Chinese signed malware VS CIS 5 RC2

Hi all

I give you a link to test some Chinese signed malware which seems to give a hard time to RC2.

Can someone test it?

Byebye, have fun and take care!

Link to live malware removed

Malware is malware no matter where it comes from; all AVs should detect some of it. It's no excuse not to and to ignore it.

:-\

[attachment deleted by admin]

http://camas.comodo.com/cgi-bin/submit?file=ea7219e9861eda27606317e95e04967ef82c8b5d5cd766ddfabbb98a65e88a90

what does cis cloud say ? >:-D ;D

Comodo detect nothing! :-TD

Well, it's true, but only if you hit Allow!

Hi tommymacangel.

Please don’t post any links/attachments relating to live malware as per forum policy:

Any developer have the link and is working on this?

I tried it yesterday and I found that it only makes shortcuts and a toolbar in IE; no running process, and no file starts with Windows. Anyway, they should take a look.

Just checked the CIMA analysis. Publisher is “Beijing Gigabit Times Technology Co., Ltd”. It is not on the local Trusted Software Vendors list of v5 RC2. Is this the name of the signature the executable is signed with?

If it has not been sent to a Comodo staff member or another mod, could it be sent to me? Send me a PM.

Yes, this is the name. I'll send you a link by PM.

Already done. :wink:

Maybe it gives a hard time to Comodo AV (it's not the best time now for its detection level), but CIS as a suite should still block it even without the user's participation, because they should be automatically sandboxed.

Thx, all 3 of y'all, for sending.

I still have the link if someone needs it!

I don't like the fact that the "local trusted vendors list" is bypassed in favor of the cloud behaviour blocker. I think only info from the cloud should be provided, with a clear prompt... and an ask/checking/determination AV prompt from the cloud if the program is signed and in the local list of trusted vendors but not yet seen in the cloud... Also, some malware is aware of the CIMA sandbox, but that is another and OT story...

CIS logic needs to be changed here for this particular case, IMO.

It says scanned online and found safe.

[attachment deleted by admin]

http://camas.comodo.com/cgi-bin/submit?file=96c52cc748779f09fb6226b52067c91b76ec696e207317043c89aba34d0a019c

For CAMAS it is suspicious, so maybe it is because the cloud is not working 100% that we have this kind of problem.

http://www.virustotal.com/file-scan/report.html?id=96c52cc748779f09fb6226b52067c91b76ec696e207317043c89aba34d0a019c-1283811071

In VirusTotal, Comodo detects it and even gives a name to this malware ???

Well, I realized that RC2 is not good at detection, but version 4 is good and the beta was amazing (in VirusTotal they use v4).