CIS misses some samples often, a reinstall fixes it

[Guest]

[SivaSuresh]

Specific samples are all this is about. So while talking about such issues we need details. And we need a reproduction.

If you are able to reproduce this behavior with a CURRENT sample, pls immeidately contact with me and send me the sample.

I can not reproduce what you are saying with the links you gave.

[at] Egemen

I could reproduce this issue by scanning with an old database and then again doing a scan with the latest bases. (I think I could explain it in detail in my previous post)

To be more specific, it happens with most of the samples, not at all sample specific in my opinion.

I am using CIS 5.8 x64 on Win7 x64 latest release and the issue was there from the beginning of CIS 5.8 first beta.

Note: Can you please answer the questions in my previous post ?

I had this problem with a piece of malware that was trusted, don't worry, it wasn't a high risk.

I kept rescanning it for a few days, waiting for it to be detected, but it wasn't. Then I cleared the trusted files list and rescanned and it was detected right away.

[at]SivaSuresh
Were those samples you are referring to trusted at one time by Comodo?

Not by TVL, not manually added by me, but they are some how getting in to the list when we do a manual scan of the samples before they are actually detected by CAV.

[egemen]

I already answered your question: Trusted files are trusted files. They are never going to be reported as malware. Trust is not only for D+ but for firewall, AV and sandbox as well.

Exclusions are files that are skipped.

The sample you are referring is detected as malware and i dont see behavior like you said right now. However lets make sure we have the same settings

1 - Are you using all default settings? Have you changed anything?Have you changed D+ to clean PC mode or anything? Tell me all the changes you did.
2 - How am I going to reproduce this issue?Please tell me step by step as if you are recording video.


If you dont add these files manually, then there is ONLY 1 way these files to get to trsuted files,

1 - Cloud marks this sample as safe(Which is not a case of you sent the corrent sample)
2 - This file is dropped by a trusted installer(Well we will see if this is the case if you can explain how we can reproduce this issue exactly)



If you provide these, i can see what this is about.

[SivaSuresh]

I already answered your question: Trusted files are trusted files. They are never going to be reported as malware. Trust is not only for D+ but for firewall, AV and sandbox as well.

Exclusions are files that are skipped.

The sample you are referring is detected as malware and i dont see behavior like you said right now. However lets make sure we have the same settings

1 - Are you using all default settings? Have you changed anything?Have you changed D+ to clean PC mode or anything? Tell me all the changes you did.
2 - How am I going to reproduce this issue?Please tell me step by step as if you are recording video.


If you dont add these files manually, then there is ONLY 1 way these files to get to trsuted files,

1 - Cloud marks this sample as safe(Which is not a case of you sent the corrent sample)
2 - This file is dropped by a trusted installer(Well we will see if this is the case if you can explain how we can reproduce this issue exactly)

If you provide these, i can see what this is about.

First of all, thanks for the confirmation.

1. Now I stand corrected and understand that Naren was right about this. The trusted files are not being scanned for malware. Although I am not comfortable with this fact, it is how it is.

2. No they are not dropped by any trusted source. Actually I found those samples using killswitch in an infected system, copied them through pendrive to a local folder on my desktop.

I did not make any big changes except changing CIS from Internet security to Proactive security. In D+ settings "create rules for safe applications" is checked on.

3. I think I have explained the process to reproduce the issue in very detailed manner in my previous post. In case you did not get it clearly,

a. Scan the folder with CAV with an older bases.cav which does not identify the samples.
b. Now, scan the same folder with CAV with a newer bases.cav which has definitions added for these samples.
c. CAV reports the files as undected, you will be surprised to see those samples in "Trusted files" list.
d. Clear all the trusted files list, scan again, you can see that they are detected now, with the same bases.cav.

The issue is not 100% reproducible but I can say it is 85% reproducible, since it happened to me with 25 samples just exception of 3 samples out of 28 samples I tested for last one month. To remind you again, this is only happening on my machine with CIS x64 installed, I could not reproduce it even for once on my laptop with CIS x86 installed.

Hope this helps.

[egemen]

Sure. Older bases.cav: Can you please give me base versions that reproduces this problem? For exmaple, which old base version have you used?

First of all, thanks for the confirmation.

1. Now I stand corrected and understand that Naren was right about this. The trusted files are not being scanned for malware. Although I am not comfortable with this fact, it is how it is.

2. No they are not dropped by any trusted source. Actually I found those samples using killswitch in an infected system, copied them through pendrive to a local folder on my desktop.

I did not make any big changes except changing CIS from Internet security to Proactive security. In D+ settings "create rules for safe applications" is checked on.

3. I think I have explained the process to reproduce the issue in very detailed manner in my previous post. In case you did not get it clearly,

a. Scan the folder with CAV with an older bases.cav which does not identify the samples.
b. Now, scan the same folder with CAV with a newer bases.cav which has definitions added for these samples.
c. CAV reports the files as undected, you will be surprised to see those samples in "Trusted files" list.
d. Clear all the trusted files list, scan again, you can see that they are detected now, with the same bases.cav.

The issue is not 100% reproducible but I can say it is 85% reproducible, since it happened to me with 25 samples just exception of 3 samples out of 28 samples I tested for last one month. To remind you again, this is only happening on my machine with CIS x64 installed, I could not reproduce it even for once on my laptop with CIS x86 installed.

Hope this helps.

[SivaSuresh]

Sure. Older bases.cav: Can you please give me base versions that reproduces this problem? For exmaple, which old base version have you used?

4 days old...for this sample.

[egemen]

4 days old...for this sample.

Can you give me exact base versions as seen in More->About?

[SivaSuresh]

Can you give me exact base versions as seen in More->About?

Sure, but then I have to restart my PC twice, I can not do it right now. I will give you tomorrow if you insist. But for me, any version 4 days old, which does not detect this samples seems OK, since I myself picked a random old bases.cav, not any specific one to reproduce this here.

 
By the way, can we expect the offline database update on the fly mode, without restarting windows and entering safe mode...at least in the coming versions...something like import database option in CCE 2.1...

It saves my time most of the times, would also allow me to install CIS to those who do not have Internet connection.

[egemen]

If it happens, please check your Defenese+ logs and Antivirus logs. What do those logs say about this?

Do you see any Scanned online and found safe type logs for this file when it happens?

Also how do you scan? Right click? By crreating a scan profile? With cloud enabled?

Sure, but then I have to restart my PC twice, I can not do it right now. I will give you tomorrow if you insist. But for me, any version 4 days old, which does not detect this samples seems OK, since I myself picked a random old bases.cav, not any specific one to reproduce this here.

 
By the way, can we expect the offline database update on the fly mode, without restarting windows and entering safe mode...at least in the coming versions...something like import database option in CCE 2.1...

It saves my time most of the times, would also allow me to install CIS to those who do not have Internet connection.

[SivaSuresh]

If it happens, please check your Defenese+ logs and Antivirus logs. What do those logs say about this?

Do you see any Scanned online and found safe type logs for this file when it happens?

Also how do you scan? Right click? By crreating a scan profile? With cloud enabled?

1. Just nothing in AV logs or D+ logs.
2. No no scanned online kind of report.
3. Yes, I do right click scan, cloud enabled.

[egemen]

1. Just nothing in AV logs or D+ logs.
2. No no scanned online kind of report.
3. Yes, I do right click scan, cloud enabled.

By cloud enabled, i meant "Enable cloud scanning" option in manual scanning settings. Was it enabled?

[egemen]

Also can you please send me
C:\Program Files\COMODO\COMODO Internet Security\database\trusted.db file when this happens before deleting the sample from the trsuted list. LEt me see the source of it.

[SivaSuresh]

Also can you please send me
C:\Program Files\COMODO\COMODO Internet Security\database\trusted.db file when this happens before deleting the sample from the trsuted list. LEt me see the source of it.

I will have to finish my work now. I will then restart, try to reproduce the issue and send you the trusted.db. By the way, I enable cloud scanning in realtime, manual, scheduled scans.

[naren]

Naren,

Everytime you have a problem, even with downloading the bases, i am checking it out and explaining. Despite this fact, you are still making up stuff such as what you wrote above.

Now instead of fabricating scenarios, simply provide the sample and explain what you think it is wrong. Check the forum and you will see how we immediately fix critical issues.

A reply to my post app. after 2 months. What should I say? Ok I start with thanxx.

I dont have time to waste making up stuff or fabricating scenarios for CAV.

Just as you asked me to check the forum & see how immediately you guys fix the issues, I too can ask you to check the forum & see the probs I have submitted, explained & provided malware samples wherever needed.

As for this prob I dont think you need specific samples. Things have been explained clearly here how to reproduce the issue with maximum chances. And I dont think its a malware specific prob but some kind of bug in CIS.

Thanxx
Naren

[egemen]

I will have to finish my work now. I will then restart, try to reproduce the issue and send you the trusted.db. By the way, I enable cloud scanning in realtime, manual, scheduled scans.

Ok any update on this? trusted.db file is very important for me to identify how the file found its way there.

[SivaSuresh]

Ok any update on this? trusted.db file is very important for me to identify how the file found its way there.

I sent you two PMs adding the screenshots and trusted.db. Hope it helps.

Besides, I will keep the old DB for a while, trusted.db too, so that I can send you any other info needed.

Please tell me when you are done, so that I will clear my list.

[Tags:]