Author Topic: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009

Offline Eljo

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #15 on: November 30, 2009, 04:15:42 PM »
This means that the Heuristics detection finds it suspicious that the file has a "double extension"

Normally the file would be .tmp or .exe, not .tmp.exe, as extension, so based on this fact only it flags it as suspicious, because this trick is used by malware to trick users into "running" it. But I assume you have set Heuristics detection to High for this kind of alert, correct?


No idea, I did not touch the Heuristics settings.
My questions and remarks will not always point to below mentioned machines!
Windows 8.1 ASUS A75DE, AMD A8 4500M, 1.9Ghz, Radeon Dual HD7640G, HDD 500GB, Ram 8GB,  CIS8.x,

Offline Ronny

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #16 on: November 30, 2009, 04:56:01 PM »
Can you please check the AV settings for Real-Time and Manual scan and see how Heuristics is set?

Groet,
Ronny
Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!

Offline Eljo

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #17 on: December 01, 2009, 01:18:40 AM »
Can you please check the AV settings for Real-Time and Manual scan and see how Heuristics is set?

Groet,
Ronny

Hi Ronny, all tabs are LOW.

Offline Ronny

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #18 on: December 01, 2009, 02:15:01 AM »
I think you can safely conclude it's a False Alert. It's just the heuristics engine complaining about the double extension...

Offline SiberLynx

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #19 on: December 01, 2009, 08:03:25 PM »
Hi Guys,

... This means that the Heuristics detection finds it suspicious that the file has a "double extension"...

Leaving aside the fact that I'm not using Comodo's AV, I may say that none of the antivirus / antimalware solutions should flag anything based on any file names.

That is less than funny.

Yes, there could be worms in files like <look at this picture>.jpg.com, we all know that...

But we have this “multi-extensions” feature and we have the right to use it.

Some programs dynamically generate executables. The double/triple extension could be a part of the process... (I am using that in some coding)

Would Comodo trigger the detection when one renames a simple text file and calls it “textFile.txt.exe”??? … in such a situation probably even the file type will not be analyzed???
Why not? Is that what's going on? WoW!!!

Neither signature nor heuristics analysis should look at the names and make conclusions based on that.
The code is analyzed based on fingerprints for the former, plus “algorithmic guessing” is added to that for the latter.
The Behaviour Blockers analyze the code without signatures, based on the code's actions and the potential outcome of such actions.

What do file names have to do with any type of such analysis?

...I think you can safely conclude it's a False Alert. It's just the heuristics engine complaining about the double extension...
That should not be the case.
Neither False Positives nor Real detections should be made based on any names.

Cheers!
« Last Edit: December 01, 2009, 08:14:39 PM by SiberLynx »
Main OS - Ubuntu
XP Pro, SP3 (32bit), Admin; Comodo Firewall 3.14.130099.587; Proactive with Defense+; Emsisoft Anti-Malware v9; Sandboxie
Win 7 x64, Admin (UAC off); Win7 advanced FW +TinyWall; Emsisoft Anti-Malware v9; Sandboxie
Win 7 Ultimate 32bit (UAC off); Emsisoft Internet Security v9 beta

Offline OmeletGuy

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #20 on: December 01, 2009, 08:32:26 PM »
Hi Guys,

Leaving aside the fact that I'm not using Comodo's AV, I may say that none of the antivirus / antimalware solutions should flag anything based on any file names.

That is less than funny.

Yes, there could be worms in files like <look at this picture>.jpg.com, we all know that...

But we have this “multi-extensions” feature and we have the right to use it.

Some programs dynamically generate executables. The double/triple extension could be a part of the process... (I am using that in some coding)

Would Comodo trigger the detection when one renames a simple text file and calls it “textFile.txt.exe”??? … in such a situation probably even the file type will not be analyzed???
Why not? Is that what's going on? WoW!!!

Neither signature nor heuristics analysis should look at the names and make conclusions based on that.
The code is analyzed based on fingerprints for the former, plus “algorithmic guessing” is added to that for the latter.
The Behaviour Blockers analyze the code without signatures, based on the code's actions and the potential outcome of such actions.

What do file names have to do with any type of such analysis?
That should not be the case.
Neither False Positives nor Real detections should be made based on any names.

Cheers!

It's not based on the file name, I have tested that. It's based on the code in the file: if the code has 2 extensions it gets the name Heur.Dual.Extensions.


Now get back to topic please, or make a thread for this.
« Last Edit: December 01, 2009, 08:34:10 PM by OmeletGuy »
System Details: W8.1-64bit | 16GB DDR3 | Intel Core I7-4710MQ[at]2.5Ghz to 3.5Ghz | CIS 8.2 | Geforce 840M

Offline SiberLynx

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #21 on: December 02, 2009, 12:04:50 AM »
It's not based on the file name, I have tested that. It's based on the code in the file: if the code has 2 extensions it gets the name Heur.Dual.Extensions.
Now get back to topic please, or make a thread for this.
Hi OmeletGuy,

Can you please clarify what you mean by getting back on topic?
The question was about the detection and the answer by Ronny was about the file name double-extension.

In addition I've seen similar question(s) somewhere else in the forum.

Can you please tell me what you mean by "the code has 2 extensions"?

I am really interested since I have kinda been writing programs for a long time ...
probably I am missing something about the "double/triple extension code"  :)

My regards

Offline OmeletGuy

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #22 on: December 02, 2009, 01:29:21 AM »
By get back on topic, I mean you're talking about CIS in the CIMA thread. :)


Actually I can't really tell you much about that (don't know much about it :P). All I know is that an exe that has Dual Extensions can execute something on one system and something else on a different system. That's why it's so dangerous.

That's as much as I know, but I may be wrong.  :-\

PM Umesh asking what Dual Extensions is, he will know exactly.

Offline SiberLynx

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #23 on: December 02, 2009, 02:12:22 AM »
By get back on topic, I mean you're talking about CIS in the CIMA thread. :)
Actually I can't really tell you much about that (don't know much about it :P). All I know is that an exe that has Dual Extensions can execute something on one system and something else on a different system. That's why it's so dangerous.
That's as much as I know, but I may be wrong.  :-\
PM Umesh asking what Dual Extensions is, he will know exactly.

Thanks for the reply OmeletGuy,

I don't need to PM Umesh regarding this since I know that for sure:

That must not be the issue of being detected by Heuristics!

If you tested that, please PM me the code you mentioned and I know how to test that.
(you can add a few words about the method of your test - that will be appreciated, but not really necessary)

Not that there is no such thing as "double-extension code" and I know how to write programs (please do not get me wrong - that is not confrontational talking) - that is a real big issue I can see here

As for the other sources I mentioned earlier:

«Harmful file flagged based on double extension»:
https://forums.comodo.com/empty-t9143.0.html
Heur.Dual.Extensions:
https://forums.comodo.com/empty-t45006.0.html
https://forums.comodo.com/empty-t42911.0.html
https://forums.comodo.com/empty-t42148.0.html
https://forums.comodo.com/empty-t42313.0.html

... and so on... That is definitely wrong – that must not happen ever.

The usual answer is:
Quote
Dual extensions are usually used by malware to disguise as genuine files. There is generic detection

That is not an answer at all!!!

Yes, you are right "Dual Extensions can execute something" as you said ... and I posted the most common example above ... so what?!

The names do not matter in relation to AV heuristics analysis
The names of the detections do not matter much either ... as we know....
Call it anything - like: "You.Are.Screwed" - it means as much as "Trojan.Agent.Backdoor.Opened.In.Your.BackYard.And.Horse.Is.In.Your.FrontYard.Eating.Grass"
 ;D
Again, none of the security products should do that as a result of “Heuristics analysis” !!!!
It could be a different additional service based on file names only, but not Heuristics … excuse me...

Cheers!
« Last Edit: December 02, 2009, 08:39:44 AM by SiberLynx »

Offline OmeletGuy

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #24 on: December 02, 2009, 02:41:21 AM »
Thanks for the reply OmeletGuy,

I don't need to PM Umesh regarding this since I know that for sure:

That must not be the issue of being detected by Heuristics!

If you tested that, please PM me the code you mentioned and I know how to test that.
(you can add a few words about the method of your test - that will be appreciated, but not really necessary)

Not that there is no such thing as "double-extension code" and I know how to write programs (please do not get me wrong - that is not confrontational talking) - that is a real big issue I can see here

As for the other sources I mentioned earlier:

«Harmful file flagged based on double extension»:
https://forums.comodo.com/empty-t9143.0.html
Heur.Dual.Extensions:
https://forums.comodo.com/empty-t45006.0.html
https://forums.comodo.com/empty-t42911.0.html
https://forums.comodo.com/empty-t42148.0.html
https://forums.comodo.com/empty-t42313.0.html

... and so on... That is definitely wrong – that must not happen ever.

The usual answer is:
That is not an answer at all!!!

Yes, you are right "Dual Extensions can execute something" as you said ... and I posted the most common example above ... so what?!

The names do not matter in relation to AV heuristics analysis
The names of the detections do not matter much either ... as we know....
Call it anything - like: "You.Are.Screwed" - it means as much as "Trojan.Agent.Backdoor.Opened.In.Your.BackYard.And.Horse.Is.In.Your.FrontYard.Eating.Grass"
 ;D
Again, none of the security products should do that as a result of “Heuristics analysis” !!!!
It could be a different additional service based on file names only, but not Heuristics … excuse me...

Cheers!

My test was to prove that detection isn't based on the name of the file, so pick any exe and add .tmp.exe or exe.tmp to the end of it.

That's all I did, and got no detection for it, so it's not name based; therefore it must be something in the code.

Offline JoWa

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #25 on: December 02, 2009, 02:48:16 AM »
I renamed pidgin-portable.exe to pidgin-portable.tmp.exe and scanned it: Heur.Dual.Extensions.
Ubuntu 17.04, 64-bit | Chrome 60β | HTTPS Everywhere | Privacy Badger
Forum Policy | Comodo Product Help

Offline SiberLynx

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #26 on: December 02, 2009, 04:58:05 AM »
I renamed pidgin-portable.exe to pidgin-portable.tmp.exe and scanned it: Heur.Dual.Extensions.
Thanks JoWa,

"Good" stuff ... Yeah!

... I am working with Pidgin Portable ...
I was talking to guys like half an hour ago, because they are on ICQ and I don't use it

That's what I was saying above about renaming files like that ... and my "guess", even not using Comodo's AV, was correct
Quote from: SiberLynx
... Would Comodo trigger the detection when one renames a simple text file and calls it “textFile.txt.exe” ???… in such a situation probably even the file type will not be analyzed??? Why not? Is that what's going on? WoW!!!

This thing is pure laughter ... - do we need Heuristics for that?
What kind of "Heuristics" is that?

Cheers!

=======

My test was to prove that detection isn't based on the name of the file, so pick any exe and add .tmp.exe or exe.tmp to the end of it.
That's all I did, and got no detection for it, so it's not name based; therefore it must be something in the code.

Sorry man,

That is a contradiction of your previous statements - you said that you tested the code(!) that somehow has a "double-extension"

and that is what "puzzled" me (not)
Now you are stating something different and that is just about the "names"

and JoWa got the opposite result

I have to refrain myself from writing more ... but I hope that you understand that the issue is serious and we must not allow ourselves... such a "freedom of speech" when answering questions from less experienced users...

 ... oh!! well...  enough said

Cheers!
« Last Edit: December 02, 2009, 05:16:32 AM by SiberLynx »

Offline JoWa

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #27 on: December 02, 2009, 06:36:15 AM »
Would Comodo trigger the detection when one renames a simple text file and calls it “textFile.txt.exe”???
No. (I renamed a text file and scanned it.) ;)

Offline SiberLynx

Re: CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009
« Reply #28 on: December 02, 2009, 06:43:13 AM »
No. (I renamed a text file and scanned it.) ;)
Thanks JoWa,

I'm glad to hear that ... much better than with Pidgin  :D

but still not good enough ... if you know what I mean  ;)

Cheers!


Offline fatih.orhan


 
