Comodo and Win32.TrojanSpy.Volisk.A...

Hello! I wonder if you all read this story http://blogs.comodo.com/pc-security/computer-protection/trojware-win32-trojanspy-volisk-a/

If you did, a few Q’s:

First of all, when Comodo said in their blog: “The dropper (installer) component of the malware was digitally signed by a trusted Certificate Authority. Because the installer was ‘trusted’, it was then able to evade detection by the heuristic and Host Intrusion Protection Systems (HIPSs) of many popular Antivirus and Internet Security programs.” Does this mean CIS got bypassed as well? Just want to make sure. Yes or no?

Now, the file itself was digitally signed by “GlobalSign”, but you can see another thing if you look at another source; you will get more pictures than Comodo provided in their blog. You can see in “signatures of other parties” “Comodo Time S…”. It’s a timestamp which is used in the process of code signing? And you can put anything in there, such as Comodo, Symantec, etc.? Right? According to the Russian source on that page. Or did Comodo make a mistake?

Also is there any protection for this? I take it as a no?

If I’m not wrong you should be protected from this if you’re using CIS and they’ve removed that vendor from the TVL.

This sort of issue prompts me to once again recommend that Comodo at least adopt a framework similar to what I describe in my wish here.

Hi Seany007,

In addition to what Chiron posted re: his “wish list” thread

The discussion about fake dig. signatures has a history here

I wouldn’t be bothered at the moment to find my request posted a few years ago, where I said that the way dig. sig. is implemented, it is possible to fake it; therefore white-listing or TVL stuff is not a reliable technology & definitely cannot be accepted as a panacea.
At that time the answer from Comodo was: “no way”. Well, two months (or less) later we saw the 1st one (Realtek, as far as I remember), and as you know, nowadays security experts are finding ~10-20 per day (approximately 1.5-year-old data)… there should definitely be more currently.

Now we have a huge bunch of “reporting whitelisted malware” threads and eventually the referenced article in Comodo’s own blog.

Comodo devs should definitely give a clearer answer concerning this particular (stressing!) case… but at the end of the article they kinda confidently stated:

1. Download Comodo Antivirus (https://antivirus.comodo.com/index.php?track=3945) and perform a full scan with an up-to-date antivirus database.
2. Remove Malware Found (https://www.comodo.com/home/malware-found.php?track=3945) by choosing from the recommended options and stay protected.

So basically they answered your question… Yes? … No? … Are you protected from this bypass? … Or will your protection (Comodo) be bypassed? … Clear? Blurred? 88) :D

Cheers!

Thank you for the reply. Now, what I wanted to know is this… Before Comodo removed that vendor from the TVL, was CIS able to protect you? I agree with you 100% on that point.

Thank you for the reply and the detailed information. I agree. No, they didn’t answer my Q at all. It was later that they analyzed it and found it to be malicious. What about before Comodo removed that vendor from the TVL? Was CIS able to protect you against that file?

  1. It is the same as this one.
    Comodo Defence Plus Bypassed by Zeroaccess rootkit | Wilders Security Forums
    “a safe .exe file plus a malicious .dll file”

  2. CIS does not need to remove it from the TVL, because the .exe files of all vendors can be injected.

  3. The behavior blocker of CIS V6 can not block it.
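An added PowerShell illustration (not from any poster in this thread) of the two points raised above: that a “Comodo Time Stamping” countersignature is not the publisher’s signature, and that a validly signed .exe says nothing about the .dll files sitting next to it. It uses only the built-in Get-AuthenticodeSignature cmdlet; the file paths in the usage lines are placeholders.

```powershell
# Added example: why a valid Authenticode signature on an .exe is not, by itself, a trust decision.
# Get-AuthenticodeSignature exposes two distinct certificates:
#   SignerCertificate      - the publisher who signed the file (e.g. a GlobalSign-issued cert)
#   TimeStamperCertificate - the time-stamping authority that countersigned the signing time
# A Comodo TSA countersignature therefore only vouches for *when* the file was signed; it does
# not make Comodo (or a Comodo customer) the publisher, and it is not what a vendor allowlist keys on.
function Get-SignatureSummary {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status                          # Valid / NotSigned / HashMismatch / ...
        Publisher   = $sig.SignerCertificate.Subject       # identity a trusted-vendor list should use
        Thumbprint  = $sig.SignerCertificate.Thumbprint    # pin the certificate, not just the CN
        IssuingCA   = $sig.SignerCertificate.Issuer        # the CA that issued the code-signing cert
        Timestamper = $sig.TimeStamperCertificate.Subject  # countersigner only, never the publisher
    }
}

# The "safe .exe plus malicious .dll" pattern: list DLLs beside the .exe that are unsigned or
# signed by a different certificate than the .exe itself. Such DLLs deserve a closer look
# before the folder as a whole is treated as trusted.
# Caveat: Status -eq 'Valid' only means "signed with a key that chains to a trusted root";
# a stolen or leaked key still yields Valid, so revocation status and behaviour still matter.
function Find-UntrustedSideDlls {
    param([Parameter(Mandatory)][string]$ExePath)
    $exe = Get-SignatureSummary -Path $ExePath
    $dir = Split-Path -Parent $ExePath
    Get-ChildItem -Path $dir -Filter *.dll -File | ForEach-Object {
        $dll = Get-SignatureSummary -Path $_.FullName
        if ($dll.Status -ne 'Valid' -or $dll.Thumbprint -ne $exe.Thumbprint) {
            [pscustomobject]@{
                Dll          = $_.Name
                DllStatus    = $dll.Status
                DllPublisher = $dll.Publisher
                ExePublisher = $exe.Publisher
            }
        }
    }
}

# Usage (placeholder path; point it at the file you are examining):
# Get-SignatureSummary -Path 'C:\placeholder\suspect.exe' | Format-List
# Find-UntrustedSideDlls -ExePath 'C:\placeholder\suspect.exe' | Format-Table -AutoSize
```

A DLL from the same vendor signed with a renewed certificate will also show up in the second list; that is a prompt to verify, not a verdict.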

Thank you for the link. So CIS failed. That’s what I was thinking. Okay, can somebody from Comodo staff or the moderators now explain the Comodo timestamp signature in that file?

This sort of vulnerability is supposed to be fixed with V6. The first Beta had some bugs which resulted in it not protecting correctly, but the next Beta is supposed to have that fixed.

Let’s hope so. But Comodo needs to do something about such files. The current stable protection (5.10/5.12) for this is not solid.

If the vendor was on the Trusted Vendor List, then you would not have been protected during the time it was on the TVL. That vendor is not on it at the moment of writing.

It is not the same file, but it uses a similar technique, namely using a stolen certificate.

2. CIS does not need to remove it from the TVL, because the .exe files of all vendors can be injected.

Comodo needs to remove the vendor from the TVL to help prevent future infections. Not removing the vendor is a highly irresponsible thing to do. I also stress that it is not an easy job to actually steal certificates from vendors; so it is not that we are getting bombarded by hundreds or more digitally signed malwares by trusted vendors.

3. The behavior blocker of CIS V6 can not block it.

Chiron wrote: “This sort of vulnerability is supposed to be fixed with V6. The first Beta had some bugs which resulted in it not protecting correctly, but the next Beta is supposed to have that fixed.”

That is the catch with beta testing. Things may not work yet as intended.

I see. Thank you for the reply.