Author Topic: Is CIMA reliable?  (Read 11730 times)

Adonis (Comodo's Hero, 382 posts)
Is CIMA reliable?
« on: September 07, 2010, 03:27:21 PM »
I want to ask a question that has troubled me since I installed the CIS 5.0 beta.

Since CIMA is the basis of cloud behaviour blocking in CIS 5.0, can we trust it? CIMA should execute files in a virtual environment, and technically it should have 99.9% detection of malicious files because it sees how the cloaked file behaves on a real machine. So how could it not detect this file?

http://www.virustotal.com/file-scan/report.html?id=41c85ca55c212b87d22faada78d89d55fdf905bcdc85147fed6e4df6f4588c16-1283887157

http://camas.comodo.com/cgi-bin/submit?file=41c85ca55c212b87d22faada78d89d55fdf905bcdc85147fed6e4df6f4588c16

I doubt that 38/43 VirusTotal engines flagged it and it was a false positive.

EricJH (Global Moderator, Comodo's Hero, 23710 posts)
Re: Is CIMA reliable?
« Reply #1 on: September 07, 2010, 09:42:39 PM »
Your concern is with detection. Where, given the nature of prevention, it should be with the prevention capabilities of CIS v5. All unknown files will run sandboxed until found safe. If CIMA misses a malware, the malware will still run sandboxed.

Remember it is never CIMA that deems a file safe. That is done by analysts:
CIMA only marks the file if it's bad...
if it can't verdict a file it does NOT mark it as safe.

Melih
Let me put an end to this discussion:
Melih answered the question very clearly before.

CIMA is used to mark files as MALICIOUS, NOT AS SAFE. SAFE files are marked by analysts.

"If CIMA does not catch it, they must be marking it as safe" is a very naive assumption with no basis... Don't assume but experiment if you want to see what is going on.

So, even if CIMA is totally messing up, it will never tell you anything is safe. Unknown files will keep on running in the sandbox.

When it comes to preventing malware, a HIPS is still better than a behaviour blocker. So, I am not quite sure where you get the 99.9% condition from.

Other than that, it is good to look for discrepancies to see if there is room for improvement.

Also report this malware in the AV False Positive/Negative Detection Reporting board. And please only post the URLs to CIMA and VT when submitting it there; no malware should be posted in that board (read the stickies).

« Last Edit: September 07, 2010, 10:07:29 PM by EricJH »
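As an added illustration, not code from this thread or from Comodo, here is the fail-closed verdict policy Eric describes, written in Python: CIMA can only demote a file to malicious, an analyst whitelist is the only thing that can promote it to safe, and every other outcome (no verdict, analysis error) leaves the file sandboxed. The class and function names, the whitelist and the sample records are assumptions constructed for the example; the first sample reuses the SHA-256 and the 38/43 VirusTotal count quoted in the original post, with CIMA's result modelled as "no verdict".

```python
from dataclasses import dataclass
from enum import Enum


class CimaVerdict(Enum):
    """What the cloud behaviour analysis (CIMA) returned for a file."""
    MALICIOUS = "malicious"     # CIMA observed behaviour it classes as bad
    NO_VERDICT = "no verdict"   # nothing recognised as bad; NOT the same as safe
    ERROR = "error"             # analysis failed or timed out (e.g. sample would not run)


class Action(Enum):
    """What the endpoint does with the file."""
    BLOCK = "block"
    SANDBOX = "run sandboxed"
    TRUSTED = "run unrestricted"


@dataclass(frozen=True)
class Sample:
    sha256: str
    cima: CimaVerdict
    vt_detections: int = 0   # VirusTotal engines that flagged it (informational only)
    vt_engines: int = 0


# Hypothetical analyst whitelist keyed by SHA-256; constructed for this example.
# Only an analyst decision adds an entry here, never an automated verdict.
ANALYST_WHITELIST = frozenset({
    "0" * 64,   # placeholder hash of a file an analyst has reviewed and marked safe
})


def decide(sample: Sample, whitelist=ANALYST_WHITELIST) -> Action:
    """Fail-closed policy: only a positive CIMA hit blocks, only an analyst
    whitelist entry trusts, and every other case (no verdict, error) stays
    sandboxed. The VirusTotal fields are deliberately not consulted here."""
    if sample.cima is CimaVerdict.MALICIOUS:
        return Action.BLOCK          # assumption: a CIMA hit overrides a whitelist entry
    if sample.sha256 in whitelist:
        return Action.TRUSTED
    return Action.SANDBOX


def detection_gap(sample: Sample, ratio: float = 0.5) -> bool:
    """True when many AV engines flag the file but CIMA did not: the kind of
    discrepancy Eric suggests reporting to the FP/FN board. It never changes
    the containment decision; it only flags something worth a look."""
    if sample.vt_engines == 0 or sample.cima is CimaVerdict.MALICIOUS:
        return False
    return sample.vt_detections / sample.vt_engines >= ratio


# Constructed samples. The first hash and counts are the ones quoted in the thread.
SAMPLES = [
    Sample("41c85ca55c212b87d22faada78d89d55fdf905bcdc85147fed6e4df6f4588c16",
           CimaVerdict.NO_VERDICT, vt_detections=38, vt_engines=43),
    Sample("1" * 64, CimaVerdict.MALICIOUS, vt_detections=2, vt_engines=43),
    Sample("0" * 64, CimaVerdict.NO_VERDICT, vt_detections=0, vt_engines=43),
    Sample("2" * 64, CimaVerdict.ERROR),   # e.g. a VM-aware sample that refused to run
]


def triage(samples=SAMPLES):
    """Return one (sha256, action, report?) tuple per sample."""
    return [(s.sha256, decide(s), detection_gap(s)) for s in samples]


if __name__ == "__main__":
    for sha, action, gap in triage():
        print(f"{sha[:12]}...  {action.value:<17} {'REPORT' if gap else ''}")
```

The point of the split between `decide` and `detection_gap` is the one Eric makes: a miss in detection (the first sample) changes nothing about containment, because the file was never going to leave the sandbox without an analyst's say-so, while the VT/CIMA discrepancy is surfaced separately as something to report.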

Adonis (Comodo's Hero, 382 posts)
Re: Is CIMA reliable?
« Reply #2 on: September 08, 2010, 09:34:59 AM »
Quote from: EricJH on September 07, 2010, 09:42:39 PM (quoted in full above)

Thanks Eric.

I feel much safer after your answer  :)

But can you tell me why CIMA cannot detect the file I posted? The file is definitely malicious, so CIMA should detect some malicious behaviour in it.

EricJH (Global Moderator, Comodo's Hero, 23710 posts)
Re: Is CIMA reliable?
« Reply #3 on: September 08, 2010, 02:39:28 PM »
It could be a virtual-machine-aware malware. Another possible VM-aware malware is currently discussed in Chinese signed malware VS CIS 5 RC2.

goodjohn1984 (Comodo's Hero, 318 posts)
Re: Is CIMA reliable?
« Reply #4 on: February 06, 2011, 08:04:41 PM »
Quote from: EricJH on September 07, 2010, 09:42:39 PM (quoted in full above)

But sometimes installers cannot run in the Sandbox without crashing/failing/etc., so then you need to run them outside of the Sandbox to install the program, and if the HIPS, AV and Firewall miss some malware while running such an installer un-sandboxed, then the Sandbox is rendered useless in this situation (but the Sandbox can be helpful in many other situations). (I had some malware bypass CIS in this way. ;) )

I am happy that CIMA (not in CIS yet), Sandboxing, Comodo DNS, and Cloud Scanning are now in CIS; the more layers the better, usually, when properly balanced. :)

Keep up the good work Team Comodo. :)
