AV scanning engine question/problem

Ok, here is my problem and maybe one of the devs can chime in. I have a folder with over 3000 malware samples that are undetected by Comodo. Now, I have scanned this folder with Comodo DB 1215 and heuristics on high but it does not find anything else. When I run a scan with Avira on this same folder and Comodo is on stateful, Comodo starts popping up red boxes as Avira is going over some files. What this means is that Comodo does have the signatures but the AV engine cannot find them. What is going on?

Let me know what you think. ???

Hmm… interesting… it seems like on-access is catching it but on-demand is not… (I might be wrong… I asked the guys to take a look)

Melih

Actually, if it's in a RAR file, all the malware needs to be in the root of the file for CAVS to read it, not in a folder inside the RAR. That's from my testing.

I did the scan again and this time I quarantined what it found. Of course it found it inside of the Avira scan files, but here is the screenshot.

[attachment deleted by admin]

Hi Guys,

A few weeks ago I had the same experience.
I scanned the folder using the CIS on-demand scanner and nothing was found. But the on-access scanner of CIS detected viruses (actually worms) when the same folder was scanned by DrWeb CureIt.

At the moment all these virus examples are removed from my computer. But please let me know, if you need them for testing (I’ll try to find them on the computer, which was “the source of infection”).

I hope this gets figured out because it concerns me; maybe some tweaking needs to be done to the scanning engine.

Most likely it does need some tweaks. If you want to send me your CIS config, I can test it on my virtual machine and see if it happens to me also.

Wait, what? What do you want me to send you? ???

Your CIS configuration file

Misc > Manage My configurations > export configuration

Why don't you try this: remove Avira and scan again with Comodo. :) My seventh (not sixth) sense told me this. ;D

Hi Languy,

1 - What is your operating system?
2 - Does this happen on other PCs with this specific set of malware too?
3 - If you can reproduce this all the time, would you be willing to have an EasyVPN session with me so that I can closely diagnose it? Please PM me for this.

Egemen

  1. Windows Vista
  2. I don’t know yet, but I will try it on my other PC tonight.
  3. We will see; if I can, if that is the case, I will contact you. Thanks.

Ok, I just tried on my other computer and it has the same reaction. Sent you a PM, Egemen.

I did find what I think is a different bug: heuristics scan before the DB on my test machine. How did I notice this?
I scanned a file and got Heur.Packed.Unknown, then I turned heuristics off and got a trojware.w32.something, so why does Heur scan first?? ???

I will see if I can do it again. Just tested, and yes, I can do this multiple times on different systems also.

Still in talks with Egemen, but here is a video I made that shows how I reproduce this problem. Check it out, guys.

http://www.megaupload.com/?d=S215VF97

password = comodo

hmmmm

I'm still trying to copy that on my virtual machine with the malware I have and using your configuration, languy99.

Still I can't copy it, but I will try to narrow down the parameters thanks to that video. ;D

Edit:
Must be a Vista problem; I only have XP to test it on.

I did the same thing on my other computer with XP SP3 on it, and it did the exact same thing.

EDIT: Check your PM

I FIGURED IT OUT !!!

Ok, here is the deal: Avira is somehow able to scan password-protected archives (zip/rar), and Comodo is not. I had some ZIP files infected with worms, but I didn't have the password for them. I cracked them, and once I extracted them to a folder, on-demand easily found them. So, I don't know how Avira does it, but it does. Maybe Comodo should look into having something like this too.

I knew it would not beat me. ;D

Don't tell me Avira can scan inside password-protected archives; I know Comodo can't.

Yes, they should. I hope version 4 can have a setting to scan in password-protected archives and in encrypted files (make this option optional, since it takes too much CPU).
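Added example, not from this thread and not Comodo's or Avira's code: since the root cause turned out to be password-protected archives that the on-demand scanner cannot open, a defender's first step is to know which archives on a machine are in that state. This Python script walks a folder, reads only the ZIP headers (no password needed for that), and lists the members flagged as encrypted or stored with the WinZip AES method, which is the set an on-demand scan silently skips. The `build_zip` helper and the file names (`locked.zip`, `sample.bin`, …) are constructed test scaffolding; the "encrypted" entry only has the flag bit set plus a dummy 12-byte header and is not really encrypted.

```python
import io
import os
import struct
import tempfile
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001   # general-purpose bit 0: member is encrypted
AES_METHOD = 99           # WinZip AES compression method id


def build_zip(entries):
    """Constructed sample: build a stored (uncompressed) ZIP in memory.

    entries: list of (name, data, encrypted). When encrypted is True the
    general-purpose flag bit is set and a 12-byte dummy header is prepended
    (what a scanner sees in a traditionally encrypted entry); the payload
    itself is NOT really encrypted. Test scaffolding only."""
    body, central = io.BytesIO(), io.BytesIO()
    for name, data, encrypted in entries:
        fname = name.encode()
        flags = ENCRYPTED_FLAG if encrypted else 0
        payload = (b"\x00" * 12 + data) if encrypted else data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = body.tell()
        # Local file header (30 bytes) + name + payload; date 0x21 = 1980-01-01.
        body.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                               crc, len(payload), len(data), len(fname), 0))
        body.write(fname)
        body.write(payload)
        # Matching central directory record (46 bytes) + name.
        central.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                                  0, 0, 0x21, crc, len(payload), len(data),
                                  len(fname), 0, 0, 0, 0, 0, offset))
        central.write(fname)
    cd_offset = body.tell()
    cd = central.getvalue()
    body.write(cd)
    # End of central directory record.
    body.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                           len(entries), len(cd), cd_offset, 0))
    return body.getvalue()


def find_encrypted_entries(zip_source):
    """Return the member names an on-demand scanner cannot read without the
    password: flagged encrypted or stored with the AES method.
    Accepts a path or raw bytes; only headers are parsed."""
    if isinstance(zip_source, (bytes, bytearray)):
        zip_source = io.BytesIO(zip_source)
    with zipfile.ZipFile(zip_source) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_FLAG
                or info.compress_type == AES_METHOD]


def scan_directory(root):
    """Walk root and map each ZIP archive (relative path) to the members a
    scanner would have to skip. Corrupt ZIPs are reported with None so they
    are not mistaken for clean; non-ZIP files are ignored."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if not zipfile.is_zipfile(path):
                continue
            try:
                hidden = find_encrypted_entries(path)
            except zipfile.BadZipFile:
                hidden = None
            if hidden is None or hidden:
                report[os.path.relpath(path, root)] = hidden
    return report


def demo():
    """Write constructed archives plus a plain file to a temp dir and report
    which members an on-demand scan would be unable to inspect."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "locked.zip"), "wb") as f:
            f.write(build_zip([("readme.txt", b"hello", False),
                               ("sample.bin", b"MZ...", True)]))
        with open(os.path.join(tmp, "open.zip"), "wb") as f:
            f.write(build_zip([("notes.txt", b"plain", False)]))
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"not an archive")
        return scan_directory(tmp)


if __name__ == "__main__":
    for archive, members in demo().items():
        print(archive, "->", "corrupt" if members is None else members)
```

Running it prints `locked.zip -> ['sample.bin']`; `open.zip` has nothing hidden and is left out of the report. On a real share the same inventory, scheduled alongside the on-demand scan, tells you which files were never actually inspected, which is the gap this thread spent several pages chasing.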