Comodo Cloud Antivirus v1.12.420066.533 RC

[woodrow]

Hi guys, what happened to Valkyrie now?
You guys must have found my id or something, poof and all the "Being analyzed" were gone and counter down to zero.
Just for fun I did run 2 of these files again (all malware by the way), and they ended up Being analyzed again...
Another thing is even more strange, all the files (malware) are now analyzed, but they did not get removed, Valkyrie had a few to many in these vaccination times or what?

/W

[morphiusz]

We are still missing  point 6 in this graphic. Many unnecessary reanalysis and a great delay in protecting the whole community(detecting malware on everyone's system). This had been working great with CIMA analysis - after finding suspicious behaviour the global cloud signature was made instantly (i.e. from executing new malware in sandbox to global detection of CIS users in ~15 minutes). BTW This is the new MS Windows Defender algorithm.

[Umesh]

Hi morphiusz,
Please elaborate as what you mean we are still missing point 6?

Thanks
-umesh

We are still missing  point 6 in this graphic. Many unnecessary reanalysis and a great delay in protecting the whole community. BTW This is the new MS Windows Defender algorithm.

[morphiusz]

No synchronization with verdicts from valkyrie.comodo.com and CCAV.
Are files found by valkyrie as malware (especially human analysis) submitted either via web interface or CCAV itself detected globally ad hoc?
Reanalysis of again executed files despite they've got a verdict before (according to woodrow).
I haven't tested CCAV recently but remember that I had similar experience. 

[Umesh]

Hi morphiusz,
This is how it works:
1.
A file gets analyzed by any system, Valkyrie/ human, file's verdict is immediately reflected via FLS (File Lookup Service). This way any new user who sees the file gets benefited immediately.

2.
In case a file has been seen by CCAV and is under analysis on a given client, it is looked up at least once a day to re-check latest verdict if malware or safe.

So we do have all six points firmly in place.

Now regarding problem woodrow seeing that he has files classified in back-end but still not classified by CCAV, we will be looking at those cases if we have syncing problem somewhere between Valkyrie and look up service.

So to answer your questions:

No synchronization with verdicts from valkyrie.comodo.com and CCAV.

There is periodic look up for files under analysis in CCAV.

Are files found by valkyrie as malware (especially human analysis) submitted either via web interface or CCAV itself detected globally ad hoc?

Yes, including CIS gets benefited.

I haven't tested CCAV recently but remember that I had similar experience.

We did have issues in past where Valkyrie results were not reflect in cloud. Should be all fine now.


Thanks
-umesh

No synchronization with verdicts from valkyrie.comodo.com and CCAV.
Are files found by valkyrie as malware (especially human analysis) submitted either via web interface or CCAV itself detected globally ad hoc?
Reanalysis of again executed files despite they've got a verdict before (according to woodrow).
I haven't tested CCAV recently but remember that I had similar experience.

[morphiusz]

Thanks! Good to know.
Is this scenario true?
1. File is submitted via valkyrie.comodo.com
2. Found to be malware
3. Immediate synchronization with FLS is made and after execution of that file user will get cloud detection (either CIS/CCAV)?

In case a file has been seen by CCAV and is under analysis on a given client, it is looked up at least once a day to re-check latest verdict if malware or safe.

An option in "being analyzed" tab in CCAV to "refresh verdict" would be handy.

Thank you for your detailed answer.

[BlueTesta]

Dunno how reliable (False positive) Viruscope is but just wanted to share my thought i had.


When a unknown file run in sandbox, viruscope can take up 5sec to 1min to detect the file as malicious.

When the next user run the same unknown file, the file could be detected as Viruscope Cloud Signature and the user could get a alert immediately that Viruscope cloud detects its as a malicious file.
So the next user dont have to wait for Viruscope to detect the malicious file in the sandbox.

And since the file is the same as the first user. they will get the same recommended option to quarantine the file.

[Umesh]

Hi morphiusz,
That's right.

3. Immediate synchronization with FLS is made and after execution of that file user will get cloud detection (either CIS/CCAV)?

As soon as malware or safe verdict is given on a file on server side, it is immediately reflected via cloud and is available to all clients whether CIS, CCAV or any other Comodo services that could be using FLS.

However, once a file is found unknown by CCAV, the question comes as what frequency you poll on server to know latest verdict, here we have incremental logic like, check after 1hour then 2hrs and finally file is looked up once in maximum 24hrs.

So if a file that was under analysis and has been confirmed as malware on server side, client must see latest malware verdict within maximum next 24hrs. If not, then either we have some issue with syncing results to cloud or client is failing to look up for some machine specific issues.

Thanks
-umesh

Thanks! Good to know.
Is this scenario true?
1. File is submitted via valkyrie.comodo.com
2. Found to be malware
3. Immediate synchronization with FLS is made and after execution of that file user will get cloud detection (either CIS/CCAV)?

An option in "being analyzed" tab in CCAV to "refresh verdict" would be handy.

Thank you for your detailed answer.

[Umesh]

Hi BlueTesta,
Virusscope is for providing results immediately based on behavior and allows to handle any kind of polymorphic malware and these results are also transmitted to back-end.

Finally in back-end, when centralized system ensures that file was really malware, via cloud results are made available to all users.

Thanks
-umesh

Dunno how reliable (False positive) Viruscope is but just wanted to share my thought i had.


When a unknown file run in sandbox, viruscope can take up 5sec to 1min to detect the file as malicious.

When the next user run the same unknown file, the file could be detected as Viruscope Cloud Signature and the user could get a alert immediately that Viruscope cloud detects its as a malicious file.
So the next user dont have to wait for Viruscope to detect the malicious file in the sandbox.

And since the file is the same as the first user. they will get the same recommended option to quarantine the file.

[BlueTesta]

Ah thanks, good to know 

[Yousername]

I can confirm that many detections are being made in the cloud. I tested CIS on a VM and I notice that quite a few samples are not detected by on-demand at first, but are detected on-execution when CIS performs Cloud Lookup.

[nasion]

Hi guys, what happened to Valkyrie now?
You guys must have found my id or something, poof and all the "Being analyzed" were gone and counter down to zero.
Just for fun I did run 2 of these files again (all malware by the way), and they ended up Being analyzed again...
Another thing is even more strange, all the files (malware) are now analyzed, but they did not get removed, Valkyrie had a few to many in these vaccination times or what?

/W

Hello woodrow ,We will research your issue. considering that you can reproduce it ,so please do the following steps.

1  uninstall ccav if you installed ccav before.and then install it .(please donot update it ,because we want a new data)

2  save the below script as xxx.reg and excute it .they only will open the ccav log function   
*

3 reboot your system

4 run your malware file in sandbox,(manual sandbox or as you like) . as your mean ,the malware can be in valkyrie analyzing list ,we can wait for one day , there is no analyzing result.

5 there is one log for valkyrie scan or fls scan, the log is at  "C:\ProgramData\COMODO\CCAV\usage_stat_log.txt" . you can send me a email with attached the file  .my email is "xiaohua.ma[at]comodo.com" ,if sending fails ,you can change one, "273623676[at]qq.com"

6 or you can contact with me directly.

Thanks for you and your issue.

[woodrow]

Hello woodrow ,We will research your issue. considering that you can reproduce it ,so please do the following steps.

1  uninstall ccav if you installed ccav before.and then install it .(please donot update it ,because we want a new data)

2  save the below script as xxx.reg and excute it .they only will open the ccav log function   
 
  Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\COMODO\CCAV]
"debug_log"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\COMODO\CCAV]
"debug_log"=dword:00000001

3 reboot your system

4 run your malware file in sandbox,(manual sandbox or as you like) . as your mean ,the malware can be in valkyrie analyzing list ,we can wait for one day , there is no analyzing result.

5 there is one log for valkyrie scan or fls scan, the log is at  "C:\ProgramData\COMODO\CCAV\usage_stat_log.txt" . you can send me a email with attached the file  .my email is "xiaohua.ma[at]comodo.com" ,if sending fails ,you can change one, "273623676[at]qq.com"

6 or you can contact with me directly.

Thanks for you and your issue.

Hi nasion,
I will try to get this done, but I cannot promise when, my one year old do not like me in front of the computer 

I will install CCAV in a new VM, does that work for you?
Regarding not updating after install I do not understand, I have not found a way to manually update CCAV?
Do you want me to run the same malware again, these must be detected by now and will not give the correct picture, or?

/W

[nasion]

Hi nasion,
I will try to get this done, but I cannot promise when, my one year old do not like me in front of the computer 

I will install CCAV in a new VM, does that work for you?
Regarding not updating after install I do not understand, I have not found a way to manually update CCAV?
Do you want me to run the same malware again, these must be detected by now and will not give the correct picture, or?

/W

1 Yes, you can install a new ccav too.
2  Yes, You should run the same malware again.
3  "these must be detected by now ?" I donot know ,because you say you can reproduce it , so I want you to reproduce it and get the ccav log  .

[woodrow]

From what i understand here it will take hours for new unknowns to get a verdict and remedy in place?

The article behind Morphiusz pic:

https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/?platform=hootsuite

If you read this you will see that Windows Defender (with cloud lookup enabled) takes care of a new unknowns in just 6 sec!

Or am I comparing apples and oranges here?

/W