A way of testing viruscope recognition and reversal

Well done Sanya. So there was no recogniser.dll in the main CIS directory?

If so it must either be an installer or an updater bug I guess. Any idea which?

Actually on my system it is in the recognisers/proto_v1 directory. Strangely in v6 there was a recogniser.dll in the main CIS directory.

Indeed there was no .dll (I checked several places like the main Comodo folder and the Comodo folder in ProgramData etc.).

It’s probably not an installer bug because I know I’ve had the file before. It doesn’t necessarily have to be an updater bug either; I think it might happen whenever I do a snapshot restore, but I haven’t tested that theory yet and I won’t be until I actually need to restore a snapshot.

Will Viruscope support BAT files?

Not yet. In future almost certainly yes.

Thank you for the information

I have edited the first post with a how-to guide for using explorer++. Anything I have missed, guys? (Will add a point on checking for recognisers when we understand what caused the problem.)

Mr Ahmad if you use the guide in the first post, can you make it work?

I just made a program for this specific purpose, I guess you could see it as eicar for Viruscope. 88)

Instructions:

  1. Download attached TestViruscope.zip
  2. Extract TestViruscope.exe from TestViruscope.zip
  3. Make sure the file is called TestViruscope.exe (otherwise it won’t be moved as it is hard-coded)
  4. You might need to run it as administrator (otherwise it might not be allowed to move itself)

Code for those who are interested:


#include <iostream> 
#include <iomanip>
#include <string>
#include <fstream>
#include <sstream>
#include <Windows.h>

int main() 
{
	// Move self to auto-run
	system("move TestViruscope.exe \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\" ");
	return 0;
}

Yes I know that’s a lot of headers but honestly it was quite some time ago I tried programming and I have no idea which ones are needed anymore. ;D

If the file becomes whitelisted for some reason, then it’s easy for me to update it by just changing the “// Move self to auto-run” comment to that plus something else, recompiling it, and voilà: new hash and then unknown again.

TestViruscope.exe (x64) - SHA1 C5C2AA9B2714AB52BA5975C8EB51AAD993E498EE Virustotal
TestViruscope.exe (x86) - SHA1 37ADAD07CCFA820CEC15D1288DFBDCB16EAE9BE4 Virustotal

Please remember that the file will be left in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TestViruscope.exe if the Viruscope alert is ignored, hence it will run whenever you start your computer unless you remove it!

[attachment deleted by admin]

Great Sanya :-TU
BTW Is it designed for both x32 and x64?

Many thanks Sanya :wink:

I have no idea… ??? I wasn’t able to get 32-bit Dev C++ working on my system, so I used Orwell’s 64-bit Dev C++… If someone could try it on 32-bit and see if it works, that would be great. If it doesn’t work… I have no idea how to fix it, but I’ll try. ;D

Edit: It seems to be 64bit only, I’ll see if I can fix that.
Edit 2: Currently doesn’t look so good; the compiler is supposed to use the 32-bit compiler but for some reason skips it…
Edit 3: Got it! Attached a 32bit version to this post and my other post.

TestViruscope.exe (x86) - SHA1 37ADAD07CCFA820CEC15D1288DFBDCB16EAE9BE4 Virustotal

Edit 4: Could those who try it report back if it works or not and if Viruscope shows alert?
Edit 5: Also the actual code is the same as the 64bit version, the only difference is the compiler used.

[attachment deleted by admin]

Works perfectly fine for me :-TU

Updated my test application.

Release 1.0.1.5

Changes:

  • Changed the name to include a space and show whether it is intended for 32 or 64 bit Windows.
  • Started with version information.
  • Added icon.
  • Removed unnecessary headers.

Test Viruscope 32.exe - SHA1 9E01470702C69C6FBCEFE98C140A5905D876448C Virustotal
Test Viruscope 64.exe - SHA1 EA79B2E277C6EBF31069290363BC150B2199D8D7 Virustotal

[code=32 bit]
#include <cstdlib>
#include <windows.h>

int main()
{
	// Move self to auto-run (quotes and backslashes escaped inside the C string)
	system("move \"Test Viruscope 32.exe\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\" ");
	return 0;
}
[/code]



[code=64 bit]
#include <cstdlib>
#include <iostream>

int main() 
{
	// Move self to auto-run
	system("move \"Test Viruscope 64.exe\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\" ");
	return 0;
}
[/code]

[attachment deleted by admin]

Thanks Sanya

This is a very good way of triggering VC alerts to test reversal etc.

I guess it’s a complement to the use of explorer++, as you could use explorer++ (if needed in conjunction with files run by it) to perform most recognised action sets, and so to test all recognisers, whereas this one is currently limited to one.

One possibility would be an unknown .exe file that took another file or files (preferably files) to run as a parameter. That would get over the problems with files needing to be unknown, and one would be able to test recognition of any action set performable by any run files (eg say explorer++ and regedit).

(Just setting you a challenge :slight_smile: )

Best wishes

Mike

I’m thinking about making it able to test all the recognizers and then let the user define what method to test at launch, but given my limited programming knowledge that’s quite a challenge, and I’m not sure I’d be able to update it to test new recognizers as they come.

The main reason I created the program was to speed up the testing and make it easier.

What I could do is make the application give the option of running a bat file with the same name; then you could specify different things to do in the bat file, and because it would be started by the test application, the actions done by the bat file should be reverted if the test application is reverted… At least that’s what I think? ???

Basically what you see in the code is what I remember of programming, everything else I need to re-learn… and I didn’t get very far the first time to begin with!

Edit: Also, I’ll stick with only a 32-bit application for future versions, simply because it will run on both 32- and 64-bit systems, and it doesn’t really make any sense making a 64-bit program; it just takes more time.

I suspect there will be too many recognised activities for that to be practical, unless you have lots of time? There may be several 10s or maybe 100s of activities in the end. I’d suggest a .exe that can run other .exes (several at once). This should work because activity sets are recognised across process trees.

Batch files are not recognised by VC yet.

Basically my idea is that you would start the application and get a list of different methods, then you can press 1 and enter for method one which would be the current method of testing, pressing 2 and enter would do another method for example the registry thing. Basically it wouldn’t run them all on launch but rather let the user decide what to test.

Could you explain more in-depth here? I don’t know how to make a GUI so all ideas must be possible through CLI :wink:

I could try making something that starts all applications in the folder the .exe is in, however I believe that it should only start applications with certain names, for example it could start ViruscopeTestFile*.exe? Would that be good enough?

I figured that if an unknown executable launches a batch file then that would be monitored too, but perhaps I’m wrong.

Any file may have a parameter list associated with it eg iexplore www.google.com

So I suggest something like

Runit.exe “c:\fred.exe” “c:\program files\mary.exe” …etc

Obviously you can use an OS or many other utilities. But if you make one, it can be kept unknown, simply by arranging to compile into it a text string you change or some such. (Any change in the code that is passed through the compiler will affect the sig).

I figured that if an unknown executable launches a batch file then that would be monitored too, but perhaps I'm wrong.

Worth checking, though you’d think they’d use it in recognition if they could do that.

Do you get VC alerts if HIPS is on, by the way?
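A sketch of the Runit.exe launcher Mike suggests above (an added example, not Sanya's program or any Comodo code): it takes executable paths as arguments, quotes each one so paths with spaces survive cmd.exe (the quoting Sanya's 32-bit post tripped over), and launches them in turn so their activity lands in this process's tree. The build tag string and the names here are assumptions of this example.

```cpp
#include <cstdlib>
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Constructed build tag (assumption): change this string and recompile to get
// a fresh hash, which is how Mike suggests keeping the launcher "unknown".
static const char kBuildTag[] = "runit-test-build-0001";

// Wrap a path in double quotes so cmd.exe treats "c:\program files\mary.exe"
// as a single token. Backslashes need no escaping in the cmd.exe command line.
std::string quoteArg(const std::string& path) {
    return "\"" + path + "\"";
}

// Default launcher: hand the quoted command to the shell and return its exit code.
int launchWithSystem(const std::string& cmd) {
    return std::system(cmd.c_str());
}

// Launch every target through `launcher` and collect exit codes. Viruscope
// recognises activity across process trees, so what the children do should
// be attributed back to this unknown parent (this is the point of the test).
std::vector<int> runTargets(const std::vector<std::string>& targets,
                            const std::function<int(const std::string&)>& launcher = launchWithSystem) {
    std::vector<int> codes;
    for (const std::string& t : targets) {
        codes.push_back(launcher(quoteArg(t)));
    }
    return codes;
}

int main(int argc, char** argv) {
    if (argc < 2) {
        std::cerr << "usage: Runit.exe \"c:\\fred.exe\" \"c:\\program files\\mary.exe\" ...\n";
        return 1;
    }
    std::vector<std::string> targets(argv + 1, argv + argc);
    std::cout << "build tag: " << kBuildTag << "\n";
    for (int code : runTargets(targets)) {
        std::cout << "child exit code: " << code << "\n";
    }
    return 0;
}
```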