Author Topic: CIS misses some samples often, a reinstall fixes it  (Read 19862 times)
SivaSuresh
Star Group
Comodo's Hero
Posts: 1336


Avert the danger that has not yet come


« Reply #60 on: December 21, 2011, 01:16:26 AM »

I have made a new topic just explaining this. And, I have added a poll too to offer two check boxes separating executable and non executable archives scanning.

https://forums.comodo.com/wishlist-cis/separate-archive-scan-and-sfxruntime-packers-scans-t79672.0.html;msg571018#msg571018
with love Siva Suresh
|| Windows8 x64 | CIS 6 | Waterfox | Comodo Dragon x86 | Thunderbird | CCleaner | Evernote | PStart | SuperCopier | Dropbox | TeamViewer | Screenshot Captor ||
|| AMD Phenom II x4 955B | ASUS M4A88TD | 8GB DDR3 RAM | 240GB Sandisk SSD  || 3TB SATA II HDD 6Gb/s
naren
Comodo's Hero
Posts: 3860


« Reply #61 on: December 21, 2011, 06:08:21 AM »

I found the answer. All those detected files are actually self extracting archives/runtime packers as I can understand from the " | " symbol in the report. Since I disabled archive scanning in my CIS, they are not getting detected.

But, why are .exe files not scanned, if they are sfx files or runtime packers, they should not be excluded from scanning when I uncheck "archive scanning".

I only want to exclude .zip, .rar, .7z etc from scanning as they are not executables and the scanning takes up too much of resources unnecessarily, but I certainly do not want to exclude .exe files (either SFX archives or runtime packers) from scanning.

Maybe we need a rethinking of this policy.

Anyway, thanks for the concern.



GR8 you found the answer.
SivaSuresh
« Reply #62 on: February 12, 2012, 01:42:38 AM »

Hey guys... I am back with the same problem...

Two samples that I was trying to scan would show up as clean on my system, while when I scan them on Virustotal, Comodo detects them online. I tried to scan on another system (CIS 32 bit), they are detected.

I have not noticed any Def+ logs too... By the way I am using the latest CIS x64 build.

I will send the samples if anybody can test on another x64 system...

« Last Edit: February 12, 2012, 01:45:37 AM by SivaSuresh »
SivaSuresh
« Reply #63 on: February 15, 2012, 01:38:38 AM »

Hey guys... I am back with the same problem...

Two samples that I was trying to scan would show up as clean on my system, while when I scan them on Virustotal, Comodo detects them online. I tried to scan on another system (CIS 32 bit), they are detected.

I have not noticed any Def+ logs too... By the way I am using the latest CIS x64 build.

I will send the samples if anybody can test on another x64 system...



I have cleared all my "Trusted files" (a really long list indeed) to get it to work. Anyway, after clearing the Trusted files list, the samples are now detected.

Again, I do not understand how these malware samples are getting into the trusted list every time (they are not signed surely). I thought this problem was solved in 5.9 release...
Ronny
Product Translator
Global Moderator
Comodo's Hero
Posts: 13180


Volunteer Moderator


« Reply #64 on: February 15, 2012, 04:23:12 AM »

Please drop Egemen a PM on this.
Do you have any idea with what 'tools/software' you have touched these files?

Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!
SivaSuresh
« Reply #65 on: February 15, 2012, 04:40:30 AM »

Please drop Egemen a PM on this.
Do you have any idea with what 'tools/software' you have touched these files?

I have copied those samples from an external drive to my desktop. Besides, I have zipped them using 7zip and unzipped again too. So probably, explorer.exe and 7zfm.exe are the only two sw touching those files.

I think that both these are trusted.

I already waited for three days for someone to respond, but since I have now cleared my trusted files list, I have to wait until the issue reoccurs, so that I can call EGEMEN for direct help.
naren
« Reply #66 on: February 15, 2012, 04:50:31 AM »

Siva,

The samples are detected on 32 bits but not on 64 bits, right?

The samples are not detected on 64 bits with both manual & realtime?

Send me the samples I will try it on 64 bits later & post here the results.

I will try on win 7 64.

What 64 bits you are on?

And do you mean while extracting those samples they get into trusted files?
SivaSuresh
« Reply #67 on: February 15, 2012, 04:58:13 AM »

Siva,

The samples are detected on 32 bits but not on 64 bits, right?

The samples are not detected on 64 bits with both manual & realtime?

Send me the samples I will try it on 64 bits later & post here the results.

I will try on win 7 64.

What 64 bits you are on?

And do you mean while extracting those samples they get into trusted files?

I am using Win7 x64.
I do not know when and how they are added to "Trusted files" list, I am investigating into it.
naren
« Reply #68 on: February 15, 2012, 05:01:53 AM »

I am using Win7 x64.
I do not know when and how they are added to "Trusted files" list, I am investigating into it.

So they are added to trusted lists somehow, right?
EricJH
Global Moderator
Comodo's Hero
Posts: 16695



« Reply #69 on: February 19, 2012, 11:44:26 AM »

Maybe malware gets installed by a trusted installer and will then end up in the TSV list.
SivaSuresh
« Reply #70 on: February 21, 2012, 12:35:31 AM »

Maybe malware gets installed by a trusted installer and will then end up in the TSV list.

They are not installed, they are not in memory.

Whenever I encounter a suspicious file in any of my friends' computers, I will copy those samples and keep them in a folder on my desktop for verification and confirmation. So, if anything happens, it must happen during copy process or in zip/unzip process only.
EricJH
« Reply #71 on: February 21, 2012, 01:17:24 PM »

They are not installed, they are not in memory.

Whenever I encounter a suspicious file in any of my friends' computers, I will copy those samples and keep them in a folder on my desktop for verification and confirmation. So, if anything happens, it must happen during copy process or in zip/unzip process only.

Can you try the following? Remove one of these files from the Trusted Files list then see if copying and/or zipping/unzipping it gets it on the list reproducibly.

Do you happen to have given your zip program the Installer/Updater policy?
SivaSuresh
« Reply #72 on: February 21, 2012, 01:27:18 PM »

Can you try the following? Remove one of these files from the Trusted Files list then see if copying and/or zipping/unzipping it gets it on the list reproducibly.

Do you happen to have given your zip program the Installer/Updater policy?

No program is added as Installer/Updater by me, no program other than those greyed defaults are there in the list too.

I tried to reproduce it after clearing the Trusted files list, but had no success. Whenever I copy or unzip the files, they are detected by CAV scan now, although not always by Real time scanner (I don't know why?)
Ronny
« Reply #73 on: February 22, 2012, 01:52:57 PM »

, although not always by Real time scanner (I don't know why?)

Those are probably packed; if the .exe extracts and tries to write the real malware .exe to disk, real-time should kick in.
SivaSuresh
« Reply #74 on: February 23, 2012, 12:06:24 PM »

Those are probably packed; if the .exe extracts and tries to write the real malware .exe to disk, real-time should kick in.

I do not think so...

Since they are sometimes detected as soon as they are extracted, sometimes only detected during a manual scan.