Author Topic: Classification and Detection "Singularity" ?!  (Read 437 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 408
  • I like CIS , Kali Linux and IDA Pro ! ;)
Classification and Detection "Singularity" ?!
« on: May 24, 2017, 11:58:41 PM »
Hey guys, I have a late-night (for me) discussion with "Futuretech" about this topic !!!  ;)

Trust applications signed by trusted vendors file rating setting : ON

https://valkyrie.comodo.com/get_info?sha1=6ccdae5524dac0ccd033985557775df0b7735157

COMODO VT Verdict : Application.RiskTool.AnyDesk.~
Human Expert Analysis : CLEAN
Valkyrie signature detection : CLEAN
CAV : NO Detection

https://valkyrie.comodo.com/get_info?sha1=9ca7408cb40c29a73c913c407aa0a8c771633531

COMODO VT Verdict : ApplicUnwnt.UnclassifiedMalware
Human Expert Analysis : PUA
Valkyrie signature detection : MALWARE
CAV : NO Detection

Trust applications signed by trusted vendors file rating setting : OFF

https://valkyrie.comodo.com/get_info?sha1=6ccdae5524dac0ccd033985557775df0b7735157

COMODO VT Verdict : Application.RiskTool.AnyDesk.~
Human Expert Analysis : CLEAN
Valkyrie signature detection : CLEAN
CAV : Positive Detection as Application.RiskTool.AnyDesk.~

https://valkyrie.comodo.com/get_info?sha1=9ca7408cb40c29a73c913c407aa0a8c771633531

COMODO VT Verdict : ApplicUnwnt.UnclassifiedMalware
Human Expert Analysis : PUA
Valkyrie signature detection : MALWARE
CAV : Positive Detection as ApplicUnwnt.UnclassifiedMalware

I think it is not a good idea that a "trusted vendor" classification seems to be a "stronger argument" than a positive signature detection! What do you think about that fact?

thx in advance !
« Last Edit: May 25, 2017, 02:13:24 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline fatih.orhan

  • Global Moderator
  • Comodo Loves me
  • *****
  • Posts: 157
Re: Classification and Detection "Singularity" ?!
« Reply #1 on: May 25, 2017, 12:27:21 AM »
Hi Pio

Those are really tricky cases, and a double-edged sword. The first sample you analyzed is a remote desktop application. We cannot conclude it has malware behavior, but it may lead to it in some circumstances. So the human expert verdict is SAFE. The second one is already "ApplicUnwnt.UnclassifiedMalware" in VT, the same as the PUA definition. And our experts marked it as such, probably because there is an additional adware component installed with the software.

We may get the details from experts if you want. But in any case, the vendor classification helps much to reduce false classifications, rather than the inverse.

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 408
  • I like CIS , Kali Linux and IDA Pro ! ;)
Re: Classification and Detection "Singularity" ?!
« Reply #2 on: May 25, 2017, 02:38:08 AM »
Hi Fatih ,

Thanks for your quick and detailed reply !!! :-TU

I have changed my post a bit! I would like to say more, but I'll give you a longer answer later, because I need sleep! Now! Sorry ...   :a0

Let's try it with a small riddle and with regard to the headline of my thread. I hope this is not too cryptic ?! ;)


Trust applications signed by trusted vendors file rating setting : ON

COMODO VT Verdict : Application.RiskTool.AnyDesk.~
Human Expert Analysis : CLEAN
Valkyrie signature detection : CLEAN
CAV : NO Detection

Trust applications signed by trusted vendors file rating setting : OFF

COMODO VT Verdict : Application.RiskTool.AnyDesk.~
Human Expert Analysis : CLEAN
Valkyrie signature detection : CLEAN
CAV : Positive Detection as Application.RiskTool.AnyDesk.~

Question: What's wrong? Several answers are possible !!! Futuretech, do you wanna say something ?  :D
« Last Edit: May 25, 2017, 03:16:09 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2906
Re: Classification and Detection "Singularity" ?!
« Reply #3 on: May 25, 2017, 03:33:21 PM »
User won't get PUA CAV detection unless trust applications signed by trusted vendors is disabled in CIS file rating settings.

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 408
  • I like CIS , Kali Linux and IDA Pro ! ;)
Re: Classification and Detection "Singularity" ?!
« Reply #4 on: May 26, 2017, 01:13:38 AM »
almost right ......  ;)

User won't get PUA CAV detection unless trust applications signed by trusted vendors is enabled in CIS file rating settings.

Trust applications signed by trusted vendors file rating setting : ON

COMODO VT Verdict : Application.RiskTool.AnyDesk.~
Human Expert Analysis : CLEAN
Valkyrie signature detection : CLEAN
CAV : NO Detection

Further questions follow ....  ;)
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

 
