Advanced options or actually useful information

Hi & thank you for providing such an interesting protection for free.
However I have some gripe with how the anti-virus handles software with unknown trust status.

Here’s an example scenario in which Comodo asked me to take an action yet

  • No useful information is given to help me choose an action (besides some oversimplified risk evaluation)
  • None of the actions are really useful to help me get information.

Suppose I try to run some application from internet.
I also know the application has limited distribution (not popular / mainstream).
Given the context in which I got the file and my experience, the file is probably legit.
However I do not have 100% confidence and would like to use CIS as a safety net.
I run the application and have a CIS popup:

Risk - High
Ignore - Clean

So now how do I take a decision ?

  • Is it a heuristic or confirmed detection ?
  • If heuristic what rules have triggered it ? Is it simply a packed application ?
  • If confirmed on what criteria ? What does “high risk” mean ?
  • High level of damage or high probability of doing something … what ?

More importantly at this time I want to know

  • Does it do anything (change on system) far from its apparent functionality ?
  • Does it make automatic changes on the system upon execution ?
  • If left unprotected what change would stay - say after two reboot ?
  • Does it transmit any information over the net ? Safe server destination ?
  • Is it classified as a “malware” because of what it actually does ? - or what it can be used to do in some cases ?
    IE “Hacktool”, security or homemade administration software

The last point is especially important for me because it looks like I do not always agree with the antivirus about the definition of what is a malware. Having more details on the classification than “Unclassified” would greatly help me… even if I have to click on “detail” -> “even more detail” in order to keep the simplified user interface.

I will now see the choice I have:

  • Clean
      • Not an option, I identified the file as being probably legit
  • Ignore Once
      • Probably the best option, provided I have D+ to observe the unknown file.
      • Unfortunately it’s useless here, I keep having the same popup again and again.
  • Add to my own safe file
      • I cannot tag the file as safe for now, until I actually manage to run it.
  • Report as false alert
      • Unfortunately the only way to close that detection dialog.

Some actions I’d like to have

  • Ignore Once (one that actually really ignores the file for this execution !! )
  • Get a second opinion: using or other service
  • Access risk: Run this particular file in maximum security sandbox & log denied events
  • Step by step: Run this particular file in paranoid mode
  • Adjust heuristic settings
    especially useful for Heur.DualExtension & maybe packer detection.

One last thing: 36 threats detected so far

That statistic is misleading.

In my case it’s more like 36 anti-virus events that are logged about the same threats due to the inability of the antivirus to actually ignore a file when told so.

For those interested … in the end the file was harmless (by my definition) as is usually the case

I understand that I am “far” from the take no risk & clean scenario
but I’d like the ability to judge things from an objective standpoint if I doubt the detection

maybe just a right click option > “paranoid mode for this particular file and descendant” would be best for me.
a kind of reversed installation mode with more prompts.

I think this is a very good idea, as long as these options aren’t default. Still, giving the choice to show these extra options could be very beneficial, especially getting a second opinion. There could be the option to have it automatically uploaded to virustotal so you can see its score before making your decision.