Can Comodo block this?

http://viruslab.tistory.com/2668
http://www.boannews.com/media/view.asp?idx=37522&kind=&sub_kind=
(both links are in Korean)

I don’t have this sample… (sorry… :'()
But S.Korea security news has reported this information…
[The malware had a valid digital signature from “Fasoo.com, Inc”]
Of course, the “Comodo Trusted Vendor list” includes “Fasoo.com, Inc”.
Can the ‘Comodo Behavior Blocker’ block this malware, or is it bypassed?
I hope that ‘Comodo 2014’ will solve this.
Always. Thank you. :-*

ps. The hackers try to bypass the Whitelist protection system. :stuck_out_tongue: :stuck_out_tongue: :stuck_out_tongue: :stuck_out_tongue:
ps2. My English is bad ;D ;D ;D

[attachment deleted by admin]

If there is malware that is signed with a certificate that is in Comodo’s Trusted Vendors List, then it will be allowed with no questions asked unless you configure CIS in another way, for example setting the firewall to Custom Ruleset and setting HIPS to Paranoid. Even if the program has signatures in the AV it will be allowed, because TVL > AV in CIS (which I hate).

So Comodo needs to remove ‘Fasoo.com, Inc’ from the TVL, that is, if they find it to be malware etc.

(At least the above is what I learned from the Opera incident)

You could turn off the TVL yourself if you want to; you can also remove Fasoo.com, Inc from the TVL.

@Melih, please make an option to make AV > TVL rather than TVL > AV; this is really needed to combat these cases. Also, could you comment on how long it takes for you to remove a vendor from the list once a case like this appears? Or do you perhaps have another idea of how to combat these?
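One way to act on the vendor-removal advice above, as an added example that is not from the thread and not Comodo’s own code: a PowerShell audit that lists executables whose Authenticode signer is a publisher you have decided to stop trusting, so the files are reviewed on their own merits rather than waved through on the signer’s name. The scan path and the distrusted-publisher list are assumptions; ‘Fasoo.com, Inc’ is the name quoted earlier in the thread.

```powershell
# Added example (not from the thread): find binaries that are trusted only
# because of WHO signed them, for a signer the operator no longer trusts.
# Both values below are assumptions; adjust for your environment.
$ScanPath             = "$env:ProgramFiles"
$DistrustedPublishers = @('Fasoo.com, Inc')   # name quoted in the thread

$results = Get-ChildItem -Path $ScanPath -Include *.exe, *.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        # SimpleName returns the subject CN without the quoting that a comma
        # in the publisher name ("Fasoo.com, Inc") would add to .Subject.
        $signer = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { '<unsigned>' }
        $thumb  = if ($cert) { $cert.Thumbprint } else { '' }

        # Case-insensitive match against the publishers we have chosen to distrust.
        $flagged = $DistrustedPublishers -contains $signer

        [pscustomobject]@{
            Path       = $_.FullName
            Status     = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer     = $signer
            Thumbprint = $thumb
            Flagged    = $flagged
        }
    }

# A VALID signature from a distrusted publisher is exactly the case the thread
# describes: the file is allowed on vendor identity alone. Review these first,
# then submit anything suspicious to the AV vendor instead of relying on the TVL.
$results |
    Where-Object { $_.Flagged -and $_.Status -eq 'Valid' } |
    Sort-Object Path |
    Format-Table Path, Signer, Thumbprint -AutoSize
```

Files that show up here are candidates for a manual TVL/whitelist exception, not proof of compromise; a signer’s thumbprint from this list is also what you would want to compare against the vendor’s published certificate once a revocation is announced.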

+1 :-TU

It should be default, not an option.

I like the freedom of options, I don’t mind it being on by default but some people might want TVL to override the AV and now suddenly they ask Melih to revert the changes, so options satisfy most people. :slight_smile:

I couldn’t turn off the TVL for usability reasons… TVL is so usable, comfortable and easy ;D
If I remove the ‘Fasoo.com’ vendor from the whitelist, when I use the ‘Fasoo.com’ applications the vendor is registered again… automatically. :o
(I think ‘Trusted Vendor List’ is using the ‘Comodo Cloud’ like ‘Trusted Files’)

I have already removed all TVL vendors. But MS, Google, ATI and the other vendors of applications I’m using are registered automatically by Comodo Cloud. :stuck_out_tongue:
(I think this is Good)

Maybe ‘HIPS+safe mode+verbose mode’ will block this but… it has a usability problem for newbies.
(Of course, I can use HIPS, and I am using it.)

ps. I believe COMODO Experts. And it will be solved. ;D ;D
ps2. English is difficult!! I should have been born in the USA or UK. :stuck_out_tongue: :stuck_out_tongue:

Nope. English is the easiest language to learn.

If you find a piece of malware which is trusted by Comodo please report it here.

I guess TVL > AV helps reduce FPs, right? So I think Comodo should keep as default what they think would be best for the majority; options are always welcome for expert users.

Hi, Chiron.
Finally I found the MD5.
Google is the best of the best ;D ;D ;D ;D ;D
I’m not sure. It might not be. But I think this is it (80%). ;D

From:
https://malwr.com/analysis/MDkyYjhmZDMyMmQ2NDM4YTgxOWE5MDk4Y2I3ZjIzNjc/

Virustotal:

  • Mother malware:
    VirusTotal
    (This sample has been submitted by someone. Comodo detected it as “UnclassifiedMalware” :-TU)
    (At the beginning, Comodo couldn’t detect it. :o Many thanks, ‘someone’ ;D)

  • Child malwares:
    VirusTotal
    (the time.exe sample has the same digital signature)
    VirusTotal
    …
    Thank you. ;D

ps. Hackers really love VeriSign. >:-D
ps2. Question again! Can “Comodo B.B” block this sample? ??? ???
ps3. “Fasoo.com” is a South Korean security company. >:-D

[attachment deleted by admin]

Well nice to hear that. Comodo never disappoints :-TU

Sure, it helps reduce false positives; however, think of a situation like this:

Situation where AV > TVL (false positive): the user notices that the file he or she tries to run is giving an anti-virus alert. If the user still trusts the file, the user can ignore the alert and add the file to the exclusions; if the user is unsure, then he or she can come to the forum and ask. If the file is said to be malware, remove it; if the file appears to be an FP, exclude it.

Situation where TVL > AV (malware): the user somehow runs malware and CIS allows it to run, and now it’s game over.

Personally I’d like AV > TVL; however, I understand why people would want TVL > AV, which is why I still agree with an option. :slight_smile:

HIPS in safe mode won’t help you: safe mode means that all files with a signature in the TVL will automatically be allowed, hence the malware would be allowed if it’s using a signature in the TVL.

Currently, if the signature is still in the TVL then no, it can’t, because the BB allows everything in the TVL; the vendor needs to be removed from the TVL, or at least that signature, or whatever it is called.

If it’s too difficult to create a report, I can do it for you. Just PM me the sample or a link to the .exe file so I can click on it.

P.S. English is all I know, so take that into consideration

Has Verisign revoked the compromised cert?

SSL Certificates from Symantec Powered by VeriSign - Products ... www.verisign.com/ Symantec™ Authentication Services powered by VeriSign provides solutions that allow companies & consumers to engage in communications & commerce ...
Symantec(Norton) owns Verisign

Without a whitelist in general, you’ll have a TON of pop-ups from HIPS. The average person will not like that one bit. Having the TVL to keep pop-ups to a bare minimum works as long as the TVL is always being aggressively checked. Nothing will ever be hacker- or scam-proof, which is unfortunate, so there has to be a reasonable trade-off.