CIMA (Comodo Instant Malware Analysis) New Version out 12 Jan 2009

It's not based on the file name, I have tested that. It's based on the code in the file. If the code has 2 extensions it gets the name Heur.Dual.Extensions.

Now get back to topic please, or make a thread for this.

Hi OmeletGuy,

Can you please clarify what you mean by getting back on topic?
The question was about the detection and the answer by Ronny was about the file name double-extension.

In addition I’ve seen similar question(s) somewhere else in the forum.

Can you please tell what you mean by “the code has 2 extensions”?

I am really interested since I have kinda been writing programs for a long time …
probably I am missing something about the “double/triple extension code” :slight_smile:

My regards

By get back on topic, I mean you’re talking about CIS in the CIMA thread. :slight_smile:

Actually I can’t really tell you much about that (don’t know much about it :P). All I know is that an exe that has Dual Extensions can execute something on one system and something else on a different system. That’s why it’s so dangerous.

That’s as much as I know, but I may be wrong. :-\

PM Umesh asking what Dual Extensions is, he will know exactly.

Thanks for the reply OmeletGuy,

I don’t need to PM Umesh regarding this since I know that for sure:

That must not be the issue of being detected by Heuristics!

If you tested that, please PM me the code you mentioned and I know how to test that.
(you can add a few words about the method of your test - that will be appreciated, but not really necessary)

Note that there is no such thing as “double-extension code” and I know how to write programs (please do not get me wrong - that is not confrontational talking) - that is a real big issue I can see here.

As for the other sources I mentioned earlier:

«Harmful file flagged based on double extension»:
https://forums.comodo.com/empty-t9143.0.html
Heur.Dual.Extensions :
https://forums.comodo.com/empty-t45006.0.html
https://forums.comodo.com/empty-t42911.0.html
https://forums.comodo.com/empty-t42148.0.html
https://forums.comodo.com/empty-t42313.0.html

…. and so on… That is definitely wrong – that must not happen ever.

The usual answer is:

Dual extensions are usually used by malware to disguise as genuine files. There is generic detection

That is not an answer at all!!!

Yes, you are right “Dual Extensions can execute something” as you said … and I posted the most common example above … so what?!

The names do not matter in relation with AV heuristics analysis.
The names of the detections do not matter much either … as we know…
Call it anything - like: “You.Are.■■■■■■■” - it means as much as “Trojan.Agent.Backdoor.Opened.In.Your.BackYard.And.Horse.Is.In.Your.FrontYard.Eating.Grass”
;D
Again none of the security should do that as result of the “Heuristics analysis” !!!
It could be different additional service based on file names only, but not a Heuristics … excuse me…

Cheers!

My test was to prove that detection isn’t based on the name of the file, so pick any exe and add .tmp.exe or exe.tmp to the end of it.

That’s all I did, and got no detection for it, so it’s not name based, therefore it must be something in the code.

I renamed pidgin-portable.exe to pidgin-portable.tmp.exe and scanned it: Heur.Dual.Extensions.

Thanks JoWa,

“Good” stuff … Yeah!

… I am working with Pidgin Portable …
I was talking to Guys like half an hour ago, cause they are on ICQ and I don’t use it

That’s what I was saying above about renaming files like that … and my “guess” even not using Comodo’s AV was correct

... Would Comodo trigger the detection when one renames a simple text file and calls it “textFile.txt.exe”??? … in such a situation probably even the file type will not be analyzed??? Why not? Is that what’s going on? WoW!!!

This thing is pure laughter … - do we need Heuristics for that?
What kind of “Heuristics” is that?

Cheers!

=======

Sorry man,

That contradicts what you said previously - you said that you tested the code(!) that somehow has a double extension

and that is what “puzzled” me (not)
Now you are stating something different and that is just about the “names”

and JoWa got the opposite result

I have to refrain from writing more … but I hope that you understand that the issue is serious and we must not allow ourselves… such a “freedom of speech” when answering questions to less experienced users…

… oh!! well… enough said

Cheers!

No. (I renamed a text file and scanned it.) :wink:
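The two rename tests reported in this thread (pidgin-portable.tmp.exe flagged, a renamed text file not) are consistent with a heuristic that requires both a suspicious double-extension name and executable content. As an added illustration, not Comodo's code and not a statement of how CIMA actually works, here is a Python model of such a check; the extension lists and the minimal PE-like sample bytes are constructed assumptions.

```python
import os

# Assumed lists for illustration: final extensions that run as programs on
# Windows, and "decoy" inner extensions that make a name look harmless.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".txt", ".tmp", ".jpg", ".pdf", ".doc"}


def has_double_extension(name: str) -> bool:
    """Name-only check: does the name have the shape base.<decoy>.<exec>?"""
    base, ext = os.path.splitext(name)
    if ext.lower() not in EXEC_EXTS:
        return False
    _, inner = os.path.splitext(base)
    return inner.lower() in DECOY_EXTS


def looks_like_pe(data: bytes) -> bool:
    """Content check: DOS 'MZ' stub plus a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(name: str, data: bytes):
    """Return the detection name only when name AND content are suspicious.

    A text file renamed to x.txt.exe has the suspicious name but is not a
    PE image, so it is not flagged; a real PE renamed to x.tmp.exe is.
    """
    if has_double_extension(name) and looks_like_pe(data):
        return "Heur.Dual.Extensions"
    return None


# Constructed sample inputs (not real files): a minimal PE-shaped byte string
# with e_lfanew pointing at offset 0x40, and a plain text file.
FAKE_PE = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0"
TEXT_FILE = b"hello world\n"

if __name__ == "__main__":
    for name, data in [("pidgin-portable.tmp.exe", FAKE_PE),
                       ("pidgin-portable.exe", FAKE_PE),
                       ("textFile.txt.exe", TEXT_FILE)]:
        print(f"{name:28} -> {classify(name, data)}")
```

The name-only check alone would flag the renamed text file too, which is the outcome the thread objects to; gating it on the content check is what separates a rename from an executable in disguise.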

Thanks JoWa,

I’m glad to hear that … much better than with Pidgin :smiley:

but still not good enough … if you know what I mean :wink:

Cheers!

This is malware: Advanced File Analysis System | Valkyrie