About the priority for the "file rating" and the TVL

  1. I checked the file by the file rating.

The result is that it is a bad file.

http://cima.security.comodo.com/report/5202096fbff1c1c1c4b82a41d584568d79b5eada.htm

  2. I double clicked on it.

The file was not sandboxed by BB.

  3. It created an autorun entry.

  4. It contains a digital signature.

  5. If I disable the TVL, it will be quarantined by the “file rating”.

  6. Priority:
TVL > file rating

Maybe it is FP.
What do other engines from VirusTotal say about this file?
BTW, I have also noticed that TVL has priority over AV detection.

It can download and install Rising Antivirus in the background.

Well, that is good, isn’t it?
;D
Have you reported it as a potential FP to Comodo lab?

File needs to be checked by Comodo lab to see if it’s really safe (it seems anyway).

Another one

http://cima.security.comodo.com/report/5b1a1d9adab82ad9048d06537cf6bfc481cad1f0.htm

2013-01-24 17:22:59 c:\virus\jo123187364434\jo123187364434.exe .Heur.Suspicious@1 Quarantine Success

It contains no digital signature.

I think this could possibly be because it’s heuristically recognised as suspicious.

But one would think it would be much more sensible to sandbox it.

Could you make an issue report please?

Best wishes

Mouse

The false positives are fixed.

Hello,

This is to inform you that false-positive with xf1590825.exe (SHA1: 5202096fbff1c1c1c4b82a41d584568d79b5eada) has been fixed. You can update to AV database Version 15031 of Comodo Internet Security Version 6.0.260739.2674 and confirm it.

Regards,
Florin Gogoseanu
Comodo Antivirus Lab

Hello,

This is to inform you that false-positive with jo123187364434.exe (SHA1: 5b1a1d9adab82ad9048d06537cf6bfc481cad1f0) has been fixed. You can update to AV database Version 15031 of Comodo Internet Security Version 6.0.260739.2674 and confirm it.

Regards,
Florin Gogoseanu
Comodo Antivirus Lab

This example may have been caused by false positives, but the general issue remains?

Did you ignore an AV alert before or when you double clicked it?

A suspicious file should get sandboxed or quarantined, or the user should be asked, I would think.

Best wishes

Mouse

I think the “TVL > file rating” can reduce false positives.

I think so too, but at what risk? Should this be a setting?

If sandboxed, most files now run OK.

What do others think?

(Did you get an AV alert when or before you double clicked?)

Best wishes

Mouse

At that time, I did not install the AV.

  1. I right clicked on a malware, and ran the scan.

  2. The result was

  3. I added the file to the trusted files.

  4. Then the result became

  5. And the same result is for the realtime scan.

  6. Conclusion:
    The trusted files are not scanned by AV or they are trusted by AV.

“My antivirus killed the system.”

The above one may not occur for CAV users.

Yes, for better or worse, any files in the trusted files list, or signed by a trusted vendor, will not be scanned. This has been the way CIS has worked for a while now and is, at least in my opinion, largely a good thing. Yes, there is the problem of signed malware, and I do have some ideas about that, but it also means that it’s not possible for CIS to have a false positive on a Windows file and destroy your system.
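
The precedence discussed in this thread (TVL and trusted files winning over file rating and AV detection), as an added example that is not part of any post and is not Comodo's code. It is a toy model: every name in it is hypothetical, the samples are constructed, and sandboxing of unknown unsigned files is an assumption. It shows how the "sandbox" or "ask" setting suggested above would change the outcome, and how to list the files where trust overrode a bad verdict.

```python
# Added illustration: a toy model of the precedence reported in the thread.
# Not Comodo's implementation; all names here are hypothetical.
from dataclasses import dataclass
from typing import Optional

@dataclass
class FileInfo:
    name: str
    trusted_vendor_signed: bool   # signer is on the Trusted Vendors List (TVL)
    in_trusted_files: bool        # user added the file to the trusted files
    file_rating: str              # "bad", "unknown" or "safe"
    av_detection: Optional[str]   # detection name, or None if nothing matched

def is_trusted(f):
    return f.trusted_vendor_signed or f.in_trusted_files

def has_bad_verdict(f):
    return f.file_rating == "bad" or f.av_detection is not None

def decide(f, on_conflict="trust_wins"):
    """Return the action taken for a file.

    on_conflict="trust_wins" models the order observed in the thread;
    "sandbox" and "ask" model the alternatives proposed there."""
    if is_trusted(f) and has_bad_verdict(f):
        return {"trust_wins": "run", "sandbox": "sandbox",
                "ask": "ask_user"}[on_conflict]
    if is_trusted(f) or f.file_rating == "safe":
        return "run"
    if has_bad_verdict(f):
        return "quarantine"
    return "sandbox"  # assumption: unknown, unsigned files are sandboxed

def conflicts(files):
    """Names of files where trust overrides a bad verdict (review these)."""
    return [f.name for f in files if is_trusted(f) and has_bad_verdict(f)]

# Constructed samples modelled on the cases described in the thread
SAMPLES = [
    FileInfo("signed_rated_bad.exe", True, False, "bad", None),
    FileInfo("unsigned_heuristic.exe", False, False, "unknown", "Heur.Suspicious"),
    FileInfo("user_trusted_detected.exe", False, True, "unknown", "Constructed.Detection"),
    FileInfo("unknown_unsigned.exe", False, False, "unknown", None),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.name, decide(s), decide(s, "sandbox"))
    print("trust overrode a bad verdict for:", conflicts(SAMPLES))
```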