Comodo Cloud Antivirus

Version 1.20

Viruscope - Feature Spotlight

 

Comodo Cloud Antivirus (CCAV) provides unrivaled protection against new malware by automatically running unknown files inside a sandbox. Unknown files are those that are neither definitely bad (blacklisted malware) nor definitely good (whitelisted).

  • If the file is harmless, it will run as normal within the sandbox, meaning you will not notice any difference when using it.
  • If the file turns out to be malicious, it will not have been able to cause damage because it was denied access to your data and the underlying operating system.

But what do we do to evaluate the behavior of unknown files in the sandbox? Enter Viruscope.


Viruscope is a behavior analysis technology built into Comodo Cloud Antivirus that monitors the activities of sandboxed processes and installers and alerts you if they take actions that could threaten your security.


You will see an alert if Viruscope discovers a sandboxed process or an installer/updater is behaving in a suspicious manner:




  • If you are not sure of the authenticity of the parent application indicated in the 'Location' field, you can move it to quarantine by clicking 'Clean'.
  • If it is an application you trust, you can allow the process to run by clicking 'Ignore'.
  • To view the activities of the process, click the 'Show Activities' link at the bottom right of the alert:




 

Viruscope identifies zero-day malware by using a sophisticated set of behavior 'Recognizers', each of which can detect actions typical of a malicious application.


What are behavior recognizers?


Viruscope behavior recognizers detect suspicious activities in multiple functional areas. Recognizers monitor the following activity events:


File activities:

  • Create/Modify/Rename/Delete file.
  • Set file attributes.
  • Set file time to past.

Registry activities:

  • Create/Rename/Delete registry key.
  • Set/Delete registry key value.

Process activities:

  • Create/Terminate process.
  • Load file image.
  • Other process activities.

Technically, the core Viruscope technology contains the following items:

  • Tree of all active processes. This tree includes all processes, tracked or not.
  • Queue of activities. IO threads receive activities from a target application and push them to a queue. These activities are then processed sequentially by a worker thread.

  • Per-process activity list. Each process has a list of activities which belong to it. A Viruscope worker thread audits all activities executed by a running process and adds them to the activity list for this particular process.

It will use these items to execute the following tasks:

  • After queuing the activities of each process, the worker thread will sequentially send each one to the behavior recognizers for analysis.
  • A recognizer may traverse the entire process tree and activity list created by Viruscope.
  • A recognizer may build its own process tree (the default recognizer uses this technique) and/or queue of activities (the default recognizer doesn't use a cache of activities).
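
A minimal Python model of the pipeline described above (activity queue, single worker thread, per-process activity list, process tree, recognizer callback). It is an added example, not Comodo's code: the `Monitor` class, the event names and the `backdated_drop` rule are hypothetical, built from the activity types listed on this page.

```python
import queue
import threading
from collections import defaultdict

class Monitor:
    def __init__(self, recognizers):
        self.parent = {}                     # process tree: child pid -> parent pid
        self.activities = defaultdict(list)  # per-process activity list
        self.q = queue.Queue()               # activity queue filled by IO threads
        self.recognizers, self.alerts = recognizers, []

    def lineage(self, pid):                  # walk the tree: pid, parent, grandparent...
        while pid is not None:
            yield pid
            pid = self.parent.get(pid)

    def worker(self):                        # one worker drains the queue in order
        while (item := self.q.get()) is not None:
            pid, kind, target = item
            if kind == "create_process":     # target is the new child's pid
                self.parent[target] = pid
            self.activities[pid].append((kind, target))
            for rec in self.recognizers:     # each activity goes to every recognizer
                if verdict := rec(self, pid, kind, target):
                    self.alerts.append((pid, verdict))

def backdated_drop(mon, pid, kind, target):
    # Hypothetical rule: a file created by this process or an ancestor is later backdated.
    if kind == "set_file_time_past":
        for p in mon.lineage(pid):
            if ("create_file", target) in mon.activities[p]:
                return f"{target} created by pid {p} was backdated"

def run(events):
    mon = Monitor([backdated_drop])
    t = threading.Thread(target=mon.worker)
    t.start()
    for event in [*events, None]:            # stands in for IO threads; None stops the worker
        mon.q.put(event)
    t.join()
    return mon

# Constructed sample events (pid, activity, target); not real telemetry.
SAMPLE = [
    (100, "create_file", r"C:\Temp\a.dll"),
    (100, "create_process", 101),
    (101, "set_file_time_past", r"C:\Temp\a.dll"),
    (200, "set_file_time_past", r"C:\Temp\b.txt"),
]
```

`run(SAMPLE).alerts` holds one alert, raised on pid 101: the rule only fires because the recognizer walks the process tree and finds the matching file creation in the parent's activity list, while pid 200's isolated timestamp change produces nothing.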

This flowchart describes the activity inspection process of a sample Viruscope recognizer:




Viruscope is another key layer of security in the CCAV arsenal, taking our protection beyond that found in any other antivirus product. Our real-time virus monitor protects you against known threats, while auto-sandboxing protects you against unknown threats. With Viruscope on top, you also get proactive warnings about brand new malware.


© Comodo Group, Inc. 2025. All rights reserved.