[1079] Bypassed by two separate samples

Hmm, doesn’t seem to be in there. Not sure whether that is good or bad.

I apologize for bringing up so many issues with all my posts, but my mindset is that there is nothing more useless than a beta tester that doesn’t report anything :slight_smile:

I have no idea what you are talking about. Please describe what you do step by step, because I am really tired of trying to figure out what you might possibly be doing. From here it seems to me that you have an infested system which has been experimented on a lot before, and you are simply reporting these past issues thinking they happened after CIS5. The samples you sent DO NOTHING. They are NOT even TDSS.

If you have executables that are added to the safe list, that means they are SAFE by cloud verdict!!! And if they are safe, that means they are NOT malware. If you think otherwise, then send them to me and let me see.

One last time, I will try the rootkit TDSS from languy, and if there is nothing there again, I am afraid I will no longer pay attention to this thread. We cannot go anywhere with this unstructured testing like "hey, I ran this, it's not working".

It's ok. Let's make a clean start. Please find a clean VMware or Microsoft based virtual machine, or a brand new formatted clean computer, before testing.

All those weird issues you observe can only mean your system was infested heavily before.

Egemen, to clarify even further (if possible):

  1. My PC is reformatted and gets a brand new Windows Vista x64 image before and after every test.
  2. I install and update to the latest Beta.
  3. Download xx samples from MDL and confirm via VirusTotal that they are malicious.

The last test I performed, I took my entire (work-in-progress) collection of malware that has been downloaded in the past 4 weeks, approx. 248 samples, and executed them one-by-one while COMODO Beta 5 runs with the following settings:

* Paranoid Mode
* Create Rules For Safe Applications
* Image Execution at max, with everything ticked, treat unrecognized files as untrusted
* Sandbox enabled, everything ticked

More than half of the samples were treated as a "safe" application and were not sandboxed. Again, every single one of these files has been confirmed to be malicious via VirusTotal.

If you feel the need to abandon this thread I understand; there are still plenty of important bugs in many threads around here. I, for one, however, do not feel safe with everything I have found.

Ok good.

1 - What is the CIS version?
2 - What is the operating system?
3 - Please send me one of those SAFE files and let me see.

Egemen,
Take a look at this post (link accessible to moderators only). Could it be the same issue as AlanMcAlan?

No it is different.

In Windows XP, I have just tested.

1 - It can infect the system with the default configuration, i.e. the active configuration is COMODO Internet Security and the default restriction level is Partially Limited. Why? Because RPC Control\spoolss is not in the protected COM list.

2 - It is blocked successfully if the default restriction is Limited or higher in any configuration.

3 - It is blocked in the Proactive Security configuration with ANY restriction level.

So in Windows XP, the reason is a missing protected COM interface in the default policy.

Languy99 tested with Windows 7 and it is the same. When you switch to Proactive Security, it is blocked. We will see what it is doing with the Spooler service and decide whether we should include it by default or not. It might be a Windows vulnerability or something.

Yes, this is TDL3 aka TDSS aka Alureon, which is a very common infection these days, so the default config. needs to be strengthened by adding the print spooler subsystem, and that will solve tommymacangel's infection also… (see pic.)

Thank you egemen for clarification :slight_smile:

BTW. what I need to do to become “Malware Research Group” member?


Languy99 tested with Windows 7 and it is the same. When you switch to Proactive Security, it is blocked. We will see what it is doing with the Spooler service and decide whether we should include it by default or not. It might be a Windows vulnerability or something.

As we all know, the RPC/spooler service is not systematically malware (I personally have Defense+ rules for it for software without internet permission, e.g. Microsoft Word, Acrobat…; if I don't, I can't print anything to my USB connected laser printer).

But, even in the eventuality of some Windows vulnerability, the CIS default configuration is, like in many other instances, the vulnerability, and should not be an existing choice since only the proactive mode confers protection.

So what was the result from further testing?

Is there a problem or not?