Comodo employs a wide variety of techniques to detect and identify unknown files, ranging from a simple signature based system to emulators and unpackers. This holistic approach provides both detection and protection from malware.

Comodo Valkyrie is a cloud based verdict driven platform that provides static, dynamic and as needed, expert human analysis for submitted files of unknown and zero day files. The Valkyrie verdict system analyzes over 200 million file queries per day and more than 300 million unknown files each year through tightly integrated Comodo solutions and our active global community of threat researchers.

Different from traditional signature based malware detection techniques Valkyrie conducts several analysis using run-time behavior and hundreds of features from a file and based on analysis results can warn users against malwares undetected by classic Anti-Virus products.

Valkyrie platform provides detector API for users to design and implement their own detection methods in the form of a Valkyrie detector. Users then can deploy their detectors on Valkyrie Platform for testing. In this way, they can also compare the results of their detection methods with each other and Valkyrie detection methods

Static Analysis

Automatic static analysis allows detection of malicious files that might not be recognized by legacy techniques such as antivirus engines and blacklists. For example, malware writers frequently ‘pack’ or compress their malware to obfuscate it and escape analysis. Valkyrie static analysis supports over 450 unpackers ensuring these evasive tactics fail.

Comodo Valkyrie extracts and analyzes static detector data on submitted PE files and determines a verdict. Static analysis detectors include: binary level analysis, included libraries, system calls embedded in the code, extractable links, unpackers, string analysis and many more detectors that determine a trust verdict.

Automatic static analysis is done by using only binary features of the file such as format of the file, format anomalies, and sections in the file, contents of sections, location of sections and section anomalies. Static analysis can be applied to any type of file, such as 32/64 bit executable Windows files, pdf files, Office documents, html files, and stand-alone script files, e.g. bat, py, js.

Static analysis is a fast method and able to process large numbers of files in a shorter time than the behavioral approach of dynamic analysis, but dynamic analysis plays a critical role in catching what static analysis misses.

Dynamic Analysis:
Behavioral Monitoring

Dynamic analysis detects malicious files that might be unrecognized by legacy techniques. Dynamic analysis runs and monitors the behaviors of a file to catch malicious files that cannot be detected by static analysis methods. Dynamic analysis takes longer than static analysis but it is a critical part of detection.

Automatic dynamic an analysis is done by inspecting the run-time behavior of a file such as if it is attempting to create, delete or modify files, registry values, processes, memory locations or other specific operating system entities and network connections. Dynamic analysis can be applied to different file types such 32/64 bit executable Windows files, pdf files, Office documents and html files that include executable scripts and stand-alone script files, e.g. bat, py, js.

Comodo Valkyrie sandbox based dynamic analysis is performed on the submitted PE file. Automatic dynamic analysis includes both behavioral and environmental analysis of unknown files exhibiting any of the following: ‘anti-VM’ evasion, VM escape attempts, sleep commands intended to wait out analysis, system modifications to the registry, file system pollution, system API calls and returns, and many more techniques that contribute to determine a trust verdict (good or bad).

Dynamic Machine Learning:
AI Engineered Detection

Machine learning training techniques combine algorithms and hundreds of static features extracted from files. Huge sets of malicious and clean files are used in machine learning models and refreshed with new files regularly. Machine learning based models, ensure a high degree of accuracy and reduce the management overhead typically associated with exploit validation and response.

Static machine learning models know what a clean file should look like. They can detect potential new malware for analysis such as zero-day malicious files that have features that are not explicitly known and are not likely to be detected by legacy methods. In addition, machine learning models trained on specific malware types help improve the accuracy of automatic techniques.

Broader machine learning models—as practiced by Comodo—focus on statistical correlations and trends to identify exploit campaigns and more. Comodo’s dynamic machine learning technique uses hundreds of features extracted from the run-time behavior of a file with the combination of algorithms yielding the best results.

Comodo Valkyrie integrates machine learning throughout its automated verdict system. Research and analysis drives the development of ‘big data’ algorithms and methodologies that increase verdict coverage and accuracy. Hundreds of thousands of malicious and clean files are used in training dynamic machine learning models and they are improved with new files regularly. Like the static machine learning technique, the advantage of dynamic machine learning comes from its high probability to spot zero-day malicious files.

Comodo focuses on machine learning based models designed to accurately identify the rise and fall of exploit campaigns. We also study trending analyses of exploit submissions by Comodo’s global installed base and community of independent researchers. This helps us identify campaign attack surface, breadth, geography, industry and other useful metadata to profile and respond to advanced threats.

How we detect at the endpoint

Comodo takes a holistic approach to endpoint security that spans simple signature-based detection of known malware to application whitelisting to advanced detection and response tools at the local level and in the cloud. Comodo’s endpoint security continuum also includes application and network access controls, a host intrusion prevention firewall (HIPS) and patent-pending Secure Auto Containment™ for usability while preventing infection from unknown malware.

For more information please visit project’s website from here The manuals and sample sets are at the Here is What You Get section.

Embedded Detectors for Analysis

Detectors are a standard function of Valkyrie analysis methods and require no configuration or effort by customers. Comodo’s embedded detectors are custom script-based detection methods that may be uploaded to Valkyrie to be used and included in a final verdicts.

Precise Detectors

Precise detectors target specific malware features with high rates of precision to help detect malicious files and minimize false positives. Precise detectors apply heuristic methods to check data patterns in a file. These might include specific opcode sequences, unexpected opcode existences and frequencies, unexpected sections, section contents, imported resources and packing methods etc.

Static Detectors

Comodo uses static analysis detectors include: binary level analysis, included libraries, system calls embedded in the code, extractable links, unpackers, string analysis and many more detectors that determine a trust verdict.

Behavioral Analysis/Inspection

Behavioral analysis is used for intrusion detection—concentrating on detecting the characteristics of malware during execution. Behavioral analysis is limited to detection only when the file is performing malware actions.

Data Mining

Data mining is one of the latest techniques to detect malware. Data mining looks for a prescribed set of program features to determine if the program is malicious or not.


Emulation offers a solution to the codependency of the hardware and software on a given machine. Should the hardware fail, all is not lost, emulation offers continued access to the digital objects that were on the host. Emulation imitates a certain computer platform or program on another platform or program. In this manner, it is possible to view documents or run programs on a computer not designed to do so.