A trojan infected file that Comodo was not able to detect

My computer just got infected for the first time in my life. Although I’m very cautious, I’ve fallen for this old trick because Comodo gave me false negative result.

I tried to send it to comodo using the submit option of CIS but it was not possible.

Therefore I’m posting it hier. I hope you can find a solution to this trojan infected word file.

[attachment deleted by admin]

Hi ribozyme,

Thank you for reporting this.
We’ll check it.

Best regards
Abinaya R

It is a GrandCrab Ransom Trojan

All files on my mycloud storage are encrypted.

Trendmicro online scanner was able to detect it

[attachment deleted by admin]

Is there anything new about this topic other than deleting the submitted files?

[off topic]
ı suggest you to this settings https://www.youtube.com/watch?v=vktNQCwB2UY
ı think with this settings you dont encounter any infection and see cruelsisters other videos for what capable of comodo with this settings

Depending how the file was put onto the machine, will depend if the settings in that video would have protected the OP.

I.e. If the file was put onto the computer by any other means than Google Chrome (or which ever browser you decide to set to be run as virtualised) then a false-negative would have still been able to avoid the sandbox and potentially infect the machine.

This is because the sandbox config in that video, from what I can tell (due to the default proactive setting being activated, then the youtuber showing which settings they then changed), should still be allowing applications to bypass the sandbox if it is rated ‘Trusted’ that come from any other source than Chrome.

if comodo well configured generally ıt doesnt allow to run anything unless you allow it but anyway have you ever tryed you mentioned in your post

I was referring to the video you linked to.

In general yes, you can lock Comodo down further to require permission to run any executable file.

Just this isn’t the case with the settings in the video you linked to.

P.s. I do not have a false-negative executable file to test with. However I do understand what the settings do to a reasonable level, so I am confident what I am saying is accurate.


Would be interested to know if it can be confirmed that a version of GandCrab got whitelisted by Comodo.

he can change settings just unrecognized files > blocked in the auto containment settings and safe mode firewall dont show alerts block request

I think you are all missing the point here. Of course I know how to open or run any file with sandbox.

But this was not the case. I was distracted, tired and incautious.

I just right clicked to the file and scanned with comodo. It just showed no threats found. So I opened and allowed to run the macro. That was of course stupid for an experienced person. But stupid things happens and we learn from them.

Why I posted here is simple. I know that comodo cannot bring my files back. My intend was only to warn comodo users and make comodo aware about this malware/trojan.

To rescue my files I need to use the rescue disk of course. But if latest signature is not able to detect this malware, what will be the point of using comodo rescue disk to clean my system? Therefore I used several different alternatives.

Finally I hope comodo updates its signatures soon with this malware so no comodo users shall be in my shoes.

comodo s signatures are the not the best we use it for default deny and ı understand your sitiuation but ı already say in my post off topic ı m saying these for you wont encounter like this problem again

If it is a false-negative as originally suspected by the OP then it would not have been classed as Unrecognized but classed as Trusted.

!ot! then he can disable cloud lookup for this type of trusted malwares but maybe ı try with cs s settings


Here is my protocol for anyone interested.

If such a thing happens to you you should follow this steps.

If you detect anything unusual in the computer, such as suddenly a *.txt files appears, or some programs does not function properly, in my case all add-ons of my chrome was either deactivated or corrupted, the suffix of a file is changed with something non-recognizable, in my case it was *.adrn, immediately close the computer. This is the only way to make sure the encryption program does not wok anymore. If you are quick enough you can save your files. Otherwise it is too late. I was lucky that the encryption trojan was busy by encrypting big video files, which were not important to me.

After you close your system get a rescue disk ready, use several different antivirus rescue disk. Don’t stuck only with comodo or any other one.

Boot from the rescue disk. Backup your non-encryrpted files to a harddisk. Back up your encrypted files onto another harddisk (if they are important for you. Otherwise antivirus program may recognize them as malicious and delete them. In that case you can not use a future decyrptor program to save those files)

Scan your computer and clean backup harddisk with different antivirus software using their free rescue disks. Make sure that the malware is totally cleaned.

You should scan your dirty harddisk as well but make sure that the antivirus program does not deletes anything automatically.

Finally format and reinstall your OS.

This is the path that I’m following.

I hope this protocol helps if this happens to someone.

A new decryptor has been released by Bitdefender that decrypts files encrypted by GandCrab up to version 5.1.

You can download it here: Bitdefender Labs

Thanks ReeceN. It works very well with 5.0.4. Tested and decryption continues without any error.

Fantastic news!

Glad it works for you. :slight_smile:

finished. All files are back. Thanks again :-TU

Pleasure :slight_smile: