CAV does not unpack some .exe files, runtime packers

I was recently testing the latest ESET 5 Beta and happened to scan my flash disk for viruses.

It showed me 150 viruses of 13 different variations, which was a surprise for me as I already scanned it 2 min ago with CIS fully updated.

I have already unchecked scanning archives in both CIS and ESET, so both the AVs are not surely extracting any archives.

I noted the results, and found that the total number of scanned files is not the same with CIS and ESET.

ESET showed 58,023 files where as CIS only showed 28,987 files.

I observed the files marked as virus and found that they were contained in .exe files (ESET showed them as files contained within .exe files, some of them were rar sfx archives and others were runtime packers).

I copied those .exe files and extracted them to a folder using 7-zip (which successfully extracted all those .exe files without fail). Then I scanned the folder with CIS, it then showed 82 infections of 7 variations in that folder.

So, what I could understand is that CIS did not/could not unpack those .exe files and therefore it did not identify them previously. Where as ESET unpacked them during scan and therefore it detected them.

Is unpacking .exe files not completely implemented in CIS ? or
CIS can not unpack some kind of .exe that other AVs can do ?

Note: I have submitted all the samples (original .exe files and the files from the extracted foler) to Comodo Labs through forum, CIS now detects more samples from the extracted folder, but still does not identify any of the original .exe files as virus.

My understanding is that if those files were run, that main exe file would extract those inside and would be caught by Comodo anyway as they are unknown…
I wouldn’t worry about it…

Philosophical differences maybe?

  1. CIS focuses on stopping malware at the point of execution - not arrival. That’s why it doesn’t have email, p2p, HTTP, LAN traffic, etc, protection, like ESET.

  2. CIS is good at grabbing your attention but apart from ‘whitelisting’ relies mainly on the user to determine what should be blocked, allowed, etc.

  3. Not sure if it is because of above or not but CIS tends to identify packaged malware by the wrapper rather than by the contents, unlike ESET.

There’s not much use in wasting more computer resources on HTTP scanners or unpackers if it’s gonna get caught anyway on execution.
If AV does not have av sigs for that packed exe, then it’s wasted resource as it will not detect it anyway.
So upon execution, D+ will catch it anyway.
If there’s sig for that packed exe, he will catch it anyway during execution.
While it’s there sitting quietly on a system, it is not a threat yet. On execution, it is.

my point: no point in devoting resources to preemptive strike capability as defense capability is strong enough and light on a resource. I am sure you would agree with me in terms of speed and performance of a product.
As for those things, the devs could add additional options to be checked in AV settings for those that wish to have those scanners and unpackers, fine with me, just make it optional! :-TU :slight_smile:

If we are waiting for the realtime scanning of CIS to catch those files ‘inside some containers’ upon execution, we then never need an on demand scanner component all, all files on my computer are inert unless they are executed, so I do not need to scan my computer at all…Is this what you are saying? The full system scan and context menu scan do not make any sense for you… do they?

CAV is supposed to clean files not just running in memory but anywhere on my disk, before they get into memory and try to do anything stupid.

So, I do not feel it as a waste of resources, rather I would call it a functional capability, presently missing in CIS.

Secondly, I do not understand how people always rely so much on D+, and make such statements, neglecting the importance of Antivirus part in CIS. (Not just aiming at GakunGak, it has been the common trend of Comodo forum members just to highlight D+ and neglect CAV, may be it is the philosophy of CIS devs…)

Regarding the performance and scan speeds, ESET took less time to scan the same flash disk (It actually scanned more files, for that matter) compared to CIS, which clearly indicates that scanning speed does not necessarily have a negative impact because of a thorough scan, as other AVs are doing it already without any damage to performance or scanning time. It is a matter of improving our scanning engine…

It would ne nice if it is configurable under CAV settings whether to unpack runtime packers and self extracting archives during scan or not… :-TU

I’m not sure I fully understand.

  1. Even if the “Scan archive files” setting under “Manual Scanning” is checked, CIS won’t scan archives that have the extension .exe ?

  2. If the “Scan archive files” setting exists under “Manual Scanning”, couldn’t it at least be an option under "Real Rime Scanning’?

BTW. The waste of resources argument is hard to take seriously when there are other products which do include real-time scanning of archives, email, http, etc, and yet still manage to get away with lower or equivalent RAM use (the huge CIS database doesn’t help here) and inflict a lower performance hit than CIS.

I could be wrong, but “archive files” are probably reserved for zip, rar, iso, bin etc… files…

Don’t you think that CIS architects and engineers didn’t think of that?
They went with what is practical and useful. No need to have 2 or 3 things for same purpose.
Then a program gets bloated. Each and every component in CIS has a specific role and each and every one
complement each other.
And it’s not just the point of having low ram usage, it’s also having less disk I/O read/write usage …
Which does matter way more than ram…

That is exactly what I mean by “lower performance hit”.
“CIS architects and engineers” are to be commended for pursuing “what is practical and useful”. I mean them no disrespect but my point is that they are not achieving the lack of “bloat” despite their intentions.

May I kindly ask what do you consider to be bloated or unnecessary in CIS?
Just curious… I don’t see parental control [that thing is to hide popups not to keep kids safe], anti spam, tune up…

Parental Control, if implemented correctly (like in ESET, Kaspersky,K9) is a must add to a Security suite. It would not be fair to not implement it just saying that it bloats the suite…

I do not see any point in saying that it only to hide popups (actually Adblockers do that).

I meant Comodo popups, not ads.
IMO, CIS is as good as it is now, if parental control software should be made, it should be made independently!

The CIS database is bloated but the rest of the program is pretty lean. I only used the word “bloat” as a reflection of, “Then a program gets bloated.”

I thought I had spelt it out clearly enough but if I must be blatant, here goes. ;D

If CIS doesn’t include protection against specific malware vectors (email, p2p, whatever) and on-access unpacking and scanning of archives and compressed executables because they aim to keep the impact of the program on a PC to the minimum but then in actual use CIS I/O, system load, etc, is at best no more and in some areas, greater than other vendor’s products (two which come to mind being ESET Smart Security 4 and avast! Internet Security 6), regardless of how righteous and lofty their aim may be and how hard they are trying, the “every component in CIS has a specific role and each and every one complement each other” model is not delivering the goods.

By not being infected for 1 or more years is SURELY delivering the goods.
HTTP/P2P/E-mail are being dependent on sigs and/or heuristics.
As you know, sigs are not useful UNTIL there is a fingerprint signature for malware.
That’s where BB and HIPS comes in. They intercept what is being run.
With sandbox, you don’t need those ADDITIONAL scanners.
As soon as the file is being RUN, it WILL be caught and restricted.
File just sitting there doing nothing is not a threat…

I will AGREE that having on demand scanner that can pierce thru archive levels up to 20 or more is useful, I still vote for it to be optional and for user to chose.

Executables packed/protected with runtime packers/protectors, unpack in memory… so that’s not the case

Thank you for correcting me! :-TU
So, CIS would not intercept them while unpacked in memory?

Mostly, that’s just marketing… i.e. an infected e-mail attachment can be detected by the real-time filesystem scanner when you save it… same thing for P2P downloaded files…

3. Not sure if it is because of above or not but CIS tends to identify packaged malware by the [u]wrapper[/u] rather than by the contents, unlike ESET.
And that's [b]bad[/b], because you can also pack legit files. However... some years ago I did many tests about AV unpacking capabilities... ESET was on average... Kaspersky was one of the best...


Thank you.

Little demostration - YouTube :slight_smile:

Watch full screen