[1079] Bypassed by two separate samples

To my mind these screens do not prove anything. I see 2 files in temp (you had to run CCleaner before you scanned with MBAM or HitmanPro) and all other files just sit in your downloads folder not doing any damage. Yes, probably the AV part missed them, letting you download them, but it does not mean that CIS as a suite missed them. I am sure it blocked them when you tried to run them because your own screens prove it (no traces of malware in Windows except temp and files that you downloaded and that sit in My Documents/Downloads).

+1
Temp files and malware executables in a download folder do not represent TDSS infection.

Sitting on disk is one thing. Actually running unsandboxed is another thing. I see no screenshot of Active Processes, Process Hacker, Process Explorer, Gmer etc.

Rootkit Unhooker SR2 + XueTr + TDSSKiller by Kaspersky see the infected driver:


http://img715.imageshack.us/img715/8160/comodotdss4.th.jpg

Of course MBAM is not able to see the infected driver but only the dropper (temp).


http://img571.imageshack.us/img571/8538/comodotdss3.th.jpg

And finally NIS on my host blocks the ACTIVE infection (the bad connection made by wmnat.exe).


http://img44.imageshack.us/img44/5313/comodotdss3host.th.jpg

Hook me up with those samples please, I want to test this myself.

OK, so I got the TDSS sample. I unpacked it and dropped it on the desktop. No warning from CIS yet. So I double-clicked it and got a cloud AV warning. [PICTURE 2]

So then I went and disabled cloud AV. Once again I double-clicked the file and got a D+ warning that said heuristics had found malicious activity. This is your second chance to block it. [PICTURE 1]

So I selected sandbox, and it sandboxed the process. Then I went and looked at the D+ events to see what it did. [PICTURE 3]

Then I rebooted and ran CCleaner. After that I ran HitmanPro and it said it found a rootkit. I went and looked at the file; it is a Comodo driver, the signature is still valid, and I submitted it to VT to see if anything detected it. [PICTURE 4]
http://www.virustotal.com/file-scan/report.html?id=5c6bcc68c91598f0b216c09562e499abb10cf64e60028e160c6dcff743a7bfc4-1282419964

Then I ran Gmer and it identified another suspicious driver, so I went and looked at it. Once again a valid signature. I also submitted that one to VirusTotal. [PICTURE 5]
http://www.virustotal.com/file-scan/report.html?id=3d64f233dc866537e50549a7c1a2b40a954055b22f0bda39825b04c38c607cb7-1282420092

Then I did a scan with Malwarebytes and it found nothing. [PICTURE 6]

OK, so to see if those are FPs from HitmanPro and Gmer, I reinstalled CIS v5 .1091 on a clean machine and did both scans again. [PICTURE 7]

As you can see they didn't detect anything. So what happened, I'm not sure. I don't know how that TDSS could infect those two drivers and they would still have a valid signature. I have this malware in case Egemen wants to test it out.

[attachment deleted by admin]
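The check the post above is doing by hand (look at the driver the ARK flagged, see whether its signature still verifies, hash it for VirusTotal) is worth doing for every loaded driver at once. The following is an added example, not code from this thread or from Comodo; it assumes Windows PowerShell 2.0 or later running elevated, and the output path is an assumption.

```powershell
# Added example, not code from the thread or from Comodo: report on every running
# kernel driver, verifying its embedded Authenticode signature and computing the
# SHA-256 that VirusTotal keys its reports on. Assumes Windows PowerShell 2.0 or
# later running elevated; the output path below is an assumption.
function Get-LoadedDriverReport {
    param([string]$OutCsv = "$env:USERPROFILE\Desktop\driver_report.csv")  # assumed path

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $report = foreach ($drv in Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }) {
        $path = $drv.PathName
        if (-not $path) { continue }
        # WMI reports NT-style paths (\??\C:\... or \SystemRoot\...); convert to Win32 form
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = [Environment]::ExpandEnvironmentVariables($path)

        $status = 'MISSING'; $signer = ''; $hash = ''
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, UnknownError, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $bytes = [System.IO.File]::ReadAllBytes($path)
            $hash = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        }
        New-Object PSObject -Property @{
            Name = $drv.Name; Path = $path; Status = $status; Signer = $signer; SHA256 = $hash
        }
    }
    $report | Export-Csv -NoTypeInformation -Path $OutCsv

    # HashMismatch means the bytes on disk no longer match the signed hash, which is
    # what a patched driver with its signature block left in place looks like.
    $report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Status |
        Format-Table Name, Status, Signer, Path -AutoSize
}

Get-LoadedDriverReport
```

Two caveats when reading the output. First, an embedded signature that still reports Valid means the bytes the script read are the ones that were signed, so if an ARK says that same file is infected, either the ARK is wrong or the script is not seeing the real bytes: a rootkit that hooks disk I/O can hand the original contents back to user-mode readers, which is why the thread suggests copying the driver out with the ARK itself and why an offline scan from clean boot media is the only conclusive check. Second, many Microsoft in-box drivers are signed through a catalog rather than an embedded signature, so on the Windows versions of that era Get-AuthenticodeSignature reports them as NotSigned; treat NotSigned under %SystemRoot%\System32\drivers as "verify with sigverif", not as a finding.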

Languy, in my case Gmer found nothing but TDSSKiller, Rootkit Unhooker, and XueTr found it... No single ARK can detect all rootkits... bye

@Languy try to copy that driver from GMER to the desktop, then scan it...
BTW. You have a PM :slight_smile:

Languy, any update on that? I'm mystified as to what went on with your test. ???

I redid the test and this time Gmer found the same one, but HitmanPro this time found another driver. I will retest again and see if I can grab the file from GMER.

Could you PM me this sample please, Languy? I'd like to test it on a real system. I'm wondering if there are anomalies with CIS when in a VM (apart from the known VBox issues).

That's funny (I don't mean that in a bad way). I opened up my library of MDL samples (248) and more than half pass the sandbox since they are a "safe" file. I guess what's worse is that they are being added to "Trusted Files".

Alan, I'm starting to think that there are major incompatibilities with the sandbox in a VM. All the samples I've tested on a real system have been correctly dealt with. I'm not saying this is a fact, but there seems to be a large discrepancy with detection rates in and out of a VM.

Hi Andyman, I do not run a VM to completely remove the chance that there may be incompatibilities.

As an example for my last post:

*Paranoid Mode
*Create Rules For Safe Applications
*Image Execution at max, with everything ticked, treat unrecognized files as untrusted
*Sandbox enabled, everything ticked

File exe.exe (which was a Zeus, I believe) is added to trusted files with the company name of "Microsoft Corporation", is not sandboxed, and does not trigger any D+ messages.

As a side-note, I am loving the cloud scanner. I downloaded 50 samples from today and yesterday, COMODO already detected half, I submitted the rest and within an hour the rest were detected and removed.

In that case there's definitely something amiss. I didn't notice you were running out of a VM, my bad ;D

I’m quite eager to filter out the spurious bypass claims from the forums to allow Egemen to deal with the genuine issues. :-TU

Completely understandable, but I guess to some degree it is better to report it than not to. :smiley: Hah, there is also some degree of pleasure in watching the COMODO cloud alert pop up every few minutes since it JUST confirmed that another file I sent was malicious. I have a feeling (if cloud is tested) that COMODO will do well in AV-C :-TU

Yes, I'd never discourage anyone from trying to 'break' CIS during this Beta stage, that's what it's here for. :-TU

I agree with you on the Cloud analysis feature, it's a most welcome addition.

I’m not sure if this is normal or not, perhaps someone can chime in though.

I ran with the same settings as the last test:
*Paranoid Mode
*Create Rules For Safe Applications
*Image Execution at max, with everything ticked, treat unrecognized files as untrusted
*Sandbox enabled, everything ticked

The file (8088552888.exe) was sandboxed as untrusted, found by the cloud on execution and deleted. Yet here is the aftermath:

[attachment deleted by admin]

Check the task scheduler, I bet it is in there.
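The "it was deleted but something is still there after reboot" pattern in the post above is usually persistence that outlived the file: a scheduled task, a service or a Run key that re-fetches or re-launches the payload. The following is an added example for the scheduled-task case, not code from this thread; it assumes Windows PowerShell 2.0 or later running elevated and the English column names that schtasks.exe prints on an English-locale system.

```powershell
# Added example, not code from the thread: enumerate every scheduled task with
# schtasks.exe (present since XP), resolve the executable each one launches and
# check its signature. Assumes Windows PowerShell 2.0 or later running elevated
# and an English locale (schtasks localizes its column headers).
function Get-ScheduledTaskTargets {
    $rows = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.HostName -ne 'HostName' }   # schtasks repeats the header row per task folder

    foreach ($t in $rows) {
        $cmd = $t.'Task To Run'
        if (-not $cmd -or $cmd -eq 'N/A') { continue }

        # First token of the command line, quoted or not
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $matches[1] } else { $exe = ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if ($exe -notmatch '^[A-Za-z]:\\' -and $exe -notmatch '^\\\\') {
            # Bare name such as rundll32.exe: resolve through PATH like the scheduler service would
            $found = Get-Command $exe -ErrorAction SilentlyContinue
            if ($found) { $exe = $found.Definition }
        }

        $sigStatus = 'MISSING'; $signer = ''
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        New-Object PSObject -Property @{
            Task        = $t.TaskName
            TaskStatus  = $t.Status
            Executable  = $exe
            Signature   = $sigStatus
            Signer      = $signer
            CommandLine = $cmd
        }
    }
}

# A missing or unsigned target, or one living under the user profile, %TEMP% or
# %APPDATA%, is what to look at first; the CommandLine column shows the arguments,
# which matter for rundll32/cmd/wscript launchers whose first token is a clean binary.
Get-ScheduledTaskTargets |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Executable -match 'Temp|AppData|Users' } |
    Format-Table Task, TaskStatus, Signature, Signer, Executable -AutoSize
```

The filter at the end is deliberately loose: a legitimate task that launches a script through a signed host (cmd.exe, wscript.exe, rundll32.exe) will show Valid on the host while the interesting part sits in CommandLine, so read that column for any task you do not recognise rather than trusting the signature alone.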