Comodo Forum > Desktop Security Products > Comodo Instant Malware Analysis Online - CIMA > Result = "undetected" - what does this mean?
Author Topic: Result = "undetected" - what does this mean?  (Read 4348 times)
mouse1
« on: July 18, 2009, 12:12:56 PM »

Many thanks

Mouse
mouse1
« Reply #1 on: July 23, 2009, 01:57:45 AM »

BUMP
Eric Cryptid
« Reply #2 on: August 23, 2009, 05:42:44 AM »

BUMP

Just got the same for c:\program files\launch manager\WisSvcCtrl.exe

CIS detected the file as "TrojWare.Win32.TrojanProxy.Horst~A[at]25568489"

When I analysed the file on VirusTotal, Comodo was the only one to detect it as suspicious:

http://www.virustotal.com/analisis/5272216b439c663ae1dfb0c0069d88ecc3a5633740dfc719fb87bfe6157c2de5-1247331036

Whereas CAMAS reported it as "Undetected":

http://camas.comodo.com/cgi-bin/submit?file=5272216b439c663ae1dfb0c0069d88ecc3a5633740dfc719fb87bfe6157c2de5

Presumably Undetected means that it was a Missed Sample, or is it presuming that CIS didn't detect it since you're submitting the file?

E
Logged


Moderator: forum policy.
System: 32 bit Windows Vista SP3
Realtime Protection:Comodo Internet Security 3.13 Internet Security
On Demand: MBAM & SAS
Other: CSC,CBU,CEVPN,CDragon.
mouse1
« Reply #3 on: August 24, 2009, 01:53:52 AM »

Yes, this is puzzling. What is a missed sample?

I've now had 5-6 viruses flagged (probably incorrectly) by CIS. In each case CAMAS has said 'undetected', and given other results that suggest that CAMAS could not fully access the processes involved.

Before testing with CAMAS I have typically 'excluded' the files in CIS to prevent CIS popping up when CAMAS tries to access the files. However, I wonder whether what is happening is that CAMAS is trying to access files or resources related to them which CIS is controlling?

Seems to me that this - checking CIS - is a key way people are going to want to use CAMAS, so it would be good to understand what is happening.

Many thanks

Mouse
keXek
« Reply #4 on: August 24, 2009, 06:03:40 AM »

I think it means that malware can bypass CAMAS by (simply) injecting into other processes.

P.S. I'm referring to the malware in the 3rd post.

P.P.S. And this is cmd.exe, signed by Microsoft Corp.: http://camas.comodo.com/cgi-bin/submit?file=c45a09fa5d6f9e58bc46e26bd1bfe9777fd7a513f692f5e6602bc751da8b4a7e It seems "undetected" means that the file isn't suspicious or malware, IMHO.
« Last Edit: August 24, 2009, 06:13:21 AM by keXek »
mouse1
« Reply #5 on: August 24, 2009, 07:37:56 AM »

Somehow I think we ought to know...

Could Melih or someone working on CIMA clarify please?

Many thanks in anticipation

Mouse
Eric Cryptid
« Reply #6 on: August 24, 2009, 07:59:01 AM »

I've posted in Malware Research Group so hopefully someone will shed some more light on things.

E
umesh
« Reply #7 on: August 24, 2009, 08:13:10 AM »

Hi,
When CAMAS gives the verdict 'undetected' it means it didn't find any malware behaviour upon the file's execution, as shown in the complete report.

Both CAMAS URLs mentioned in this post give an execution report where you can see nothing is suspicious as per the report, and therefore the verdict is undetected.


Thanks
-umesh
mouse1
« Reply #8 on: August 24, 2009, 10:19:57 AM »

Thanks that's great.

Could it maybe say instead 'No malware behaviour detected, based on analysis above'?

Also wondered what 'process is active' meant. Does it mean 'Cannot do much analysis because the process is currently running on your computer?' When it says this it seems not to give much information. Alternatively maybe no info means 'have run this test and it passed'?

Many thanks in anticipation

Mouse
umesh
« Reply #9 on: August 24, 2009, 10:48:40 AM »

Hi Mouse,
Quote
Could it maybe say instead 'No malware behaviour detected, based on analysis above'?
Yes, that's actually what undetected means. We will change to this.
Quote
Also wondered what 'process is active' meant. Does it mean 'Cannot do much analysis because the process is currently running on your computer?' When it says this it seems not to give much information. Alternatively maybe no info means 'have run this test and it passed'?
CIMA has a pre-defined period for which it analyzes a file; a process may remain active till the end of this period or may have exited.

Thanks
-umesh
knk2006
« Reply #10 on: August 25, 2009, 12:37:48 PM »

No, stop here for a moment guys... that doesn't mean that the file is not malware. Take this analysis for example:

http://camas.comodo.com/cgi-bin/submit?file=e28140f5208e5131369a2cfb70bc1c52c7029737642f2b242c34b6f37738ddf2

It says undetected... However, because I know what this file does, I can surely say it's a Trojan Downloader...

:D ... in conclusion, be careful...
mouse1
« Reply #11 on: August 25, 2009, 03:45:50 PM »

Quote
Hi Mouse,
Yes, that's actually what undetected means. We will change to this.
CIMA has a pre-defined period for which it analyzes a file; a process may remain active till the end of this period or may have exited.

Thanks
-umesh

Re 'undetected', thanks, that's great & very clear. Re the other poster's comment, I think 'based on the analysis above' is a sufficient qualification. (I guess at the level of precision that CIMA operates, it's what is downloaded, not the downloader, that's the malware?)

Sorry to be dense, but I still don't understand the explanation regarding active processes - what process exits (or does not), and what is the significance of it exiting (or not)? Hope you can help; I'm not a malware expert unfortunately.

Many thanks in anticipation. Really realising the value of CIMA now I am coming to understand it! Just need a bit better explanation for mere mortals :-)

Mouse
umesh
« Reply #12 on: August 25, 2009, 03:53:36 PM »

Hi mouse1,
Quote
Re 'undetected', thanks, that's great & very clear. Re the other poster's comment, I think 'based on the analysis above' is a sufficient qualification. (I guess at the level of precision that CIMA operates, it's what is downloaded, not the downloader, that's the malware?)

Sorry to be dense, but I still don't understand the explanation regarding active processes - what process exits (or does not), and what is the significance of it exiting (or not)? Hope you can help; I'm not a malware expert unfortunately.

Many thanks in anticipation. Really realising the value of CIMA now I am coming to understand it! Just need a bit better explanation for mere mortals :-)

Mouse

As CIMA executes a malware sample in a virtual environment and notices all changes to the system, it analyzes all changes after a given time period; you can call it the time-out period. When it times out, the process it executed may still be running (active) or may have completed (exited).

Regarding the verdict, it analyzes all activities and, depending on the impact the malware's execution made on the system, it gives a verdict. So it can be the downloader as well as the downloaded application.

Thanks
-umesh
Logged
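umesh's description (execute the sample in a virtual environment, record what it changes, score the impact once a fixed time-out expires, and note whether the process was still active at that point) can be modelled as a small verdict routine. The following is an added illustration written for this thread, not CIMA's or Comodo's own code: the event names, impact weights, threshold, report layout and the three sample runs are all assumptions constructed for the example. It also covers knk2006's and mouse1's later point: 'undetected' is a statement about what was observed within the time window, so the report carries an explicit caveat when the process was still running when the clock ran out.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical impact weights per observed behaviour (assumption for this example;
# CIMA's real indicators and weights are not given in the thread).
IMPACT_WEIGHTS: Dict[str, int] = {
    "file_write_user_dir": 1,         # common for installers and updaters
    "registry_run_key_set": 4,        # autostart persistence
    "service_created": 4,
    "remote_thread_created": 5,       # code placed into another process
    "network_download_then_exec": 6,  # fetch-and-run: downloader behaviour
    "security_product_tampered": 6,
}
SUSPICIOUS_THRESHOLD = 5  # assumption


@dataclass
class SandboxRun:
    """What a time-limited dynamic analysis hands to the verdict step."""
    sample_id: str
    timeout_seconds: int
    events: List[str]                 # behaviours recorded during the run
    process_active_at_timeout: bool   # True: still running when the clock expired


@dataclass
class Verdict:
    label: str                        # "undetected" or "suspicious"
    impact_score: int
    matched: List[str]
    notes: List[str] = field(default_factory=list)


def assess(run: SandboxRun) -> Verdict:
    """Turn the recorded behaviour into a verdict plus the caveats a reader needs."""
    matched = [e for e in run.events if e in IMPACT_WEIGHTS]
    unknown = sorted({e for e in run.events if e not in IMPACT_WEIGHTS})
    score = sum(IMPACT_WEIGHTS[e] for e in matched)
    label = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "undetected"

    notes: List[str] = []
    if label == "undetected":
        # The wording umesh agreed to in the thread: a statement about what was
        # observed, not a certificate that the file is clean.
        notes.append("No malware behaviour detected, based on the analysis above.")
    if run.process_active_at_timeout:
        notes.append(
            f"Process was still active when the {run.timeout_seconds}s time-out "
            "expired; anything it did after that point was not observed."
        )
    if unknown:
        notes.append("Unclassified events (not scored): " + ", ".join(unknown))
    return Verdict(label, score, matched, notes)


def render(run: SandboxRun, verdict: Verdict) -> str:
    """Plain-text report in the spirit of the CAMAS execution report."""
    lines = [f"Sample: {run.sample_id}", f"Verdict: {verdict.label}",
             f"Impact score: {verdict.impact_score}"]
    lines += [f"  observed: {e} (+{IMPACT_WEIGHTS[e]})" for e in verdict.matched]
    lines += [f"  note: {n}" for n in verdict.notes]
    return "\n".join(lines)


# Constructed sample runs (not real CAMAS output); the hashes are placeholders.
BENIGN_RUN = SandboxRun("<sha256-placeholder-1>", 60,
                        ["file_write_user_dir"], process_active_at_timeout=False)
DOWNLOADER_RUN = SandboxRun("<sha256-placeholder-2>", 60,
                            ["file_write_user_dir", "network_download_then_exec"],
                            process_active_at_timeout=False)
# Nothing scorable within the window and still running: the case mouse1 asks about.
SLEEPER_RUN = SandboxRun("<sha256-placeholder-3>", 60,
                         ["unknown_api_sequence"], process_active_at_timeout=True)

if __name__ == "__main__":
    for run in (BENIGN_RUN, DOWNLOADER_RUN, SLEEPER_RUN):
        print(render(run, assess(run)), end="\n\n")
```

The third run is the one worth reading: it comes back 'undetected' with a score of 0, but the report says the process was still active at the time-out and that an event it could not classify was seen, which is exactly the qualification the thread asks for rather than a bare 'undetected'.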
knk2006
« Reply #13 on: August 25, 2009, 04:00:59 PM »

Quote
Hi mouse1,
As CIMA executes a malware sample in a virtual environment and notices all changes to the system, it analyzes all changes after a given time period; you can call it the time-out period. When it times out, the process it executed may still be running (active) or may have completed (exited).

Regarding the verdict, it analyzes all activities and, depending on the impact the malware's execution made on the system, it gives a verdict. So it can be the downloader as well as the downloaded application.

Thanks
-umesh

Thanks for the clarification... However, with coco << that's how I like to call CIS... I shall not worry :D
mouse1
« Reply #14 on: August 26, 2009, 02:23:54 AM »

Quote
Hi mouse1,
As CIMA executes a malware sample in a virtual environment and notices all changes to the system, it analyzes all changes after a given time period; you can call it the time-out period. When it times out, the process it executed may still be running (active) or may have completed (exited).

Regarding the verdict, it analyzes all activities and, depending on the impact the malware's execution made on the system, it gives a verdict. So it can be the downloader as well as the downloaded application.

Thanks
-umesh

OK thanks can now use CIMA with more confidence.

So maybe say - 'Some malicious activity may have been missed since CIMA timed out before submitted file had stopped running.'

Best wishes

Mouse