Another bypass ?

Hi, guys!

I’m testing CIS v5 on VMware Player v3.1.3.
Today I downloaded “anti-malware-pro-v04.exe” file from malc0de.
On-demand AV scan finds nothing (7.jpg)…Cloud scanning is enabled and Heur is set to Medium; DB is 7093.
VirusTotal scan reports 7/43 detection rate (3_1.jpg ; 3_2.jpg).
This file uses valid SecureSoft digital signature (4.jpg) and is recognized as Safe application by Comodo (5.jpg; 8.jpg). Trusted files list is empty.
AM Pro rogue is normally installed (1.jpg ; 2.jpg) and later detected by MBAM (6.jpg).

CIS is in Proactive Security configuration
AV=Stateful, FW=Safe Mode, D+=Safe Mode, SB=Untrusted

You can find this piece of malware in attached .zip file.

If you need any additonal info, don’t hesitate to ask.

Thank You and best regards.

Please do no attach possible malware on the Forum attachement removed by Moderator

[attachment deleted by admin]

Hey siketa

may I ask what settings your AV had in heuristic? Have you tried with high?
CIS won’t ask if something has digital signature; this option is marked by default (look at the attached pic).

I find it strange that CIS letting this through due to digital signature. I will take this file for analyses. do you mind if I take your pics?


[attachment deleted by admin]

With On-demand Heur set to High CIS also doesn’t detect it (yet). :frowning:
Even when I untick option “Automatically trust files from trusted installers” the rogue can be installed. ???
You can do whatever you want with this files. There are no copyright logos. :wink:

EDIT: I see that Mod has removed the sample. If someone needs to test I can send it via PM.

I took the malware file before the mod removed it ;D. I have sent it to the malware research forums.


the problem is “SecureSoft” somehow get to the comodo list of trusted vendor >:-D

I think they have already made at least two major TVL updates since CIS v5 has been released. 88)
And it’s still not completely reliable… :-\

Melih, that would be -20% on December’s earnings for all in “TVL division”, right? >:-D

That setting means that any files created by a trusted installer are also trusted…

thanks for adding that :slight_smile: HeffeD

as i pointed out in this forum antimalware pro 2011 bypass comodo.
thanks for this siketa!


A question. I know this thread concerns Comodo AV but gotta ask.

Concerning anti-malware-pro-v04.exe: It got by Comodo AV, but was it sandboxed. Did Defense + catch it? Was it trusted and what settings do you use - trust, partially trust, limited or untrusted?

These are questions I ask only because I’m still in the process of looking for the strongest settings on my computer. With Comodo AV, I have heuristics set to medium right now.

CA: 88)

[attachment deleted by admin]

[quote]I took the malware file before the mod removed it . I have sent it to the malware research forums.
i already reported this files 2 week ago, still no detection im sure comodo still infect his users im not surprised, really !

they are checking it :slight_smile:

yes , this issue starting to be annoying and very dangerous !

I was testing cis5 versus a bunch of’s malwares ( I downloaded about 200 samples! - proactive profile - SB untrusted ) , and my testing showed me that :

1- the comodo antivirus is weak in detection, and needs improvements.

2- but still no malware not even one! can compromise the system thanks to the sandbox! and defense+ , yes , some malicious temp files got dropped but they couldn’t do any harm to the system :-TU :-TU

3- the big problem is the valid signatures! , I found like 4 or 5 malwares with valid signatures that comodo trusts !! :-TD , and of course the automatic sandboxing didn’t work and the system got infected.

unfortunately I didn’t save them to report them to comodo for lack of time , but if one of the developers or mods got some time to test the’s malwares , he will definitely finds them and get this serious issue solved.

I hope that comodo will take care of this important issue soon just to keep cis5 solid as always …

Can you please tell us what malwares have valid signatures? Can you tell us the name of the signature holder?

Please don’t post links to or attach malware in your post. Instead submit them to Camas and provide the url of the Camas analysis pages for the Comodo people.


is SecureSoft going to get kicked out of TVL or is there another way to deal with digital signed malware?

Only thing to do is when you find one submit it to Comodo to create signatures. First thing CIS does is check whether something is malware. The TVL is later in the vetting process.

ok , this is an example of what i was talking about in my last post , I searched a little bit on lists and I found this a minute ago , it’s not a signed one but it’s white listed and scanned online and found safe! so the sandbox was disabled when i execute it and the system got infected …

and on virus total it says it’s detected by comodo as a TrojWare.Win32.Trojan.Agent.~LVF !! , I don’t have a clue how this could ever happen

Umm, use Sandboxie?

Since you are well versed in running nasties on your virtual machine, would you (or have you) tested that malware inside Sandboxie?

Is this the kind of malware that just installs itself when the computer is re-booted?
Or does the “noob” have to actually choose to run it?
Or is it the kind where, no matter what the “noob” clicks the malware runs?
Sorry for all the 'noob" questions - I’m a noob - so sue me. ;p

Frankly, as much as I adore CIS, I consider Sandboxie my “First line of defense”.

How long will it normally take for the process to initial an update of TVL?