Add extended "Adware detection / cleaning" capabilities to CAV / CIS

Isn’t the following function of the AV component already doing what is requested here?

Detect potentially unwanted applications-Comodo Help

Detect potentially unwanted applications - When this check box is selected, Antivirus also scans for applications that (i) a user may or may not be aware are installed on their computer and (ii) may have functionality and objectives that are not clear to the user. Example PUAs include adware and browser toolbars. PUAs are often installed as an additional extra when the user is installing an unrelated piece of software. Unlike malware, many PUAs are 'legitimate' pieces of software with their own EULA agreements. However, the 'true' functionality of the software might not have been made clear to the end-user at the time of installation. For example, a browser toolbar may also contain code that tracks a user's activity on the Internet. (Default = Enabled)

Hi captainsticks,

the AV component failed at this, indeed.

Ok, let me go further into my former example:

On April 18th, I posted the following “online installer” and its further downloaded components to be (hopefully) “blacklisted”.

WondershareVideoEditor360_Win-Downloader.exe

It was available for download at freeware.de for exactly one day (being a “giveaway” action).

In fact, it was rather one of those “pre-installers” giving additional install choices.
It self-destructed (!) immediately after the preinstall / install procedure.

This (pre)installer / downloader was not recognized by Comodo, of course, so one had to explicitly “allow” it.

Since freeware.de is a rather popular and old site, let’s say “trusted?” here in Germany, I presume a lot of “inexperienced” users would have also allowed it. To test what nasty things it would possibly do to my PC, I did so, I played naive and I dared. :wink:

Since this site (unfortunately?) seems to be “trusted” by a lot of “inexperienced users” they would perhaps not have deselected the additional offers to be installed as well.
And even if they’d had deselected ALL of them, some of them would’ve left traces / roaming files nonetheless (I also tried that variant and some of it succeeded).

Amongst the files that now were installed by the “preinstaller” / downloader were the ones I already posted (and even some more).

One of them was called:

serv.exe

Detected by 11 Antivirus Programs on April 18th, not by Comodo though.

Ad-Aware: Trojan.Spy.YPK (20140418)
AntiVir: Adware/AgentCV.A.3743 (20140418)
BitDefender: Trojan.Spy.YPK (20140419)
Emsisoft: Trojan.Spy.YPK (B) (20140418)
F-Secure: Trojan.Spy.YPK (20140418)
GData: Trojan.Spy.YPK (20140418)
Ikarus: Spyware.Bup (20140418)
MicroWorld-eScan: Trojan.Spy.YPK (20140418)
TrendMicro: ADW_AGENT (20140418)
TrendMicro-HouseCall: ADW_AGENT (20140418)
nProtect: Trojan.Spy.YPK (20140418)

Dangerous or not? Who’s to decide?

So I reported it here at the forum to be blacklisted, on April 18th.

An update (June 23rd !) on this file, now being called bup.exe (identical signature, by the way!) gave 12 results (still not detected by Comodo though) :

Ad-Aware: Trojan.Spy.YPK (20140623)
AntiVir: Adware/AgentCV.A.3743 (20140623)
BitDefender: Trojan.Spy.YPK (20140623)
Emsisoft: Trojan.Spy.YPK (B) (20140623)
F-Secure: Trojan.Spy.YPK (20140623)
GData: Trojan.Spy.YPK (20140623)
Ikarus: Spyware.Bup (20140623)
MicroWorld-eScan: Trojan.Spy.YPK (20140623)
Norman: Suspicious_Gen4.GFTOZ (20140623)
TrendMicro: ADW_AGENT (20140623)
TrendMicro-HouseCall: ADW_AGENT (20140623)
nProtect: Trojan.Spy.YPK (20140623)

Dangerous or not? Who’s to decide?

So what had I done?

I had allowed the installer, rather call it “preinstaller”, (i.e. let CIS treat it as “installer”, as most novices would probably have done) and CIS allowed all this stuff to create lots of weird things on the PC in consequence, without detecting a single one of them as explicitly “malicious”. Had to use about 10 different malware scanners and lots of manual registry twiddling / folder search until the PC finally got rid of all that stuff again. Now let me guess that many novices would have had to set up their OS totally new from scratch?

Ok what’s the point? Imho CIS should’ve blocked those malicious files even with a novice user failing in his decision, that is: agreeing on them to be installed if he trusted the download site which indeed claimed “100 % virus free” for any of their software, including this one.

Comodo did not detect any malware, just reported “unknown files” until allowed by the user.

Any novice user might’ve guessed: Ok, as it’s a special, yet declared “safe” installer for today, it just might not yet be recognized by CIS as “safe”, so I’ll tell CIS to accept it, because tomorrow the offer will be gone… 88)

More than two months later (!) he might still be infected without (ever?) knowing it, just because having made one single “wrong decision”, i. e. having once and (probably) forever allowed a presumably “virus checked” software downloaded from a presumably “safe, virus checked” site.

If Comodo had in fact detected those malicious files as “malicious”, there wouldn’t have been any need to “ask” the user for any kind of allowance. It should have blocked and quarantined them right out of the box.

qmarius would’ve added the following, methinks: :wink:

If CIS had been immunizing the system against this kind of nasty before trying to install this software, there’d have been no possibility whatsoever for this thing to be installed, even with a user trying to naively “allow” and “trust” it.

Kind regards, REBOL. :slight_smile:

I think the issue here is that the functionality to detect PUP is already added to CIS. Therefore, technically this wish has already been fulfilled. However, you are saying that the effectiveness of the detections is not as sensitive as it should be.

I think the best way to handle this would be to pursue this for the files which are not detected, but which you believe should be. For example, please post a link to the topic you created for submitting this one. This way it can be investigated further.

Does this sound okay to you?

Thanks.

Well, Chiron,

the link I already gave in my second post in this thread.

https://forums.comodo.com/av-false-positivenegative-detection-reporting/submit-malware-here-to-be-blacklisted-2014-no-live-malware-t100707.0.html;msg755294#msg755294

Problem is, of course, still about CIS detection possibilities concerning this kind of

“I-am-just-a-friendly-adware-laden-download-helper-installer-with-some-shady-trojan-download-capabilities-integrated-for-free-WARE”. Or whatever you’d like to call all those In-between–almost-everything-WARE.

So even if there’d be an immunization function integrated into CIS, as qmarius kindly suggested in addition to my wish, this problem would not totally be solved, I guess, as immunization itself mostly depends on databases as well, as does detection functionality.

As I already stated (more than once), I’d like to see CIS having full capabilities of detecting ANY *-ware whatsoever. And then LET THE USER DECIDE FOR HIMSELF by selecting / deselecting anything in case he REALLY wants to keep some particular *-ware on his system or not (including even so-called “harmless” things like Google Toolbar, indeed)… Just like AdwCleaner does. I like that little prog, and had to use it quite more than once during last year, i. e. every time when CIS’ CAV module had “failed” (even if by intention) to detect such things.

Kind regards, REBOL.

PS: Why not simply ask XPlode team to somehow collaborate with COMODO on this?
Maybe they’d allow COMODO to integrate AdwCleaner as an additional / optional module for free? Just a thought. Thanks. :wink:

Maybe you can contact them via the forum: :wink:

http://forum.general-changelog-team.fr/viewforum.php?f=53

Kind regards, REBOL. :slight_smile:

MorphOS REBOL, please create a new submission topic particular to the adware you are describing. Then, once that is created, post a link to it in your reply.

Thanks.

I will do so, if desired, Chiron, but that won’t really change that CIS inherent problem (or may I call it “intended *-ware friendly attitude so far”?) itself for the future, am I right?

The original installer, as I already stated, CAN NOT be downloaded anymore / anywhere (“great one day only offers”, you know?..), but it may still lurk on some systems out there, and new variants of all kinds will appear frequently “in the wild”, I am totally sure. Awaiting users response anytime they “detect” some nasty by themselves/after having been hit by such a nasty (as much as some of us, including myself, seem to love contributing by asking for things to be white-/blacklisted) is not a serious solution for a serious security company as COMODO - just for an example- is, don’t you agree with me on this?

The only solution I can see for the future is to adapt (as of now) others’ (maybe they’re still regarded outsiders, specialists or something, I don’t care, they’ve got my deepest respect) “strategies” regarding *-Ware. Let’s give it a name? Ok. How about "Any-*-Ware" with the obvious exclusion of any real, worthwhile Software?

This won’t (and shall not) kill “adware” as such, yet it has to be given into the USERS hands to scan for and, BY THEIR OWN DECISION, uninstall ANY kind of that - sorry, just my opinion, at times dangerous - CRAPWARE. 88)

Thanks for reading.

Kind regards, REBOL.

The problem is that it is a very fine line for many products. Sadly, since scanning for PUP’s is already added to CIS, the only approach which I can see to take is to report any which you believe have been missed. Then, the best way to do this is to create a new topic for submitting it. That way you can bump it, and draw attention if you feel a mistake has been made.

Would you mind if I moved this Wish Request to Rejected as the functionality you have requested has already been added, but may need to be tweaked for greater effectiveness?

Thanks.

Erm…, let’s be honest, not THAT much of a “fine line” anymore? Staying informed (rather not by the mass media) might be the very key for making certain decisions?

I DO, in fact, LIKE (not on FB, though, I won’t do that) :wink: ONE word here, to be more exact: “SADLY”. It’s obvious that certain *ware is being handled as friendly ware by CIS. Nice, but that’s really taking certain decisions out of the hands of Comodo’s users. I am not amused in any way by that momentary status.

No, Chiron, I have to disagree with you on that (sorry again). That’s NOT the best way, honestly NOT.
Comodo COULD (and should! ;)) care about those concerns. I’ve been criticizing Comodo rather seldom in the past, as you might know by now. Yes, that is a rare thing for ol’ Comodo “fanboy” me, ain’t it?
This time I do, though. (I won’t use the word “dare” this time :slight_smile: )

Yes, Chiron, I WOULD really mind if you did that. Because of why? Well… The “functionality” I have allegedly “requested” has NOT been added YET. NO, it’s not about “tweaking” or just “enhanced malware detection rates” (a thing CAV might severely be in need of, btw, but that’d be another, rather old topic ;)). I am NOT talking about that. It’s more about ethical principles.

Know what? Any US based software is being regarded as totally UNTRUSTABLE at this very moment by LOTS OF PEOPLE over here in Europe, and while I’m still trying to hold the very flag way up for Comodo by trying to make Comodo PROVE that their software still DOES CARE for their Users’ security AND privacy (against even mainstream media publishing otherwise concerning US based software companies), both of which are DIRECTLY correlated nowadays, you tell me to just name a handful of files I don’t trust. Sorry, but it’s about MUCH MORE than that. Yes, SAD to have to say so, but that simply cannot be denied. Even Snowden cannot be denied, even if one wanted the memory of him to vanish forever in the clouds of never. Every honest company / software provider / (wo)man :wink: has to RETHINK himself / herself / itself in these our very times. If NOT, there ain’t an acceptable future regarding humans being online. And Internet itself will be a weird thing of the past fondly remembered in near times. You think I’m joking? I am not.

Thanks for reading, Chiron. And, if you please, RETHINK the above.

Kind regards, REBOL. :slight_smile:

Btw., I’d really like to hear Melih’s opinion on that. :slight_smile:
He’s the one I trust the most at Comodo. (pardon me, Chiron, I do regard you as trustable and very honest, even if our opinions sometimes seem to differ somewhat).

I understand your frustration, but please do understand that there are criteria which must be met in order for a topic to be forwarded as a Wish. I am not trying to censor you, or silence this issue, but I cannot see this Wish Request meeting these criteria.

Thus, I think the best approach, for what your main concerns are, is to create a new topic in the Feedback section. That is the best way to find support, and discussion, about an issue like this.

I will therefore move this Wish Request to Rejected, as it does not meet the criteria needed for potential added enhancements to the CIS software.

Thank you, and I hope you understand (at least to the extent that you understand that while perhaps valid this does not fit the criteria).