Author Topic: CIS misses some samples often, a reinstall fixes it  (Read 23062 times)

Offline SivaSuresh

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1328
  • Avert the danger that has not yet come
Re: CIS misses some samples often, a reinstall fixes it
« Reply #15 on: November 15, 2011, 12:39:33 PM »
Specific samples are all this is about. So while talking about such issues we need details. And we need a reproduction.

If you are able to reproduce this behavior with a CURRENT sample, please immediately contact me and send me the sample.

I can not reproduce what you are saying with the links you gave.


@Egemen

I could reproduce this issue by scanning with an old database and then again doing a scan with the latest bases. (I think I could explain it in detail in my previous post)

To be more specific, it happens with most of the samples, not at all sample specific in my opinion.

I am using CIS 5.8 x64 on Win7 x64 latest release and the issue was there from the beginning of CIS 5.8 first beta.

Note: Can you please answer the questions in my previous post ?

I had this problem with a piece of malware that was trusted, don't worry, it wasn't a high risk.

I kept rescanning it for a few days, waiting for it to be detected, but it wasn't. Then I cleared the trusted files list and rescanned and it was detected right away.

@SivaSuresh
Were those samples you are referring to trusted at one time by Comodo?

Not by TVL, not manually added by me, but they are somehow getting into the list when we do a manual scan of the samples before they are actually detected by CAV.
with love Siva Suresh
|| Windows8 x64 | CIS 6 | Waterfox | Comodo Dragon x86 | Thunderbird | CCleaner | Evernote | PStart | SuperCopier | Dropbox | TeamViewer | Screenshot Captor ||
|| AMD Phenom II x4 955B | ASUS M4A88TD | 8GB DDR3 RAM | 240GB Sandisk SSD  || 3TB SATA II HDD 6Gb/s

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3314
Re: CIS misses some samples often, a reinstall fixes it
« Reply #16 on: November 15, 2011, 12:53:33 PM »
I already answered your question: Trusted files are trusted files. They are never going to be reported as malware. Trust is not only for D+ but for firewall, AV and sandbox as well.

Exclusions are files that are skipped.

The sample you are referring to is detected as malware and I don't see the behavior you described right now. However, let's make sure we have the same settings:

1 - Are you using all default settings? Have you changed anything? Have you changed D+ to clean PC mode or anything? Tell me all the changes you did.
2 - How am I going to reproduce this issue? Please tell me step by step as if you are recording a video.


If you don't add these files manually, then there is ONLY 1 way for these files to get into trusted files:

1 - Cloud marks this sample as safe (which is not the case if you sent the correct sample)
2 - This file is dropped by a trusted installer (well, we will see if this is the case if you can explain how we can reproduce this issue exactly)



If you provide these, I can see what this is about.


Offline SivaSuresh

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1328
  • Avert the danger that has not yet come
Re: CIS misses some samples often, a reinstall fixes it
« Reply #17 on: November 15, 2011, 01:37:45 PM »
I already answered your question: Trusted files are trusted files. They are never going to be reported as malware. Trust is not only for D+ but for firewall, AV and sandbox as well.

Exclusions are files that are skipped.

The sample you are referring to is detected as malware and I don't see the behavior you described right now. However, let's make sure we have the same settings:

1 - Are you using all default settings? Have you changed anything? Have you changed D+ to clean PC mode or anything? Tell me all the changes you did.
2 - How am I going to reproduce this issue? Please tell me step by step as if you are recording a video.


If you don't add these files manually, then there is ONLY 1 way for these files to get into trusted files:

1 - Cloud marks this sample as safe (which is not the case if you sent the correct sample)
2 - This file is dropped by a trusted installer (well, we will see if this is the case if you can explain how we can reproduce this issue exactly)

If you provide these, I can see what this is about.

First of all, thanks for the confirmation.

1. Now I stand corrected and understand that Naren was right about this. The trusted files are not being scanned for malware. Although I am not comfortable with this fact, it is how it is.

2. No they are not dropped by any trusted source. Actually I found those samples using killswitch in an infected system, copied them through pendrive to a local folder on my desktop.

I did not make any big changes except changing CIS from Internet security to Proactive security. In D+ settings "create rules for safe applications" is checked on.

3. I think I have explained the process to reproduce the issue in very detailed manner in my previous post. In case you did not get it clearly,

a. Scan the folder with CAV with an older bases.cav which does not identify the samples.
b. Now, scan the same folder with CAV with a newer bases.cav which has definitions added for these samples.
c. CAV reports the files as undetected; you will be surprised to see those samples in the "Trusted files" list.
d. Clear all the trusted files list, scan again, you can see that they are detected now, with the same bases.cav.

The issue is not 100% reproducible but I can say it is 85% reproducible, since it happened to me with 25 samples, the only exceptions being 3 samples out of the 28 samples I tested over the last month. To remind you again, this is only happening on my machine with CIS x64 installed; I could not reproduce it even once on my laptop with CIS x86 installed.

Hope this helps.

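The four-step reproduction above (old bases, new bases, clear the trusted list, rescan), modelled as an added Python example that is not Comodo's code: a toy scanner consults a hash-keyed trusted list before its signature database, the reporter's observation that an undetected file quietly lands in that list is encoded as an explicit assumption, and one mitigation (re-validating scanner-issued trust whenever the database updates) is shown beside the failing behaviour.

```python
import hashlib

# Constructed stand-ins for the sample files on disk (not real malware).
SAMPLES = {
    "sample_a.exe": b"constructed sample A",
    "sample_b.exe": b"constructed sample B",
}


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Scanner:
    """Toy AV in which the trusted list is consulted before signatures."""

    def __init__(self, signatures, revalidate_on_update):
        self.signatures = dict(signatures)      # hash -> detection name
        self.db_version = 1                     # stands in for bases.cav age
        self.revalidate_on_update = revalidate_on_update
        self.trusted = {}                       # hash -> (source, db_version)

    def scan(self, data: bytes) -> str:
        h = file_hash(data)
        if h in self.trusted:                   # trusted files are never scanned
            return "trusted"
        if h in self.signatures:
            return "detected:" + self.signatures[h]
        # ASSUMPTION (the reporter's observation, not confirmed in the thread):
        # a file the old database does not know becomes a trusted entry.
        self.trusted[h] = ("scanner", self.db_version)
        return "clean"

    def update_signatures(self, new_signatures):
        self.signatures.update(new_signatures)
        self.db_version += 1
        if self.revalidate_on_update:
            # Mitigation: trust issued by the scanner's own "not detected"
            # verdict is stale once the database changes; explicit sources
            # (user, cloud verdict, trusted installer) would be kept.
            self.trusted = {h: v for h, v in self.trusted.items()
                            if v[0] != "scanner"}


def reproduce(revalidate_on_update):
    """Steps a-d: returns the verdicts after each of the three scans."""
    new_db = {file_hash(d): "Malware.Constructed" for d in SAMPLES.values()}
    s = Scanner({}, revalidate_on_update)              # old bases: knows nothing
    first = {n: s.scan(d) for n, d in SAMPLES.items()}  # step a: all "clean"
    s.update_signatures(new_db)                         # newer bases installed
    second = {n: s.scan(d) for n, d in SAMPLES.items()} # step b/c
    s.trusted.clear()                                   # step d: clear the list
    third = {n: s.scan(d) for n, d in SAMPLES.items()}  # same bases, now detected
    return first, second, third
```

Without re-validation the second scan returns "trusted" for every sample and only the third, after clearing the list, detects them; with re-validation the second scan already detects them.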

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3314
Re: CIS misses some samples often, a reinstall fixes it
« Reply #18 on: November 15, 2011, 01:43:18 PM »
Sure. Older bases.cav: Can you please give me the base versions that reproduce this problem? For example, which old base version have you used?

First of all, thanks for the confirmation.

1. Now I stand corrected and understand that Naren was right about this. The trusted files are not being scanned for malware. Although I am not comfortable with this fact, it is how it is.

2. No they are not dropped by any trusted source. Actually I found those samples using killswitch in an infected system, copied them through pendrive to a local folder on my desktop.

I did not make any big changes except changing CIS from Internet security to Proactive security. In D+ settings "create rules for safe applications" is checked on.

3. I think I have explained the process to reproduce the issue in very detailed manner in my previous post. In case you did not get it clearly,

a. Scan the folder with CAV with an older bases.cav which does not identify the samples.
b. Now, scan the same folder with CAV with a newer bases.cav which has definitions added for these samples.
c. CAV reports the files as undetected; you will be surprised to see those samples in the "Trusted files" list.
d. Clear all the trusted files list, scan again, you can see that they are detected now, with the same bases.cav.

The issue is not 100% reproducible but I can say it is 85% reproducible, since it happened to me with 25 samples, the only exceptions being 3 samples out of the 28 samples I tested over the last month. To remind you again, this is only happening on my machine with CIS x64 installed; I could not reproduce it even once on my laptop with CIS x86 installed.

Hope this helps.



Offline SivaSuresh

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1328
  • Avert the danger that has not yet come
Re: CIS misses some samples often, a reinstall fixes it
« Reply #19 on: November 15, 2011, 01:44:24 PM »
Sure. Older bases.cav: Can you please give me the base versions that reproduce this problem? For example, which old base version have you used?

4 days old...for this sample.

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3314
Re: CIS misses some samples often, a reinstall fixes it
« Reply #20 on: November 15, 2011, 01:46:53 PM »
4 days old...for this sample.
Can you give me exact base versions as seen in More->About?

Offline SivaSuresh

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1328
  • Avert the danger that has not yet come
Re: CIS misses some samples often, a reinstall fixes it
« Reply #21 on: November 15, 2011, 02:05:20 PM »
Can you give me exact base versions as seen in More->About?

Sure, but then I have to restart my PC twice, and I can not do it right now. I will give it to you tomorrow if you insist. But for me, any version 4 days old which does not detect these samples seems OK, since I myself picked a random old bases.cav, not any specific one, to reproduce this here.

[Off topic]
By the way, can we expect the offline database update in on-the-fly mode, without restarting Windows and entering safe mode, at least in the coming versions? Something like the import database option in CCE 2.1...

It saves my time most of the times, would also allow me to install CIS to those who do not have Internet connection.

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3314
Re: CIS misses some samples often, a reinstall fixes it
« Reply #22 on: November 15, 2011, 02:19:08 PM »
If it happens, please check your Defense+ logs and Antivirus logs. What do those logs say about this?

Do you see any Scanned online and found safe type logs for this file when it happens?

Also, how do you scan? Right click? By creating a scan profile? With cloud enabled?
Sure, but then I have to restart my PC twice, and I can not do it right now. I will give it to you tomorrow if you insist. But for me, any version 4 days old which does not detect these samples seems OK, since I myself picked a random old bases.cav, not any specific one, to reproduce this here.

[Off topic]
By the way, can we expect the offline database update in on-the-fly mode, without restarting Windows and entering safe mode, at least in the coming versions? Something like the import database option in CCE 2.1...

It saves my time most of the times, would also allow me to install CIS to those who do not have Internet connection.

Offline SivaSuresh

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1328
  • Avert the danger that has not yet come
Re: CIS misses some samples often, a reinstall fixes it
« Reply #23 on: November 15, 2011, 02:21:04 PM »
If it happens, please check your Defense+ logs and Antivirus logs. What do those logs say about this?

Do you see any Scanned online and found safe type logs for this file when it happens?

Also, how do you scan? Right click? By creating a scan profile? With cloud enabled?
1. Just nothing in AV logs or D+ logs.
2. No, no "scanned online" kind of report.
3. Yes, I do right click scan, cloud enabled.

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3314
Re: CIS misses some samples often, a reinstall fixes it
« Reply #24 on: November 15, 2011, 02:58:34 PM »
1. Just nothing in AV logs or D+ logs.
2. No, no "scanned online" kind of report.
3. Yes, I do right click scan, cloud enabled.

By cloud enabled, I meant the "Enable cloud scanning" option in manual scanning settings. Was it enabled?

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3314
Re: CIS misses some samples often, a reinstall fixes it
« Reply #25 on: November 15, 2011, 03:05:10 PM »
Also, can you please send me the
C:\Program Files\COMODO\COMODO Internet Security\database\trusted.db file when this happens, before deleting the sample from the trusted list. Let me see the source of it.

Offline SivaSuresh

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1328
  • Avert the danger that has not yet come
Re: CIS misses some samples often, a reinstall fixes it
« Reply #26 on: November 15, 2011, 04:09:08 PM »
Also, can you please send me the
C:\Program Files\COMODO\COMODO Internet Security\database\trusted.db file when this happens, before deleting the sample from the trusted list. Let me see the source of it.

I will have to finish my work now. I will then restart, try to reproduce the issue and send you the trusted.db. By the way, I enable cloud scanning in realtime, manual, scheduled scans.

Offline naren

  • Comodo's Hero
  • *****
  • Posts: 4376
Re: CIS misses some samples often, a reinstall fixes it
« Reply #27 on: November 16, 2011, 03:34:58 AM »
Naren,

Every time you have a problem, even with downloading the bases, I am checking it out and explaining. Despite this fact, you are still making up stuff such as what you wrote above.

Now instead of fabricating scenarios, simply provide the sample and explain what you think it is wrong. Check the forum and you will see how we immediately fix critical issues.

A reply to my post approximately 2 months later. What should I say? OK, I start with thanxx.

I don't have time to waste making up stuff or fabricating scenarios for CAV.

Just as you asked me to check the forum and see how immediately you guys fix the issues, I too can ask you to check the forum and see the probs I have submitted, explained and provided malware samples for wherever needed.

As for this prob, I don't think you need specific samples. It has been explained clearly here how to reproduce the issue with maximum chances. And I don't think it's a malware-specific prob but some kind of bug in CIS.

Thanxx
Naren

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3314
Re: CIS misses some samples often, a reinstall fixes it
« Reply #28 on: November 16, 2011, 11:27:01 AM »
I will have to finish my work now. I will then restart, try to reproduce the issue and send you the trusted.db. By the way, I enable cloud scanning in realtime, manual, scheduled scans.

OK, any update on this? The trusted.db file is very important for me to identify how the file found its way there.

Offline SivaSuresh

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1328
  • Avert the danger that has not yet come
Re: CIS misses some samples often, a reinstall fixes it
« Reply #29 on: November 16, 2011, 12:29:51 PM »
OK, any update on this? The trusted.db file is very important for me to identify how the file found its way there.

I sent you two PMs adding the screenshots and trusted.db. Hope it helps.

Besides, I will keep the old DB for a while, trusted.db too, so that I can send you any other info needed.

Please tell me when you are done, so that I will clear my list.