A way of testing viruscope recognition and reversal

Current viruscope recognisers are:

  • Move (not copy) self to autorun path
  • Move (not copy) self to other folder and copy link (shortcut) to self to autorun path
  • Move (not copy) self to other folder and set registry value in autorun key to self

Recognition operates only if the file first executed is an unknown .exe file, not a trusted or a batch file. However the action of any file, whether .exe or batch run by that initial file (and so on recursively) can form part of a detection set for that initial file and can be reversed.

Most people don’t want to run malware to test VC.


So you can get a Viruscope alert, and thus test recognition and reversal by finding a program in which you can manually or programmatically carry out file moves, and arranging for it to be rated as unknown. If it is also capable of editing a registry, or running a program that can like regedit.exe, that’s ideal!

One example might be a Windows explorer file manager substitute, though I would not recommend you use a full replacement Windows shell. But how do you arrange for it to be unknown? You could:

[ol]- find a relatively obscure one that happens to be unknown - we use explorer++ in the example below

  • find a beta version of a better known one which is unknown
  • remove the programs vendor and/or trusted file entry from CIS and disable all cloud interactions or disconnect your network connection
  • if the file’s license agreement allows this, over-write some irrelevant bytes in it’s executable file with a random string of equal length[/ol]

Implementing Solution 1 - Steps to get VC alert (recognition with option for reversal) using Explorer++
Explorer++ is an unknown explorer substitute found by Sanya.


  1. Please turn Cloud Lookups off in Advanced settings ~ file rating to prevent explorer++ being whitelisted
  2. Install explorer++ from here http://explorerplusplus.com/download

To get alert - text

  1. Check you have HIPS off, BB dis-abled and “detect programs…” and “show privilege…” also disabled (I don’t think HIPS off is needed but lets see!)
  2. Check you have Cloud Lookup off
  3. Run explorer++
  4. Run Killswitch and check explorer+++ is running as unknown
  5. In explorer++ navigate to explorer++ directory and select explorer++.exe
  6. From menu choose Edit ~ MoveTo and in move directory selection dialog navigate to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
  7. Press OK, you should get VC alert
  8. Choose ‘Ignore once’ if you want to repeat experiment, and re-start explorer++

To get alert - videos
Mine: here
Sanya’s here

Use Sanya’s test file, “Test Viruscope.exe” which has options
[ol]- Create custom file. This creates a test file with a name you select, which is a logged and reversible activity

  • Create preset file. This creates a test file with a preset name, which is a logged and reversible activity
  • Launch custom file. This will run any batch or .exe file you nominate with whatever name you choose. The batch file will normally contain commands to run other trusted or untrusted executables (eg regedit or explorer.exe) which you can then use to perform recognised activities or actions to be reversed.
  • Launch preset file. This will run a batch file you create with the name TestViruscope.bat, if in the same directory. The batch file will normally contain commands to run other trusted or untrusted executables (eg regedit or explorer.exe) which you can then use to perform recognised activities and/or actions to be reversed.
  • Launch Powershell_ISE
  • Launch Powershell_ISE script
  • Move self to autorun folder. This immediately generates a VC alert by moving itself to autorun folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. This is useful for testing that VC is working on your machine
  • Move custom file to custom folder, please note you need to specify the destination filename too, not just the folder!
  • Read a file to test access restrictions
  • Run a custom command using cmd.exe[/ol]

To select an option, type the number followed by .

You can combine these options in any process run session by pressing enter again after selecting an option - ie when the appropriate message is showing. The test file will then show the menu again. For example you can use this to first ‘create a preset file’, ‘Move self to autorun path’ causing a VC alert, and thus demonstrate a reversal by deletion of the document you created.

Two functionally identical files with different hash identity (SHA) are provided, ‘Test Viruscope’ and ‘Test Viruscope 2’. This is so you can make one trusted (via Trusted Files) while the other is untrusted, allowing mixed processing chains to be created.

You can run each test file from itself, if you wish, or either from each other. For example to create a long chain of processes with the same or different file ratings.

N.B. Using the option to ‘Move Self to Autorun Folder’ will leave the executable on an autorun path so it will execute when you reboot.
Test Viruscope.exe - SHA1 FEFDE831901A866C824C2E1E9E6D4C3485AB941D Virustotal
Test Viruscope 2.exe - SHA1 6ACC34ADCF090B16B9F655C6325F1158652805B3 Virustotal

Please be careful when carrying out these experiments as user files created by detected unknown programs, or the programs they run, may be automatically deleted by reversals. So for example, based on my analysis of how VS is currently working, if you use your explorer or shell substitute to start an office program, create some files you want to keep, forget and then trigger a detection and don’t respond to the alert, the files will be deleted by the reverser. This is a bigger potential issue with a full Windows shell replacement, which is why I do not recommend using a substitute windows shell for this type of testing.Taking a full data backup before triggering detections is a wise precaution

There may of course be other ways. Please do report your experiences in testing using these techniques or any others you happen upon, below. Obviously please report bugs and wishes in the Beta bugs Board.

Best wishes


Do you want me to post an example of an unknown explorer substitute?

If you have one that would be great :slight_smile:

(Post link to download page, please, indicating build, not direct to download)


Are property VirusCope will have many false positive

Alright, one I’ve found is Explorer++ which can be found here: http://explorerplusplus.com/download

Thanks Sanya that will be very helpful to people.

@ All please do not submit this file for whitelisting :slight_smile:

Have the VC recognizers been update since the CIS 7 BETA was released? Just curious. Thanks for the info about how to test VC. :slight_smile:

No - there’s new code maybe but it is disabled ATM

And glad you want to test. Sanya found a good explorer substitute :■■■■ - see above

Okay. Comodo is really making big innovations though. Can’t wait to test the final version of VC. :slight_smile:

If you are getting false positives please report these as bugs. This is very important risk-wise, as the reversal process may involve file deletions.

You Bouktbar viruscope but did not show any alert

Why ?

Just to check. Does it move itself to an autorun path?

Interesting, do they do:

  • dynamic heuristics
  • process activity motoring
  • therefore potential ability to reverse any process, even a zero day one with no sig on file

If so could you post links which confirm?

Best wishes


Please see this test on the viruscope [video ]

http://www.gulfup.com/?c3ELvz :cry:

Actually this one is not a bug, if I have understood.
a) its a batch file - this is not yet covered by VS
b) its does not move itself to the autorun path, it ‘re-moves’ another file’s entry

Hope that helps


How to test this?

I downloaded, extracted & executed Explorer++. Tested both stable & nightly builds but no VS alert.
CIS 7 default but autosandbox disabled

Well reading the features I’m thinking to use this for real n not just testing purpose…

I’ve delete registry keys in the startup list but did not move viruscope

The test on Explorer++ but viruscope failed :frowning:

Please note anyone who runs this unknown process with cloud active.

Submits it, thereby it becomes known :slight_smile: