis system is a cloud based service that is used to help determine whether a file exhibits malicious behavior. Once submitted to the system, the unknown executable will be automatically run in a virtual environment and all actions that it takes will be monitored. For example, processes spawned, files and registry key modifications, host state changes and network activity will be recorded.

• If these behaviors are found to be malicious then the signature of the executable is automatically added to the antivirus black list.

• If no malicious behavior is recorded then the file is placed into 'Unrecognized Files' and will be submitted to our technicians for further checks. Note: Behavior Analysis can identify malicious files and add to the global black list, but it cannot declare that a file is 'safe'. The status of 'safe' can only be given to a file after more in-depth checks by our technicians.

• In either case, the result is reported back to your CAVS installation in approximately 15 minutes. If the executable was not found to be malicious then it will be run in the auto-sandbox. It will simultaneously be added to the 'Unrecognized Files' list and uploaded to our technicians for analysis. If it is discovered to be a threat then CAVS will show an AV alert to the user. From this alert the user can opt to quarantine, clean (delete) or disinfect the malicious file. This new threat will be automatically added to the global black list database and therefore benefit all CAVS users.