Author Topic: Report trusted and whitelisted malware here - 2022 (NO LIVE MALWARE!)  (Read 42727 times)

FlorinG (Comodo Staff)
Re: Report trusted and whitelisted malware here - 2022 (NO LIVE MALWARE!)
« Reply #60 on: January 10, 2022, 01:51:20 PM »
Hello yigido,

Thank you for your submissions, we'll check them.

Best regards,
FlorinG
If possible please post your malware submissions as SHA1 lists (created with HashMyFiles or any other software). Always make sure first you have submitted the samples through CIS.

yigido (Malware Research Group)
« Reply #61 on: January 10, 2022, 04:38:37 PM »
Trusted Malware

SHA-1: 74ce4a67687b19d2bea5e4cf7ece3fa222307c2d
https://www.virustotal.com/gui/file/95104c5892d5c7103d3c4fc6d1137006a419a869c9906b6c37854c67a343bbb9/details

File persists in File Intelligence!

Qiuhui.Wang (Comodo Staff)
« Reply #63 on: January 10, 2022, 08:53:01 PM »
Quote from: yigido
Trusted Malware

SHA-1: 74ce4a67687b19d2bea5e4cf7ece3fa222307c2d
https://www.virustotal.com/gui/file/95104c5892d5c7103d3c4fc6d1137006a419a869c9906b6c37854c67a343bbb9/details

File persists in File Intelligence!

Trusted Potential Unwanted App - PUA Hacktool

SHA-1: 9d6d0fea98e4d6ba614d9c1bdc24d2e83451b228

https://www.virustotal.com/gui/file/1ad888606f448d0d04c37ba11348b4c7d06f22b1cb3e8c217a21a5674bf29ce0/detection
https://valkyrie.comodo.com/get_info?sha1=9d6d0fea98e4d6ba614d9c1bdc24d2e83451b228

Hi,

Thank you for your submission.
We'll check these.

Best regards
Qiuhui.Wang

yigido (Malware Research Group)
« Reply #64 on: January 13, 2022, 04:44:30 AM »
« Last Edit: January 13, 2022, 04:48:26 AM by yigido »

FlorinG (Comodo Staff)
« Reply #65 on: January 13, 2022, 08:48:23 AM »
Hello yigido,

Thank you for sharing this, we'll check this.

Best regards,
FlorinG

yigido (Malware Research Group)
« Reply #66 on: January 13, 2022, 09:29:13 AM »
Trusted Malware

SHA-1: cccfe140340370a7b8ccf70e76c0284203e26322
https://www.virustotal.com/gui/file/17fe63c10c3972244152780f75e723914c2ca4dd1a03ff2dc9c4d6b999a99505/detection
https://valkyrie.comodo.com/get_info?sha1=cccfe140340370a7b8ccf70e76c0284203e26322

"Human Expert Analysis" says it is safe! How did this happen?

Hi FlorinG,

Please remove the "InstallShield Software Corporation" vendor from the Trusted Vendor List (TVL).
One example is enough for deleting it from "Trusted".
Please see the screenshot.

Please check it.

Thanks,
yigido

bogdanr (First Response Group)
« Reply #67 on: January 13, 2022, 10:05:19 AM »
Quote from: yigido
Hi FlorinG,

Please remove the "InstallShield Software Corporation" vendor from the Trusted Vendor List (TVL).
One example is enough for deleting it from "Trusted".
Please see the screenshot.

Please check it.

Thanks,
yigido


Hi yigido,

The TVL layer does not work as you might think.

1. The mentioned file (from your VT link) is actually signed with "Flexera Software LLC" as the name (if you are referring to a different file, please let us know).
2. TVL entries cover only certificates with a trusted CA chain and a valid signature (not self-signed, expired, invalid, or altered by injected malware), which have been evaluated internally by a complex process with multiple additional layers of decision and control.

Thanks,
Bogdan
« Last Edit: January 13, 2022, 10:08:12 AM by bogdanr »

yigido (Malware Research Group)
« Reply #68 on: January 13, 2022, 10:12:43 AM »

Quote from: bogdanr
Hi yigido,

The TVL layer does not work as you might think.

1. The mentioned file (from your VT link) is actually signed with "Flexera Software LLC" as the name (if you are referring to a different file, please let us know).
2. TVL entries cover only certificates with a trusted CA chain and a valid signature (not self-signed, expired, invalid, or altered by injected malware), which have been evaluated internally by a complex process with multiple additional layers of decision and control.

Thanks,
Bogdan

Hi Bogdan,

Please see the attached screenshot.
It shows the trusted PUA submission above. Same hash (SHA-1: cccfe140340370a7b8ccf70e76c0284203e26322).

Thanks,

bogdanr (First Response Group)
« Reply #69 on: January 13, 2022, 11:59:12 AM »
For the submitted file, the cert is not valid. As per your screenshot, it just says signed (signature not validated; CIS would validate the status on encounter and check against the TVL only if valid), and the company stated is taken from the file version, not from the cert name (it does not state that the certificate name is the company name which distributes the file; the company name is taken from the file version, and these are two totally different things). Can you please specify the Comodo product and version you are using (from the screenshot)?
« Last Edit: January 13, 2022, 12:05:41 PM by bogdanr »
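The two replies from bogdanr above describe a trust-decision order: validate the signature first (trusted CA chain, not self-signed, not expired, file digest still matching), consult the trusted vendor list only when that validation succeeds, and never treat the CompanyName from the file's version resource as the signer. The following is an added teaching model of that order, written for this page; it is not Comodo's code, and the `SignatureInfo`/`FileRecord` classes, the `TVL` set, the sample records and their all-zero SHA-1 placeholders are constructed. The vendor strings "Flexera Software LLC" and "InstallShield Software Corporation" are taken from the thread; real products obtain the verification outcome from OS Authenticode APIs, which the record fields simulate here.

```python
"""Model of a signature-gated trusted-vendor-list (TVL) decision.

Added illustration, not Comodo's implementation. Signature verification is
simulated by fields on SignatureInfo; a real product fills them from the
operating system's Authenticode validation.
"""

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SignatureInfo:
    present: bool
    signer_name: Optional[str] = None   # subject name from the validated certificate
    chain_trusted: bool = False         # chains to a trusted CA
    self_signed: bool = False
    expired: bool = False
    digest_matches: bool = False        # False when the file was altered after signing


@dataclass
class FileRecord:
    sha1: str
    version_company_name: Optional[str]  # CompanyName from the PE VERSIONINFO resource
    signature: SignatureInfo


# Constructed TVL: names as they appear in a validated certificate subject.
TVL = {"Flexera Software LLC", "Example Vendor Inc"}


def signature_is_valid(sig: SignatureInfo) -> bool:
    """All conditions the reply lists must hold before the TVL is consulted."""
    return (sig.present and sig.chain_trusted and not sig.self_signed
            and not sig.expired and sig.digest_matches)


def tvl_decision(rec: FileRecord, tvl=TVL) -> Tuple[str, str]:
    """Return (verdict, reason). 'trusted' only for a validated signature whose
    signer is on the TVL; everything else stays 'unknown' for the other layers."""
    sig = rec.signature
    if not sig.present:
        return "unknown", "unsigned: TVL not consulted"
    if not signature_is_valid(sig):
        return "unknown", "signature did not validate: TVL not consulted"
    if sig.signer_name in tvl:
        return "trusted", f"valid signature by TVL vendor '{sig.signer_name}'"
    return "unknown", f"valid signature, but '{sig.signer_name}' is not on the TVL"


def company_name_mismatch(rec: FileRecord) -> bool:
    """True when VERSIONINFO CompanyName differs from the validated signer.
    Only meaningful for a valid signature; otherwise there is no signer to compare."""
    sig = rec.signature
    return signature_is_valid(sig) and rec.version_company_name != sig.signer_name


# Constructed samples (placeholder hashes, not real files).
SAMPLES = {
    # Version info names one company, the certificate another, and the file was
    # modified after signing, so the signed digest no longer matches.
    "altered_after_signing": FileRecord(
        "0" * 40, "InstallShield Software Corporation",
        SignatureInfo(present=True, signer_name="Flexera Software LLC",
                      chain_trusted=True, digest_matches=False)),
    # Same name mismatch, but the signature validates and the signer is on the TVL.
    "valid_tvl_vendor": FileRecord(
        "1" * 40, "InstallShield Software Corporation",
        SignatureInfo(present=True, signer_name="Flexera Software LLC",
                      chain_trusted=True, digest_matches=True)),
    # A self-signed certificate carrying a TVL vendor's name never reaches the lookup.
    "self_signed_lookalike": FileRecord(
        "2" * 40, "Flexera Software LLC",
        SignatureInfo(present=True, signer_name="Flexera Software LLC",
                      chain_trusted=False, self_signed=True, digest_matches=True)),
    # CompanyName alone, with no signature at all.
    "unsigned": FileRecord("3" * 40, "Flexera Software LLC", SignatureInfo(present=False)),
}


def run_samples() -> dict:
    return {name: tvl_decision(rec)[0] for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        verdict, reason = tvl_decision(rec)
        print(f"{name:24} {verdict:8} {reason}")
```

Running it shows that only the `valid_tvl_vendor` record becomes trusted, even though its version resource names a different company; the altered, self-signed and unsigned records all stop before the TVL is ever consulted, which is the behaviour the reply describes for the reported file.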

yigido (Malware Research Group)
« Reply #70 on: January 13, 2022, 12:36:00 PM »
Quote from: bogdanr
For the submitted file, the cert is not valid. As per your screenshot, it just says signed (signature not validated; CIS would validate the status on encounter and check against the TVL only if valid), and the company stated is taken from the file version, not from the cert name (it does not state that the certificate name is the company name which distributes the file; the company name is taken from the file version, and these are two totally different things). Can you please specify the Comodo product and version you are using (from the screenshot)?
Attached

yigido (Malware Research Group)
« Reply #71 on: January 17, 2022, 07:25:51 AM »
Why do you guys add Potential Unwanted Apps to the whitelist? Joke samples shouldn't be whitelisted  :-TD
In my opinion, some files should stay in the gray area. They may not be bad, but they are not safe either. Please remove the clean verdict of these samples.

Trusted Joke Malware - PUA
https://valkyrie.comodo.com/get_info?sha1=207c3f932d8ac66bc10e090a97c02ac07dbb68fa
https://valkyrie.comodo.com/get_info?sha1=3200c4e4d0d4ece2b2aadb6939be59b91954bcfa
https://valkyrie.comodo.com/get_info?sha1=329bbdb1f877942d55b53b1d48db56a458eb2310
https://valkyrie.comodo.com/get_info?sha1=493286b108822ba636cc0e53b8259e4f06ecf900
« Last Edit: January 17, 2022, 07:29:40 AM by yigido »

FlorinG (Comodo Staff)
« Reply #72 on: January 17, 2022, 07:45:07 AM »
Hello yigido,

Thank you for reporting this. We'll check these.

Best regards,
FlorinG

meldan (First Response Group)
« Reply #74 on: January 23, 2022, 11:14:35 AM »
Hi,

Thank you for your submission, we'll check it.

Kind Regards,
Erik M.

 
