Check out the AV False Positives Thread!!!

Nickoo has posted Fake AV’s, Rogues & Adwares digitally signed & trusted by Comodo. Check out the AV False Positives Thread!!!

Thanxx
Naren

Can’t see it, can you please provide a link to the thread?
Thanks :-TU
Edit, I see it:
https://forums.comodo.com/av-false-positivenegative-detection-reporting/malware-not-detected-2010-t49281.0.html;msg451023#msg451023

Is Comodo going to do something about this in the future?
Or is it going to be normal to find digitally signed malware that becomes trusted?

Nickoo has mentioned that those malwares are digitally signed & trusted by Comodo.

Have you guys checked whether those malwares are really digitally signed & trusted by Comodo???

Thanxx
Naren

Digitally signed malware is a global problem with everyone, not just Comodo.
Digitally signed files help to reduce popups as they are “trusted”, but when a malware is digitally signed, it becomes difficult to combat this threat.
If you download a file setup.exe and it is signed as nVidia, it’s hard to tell whether it’s something from nVidia or malware…
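The distinction the post above draws, a valid signature versus a signer you have actually decided to trust, can be checked on Windows with the built-in Authenticode cmdlets. The script below is an added example for this thread, not code from Comodo or from anyone posting here; the folder path and the certificate thumbprints are placeholders you would replace with your own vetted values. Its point is that `Status -eq 'Valid'` only says the file was not altered since signing; whether the signer deserves trust is a separate decision, keyed here on the signing certificate’s thumbprint rather than on the Subject name, because a Subject like “CN=Some Security Vendor” proves nothing by itself.

```powershell
# Added example (not from the thread): audit signed executables under a folder and
# separate "the signature is valid" from "the signer is one we chose to trust".
# Trust is keyed on the certificate thumbprint, not on the Subject string.
# PLACEHOLDER values below must be replaced with certificates you have vetted.
$TrustedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_VETTED_VENDOR_CERT_1',
    'PLACEHOLDER_THUMBPRINT_OF_VETTED_VENDOR_CERT_2'
)

function Get-SignerTrustReport {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]]                        $Trusted = $TrustedThumbprints
    )
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.msi -File |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert  = $sig.SignerCertificate
            $thumb = if ($cert) { $cert.Thumbprint } else { $null }
            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                Subject    = if ($cert) { $cert.Subject } else { '' }
                Thumbprint = $thumb
                # A valid signature alone is not a trust decision: the specific
                # certificate must also be on our vetted list.
                Trusted    = ($sig.Status -eq 'Valid') -and
                             ($null -ne $thumb) -and
                             ($Trusted -contains $thumb)
            }
        }
}

# Usage: show files that carry a VALID signature from a signer we have NOT vetted.
# This is exactly the case discussed in the thread: signed, but not thereby trusted.
Get-SignerTrustReport -Path 'C:\Downloads' |
    Where-Object { $_.Status -eq 'Valid' -and -not $_.Trusted } |
    Format-Table File, Subject, Thumbprint -AutoSize
```

Run it from a normal PowerShell prompt against a download folder; anything listed is signed by a certificate you have not deliberately approved, which is the category a vendor allow-list should never promote to “run outside the sandbox” automatically.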

Hello, some of these are digitally signed but they are not trusted by Comodo, and if I run them they will be sandboxed by Comodo.

But some samples are digitally signed and trusted by Comodo, it’s different!

Thanks.
Nickoo


The difference is that Comodo allows these files to run outside the sandbox and make any change to the system. I wonder whether the digitally signed trusted files are scanned by the AV never, with every update, or just the first time.

Fake AVs & Security Suites being whitelisted means Comodo whitelists AVs & Security Suites. I think there’s no need to whitelist AVs & Security Suites except the most famous & genuine ones.

Nobody installs 2 AVs or Suites, except 1-2 on-demand scanners, so there’s no need to whitelist AVs & Security Suites except the most famous & genuine ones.

Thanxx
Naren

So 1 digitally signed file is trusted by Comodo, right???

My belief is that it is a compromise of security for more usability, less popups and less blocking of safe files. What malware does with this technique is what I would call an exploit…
Uncheck “run trusted installers outside of sandbox” and problem solved…

And if the malware is not an installer?

;D
Checkmate…
I trust that extracted files aren’t trusted either…

Somehow vendors who were trusted by Comodo are also creating rogues. This must have been missed when Comodo investigated them before adding them to the list. They have promised they will investigate more thoroughly from now on and are reevaluating the TVL right now.

Rogues and fake AV’s are difficult to identify, but they shouldn’t be trusted. If anything they should be in the grey area between detected malicious and known safe. Maybe there just needs to be a greater separation between these two lists.

Also, wouldn’t un-ticking “automatically trust files from trusted installers” in the Def+ sandbox settings stop a signed malware AV from installing?

Hmmm… So you’re saying that those of us that don’t like the concept of trusting a vendor merely because they had signed installers are in fact correct?

Well, I hate to say I told you so… :stuck_out_tongue:

It should… But then, IF the files inside the installer are signed too, then who knows what might happen. Maybe they would install?
My opinion is that a restricted/sandboxed installer would not get far with installing because its rights are dropped… :-X

I thought that option only trusted the files that are dropped by an installer that is already trusted.

Maybe I’m wrong, but I’m not sure how to disable the TVL without manually deleting them all.

Don’t. When the update is issued, a simple restart will remove affected vendors automatically…