They have to. CIS 5 is not a GA (publicly available) product yet - it's still a BETA. VT only uses released products.
Ewen
Hi All,
The sample in question is signed by "Beijing Gigabit Times Technology Co., Ltd", and that signer is on our Trusted Vendor List in the cloud, although the sample is also detected by one of our generic signatures, as you noticed in the VT link.
The reason the sample is detected by Comodo on VirusTotal but not in CIS is that the Comodo AV scanner in VT does not use the Trusted Vendor List; the list is only used by CIS, hence the difference.
We are evaluating "Beijing Gigabit Times Technology Co., Ltd" and will get back to you with our findings.
Thanks
-umesh
Hi All,
As promised, here are the details of the investigation.
How did "Beijing Gigabit Times Technology Co., Ltd" get onto the Trusted Vendor List?
This company has a well-known product, Super Rabbit (http://www.pc2.cc/sr.html), and as you can see it is signed by "Beijing Gigabit Times Technology Co., Ltd"; that is how the signer got onto the Trusted Vendor List.
Why is IEProt being flagged as malware on VT?
The setup in question on VT changes the home page without user consent, and there is no GUI.
So it falls under the Adware category, and detection of such an application is genuine.
But if the user is shown an explicit option saying that the home page will be changed, it will not be called Adware.
Gigabit has an official version where they explicitly tell the user that the home page will be changed, and that setup is available from:
http://www.pc2.cc/angels4.html
I have enclosed an image showing a snapshot where they give the user the option of whether to change the home page.
The text reads "设置高安全级别的导航网站114fa为首页 114fa.com收集整理了80%中国网民每天都访问的网站", which translates to "Set the high-security-level navigation site 114fa as the home page; 114fa.com has collected 80% of the sites Chinese netizens visit every day".
Now it seems Gigabit has distributed the setup in question to many vendors, who may use it to change the home page without explicit consent from the user, which is not good, and the company's policies can be questioned.
So in summary:
Considering the above facts, we have removed "Beijing Gigabit Times Technology Co., Ltd" from the Trusted Vendor List in the cloud.
A signer can be validated against the past but not the future, and this is one of those cases.
Thanks
-umesh
[attachment deleted by admin]
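The trust-list interaction described in the post above, as an added illustrative model (this is not Comodo's code; the policy names, the constructed samples and hashes, and the "vendor_last" ordering, which follows the suggestion later in this thread of consulting the signer only after the AV and per-file cloud checks, are my assumptions):

```python
# Illustrative model of how a signer allowlist ("Trusted Vendor List")
# interacts with signature-based detection and per-file cloud reputation.
# Added for this thread; it is NOT Comodo's code, and the samples, hashes
# and policy names below are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

GIGABIT = "Beijing Gigabit Times Technology Co., Ltd"


@dataclass(frozen=True)
class Sample:
    sha256: str                    # constructed placeholder hash
    signer: Optional[str]          # Authenticode signer subject, None if unsigned
    generic_hit: bool              # a generic AV signature matched the file
    cloud_verdict: Optional[str]   # per-file verdict: "safe", "malicious" or None (not analyzed)


def scanner_verdict(sample: Sample, vendor_list: FrozenSet[str], policy: str) -> str:
    """Return "malware", "safe" or "unknown" under one of three (assumed) policies.

    no_vendor_list   - signature engines only (how an engine runs inside VT)
    vendor_overrides - a signer on the allowlist suppresses detection
                       (the CIS behaviour discussed in the thread)
    vendor_last      - AV and per-file cloud verdict are consulted first; the
                       signer only decides files nothing else has a verdict for
    """
    signer_trusted = sample.signer is not None and sample.signer in vendor_list
    if policy == "no_vendor_list":
        return "malware" if sample.generic_hit else "unknown"
    if policy == "vendor_overrides":
        if signer_trusted:
            return "safe"
        return "malware" if sample.generic_hit else "unknown"
    if policy == "vendor_last":
        if sample.generic_hit or sample.cloud_verdict == "malicious":
            return "malware"
        if sample.cloud_verdict == "safe":
            return "safe"
        return "safe" if signer_trusted else "unknown"
    raise ValueError(f"unknown policy {policy!r}")


# Constructed samples modelled on the thread: the flagged IEProt setup (signed
# by the vendor, generic hit, not yet analyzed per-file) and a hypothetical new
# build from the same signer that no generic signature matches.
IEPROT_SETUP = Sample("aaaa" * 16, GIGABIT, generic_hit=True, cloud_verdict=None)
NEW_BUILD = Sample("bbbb" * 16, GIGABIT, generic_hit=False, cloud_verdict=None)


def run_scenario(sample: Sample, vendor_list: FrozenSet[str]) -> Dict[str, str]:
    """Verdict of each policy for one sample, before and after the vendor is removed."""
    revoked = vendor_list - {GIGABIT}
    return {
        "vt": scanner_verdict(sample, vendor_list, "no_vendor_list"),
        "cis_before_removal": scanner_verdict(sample, vendor_list, "vendor_overrides"),
        "cis_after_removal": scanner_verdict(sample, revoked, "vendor_overrides"),
        "vendor_last_before_removal": scanner_verdict(sample, vendor_list, "vendor_last"),
    }


if __name__ == "__main__":
    tvl = frozenset({GIGABIT, "Some Other Vendor Ltd"})   # constructed allowlist
    for s in (IEPROT_SETUP, NEW_BUILD):
        print(s.sha256[:8], run_scenario(s, tvl))
```

Running it reproduces the discrepancy in the thread: the IEProt sample is "malware" in VT and "safe" in CIS until the vendor is removed. The second sample shows the residual risk that "a signer can be validated against the past but not the future": a freshly signed build with no generic hit and no per-file verdict is still accepted on the strength of the signer under both the override policy and the vendor-last policy, so removing the vendor, not reordering the checks, is what closes that gap.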
Hi,
Question: I have disabled the Cloud Scanning options (in AV and in D+). In this case, will CIS 5 detect this sample as malware (or at least as Suspicious)?
Thanks
Thanks for the update umesh, makes total sense to me.
[ot]It’s still RC.[/ot]
[ot] It’s still a toe-may-toe - It’s still a toe mar-toe [/ot]
Hover over CIS’s systray icon… see it? Beta. I think it was put there especially for you.
OK sorry for the link Andyman.
For me (Proactive mode, the rest default, on XP SP3), when I tried this malware (I have not tested all the exes from the link):
After a wait and a reboot:
And that without any alert from CIS (or maybe only a FW alert).
I don't trust this process, angelasst.exe:
http://www.google.fr/search?hl=fr&q=angelasst.exe&meta=&aq=f&aqi=&aql=&oq=&gs_rfai=
Also, I don't remember having seen any question, even in Chinese, asking me to change my IE start page...
Have a nice day
I think we need more prompts; you can pick colours: blue, green, magenta...
CIS cloud found the file's digital signature is safe; however, this unique file is yet to be analyzed. What do you want to do? Sandbox, allow, block
CIS cloud found the file's digital signature is safe and this unique file is safe. Do you want to add the digital signature to the list of trusted vendors? (Yes) allow, (No) block, (No) sandbox
CIS cloud found the file does not have a digital signature; however, the file is well known and trusted. What do you want to do? Sandbox, allow, block
CIS found the file is in your local trusted vendor list; however, this unique file has not yet been analyzed in the cloud. What do you want to do? Sandbox, allow, block
…
Hi Camille,
As we have removed it from the Trusted Vendor List in the cloud, even if you have cloud scanning enabled it will still be detected, as was shown in the VirusTotal link.
Thanks
-umesh
I think an automated decision is better (I imagine my sister or wife: ??? What is the 'cloud'? What is a digital signature? etc. lol, what should I do??).
Very true, but salmonela is also right, including that all algorithmic detection starts at the weakest spot, the trusted list, because the guys with brains, writing the most harmful malware, put signatures on their works; the upward trend is evident. All of this is the price paid for the pursuit of less stress on the user's computer and the cloud server, with minimal user interaction. In my view, the digital signature should be the final point in deciding whether to add the file to the local trusted list, after checking CIMA and AV. We'll have to find other ways to reduce the interaction (I think, if we spend time on it, something can be thought of at the current level of interaction), but with that, the problem of this weakness may be forgotten.
Best regards, Alex.
I think the cloud whitelist and the sandbox were made to reduce the number of pop-ups, and now you want to increase it. I don't see any tragedy. With the cloud whitelist, changes are made in the cloud and are ultra fast. That's the advantage of it: vendors can be added and removed very quickly.
I think a more reasonable approach is to strengthen the intelligence in the cloud instead of passing the decision process back to PC users.
Good point!
Totally agree
I deliberately started a thread on the overall design so as not to disturb Comodo's road map. :). It is very easy to simply criticize and comment; spend time thinking of how to fix what you are criticizing (as I do myself). I have no doubt the developers will simply be glad if you come up with a solution that does not disrupt their development policies.
https://forums.comodo.com/beta-corner-cis/cis-2012-or-better-cis-briliant-t61120.0.html
Best regards, Alex.
"because guys with brains, writing the most harmful malware, put signatures on their works" - Guys with brains do not make malware ;)
Maybe I'm wrong, but I think you just need a valid certificate and a "special tool" (for the cryptographic signing) to sign your *.exe.
I think signed zero-day malware could become more prevalent in the future... Personally I like the Norton way, based on reputation: new *.exe + unknown *.exe (not on the whitelist) + very few users = "warning". Since we don't know whether the file is safe or not, it's radical.
egemen said that we will have it in the upcoming versions
Thx for info, that will be very nice
JUST a question:
I have tested this:
http://www.virustotal.com/file-scan/report.html?id=6b5219b6175f3666bfe5fccb12f40efafe321e0bb228ac3980912112d3aa09e9-1283855905
At default settings, clean install, SP3:
IF I allow the "spooler access", of course a TDSS is installed, even though the original exe is sandboxed as Partially Limited.
As you can see (attached), in the D+ explorer the *.exe which wants to access the spooler service is marked as "suspicious/installer".
So why is the D+ alert about the spooler service not clearer (marked as dangerous behaviour)? Are all users aware of the fact that a TDSS uses the spooler service??? Maybe not, and some users may think "OK, it's inside the sandbox, I'm safe"... but NO, not if you allow the access to the spooler service.
You see what I'm trying to say? 88)
http://img838.imageshack.us/img838/7426/comodotdssnext.th.jpg