Author Topic: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009  (Read 38707 times)
Eljo
« Reply #15 on: November 30, 2009, 04:15:42 PM »

This means that the Heuristics detection finds it suspicious that the file has a "double extension".

Normally the file would be .tmp or .exe, not .tmp.exe, as extension, so based on this fact only it flags it as suspicious, because this trick is used by malware to trick users to "run" it. But I assume you have set Heuristics detection to High for this kind of alert, correct?


No idea, I did not touch the Heuristics settings.

My questions and remarks will not always point to below mentioned machines!
Windows 7 ASUS A75DE, AMD A8 4500M, 1.9Ghz, Radeon Dual HD7640G, HDD 500GB, Ram 8GB,  CIS5.12,
Ronny
« Reply #16 on: November 30, 2009, 04:56:01 PM »

Can you please check the AV settings for Real-Time and Manual scan to see how Heuristics is set?

Groet,
Ronny

Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!
Eljo
« Reply #17 on: December 01, 2009, 01:18:40 AM »

Quote from: Ronny
Can you please check the AV settings for Real-Time and Manual scan to see how Heuristics is set?

Groet,
Ronny

Hi Ronny, all tabs are LOW.
Ronny
« Reply #18 on: December 01, 2009, 02:15:01 AM »

I think you can safely conclude it's a False Alert. It's just the heuristics engine complaining about the double extension...
SiberLynx
« Reply #19 on: December 01, 2009, 08:03:25 PM »

Hi Guys,

... This means that the Heuristics detection finds it suspicious that the file has a "double extension"...

Leaving aside the fact that I'm not using Comodo's AV, I may say that none of the antivirus / antimalware solutions should flag anything based on any file names.

That is less than funny.

Yes, there could be worms in files like <look at this picture>.jpg.com, we all know that...

But we have this “multi-extensions” feature and we have the right to use it.

Some programs are dynamically generating executables. The double/triple extension could be a part of the process... (I am using that in some coding)

Would Comodo trigger the detection when one renames a simple text file and calls it “textFile.txt.exe”??? … in such a situation probably even the file type will not be analyzed???
Why not? Is that what's going on? WoW!!!

Neither signature nor heuristics analysis should look at the names and make conclusions based on that.
The code is analyzed based on fingerprints for the former, and “algorithmic guessing” is added to that for the latter.
The Behaviour Blockers are analyzing the code without signatures, based on the code's actions and the potential outcome of such actions.

What do file names have to do with any type of such analysis?

...I think you can safely conclude it's a False Alert. It's just the heuristics engine complaining about the double extension...
That should not be the case.
Neither False Positives nor Real detections should be made based on any names.

Cheers!
« Last Edit: December 01, 2009, 08:14:39 PM by SiberLynx »

admin; XP Pro, SP3 (32bit); CIS 3.14.130099.587 (firewall only; Proactive with Defense+)- that is the only Comodo's thing I need; Emsisoft - Mamutu Behavioural Blocker or Full EAM
Win 7 x64: Comodo Firewall 3.14; Emsisoft Anti-Malware
OmeletGuy
« Reply #20 on: December 01, 2009, 08:32:26 PM »

Quote from: SiberLynx
... none of the antivirus / antimalware solutions should flag anything based on any file names. ... Neither False Positives nor Real detections should be made based on any names.

It's not based on the file name, I have tested that. It's based on the code in the file; if the code has 2 extensions it gets the name Heur.Dual.Extensions.


Now get back to topic please, or make a thread for this.
« Last Edit: December 01, 2009, 08:34:10 PM by OmeletGuy »

Comodo Dragon themes, including windows Aero options. Download  Here

System Details: W7-64bit | 4GB DDR2 | Intel Core 2 Extreme X6800 | CIS 5.10 | Geforce 560 GTX 1
SiberLynx
« Reply #21 on: December 02, 2009, 12:04:50 AM »

Quote from: OmeletGuy
It's not based on the file name, I have tested that. It's based on the code in the file; if the code has 2 extensions it gets the name Heur.Dual.Extensions.
Now get back to topic please, or make a thread for this.
Hi OmeletGuy,

Can you please clarify what you mean by getting back on topic?
The question was about the detection and the answer by Ronny was about the file name double-extension.

In addition I've seen similar question(s) somewhere else in the forum.

Can you please tell what you mean by "the code has 2 extensions"?

I am really interested since I have kinda been writing programs for a long time ...
probably I am missing something about the "double/triple extension code"

My regards
OmeletGuy
« Reply #22 on: December 02, 2009, 01:29:21 AM »

By get back on topic, I mean you're talking about CIS in the CIMA thread.

Actually I can't really tell you much about that (don't know much about it). All I know is that an exe that has Dual Extensions can execute something on one system and something else on a different system. That's why it's so dangerous.

That's as much as I know, but I may be wrong.

PM Umesh asking what Dual Extensions is, he will know exactly.
SiberLynx
« Reply #23 on: December 02, 2009, 02:12:22 AM »

Quote from: OmeletGuy
By get back on topic, I mean you're talking about CIS in the CIMA thread.
Actually I can't really tell you much about that (don't know much about it). All I know is that an exe that has Dual Extensions can execute something on one system and something else on a different system. That's why it's so dangerous.
That's as much as I know, but I may be wrong.
PM Umesh asking what Dual Extensions is, he will know exactly.

Thanks for the reply OmeletGuy,

I don't need to PM Umesh regarding this since I know that for sure:

That must not be the issue of being detected by Heuristics!

If you tested that, please PM me the code you mentioned and I know how to test that.
(you can add a few words about the method of your test - that will be appreciated, but not really necessary)

Not that there is no such thing as "double-extension code" and I know how to write programs (please do not get me wrong - that is not confrontational talking) - that is a real big issue I can see here

As for the other sources I mentioned earlier:

«Harmful file flagged based on doule extension»:
https://forums.comodo.com/empty-t9143.0.html
Heur.Dual.Extensions:
https://forums.comodo.com/empty-t45006.0.html
https://forums.comodo.com/empty-t42911.0.html
https://forums.comodo.com/empty-t42148.0.html
https://forums.comodo.com/empty-t42313.0.html

…. and so on... That is definitely wrong – that must not happen ever.

The usual answer is:
Quote
Dual extensions are usually used by malware to disguise as genuine files. There is generic detection

That is not an answer at all!!!

Yes, you are right "Dual Extensions can execute something" as you said ... and I posted the most common example above ... so what?!

The names do not matter in relation to AV heuristics analysis.
The name of the detections does not matter much as well ... as we know....
Call it anything - like: "You.Are.Screwed" - it means as much as "Trojan.Agent.Backdoor.Opened.In.Your.BackYard.And.Horse.Is.In.Your.FrontYard.Eating.Grass"

Again none of the security solutions should do that as a result of “Heuristics analysis”!!!!
It could be a different additional service based on file names only, but not Heuristics … excuse me...

Cheers!
« Last Edit: December 02, 2009, 08:39:44 AM by SiberLynx »
OmeletGuy
« Reply #24 on: December 02, 2009, 02:41:21 AM »

Quote from: SiberLynx
... If you tested that, please PM me the code you mentioned and I know how to test that. ... The names do not matter in relation to AV heuristics analysis. ...

My test was to prove that detection isn't based on the name of the file, so pick any exe and add .tmp.exe or exe.tmp to the end of it.

That's all I did, and got no detection for it, so it's not name based, therefore it must be something in the code.
JoWa
« Reply #25 on: December 02, 2009, 02:48:16 AM »

I renamed pidgin-portable.exe to pidgin-portable.tmp.exe and scanned it: Heur.Dual.Extensions.

Ubuntu 13.04, 64-bit | Chrome 27β | Asus P8Z77-M | Intel Core i5 2500K 3,3GHz | 2×4 GB RAM | SSD: OCZ Vertex3 60GB, HDD: 2TB Western Digital Caviar Black | Dell UltraSharp 24" U2410 IPS | Sony MDR-XB1000 | Philips SBC AH1000
SiberLynx
« Reply #26 on: December 02, 2009, 04:58:05 AM »

Quote from: JoWa
I renamed pidgin-portable.exe to pidgin-portable.tmp.exe and scanned it: Heur.Dual.Extensions.

Thanks JoWa,

"Good" stuff ... Yeah!

... I am working with Pidgin Portable ...
I was talking to Guys like half an hour ago, cause they are on ICQ and I don't use it

That's what I was saying above about renaming files like that ... and my "guess", even not using Comodo's AV, was correct:
Quote from: SiberLynx
... Would Comodo trigger the detection when one renames a simple text file and calls it “textFile.txt.exe”??? … in such a situation probably even the file type will not be analyzed??? Why not? Is that what's going on? WoW!!!

This thing is pure laughter ... - do we need Heuristics for that?
What kind of "Heuristics" is that?

Cheers!

=======

Quote from: OmeletGuy
My test was to prove that detection isn't based on the name of the file, so pick any exe and add .tmp.exe or exe.tmp to the end of it.
That's all I did, and got no detection for it, so it's not name based, therefore it must be something in the code.

Sorry man,

That is a contradiction to your previous sayings - you said that you tested the code(!) that somehow has a "double-extension"

and that's what "puzzled" me (not)
Now you are stating something different and that is just about the "names"

and JoWa got the opposite result

I have to refrain myself from writing more ... but I hope that you understand that the issue is serious and we must not allow ourselves.... such a "freedom of speech" when answering questions from less experienced users...

... oh!! well... enough said

Cheers!
« Last Edit: December 02, 2009, 05:16:32 AM by SiberLynx »
JoWa
« Reply #27 on: December 02, 2009, 06:36:15 AM »

Quote from: SiberLynx
Would Comodo trigger the detection when one renames a simple text file and calls it “textFile.txt.exe”???

No. (I renamed a text file and scanned it.)
SiberLynx
« Reply #28 on: December 02, 2009, 06:43:13 AM »

Quote from: JoWa
No. (I renamed a text file and scanned it.)

Thanks JoWa,

I'm glad to hear that ... much better than with Pidgin

but still not good enough ... if you know what I mean

Cheers!
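A small Python model of the behaviour the two tests in this thread observed (a renamed PE triggers Heur.Dual.Extensions, a renamed text file does not), added here as an illustration; it is not Comodo's code, and the rule that the name check only fires when the content is actually a PE image is an assumption that fits both tests, not documented engine logic. The extension sets and the sample bytes are constructed.

```python
import struct

# Final extensions that Windows executes directly (constructed list).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd"}
# Inner extensions that suggest a harmless file to the user (constructed list).
DECOY_EXTS = {"txt", "jpg", "jpeg", "png", "gif", "pdf", "doc", "tmp", "mp3", "avi"}

def has_double_extension(name: str) -> bool:
    """True for names like 'photo.jpg.exe': decoy inner extension, executable last one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, last = parts
    return last in EXECUTABLE_EXTS and inner in DECOY_EXTS

def is_pe_image(data: bytes) -> bool:
    """True if the bytes are a PE image: an 'MZ' stub whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(name: str, data: bytes) -> str:
    """Hypothesis (assumption): flag only a deceptive name combined with real executable content."""
    if has_double_extension(name) and is_pe_image(data):
        return "Heur.Dual.Extensions"
    return "clean"

def fake_pe() -> bytes:
    """Constructed stand-in for a real program: minimal MZ header plus PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

# Constructed samples mirroring the thread's two experiments.
SAMPLES = {
    "pidgin-portable.tmp.exe": fake_pe(),   # renamed real program: flagged
    "textFile.txt.exe": b"hello world\n",   # renamed text file: not flagged
    "pidgin-portable.exe": fake_pe(),       # same binary, ordinary name: not flagged
}

def scan_all() -> dict:
    """Run the heuristic over every constructed sample and return name -> verdict."""
    return {name: classify(name, data) for name, data in SAMPLES.items()}
```

Under this model a renamed text file stays clean because it never passes the PE check, which is what JoWa's second test showed.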