Comodo Cloud Antivirus v1.12.420066.533 RC

Hi mad & woodrow,

Could you please provide us with some “Being analyzed” files? I want to check them on our side.

thanks in advance!

The second screenshot from mad shows the dates; for me, these dates change to the current date every time I open that window.

Could this be an issue? The date should be the date the files were submitted right?

/W

@woodrow
The dates do not change in my case. The files and the dates stay the same.
Only when I am installing a new game and give it exception in CCAV, it gets added to the end of the being analyzed list; upon uninstalling the game, the entry disappears.

@Flykite and pio
I have sent you a link to the archive containing some sample files from the previously posted list.

Hi woodrow,
We are not there yet but working towards that goal.
There are significant improvements, but every submitted file cannot be classified overnight at the moment; some do get analyzed very fast and some don’t.

Rest assured, we are working towards that goal, where you get up and the CCAV world is classified into black and white :slight_smile:

Thanks
-umesh

Great Umesh!
Then it is not a good idea to release information saying that detection should take only 4 hours; this only adds to the confusion. (See posts above.)
It is always better to say that this is still a work in progress, or else people trying CCAV will just uninstall it and start spreading ■■■■.

Keep up the good work!

/W

Hi guys, what happened to Valkyrie now?
You guys must have found my ID or something: poof, and all the “Being analyzed” entries were gone and the counter was down to zero.
Just for fun I ran 2 of these files again (all malware, by the way), and they ended up Being analyzed again… :o
Another thing is even stranger: all the files (malware) are now analyzed, but they did not get removed. Did Valkyrie have a few too many in these vaccination times, or what?

/W

We are still missing point 6 in this graphic. Many unnecessary reanalyses and a great delay in protecting the whole community (detecting malware on everyone’s system). This had been working great with CIMA analysis: after finding suspicious behaviour, the global cloud signature was made instantly (i.e. from executing new malware in the sandbox to global detection for CIS users in ~15 minutes). BTW, this is the new MS Windows Defender algorithm.

Hi morphiusz,
Please elaborate as what you mean we are still missing point 6?

Thanks
-umesh

No synchronization with verdicts from valkyrie.comodo.com and CCAV.
Are files found by Valkyrie to be malware (especially by human analysis), submitted either via the web interface or CCAV itself, detected globally ad hoc?
Reanalysis of re-executed files even though they had a verdict before (according to woodrow).
I haven’t tested CCAV recently but remember that I had similar experience.

Hi morphiusz,
This is how it works:
1. A file gets analyzed by any system, Valkyrie or human; the file’s verdict is immediately reflected via FLS (File Lookup Service). This way any new user who sees the file benefits immediately.

2. In case a file has been seen by CCAV and is under analysis on a given client, it is looked up at least once a day to re-check the latest verdict, malware or safe.

So we do have all six points firmly in place.

Now regarding the problem woodrow is seeing, that he has files classified in the back-end but still not classified by CCAV: we will be looking at those cases to see if we have a syncing problem somewhere between Valkyrie and the lookup service.

So to answer your questions:

There is a periodic lookup for files under analysis in CCAV.

Yes, CIS benefits as well.

We did have issues in the past where Valkyrie results were not reflected in the cloud. Should be all fine now.

Thanks
-umesh

Thanks! Good to know.
Is this scenario true?

  1. File is submitted via valkyrie.comodo.com
  2. Found to be malware
  3. Immediate synchronization with FLS is made, and after execution of that file the user will get cloud detection (either CIS/CCAV)?
In case a file has been seen by CCAV and is under analysis on a given client, it is looked up at least once a day to re-check latest verdict if malware or safe.

An option in “being analyzed” tab in CCAV to “refresh verdict” would be handy. :slight_smile:

Thank you for your detailed answer.

I don’t know how reliable Viruscope is (false positives), but I just wanted to share a thought I had.

When an unknown file runs in the sandbox, Viruscope can take 5 seconds to 1 minute to detect the file as malicious.

When the next user runs the same unknown file, the file could be detected as a Viruscope Cloud Signature and the user could get an alert immediately that Viruscope cloud detects it as a malicious file.
So the next user doesn’t have to wait for Viruscope to detect the malicious file in the sandbox.

And since the file is the same as the first user’s, they will get the same recommended option to quarantine the file.

Hi morphiusz,
That’s right.

As soon as a malware or safe verdict is given on a file on the server side, it is immediately reflected via the cloud and is available to all clients, whether CIS, CCAV or any other Comodo service that could be using FLS.

However, once a file is found unknown by CCAV, the question becomes at what frequency you poll the server to learn the latest verdict. Here we have incremental logic: check after 1 hour, then 2 hours, and finally the file is looked up once every 24 hours at most.

So if a file that was under analysis has been confirmed as malware on the server side, the client must see the latest malware verdict within the next 24 hours at most. If not, then either we have some issue syncing results to the cloud, or the client is failing to look it up because of some machine-specific issue.

Thanks
-umesh
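
The polling schedule Umesh describes above (check after 1 hour, then 2 hours, then at most once per 24 hours), together with the “refresh verdict” button morphiusz asked for, as an added example. This is constructed illustration code, not Comodo’s code and not from any post in this thread. Its assumptions, also marked in the comments: the File Lookup Service is a local stub that makes a verdict visible from a chosen time onward; the interval doubles between the 2-hour and the 24-hour check (the post only names 1 h, 2 h and a 24 h maximum); the client wakes once an hour; a file is identified by its SHA-256.

```python
"""Client-side verdict polling for files that are "Being analyzed".

Constructed example (not Comodo's code). Models an incremental lookup
schedule: re-check the File Lookup Service (FLS) 1 h after a file is first
seen as unknown, then 2 h later, doubling the interval (assumption) until a
file is looked up at most once per 24 h. Also shows a "refresh verdict"
action and that a file with a cached verdict is never queued again.
"""
import hashlib
from dataclasses import dataclass

HOUR = 3600
FIRST_INTERVAL = 1 * HOUR   # "check after 1hour"
MAX_INTERVAL = 24 * HOUR    # "looked up once in maximum 24hrs"


def sha256_hex(data):
    """File identity used for lookups (assumption: SHA-256 of the bytes)."""
    return hashlib.sha256(data).hexdigest()


class FakeFLS:
    """Stub for the cloud File Lookup Service (constructed, not the real API).

    A verdict published with `at` becomes visible to lookups at or after `at`,
    which stands in for server-side analysis finishing at a later time.
    """

    def __init__(self):
        self._verdicts = {}  # sha256 -> (available_at, verdict)

    def publish(self, sha256, verdict, at):
        self._verdicts[sha256] = (at, verdict)

    def lookup(self, sha256, now):
        rec = self._verdicts.get(sha256)
        if rec is None or now < rec[0]:
            return "unknown"
        return rec[1]


@dataclass
class Pending:
    next_lookup: int
    interval: int = FIRST_INTERVAL
    lookups: int = 0


class Client:
    """Tracks unknown files and polls FLS with an incremental back-off."""

    def __init__(self, fls):
        self.fls = fls
        self.pending = {}   # sha256 -> Pending  (the "Being analyzed" list)
        self.resolved = {}  # sha256 -> verdict  (cached; never re-polled)

    def on_execute(self, data, now):
        """Called when a file runs; returns the verdict known right now."""
        sha = sha256_hex(data)
        if sha in self.resolved:
            return self.resolved[sha]      # no re-analysis once classified
        verdict = self.fls.lookup(sha, now)
        if verdict != "unknown":
            self.resolved[sha] = verdict
            return verdict
        self.pending.setdefault(sha, Pending(next_lookup=now + FIRST_INTERVAL))
        return "unknown"

    def _check(self, sha, now):
        pf = self.pending[sha]
        pf.lookups += 1
        verdict = self.fls.lookup(sha, now)
        if verdict != "unknown":
            self.resolved[sha] = verdict
            del self.pending[sha]
        else:
            pf.interval = min(pf.interval * 2, MAX_INTERVAL)  # 1h,2h,4h,...,24h (doubling is an assumption)
            pf.next_lookup = now + pf.interval
        return verdict

    def tick(self, now):
        """Run every lookup that is due; return {sha: verdict} newly resolved."""
        due = [sha for sha, pf in self.pending.items() if now >= pf.next_lookup]
        return {sha: v for sha in due if (v := self._check(sha, now)) != "unknown"}

    def refresh(self, data, now):
        """The requested 'refresh verdict' button: look up now, ignoring the schedule."""
        sha = sha256_hex(data)
        if sha in self.pending:
            return self._check(sha, now)
        return self.resolved.get(sha, "unknown")


SAMPLE = b"constructed sample bytes standing in for an unknown executable"


def hours_until_seen(publish_hour, horizon_hours=130):
    """Hours after first sighting until the client sees a verdict published at publish_hour."""
    fls = FakeFLS()
    client = Client(fls)
    assert client.on_execute(SAMPLE, 0) == "unknown"
    fls.publish(sha256_hex(SAMPLE), "malware", at=publish_hour * HOUR)
    for t in range(0, horizon_hours * HOUR + 1, HOUR):  # client wakes once an hour (assumption)
        if client.tick(t):
            return t // HOUR
    return None


def worst_case_lag(max_publish_hour=96):
    """Largest gap (hours) between a server verdict and the client seeing it."""
    return max(hours_until_seen(h) - h for h in range(max_publish_hour + 1))


if __name__ == "__main__":
    for h in (0, 10, 20, 40):
        print(f"verdict published at {h:>2} h -> client sees it at {hours_until_seen(h)} h")
    print("worst-case lag over publish times 0..96 h:", worst_case_lag(), "h")
```

With the assumed doubling, the lookups fall at 1, 3, 7, 15, 31, 55, 79, … hours after first sighting, so the lag between a server-side verdict and the client seeing it stays under the 24-hour bound Umesh gives; `refresh` collapses that lag to zero on demand, and a re-executed file that already has a verdict is answered from the cache instead of landing in “Being analyzed” again.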

Hi BlueTesta,
Viruscope is for providing results immediately based on behavior; it allows handling any kind of polymorphic malware, and these results are also transmitted to the back-end.

Finally, in the back-end, when the centralized system confirms that the file really was malware, the results are made available to all users via the cloud.

Thanks
-umesh

Ah thanks, good to know :slight_smile:

I can confirm that many detections are being made in the cloud. I tested CIS on a VM and I noticed that quite a few samples are not detected on-demand at first, but are detected on-execution when CIS performs a Cloud Lookup.

Hello woodrow, we will research your issue. Since you can reproduce it, please do the following steps.

1. Uninstall CCAV if you installed it before, and then install it again. (Please do not update it, because we want fresh data.)

2. Save the script below as xxx.reg and execute it. It will only enable the CCAV log function.
*

3. Reboot your system.

4. Run your malware file in the sandbox (manual sandbox, or as you like). As you say, the malware can stay in the Valkyrie analyzing list; we can wait for one day, and there is no analysis result.

5. There is a log for the Valkyrie scan or FLS scan at “C:\ProgramData\COMODO\CCAV\usage_stat_log.txt”. You can send me an email with the file attached; my email is “xiaohua.ma[at]comodo.com”. If sending fails, you can use the other one, “273623676[at]qq.com”.

6. Or you can contact me directly.

Thank you for reporting your issue.

Hi nasion,
I will try to get this done, but I cannot promise when; my one-year-old does not like me in front of the computer ;D

I will install CCAV in a new VM; does that work for you?
Regarding not updating after install, I do not understand: I have not found a way to manually update CCAV?
Do you want me to run the same malware again? These must be detected by now and will not give the correct picture, or?

/W

1. Yes, you can install a new CCAV too.
2. Yes, you should run the same malware again.
3. “These must be detected by now?” I do not know, because you say you can reproduce it, so I want you to reproduce it and get the CCAV log.

From what I understand here, it will take hours for new unknowns to get a verdict and a remedy in place?

The article behind Morphiusz’s pic:

https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/?platform=hootsuite

If you read this you will see that Windows Defender (with cloud lookup enabled) takes care of new unknowns in just 6 seconds!

Or am I comparing apples and oranges here?

/W