[1079] Bypassed by two separate samples

Hey folks, upon doing my monthly virus testing I ran across two completely different samples that bypass 1079 completely, one a rogue, the other a backdoor.

*Paranoid Mode.
*Do not creating rules for safe/trusted applications.

I executed the first (rogue) and it installed and was in the taskbar within 5 seconds, no sandbox, no alerts from COMODO. The second sample installed itself, opened a browser window, no sandbox, no alerts from COMODO. For good measure I switched to my second snapshot with V4 installed, it blocked both of the samples as expected.

I am willing to upload these samples to COMODO for analysis, to be added to the virus database…etc. But this to me sounds like a major bug that needs to be addressed ASAP.

Can you please upload these to virustotal and CIMA and post links to the results?

Also, can you please mention (not give links) where you got these from? Was it MDL?

On another note, just to preempt languy99, you’ll want to PM him a link to these malware so he can test them himself.

Sure, unfortunately CIMA does not work for me, never has. Both were from MDL.



Oddly, one of them is caught by Comodo AV per virustotal.

Can you please send these samples to me? LEt me see what happens.


[quote author=AlanMcAlan link=topic=60601.msg425380#msg425380 date=1282091726]
Sure, unfortunately CIMA does not work for me, never has. Both were from MDL.

Yes i have tested the same chinise malware and +1 for me, xunjie.exe run perfectily (infect the system)… The same with a tdss sample i found…

Sure thing, just PM me your e-mail address.

@tommymacange, I’m glad (well, not really in the end) that someone else is having this problem too. At first I thought it was only on my side but I guess not now.


[attachment deleted by admin]

Hi Salmonela, when I ran my tests I did not use Cloud scanning or cloud look-up to be fair in comparison to V4.

Any news? A few folks that I have sent the sample to are now seeing alerts from COMODO about this, I’m curious if it was fixed in the recently released beta.


I dont see anything bypassing CIS sandbox. IF you are talking about application starting, thats not bypassing. What do you call a bypass? Can you please be specific about how you test?


Hi Egeman, perhaps I should have clarified, I do not use/run the sandbox, cloud scanning, or antivirus to be fair in comparison to versions 3 and 4.

Maybe you should? lol

Makes no sense to, if V3 protected me just fine in this case, I don’t see why I would need the AV, cloud scanning, and sandbox to keep me as safe, when all I had to do in V3 was set it as “Blocked Application”.

Alan, you still haven’t answered egemen’s question.

To answer both, I would call a bypass one or more (two in this case) completely different malware samples that are able to install/run and compromise the users system. In this case, the samples did so and compromised the system. Running a default-deny security solution did not protect the user in this case.

For the last question, how do I test. Simple, nothing fancy. I run the latest beta inside of a testing PC (which is reformatted for every test), download 10 or more samples from MalwareDomainList and confirm via VirusTotal that they are marked as a virus by more than one vendor. I then execute each sample one-by-one to test the product’s effectiveness at keeping the computer safe.

Your samples are able to bypass D+ nothing more. Did you used paranoid mode?
I dont know if is worthwhile to fix this in D+, anyway D+ was never designed to block everything.
But if the developers choose to improve D+ would be great but I think that the development of D+ have been stoped for a while due to the sandbox and the other new technologies.

in reality you can’t compare V3 to V4 or V5 reason, well V3 was a hardened HIPS application with some add-ons and goodies but at the core of it, it was HIPS. Now V4 brought along the sandbox, what happened then, well the restrictions placed upon the system by D+ were loosened becasue the sandbox takes up the slack. Now in v5 the D+ restrictions are loosed even more because the sandbox in V5 is even better and so is the AV. So in reality you can’t compare each HIPS to each other becasue they are now acting differently. If you want to compare HIPS v5 to earlier versions, especially v3 you have to put it in paranoid mode becasue now it will basically act just like it did in V3.

Mr. AlanMcAlan, I think something is wrong with your installation (maybe you should check your rule for explorer.exe) see pic. a

test scenario:

  1. disabled sandbox
  2. switched to paranoid mode
  3. disabled cloud requests
  4. disabled AV
  5. run xunjie.exe
    6… see sec. pic. b

Edit: ups, it seems it is not the same file, I think I have updated version, http://www.virustotal.com/file-scan/report.html?id=3f893c4c459b0b0e7bc7d1601f8cacd62381f3566db3da724044244f87d73335-1282304552
could you please send me your samples to test them
TIA :slight_smile:

[attachment deleted by admin]

That’s kind of what I was thinking, but could not articulate it as well as languy.