Another bypass?

Hi, guys!

I’m testing CIS v5 on VMware Player v3.1.3.
Today I downloaded “anti-malware-pro-v04.exe” file from malc0de.
On-demand AV scan finds nothing (7.jpg)… Cloud scanning is enabled and Heur is set to Medium; DB is 7093.
VirusTotal scan reports 7/43 detection rate (3_1.jpg ; 3_2.jpg).
This file uses a valid SecureSoft digital signature (4.jpg) and is recognized as a Safe application by Comodo (5.jpg; 8.jpg). The Trusted files list is empty.
The AM Pro rogue installs normally (1.jpg; 2.jpg) and is later detected by MBAM (6.jpg).

CIS is in Proactive Security configuration
AV=Stateful, FW=Safe Mode, D+=Safe Mode, SB=Untrusted

You can find this piece of malware in the attached .zip file.

If you need any additional info, don’t hesitate to ask.

Thank You and best regards.

Please do not attach possible malware on the Forum. Attachment removed by Moderator.

[attachment deleted by admin]

Hey siketa

May I ask what heuristics setting your AV had? Have you tried with High?
CIS won’t ask if something has a digital signature; this option is marked by default (look at the attached pic).

I find it strange that CIS is letting this through due to the digital signature. I will take this file for analysis. Do you mind if I take your pics?

Regards,
Valentin

[attachment deleted by admin]

With On-demand Heur set to High CIS also doesn’t detect it (yet). :frowning:
Even when I untick option “Automatically trust files from trusted installers” the rogue can be installed. ???
You can do whatever you want with these files. There are no copyright logos. :wink:

EDIT: I see that the Mod has removed the sample. If someone needs to test, I can send it via PM.

I took the malware file before the mod removed it ;D. I have sent it to the malware research forums.

Regards,
Valentin

The problem is that “SecureSoft” somehow got onto the Comodo list of trusted vendors. >:-D

I think they have already made at least two major TVL updates since CIS v5 has been released. 88)
And it’s still not completely reliable… :-\

Melih, that would be -20% on December’s earnings for all in “TVL division”, right? >:-D

That setting means that any files created by a trusted installer are also trusted…

Thanks for adding that, HeffeD. :slight_smile:

As I pointed out in this forum, Antimalware Pro 2011 bypasses Comodo.
Thanks for this, siketa!

:smiley:

A question. I know this thread concerns Comodo AV but gotta ask.

Concerning anti-malware-pro-v04.exe: it got by Comodo AV, but was it sandboxed? Did Defense+ catch it? Was it trusted, and what settings do you use: trusted, partially limited, limited or untrusted?

These are questions I ask only because I’m still in the process of looking for the strongest settings on my computer. With Comodo AV, I have heuristics set to medium right now.

CA: http://www.usertrust.com/ 88)

[attachment deleted by admin]

[quote]I took the malware file before the mod removed it . I have sent it to the malware research forums.
[/quote]
I already reported these files 2 weeks ago, still no detection. I’m sure Comodo is still infecting its users. I’m not surprised, really!

They are checking it. :slight_smile:

Yes, this issue is starting to be annoying and very dangerous!

I was testing CIS5 against a bunch of malc0de.com’s malware samples (I downloaded about 200 samples! Proactive profile, SB untrusted), and my testing showed me that:

1. The Comodo antivirus is weak in detection and needs improvements.

2. But still no malware, not even one, could compromise the system, thanks to the sandbox and Defense+! Yes, some malicious temp files got dropped, but they couldn’t do any harm to the system. :-TU :-TU

3. The big problem is the valid signatures! I found like 4 or 5 malware samples with valid signatures that Comodo trusts. :-TD And of course the automatic sandboxing didn’t work and the system got infected.

Unfortunately I didn’t save them to report them to Comodo, for lack of time, but if one of the developers or mods has some time to test the malc0de.com malware, he will definitely find them and get this serious issue solved.

I hope that Comodo will take care of this important issue soon, just to keep CIS5 solid as always…

Can you please tell us which malware samples have valid signatures? Can you tell us the name of the signature holder?

Please don’t post links to or attach malware in your post. Instead submit them to Camas and provide the url of the Camas analysis pages for the Comodo people.

OK,

is SecureSoft going to get kicked out of the TVL, or is there another way to deal with digitally signed malware?

Only thing to do is when you find one submit it to Comodo to create signatures. First thing CIS does is check whether something is malware. The TVL is later in the vetting process.

OK, this is an example of what I was talking about in my last post. I searched a little bit on the malc0de.com lists and found this a minute ago. It’s not a signed one, but it’s whitelisted, and scanned online it’s found safe! So the sandbox was disabled when I executed it and the system got infected…

http://camas.comodo.com/cgi-bin/submit?file=801aae031a9ef5b3eec399fe44cf7e4354c3d64ddc000221cc0f47300aad4b5b

And on VirusTotal it says it’s detected by Comodo as TrojWare.Win32.Trojan.Agent.~LVF!! I don’t have a clue how this could ever happen.

http://www.virustotal.com/file-scan/report.html?id=801aae031a9ef5b3eec399fe44cf7e4354c3d64ddc000221cc0f47300aad4b5b-1292625831

Umm, use Sandboxie?

Since you are well versed in running nasties on your virtual machine, would you (or have you) tested that malware inside Sandboxie?

Is this the kind of malware that just installs itself when the computer is re-booted?
Or does the “noob” have to actually choose to run it?
Or is it the kind where, no matter what the “noob” clicks the malware runs?
Sorry for all the “noob” questions. I’m a noob, so sue me. ;p

Frankly, as much as I adore CIS, I consider Sandboxie my “First line of defense”.

How long will it normally take for the process to initiate an update of the TVL?