Author Topic: False positives and exploits which are undetected  (Read 119195 times)

Offline Slav

  • Comodo Member
  • **
  • Posts: 27
Re: False positives and exploits which are undetected
« Reply #34 on: October 24, 2012, 11:07:28 AM »
Thank you for your feedback, goodjohnjr! As we can see, the reports include unresolved domains or redirections to them. Results of competitors are based on the SURBL blocklist and a GEO-policy (UA or RU zones are suspicious by default). We use other methods. It should be noted that PHP scripts can redirect to other sites on each visit.

In addition, you can compare results with VT:

1. https://www.virustotal.com/url/0932c275759ba3b0a4f9b9791ae5c1efe932e7279f3b031db33006324b7bdbd9/analysis/1351090548/

2. https://www.virustotal.com/url/aaaad6d2ac028a40dfcc38df80456bc1e705a3602c7525c392f29a4f76c5bba0/analysis/1351090662/

3. https://www.virustotal.com/url/6e3fa5b9dcc397e2a92a31ad1d5a3bb948530a5830ac11ac072dea860cdfafde/analysis/1351090703/

4. https://www.virustotal.com/url/6e8317d7a8a681990ac71cac10763098c61ce259f8f4d71838916c30ad0c111e/analysis/1351090805/

5. https://www.virustotal.com/url/532342b74086aa6bcf3bb0ad8096a1227159db5544bd05b9781817e3ddb21ee0/analysis/1351090870/
« Last Edit: October 24, 2012, 11:11:18 AM by Slav »

Offline goodjohnjr

  • Comodo Family Member
  • ***
  • Posts: 61
Re: False positives and exploits which are undetected
« Reply #35 on: October 24, 2012, 11:39:30 AM »
Quote from: Slav on October 24, 2012, 11:07:28 AM (Reply #34, quoted in full above)

You are welcome and thank you. :)

I hate to say it, but since Comodo SiteInspector has existed I have wanted to like it, and I still do want to like it, but it has been the worst URL scanner that I have ever used/tested (I have been testing it since its beginning). It does so badly that it seems pretty much worthless, since it literally misses 98% or more of the URLs that I have tried/tested against it, which are collected from spam emails, email sent from hacked accounts, exploit, malicious and phishing websites that I and other people have accidentally come across, et cetera, and which other anti-malware companies have determined to be legitimate threats after I submitted them by email, to their URL scanners, to their forums, et cetera. Even things like Web Of Trust easily beat Comodo SiteInspector, and it does not even use a real-time malware scanner (that I know of) or anything but one or more block-lists and user ratings, as far as I know. SiteInspector has only detected 1-3 websites out of the many independently verified spam, scam, phishing, malicious, exploit, et cetera websites that I have submitted to it since its beginning.

I even use the Report As Malicious option a lot, and those links still usually do not get detected later, if ever, even after reporting them there and/or by email to Comodo.

I like the way that SiteInspector looks and the information that it shows, but its speed and detection abilities are terrible/horrible/the worst that I have ever tested/seen.

I seriously hope that it improves; it needs new block-lists, the ability to detect spam/scam/phishing/exploit/suspicious/malicious/et cetera websites better (or at all), and some heuristics/behavioral detection and website age/reputation rating abilities or something.

Also, Comodo DNS has done terribly in the tests that I have seen since its beginning, which is also sad to see, and I really do want to see them seriously improve; it is sad to see how terribly they perform in comparison to other Comodo products and other similar products in general. I have been watching/trying/testing them off and on since their beginning with the same poor results.

Sorry for the negativity, but I am being honest as someone who wants to see Comodo succeed, and who is hoping to maybe one day return to using Comodo products again full-time if things improve.

Thank you and good luck,
-John Jr

Offline astatix

  • Newbie
  • *
  • Posts: 3
    • Astatix Games
Re: False positives and exploits which are undetected
« Reply #36 on: June 05, 2013, 12:36:44 AM »
Hello,

I checked our website http://www.astatix.com with Site Inspector.

Here is a result:
_http://siteinspector.comodo.com/public/reports/14623926
For this URL I see the result:
Suspicious Activity: Suspicious

After clicking on "View Details" I see:
Suspicious URL behaviour was detected
Suspicious Network Connections.  Found by Honey Client.

I am sure that it is 100% false positive detection.
Can you explain what is "Suspicious Network Connections"?
« Last Edit: June 05, 2013, 09:17:12 AM by astatix »

Offline Slav

  • Comodo Member
  • **
  • Posts: 27
Re: False positives and exploits which are undetected
« Reply #37 on: June 05, 2013, 02:59:48 AM »
Hello, Astatix!
You were detected by our engine because you have a link to a file that is potentially dangerous: https://www.virustotal.com/en/file/3872a8f31f304503d1ea5060fa915c7267ce4db5bc67388442f10a7151a64737/analysis/

Offline astatix

  • Newbie
  • *
  • Posts: 3
    • Astatix Games
Re: False positives and exploits which are undetected
« Reply #38 on: June 05, 2013, 04:24:35 AM »
Thank you for your reply, but I think that this is not the real reason. Now I see the following results:

Blacklist Checking: Safe
Phishing: Safe
Malicious Activity: Safe
Malware Downloads: Safe
Suspicious Activity: Suspicious

You are speaking about an executable file, but the checked index page has no links to this file!

Also I see the reason of detection:
Suspicious URL behaviour was detected
Suspicious Network Connections.  Found by Honey Client.

What is "Suspicious Network Connections"?

About worms.exe: it is a screensaver, Funny Worms, developed by us many years ago. It is about 100kb in size, but it is not a virus; it is a screen saver for Windows written in WinAPI. It is detected only by several non-major anti-viruses. We contacted many anti-virus developers about this file and they removed it from their databases.
Here is a description of this Funny Worms screen saver: http://www.astatix.com/fw.php
It is also listed on hundreds of websites, for example at download.com:
http://download.cnet.com/Funny-Worms/3000-2257_4-10117713.html

Also, this screensaver has no access to the Internet, so it can't be the reason for "Suspicious Network Connections".

Offline Slav

  • Comodo Member
  • **
  • Posts: 27
Re: False positives and exploits which are undetected
« Reply #39 on: June 05, 2013, 07:55:28 AM »
We have inspected the downloaded file and made sure it is safe.
Link to the latest report here: http://siteinspector.comodo.com/public/reports/14651092?cache=true
The 'Suspicious Network Connections' alert means that the site had connections to suspicious sites, whatever their content.
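The thread describes three signals a URL scanner combines: a SURBL-style blocklist lookup on the page's own domain, a zone-based GEO-policy (UA/RU suspicious by default, which Slav attributes to competitors), and the honey-client view of which third-party hosts a page actually contacts while it renders, including hosts that do not resolve. The following Python is an added illustration of how such a verdict can be assembled; it is not Comodo's SiteInspector code. The blocklist entries, the zone list, the hypothetical honey-client log and the verdict category names are constructed for the example; the first-party exclusion is why a page that merely links to a downloadable file, as in astatix's case, produces no "Suspicious Network Connections" on its own.

```python
"""Toy URL-reputation classifier: blocklist lookup plus honey-client connection review."""
from urllib.parse import urlsplit

# Constructed blocklist (hypothetical domains; not a real SURBL or Comodo feed).
BLOCKLIST = {"evil-ads.example", "malware-host.example"}

# Constructed GEO-policy: zones treated as suspicious by default (the approach
# Slav attributes to competitors; disabled by default in classify()).
SUSPICIOUS_ZONES = {"ru", "ua"}


def parent_domains(host):
    """Yield the host and every parent domain except the bare TLD:
    cdn.evil-ads.example -> cdn.evil-ads.example, evil-ads.example."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def is_blocklisted(host, blocklist=BLOCKLIST):
    """True if the host or any parent domain is listed (SURBL-style lookup)."""
    return any(d in blocklist for d in parent_domains(host))


def zone_is_suspicious(host, zones=SUSPICIOUS_ZONES):
    """True if the host's top-level zone is on the suspicious-by-default list."""
    return host.lower().rstrip(".").rsplit(".", 1)[-1] in zones


def same_site(host, page_host):
    """Treat the page host, its subdomains and its parent domains as first-party."""
    return host == page_host or host.endswith("." + page_host) or page_host.endswith("." + host)


def classify(page_url, connections, zone_policy=False):
    """Return (verdict, reasons) for a page.

    connections: (url, resolved) pairs a honey client recorded while rendering
    page_url; resolved=False means the name did not resolve (for example a
    redirect to a dead domain). Only third-party hosts count as
    'network connections'; first-party fetches are ignored.
    """
    page_host = urlsplit(page_url).hostname.lower()
    verdict = {"Blacklist Checking": "Safe", "Suspicious Activity": "Safe"}
    reasons = []

    # Blocklist lookup on the page's own domain.
    if is_blocklisted(page_host):
        verdict["Blacklist Checking"] = "Unsafe"
        reasons.append(f"{page_host} is on the blocklist")

    # Honey-client review of third-party connections.
    for url, resolved in connections:
        host = urlsplit(url).hostname
        if host is None:
            continue
        host = host.lower()
        if same_site(host, page_host):
            continue
        if not resolved:
            reasons.append(f"connection to unresolved host {host}")
        elif is_blocklisted(host):
            reasons.append(f"connection to blocklisted host {host}")
        elif zone_policy and zone_is_suspicious(host):
            reasons.append(f"connection to {host} in a suspicious-by-default zone")
        else:
            continue
        verdict["Suspicious Activity"] = "Suspicious"

    return verdict, reasons


if __name__ == "__main__":
    # Constructed honey-client log for the thread's example site (not a real capture).
    observed = [
        ("http://www.astatix.com/fw.php", True),          # first-party, ignored
        ("http://cdn.evil-ads.example/track.js", True),   # blocklisted third party
        ("http://gone.example/redirect", False),          # unresolved redirect target
    ]
    verdict, reasons = classify("http://www.astatix.com/", observed)
    print(verdict)
    for reason in reasons:
        print(" -", reason)
```

Because the zone policy is a separate flag, the same log can be scored with and without the GEO rule, which is the difference Slav draws between the competitors' method and Comodo's. A real scanner would also have to rerun the honey client more than once, since the thread notes that a PHP redirector can send each visit to a different destination.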

Offline astatix

  • Newbie
  • *
  • Posts: 3
    • Astatix Games
Re: False positives and exploits which are undetected
« Reply #40 on: June 05, 2013, 08:39:51 AM »
Slav, thank you for your help and explanation.

Offline Gaige

  • Comodo Loves me
  • ****
  • Posts: 160
Re: False positives and exploits which are undetected
« Reply #41 on: June 30, 2013, 06:19:58 AM »
infected sites:
dvdprime.donga.com
dvdprime.com

It's using Java exploits.


[attachment deleted by admin]

Offline vadim

  • Comodo's Hero
  • *****
  • Posts: 332
Re: False positives and exploits which are undetected
« Reply #42 on: July 01, 2013, 03:01:28 AM »
Quote from: Gaige on June 30, 2013, 06:19:58 AM (Reply #41, quoted in full above)

Thank you for the feedback.

WebInspector detected these sites as unsafe:

http://app.webinspector.com/public/reports/15422522
http://app.webinspector.com/public/reports/15421363
--
Vadim Lvovskiy
Development Manager
COMODO Group Inc.

Offline Gaige

  • Comodo Loves me
  • ****
  • Posts: 160
Re: False positives and exploits which are undetected
« Reply #43 on: July 01, 2013, 09:59:15 AM »
infected Java exploit:  >:-D
***.jw-marriott.co.kr/main.asp
***.koreanmovie.com
Active links changed by Moderator

Please do not post active links to possible exploits.
« Last Edit: July 01, 2013, 10:09:07 AM by Dennis2 »

Offline Gaige

  • Comodo Loves me
  • ****
  • Posts: 160
Re: False positives and exploits which are undetected
« Reply #44 on: July 02, 2013, 10:50:31 AM »
http://app.webinspector.com/public/reports/15486150

Java exploit.

infected site:
 :P :-* :-X.kweather.co.kr (or  ??? :o ;).kweather.co.kr/main/main.html)



[attachment deleted by admin]
