Comodo firewall bypassed by signed malware

[futuretech]

I'm not sure why this tread even exists? This a problem for any security software that is based on white listing approach. Because of possible mistakes there is even specific topics to report such errors when malware is incorrectly whitelisted.

https://forums.comodo.com/av-false-positivenegative-detection-reporting/report-trusted-and-whitelisted-malware-here-2017-no-live-malware-t117715.0.html

https://forums.comodo.com/comodo-valkyrie-fls/post-valkyrie-links-in-which-you-believe-that-the-manual-analysis-is-wrong-t80646.0.html

[Yousername]

This is not a digitally signed application. Trusted vendors have nothing to do with this, the file was whitelisted by file hashes. I also encountered a similar sample of the same class (Emotet - basically a banking trojan) which also copied a file to appdata and was whitelisted.  The variant that I submitted has been blacklisted now.

On a side note I have tried removing the Trusted Vendors List. It seems that with cloud lookup enabled, it still checks the TVL in the cloud (vendors that are found trusted by cloud scan are added back to the TVL), so removing TVL with cloud lookup enabled is basically pointless. If you were to disable cloud lookup and remove TVL it might result in system files being sandboxed if you aren't careful, and of course usability is impacted.

[shmu26]

I'm not sure why this tread even exists? This a problem for any security software that is based on white listing approach.

Well, most whitelisting solutions that I know of (NoVirusThanks EXE Radar Pro, VoodooShield, SecureAPlus, ReHIPS) don't have a hidden and constantly updating whitelist that is prone to error. At the most, they have a limited Trusted Vendors List that the user can easily monitor.

However, now that I think about it, your point is quite valid as regards Avast hardened mode/aggressive, and Kaspersky Trusted Applications Mode

[Jon79]

[...] your point is quite valid as regards Avast hardened mode/aggressive, and Kaspersky Trusted Applications Mode

Which are default-allow AVs with a feature to act like default-deny ones

If you were to disable cloud lookup and remove TVL it might result in system files being sandboxed if you aren't careful, and of course usability is impacted.

If you have a stable PC (meaning you don't install new apps because you are fine with the ones you already have), you can disable cloud lookup and remove every entry in the TVL but the ones about Microsoft (and few other apps you use), as shown in this video (from cruelsister) https://www.youtube.com/watch?v=TetSy5vn7_M&ytbChannel=cruelsister1

The problem with CIS is that TVL will be restored when CIS upgrades to a new version (and also when you import your settings), unless they have fixed this bug

[AtlBo]

Think this may have been fixed.  I updated two weeks ago with a trimmed TVL, and it did not revert to the full list.