CCE Test

I tested CCE today on XP SP3 32 bits today with app. 100 zeroday malware.

No AV installed.
XP FW enabled.

KillSwitch replacing task manager.

After running all the malware (40 already downloaded malware & app. 60 malware were directly run through browser i.e pasting malware links in the browser.

Malware sources - MDL, MBL, Malc0de & CleanMX.

So after running all the malware I restarted the system. I was not able to run/open anything like msconfig, internet explorer, comodo dragon, security center, 7 zip, hitmanpro, malwarebytes, etc.

So I tried to open KillSwitch by right clicking in the taskbar, by going into the CCE folder in the system, usiing a USB which also had CCE installation, but I was not able to run KillSwitch, CCE Scan & Autorun with any way.

I was only able to open KillSwicth with Ctrl + Del & through KillSwicth I was able to open AutoRun & Quick Repair. After killing malware processes & repairing through quick repair & deleting malware entries through autorun I was able to run CCE scan too. After cleaning all the found malware by CCE scan the system was back to normal & everything was back to normal again.

Only 1 Question.

I was able to open KillSwitch only through Ctrl + Del & no other way, neither through USB. Once KillSwitch opened everything was good to go.

But what would have happened if I haven’t replcaed task manager with KillSwicth, I guess thats why KillSwicth opened with Ctrl + Del, right?

How would I have opened KillSwitch & perform the cleanup?

CCE has an Aggressive Mode :P0l
Just keep Shift pressed during opening CCE.exe and it will start killing all unsafe processes in order to run.
I thought you are aware of it.

I forgot about agressive mode. Anyway I didn’t know how to run in agressive mode. Thanxx for the info.

So shift works for all killswitch, autorun & cce?

I thought it worked for only CCE? Then again, I haven’t actually tried it on my own. Does anyone know if it works for all three?

I know. It works only for CCE and Killswitch. Autorun Analyzer is not included.

Good to know it works with KillSwitch.

Does CCE scan scans everything everytime or it has some kind of whitelisting/trusted files & they are ignored?

When I tested CCE there was 1 program something called wajam, it was active & KillSwicth showed it as safe. But when I did CCE scan it found 2 wajam files as malware in its folder in program files. So I guess CCE scans everything everytime, right? I uploaded those 2 files at VT & none detected. So I dont know if it was malware or not. I forgot to upload to Valkyrie. And Valkyrie uploader never works here. The files uploaded through uploader always keeps analyzing & nothing happens.

Agressive Mode is just for running CCE in the situation where it cannot run due to malware or it can also detect more malware?

It’s not about detection or scan.
It’s to run CCE even when it’s blocked by malware.

so you meam you just have to highlight that CCE file and hold shift? wow

highlight CCE.exe hold shift then run the file (double click or hit enter)

A vain attempt from rynesandbergfan23 with CCE to clean an infected PC

With respect to the tester, I watch his videos on security software test, I didn’t liked this test or find it apt for the tools like CCE.

First any tester should know that CCE is an advanced tool.

It is a multiple cleaning excellent tool with KillSwitch, AutoRun, Quick Repir & CCE Scan.

He opened KillSwitch but didn’t killed any malicious process which is a must & very helpful for cleaning the system & faster further other scans as active malicious processes sometimes slow downs the works. Now I know CCE was just analyzing & the verdict as malicious was not there but as I mentioned its an advanced tool so the user testing it should kill the processes which he finds malicious & that is not something hard to know through KillSwitch. An intermediate user like me can easily do so.

He didn’t checked autorun & quick repair.

Secondly he ran smart scan. OK smart scan is good but you should run smart scan for general everyday purpose & if it finds anything then you may run full scan. But for infected systems you should run full scan as it finds a lot as I have tested CCE.

Lastly each has his own way of using CCE.

But what I find good is

KillSwicth definitely should be the first & kill all the dangerous processes found.
Second AutoRun & delete all the dangerous entries & if you cannot make out if an entry/entries are malware related or not, leave it as later CCE full scan may find it & delete it.
Thirdly Quick Repair as it is very useful & solves quite a probs.
Lastly CCE full scan.
And double check KillSwitch, AutoRun & Quick Repair.
Any other tools for more opinions.

This is the way I use it.

But KillSwicth should always be the first. You can use the other tools in whatever order you like. Coz sometimes net may not work due to infection & you may not be able to run CCE scan so you may need to run autorun before CCE scan. For ex- I was testing CCE & due to infection net was not working so I was not able to update CCE on the system. I checked internet explorer which had a new addon under manage addon called I like this when I disabled it net worked so I enabled it again & ran autorun & it found this entry & I deleted it & net worked. Similarly sometimes its good to use Quick Repair after KillSwitch due to infection.

Basically I mean KillSwitch should be the first & rest depends on the nature of infection & that you come to know when you check the system with CCE tools & start cleaning.

In my tests I have observe that it mostly cleans every active malware & brings the system back to normal. In my test only once it failed to get the system back to normal & in the same test MBAM & HitmanPro the other tools I used also failed to clean the infecton what CCE could not clean.

Thanxx
Naren

I’ve used your post (Naren) as the basis of a comment on his blog.

I really don’t understand why he didn’t use Killswitch to terinate the processes he highlighted or why he ran a smart scan instead of a full scan. I’m interested to see his response.

Cheers,
Ewen :slight_smile:

P.S. I agree 100% with the logic flow in how you use CCE and KS - logical and thorough.

OK I checked his blog. These are few words there

“It appears that a piece of malware infected the Windows Logon process and CCE damaged the process when attempting to remove the infection. To us, this looks like CCE cannot effectively remove malicious code from legitimate files.”

In my test too I have come across Windows Logon infection & if I remember correctly, Quick Repair detected & successfully repaired it.

User error and not the software at fault.
Perhaps someone can persuade him to retest :wink:

I have also left a comment on his blog with that suggestion…

:-TU
Where is his blog please ???

http://malware-geek.blogspot.com/2012/02/comodo-cleaning-essentials.html

Thanks Siketa :-TU

Just watched the video.

First thing is that he did not start CCE in aggressive mode, he did not use Killswitch to kill the suspicious processes either.

Second, he did not change any options, no deep scan, no mbr scan, no rootkit scan etc…

Therefore, it is just a plain CAV detection test on an infected machine…may not be something which suits a review.

I have come across systems infected by Sality, where it would be almost impossible to talk that much after extracting CCE, without using Aggressive mode. If the reviewer had one of those sality infections, he would have failed himself immediately (not a CCE fault)