A. THE BUG/ISSUE (Varies from issue to issue)
Can U reproduce the problem & if so how reliably?:
If U can, exact steps to reproduce. If not, exactly what U did & what happened:
1:I ran the virus on the default settings for CIS (except that Viruscope was enabled)
2:After running the virus had spread all over the place on the external disk USB
3:The virus put shortcuts on My Apps, and is also opening any shortcut automatically starts the virus
4: After testing this I killed the process using Killswitch and choosing "terminate tree and reverse "
5: However, not all actions were undone.
One or two sentences explaining what actually happened:
The vbs file, although monitored by Viruscope and not trusted, was allowed to make actions which were not undone using terminate tree and reverse.
One or two sentences explaining what you expected to happen:
If monitored the actions for all files should be able to be undone if “terminate tree and reverse” is selected.
If a software compatibility problem have you tried the conflict FAQ?:
Any software except CIS/OS involved? If so - name, & exact version:
Any other information, eg your guess at the cause, how U tried to fix it etc:
After extensive testing on viruscope it appears that it does not support reversal of the extensions vbs and bat. bat has been tested more than once and by more than one sample, and the in each test the actions were not reversed. This is shown in the attached video.
Looking at the show activites shows that viruscope monitored the movements of each sample of the type of bat, vbs but when you work “terminate tree and reverse” of killswitch you find that it does not reverse any of the events that were left behind by the sample.
I think the reason that this bug may occur because this extension type works through other processes which are trusted, such as in this case wscript.exe, where the sample works through the implementation of commands through the process wscript.exe.
test inside sandbox (*vbs)
test outside sandbox (*vbs)
test outside sandbox (*bat)
B. YOUR SETUP
Exact CIS version & configuration:
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Default configuration (except Viruscope is enabled)
Have U made any other changes to the default config? (egs here.):
Just enabling Viruscope
Have U updated (without uninstall) from CIS 5 or CIS6?:
if so, have U tried a a a clean reinstall - if not please do?:
Have U imported a config from a previous version of CIS:
if so, have U tried a standard config - if not please do:
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
In real system , windows 7 x64
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system: