Hi captainsticks,
the AV component failed at this, indeed.
Ok, let me go further into my former example:
On April 18th, I posted the following “online installer” and its further downloaded components to be (hopefully) “blacklisted”.
WondershareVideoEditor360_Win-Downloader.exe
It was available for download at freeware.de for exactly one day (being a “giveaway” action).
In fact, it was rather one of those “pre-installers” giving additional install choices.
It self-destructed (!) immediately after the preinstall / install procedure.
This (pre)installer / downloader was not recognized by Comodo, of course, so one had to explicitly “allow” it.
Since freeware.de is a rather popular and old site, let’s say “trusted?” here in Germany, I presume a lot of “inexperienced” users would have also allowed it. To test what nasty things it would possibly do to my PC, I did so, I played naive and I dared.
Since this site (unfortunately?) seems to be “trusted” by a lot of “inexperienced users” they would perhaps not have deselected the additional offers to be installed as well.
And even if they had deselected ALL of them, some of them would’ve left traces / roaming files nonetheless (I also tried that variant and some of it succeeded).
Among the files that were now installed by the “preinstaller” / downloader were the ones I already posted (and even some more).
One of them was called:
serv.exe
Detected by 11 antivirus programs on April 18th, not by Comodo though.
Ad-Aware Trojan.Spy.YPK 20140418
AntiVir Adware/AgentCV.A.3743 20140418
BitDefender Trojan.Spy.YPK 20140419
Emsisoft Trojan.Spy.YPK (B) 20140418
F-Secure Trojan.Spy.YPK 20140418
GData Trojan.Spy.YPK 20140418
Ikarus Spyware.Bup 20140418
MicroWorld-eScan Trojan.Spy.YPK 20140418
TrendMicro ADW_AGENT 20140418
TrendMicro-HouseCall ADW_AGENT 20140418
nProtect Trojan.Spy.YPK 20140418
Dangerous or not? Who’s to decide?
So I reported it here at the forum to be blacklisted, on April 18th.
An update (June 23rd!) on this file, now being called bup.exe (identical signature, by the way!) gave 12 results (still not detected by Comodo though):
Ad-Aware Trojan.Spy.YPK 20140623
AntiVir Adware/AgentCV.A.3743 20140623
BitDefender Trojan.Spy.YPK 20140623
Emsisoft Trojan.Spy.YPK (B) 20140623
F-Secure Trojan.Spy.YPK 20140623
GData Trojan.Spy.YPK 20140623
Ikarus Spyware.Bup 20140623
MicroWorld-eScan Trojan.Spy.YPK 20140623
Norman Suspicious_Gen4.GFTOZ 20140623
TrendMicro ADW_AGENT 20140623
TrendMicro-HouseCall ADW_AGENT 20140623
nProtect Trojan.Spy.YPK 20140623
Dangerous or not? Who’s to decide?
So what had I done?
I had allowed the installer, rather call it “preinstaller” (i.e. let CIS treat it as “installer”, as most novices would probably have done), and CIS allowed all this stuff to create lots of weird things on the PC in consequence, without detecting a single one of it as explicitly “malicious”. I had to use about 10 different malware scanners and lots of manual registry twiddling / folder search until the PC finally got rid of all that stuff again. Now let me guess that many novices would have had to set up their OS totally new from scratch?
Ok, what’s the point? Imho CIS should’ve blocked those malicious files even with a novice user failing in his decision, that is: agreeing to them being installed if he trusted the download site, which indeed claimed “100 % virus free” for any of their software, including this one.
Comodo did not detect any malware, just reported “unknown files” until allowed by the user.
Any novice user might’ve guessed: Ok, as it’s a special, yet declared “safe” installer for today, it just might not yet be recognized by CIS as “safe”, so I’ll tell CIS to accept it, because tomorrow the offer will be gone… 88)
More than two months later (!) he might still be infected without (ever?) knowing it, just because of having made one single “wrong decision”, i.e. having once and (probably) forever allowed a presumably “virus checked” software downloaded from a presumably “safe, virus checked” site.
If Comodo had in fact detected those malicious files as “malicious”, there wouldn’t have been any need to “ask” the user for any kind of allowance. It should have blocked and quarantined them right out of the box.
qmarius would’ve added the following, methinks:
If CIS had been immunizing the system against this kind of nasty before trying to install this software, there’d have been no possibility whatsoever for this thing to be installed, even with a user trying to naively “allow” and “trust” it.
Kind regards, REBOL.
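The comparison REBOL walks through above (11 vendors on April 18th, 12 on June 23rd, the same sample under two names, Comodo absent both times) as an added example, not REBOL's or Comodo's code: a small Python triage script that parses multi-scanner listings in the "Vendor Verdict YYYYMMDD" form quoted in the post, diffs vendor coverage between the two dates, collapses the vendor-specific names into coarse classes (which is what "dangerous or not?" comes down to), and counts distinct verdict strings as a rough proxy for how many independent engines actually sit behind the detection count. The sample data is copied from the two listings in the post; the classification keywords and the "Comodo" watch vendor are assumptions of this example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample data: the two multi-scanner listings quoted in the post
# (vendor, verdict, scan date as YYYYMMDD), embedded so the script runs offline.
# The binary itself (serv.exe / bup.exe) is not available here.
SCAN_2014_04_18 = """
Ad-Aware Trojan.Spy.YPK 20140418
AntiVir Adware/AgentCV.A.3743 20140418
BitDefender Trojan.Spy.YPK 20140419
Emsisoft Trojan.Spy.YPK (B) 20140418
F-Secure Trojan.Spy.YPK 20140418
GData Trojan.Spy.YPK 20140418
Ikarus Spyware.Bup 20140418
MicroWorld-eScan Trojan.Spy.YPK 20140418
TrendMicro ADW_AGENT 20140418
TrendMicro-HouseCall ADW_AGENT 20140418
nProtect Trojan.Spy.YPK 20140418
"""

SCAN_2014_06_23 = """
Ad-Aware Trojan.Spy.YPK 20140623
AntiVir Adware/AgentCV.A.3743 20140623
BitDefender Trojan.Spy.YPK 20140623
Emsisoft Trojan.Spy.YPK (B) 20140623
F-Secure Trojan.Spy.YPK 20140623
GData Trojan.Spy.YPK 20140623
Ikarus Spyware.Bup 20140623
MicroWorld-eScan Trojan.Spy.YPK 20140623
Norman Suspicious_Gen4.GFTOZ 20140623
TrendMicro ADW_AGENT 20140623
TrendMicro-HouseCall ADW_AGENT 20140623
nProtect Trojan.Spy.YPK 20140623
"""

# One listing line: a vendor token, a verdict (may contain spaces, e.g. "(B)"), a date.
LINE_RE = re.compile(r"^(?P<vendor>\S+)\s+(?P<verdict>.+?)\s+(?P<date>\d{8})$")


def parse_scan(text: str) -> Dict[str, str]:
    """Map vendor -> verdict string. Raise on a line that does not fit the format
    rather than silently dropping it, so a truncated paste is noticed."""
    results: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable scan line: {line!r}")
        results[m["vendor"]] = m["verdict"]
    return results


def classify(verdict: str) -> str:
    """Collapse vendor naming into a coarse class. The keyword list is an
    assumption of this example; order matters ("AgentCV" contains "gen")."""
    v = verdict.lower()
    if "adware" in v or "adw" in v or "pup" in v:
        return "adware"
    if "spy" in v or "trojan" in v:
        return "spyware/trojan"
    if "suspicious" in v or "gen" in v:
        return "heuristic/generic"
    return "other"


def summarize(scan: Dict[str, str]) -> Dict[str, int]:
    """How many vendors land in each coarse class."""
    return dict(Counter(classify(v) for v in scan.values()))


def distinct_verdicts(scan: Dict[str, str]) -> int:
    """Vendors that license the same engine return identical verdict strings,
    so the number of distinct strings is a rough lower bound on independent engines."""
    return len(set(scan.values()))


def coverage_diff(old: Dict[str, str], new: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Vendors that started detecting / stopped detecting between two scans."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


def triage(old_text: str, new_text: str, watch_vendor: str) -> dict:
    """Full comparison of two listings, plus whether the vendor we care about detects."""
    old, new = parse_scan(old_text), parse_scan(new_text)
    added, dropped = coverage_diff(old, new)
    return {
        "old_count": len(old),
        "new_count": len(new),
        "added": added,
        "dropped": dropped,
        "old_classes": summarize(old),
        "new_classes": summarize(new),
        "distinct_old": distinct_verdicts(old),
        "distinct_new": distinct_verdicts(new),
        "watch_vendor_detects": watch_vendor in new,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SCAN_2014_04_18, SCAN_2014_06_23, "Comodo"), indent=2))
```

Run as-is, it reports that only Norman was added between the two dates, that eight of the vendors agree on a spyware/trojan verdict while three call it adware and one flags it heuristically, and that the twelve detections boil down to six distinct verdict strings, which is the caveat to keep in mind before treating "12 of N" as twelve independent opinions.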