Can CIS detect malicious Lua scripts

Hi, can Comodo Internet Security detect malicious Lua scripts?

Thanks.

good question

If the malicious Lua script is a file on your computer then most likely yes, because a file on your computer has a hash and the AV works on hashes (mostly). So if the hash for the malicious Lua script is in the database then logically it should be detected.

The above is just my best guess, I can’t be sure though since I don’t know how Lua scripts work etc.

Thanks. Can it also scan the contents/code of the file and tell if it contains anything there that is not safe, in the event the hash was not in the database? (Thinking of new or not very well-known files.)

I don’t know, I’m thinking that maybe heuristics can possibly do that? I mean, it would be technically possible but whether or not it actually does is another question which I cannot answer.

The detailed answer will be found in the rules for sandboxing; ■■■■■ the rulebook and dig into that. :stuck_out_tongue:

The short answer is that nothing runs in a vacuum on your system, i.e., everything needs permissions to access resources on your system. Resource access is defined according to 14 resource access names in D+ application specific rules. What D+ concerns itself with is defined by Monitoring Settings in D+.

Nothing can execute on your system w/out something having permission to launch it. It can’t be launched without something having had permissions to place it where it’s being launched from in the first place; lots of hurdles to get over.

Moreover, CIS has heuristic abilities, i.e., it learns based on what it observes. Any file in the CIS AV defs DB is outright blacklisted. If an unrecognized file appears in the execution stream, it first looks to the cloud for blacklisting. Failing that, depending on sandboxing level, it may allow execution but observes what it does. It also, depending on configuration, will submit the questionable file to the Comodo threat-analysis servers.

If the unknown file does anything that alarms CIS - programmed threshold - it considers it to be malicious by default and locks it down by blocking said action. You must manually override that to allow it by moving it from the unrecognized zone to the trusted zone. If that is not done manually, after a certain amount of time, Comodo servers may determine the file is nothing to fear, and the file automagically becomes trusted. Previously unknown malware ultimately becomes incorporated into the latest CIS AV defs DB and will be available in the next update.

A file having a specific signature, i.e., hash, of known malware will exist in the CIS AV defs DB and if no other HIPS exists other than AV protection, should the file gain a foothold into one’s system, it’ll be interdicted as a measure of last resort to prevent additional infection / damage.

Hypothetically, w/ regards to malicious scripts embedded in web pages, the same principle occurs in that CIS is observing the behavior of whatever the browser is doing. It will alert to malicious scripts that are executing even if the script is not standalone, e.g., a JS file.

In short: either the database knows the malware or its behavior can be suspected; and if no permission is given to run it, no infection can enter … but here it is about Lua … so there is no special “program” in the cloud or included in CIS for inspecting Lua specifically …?