CIS antivirus need improve detection by signature not by hash

Henrique_RJ · June 9, 2016, 10:42pm

One example …

ImgBurn is the CD/DVD burner ( he has the OpenCandy adware ).

The installer is detected by CIS antivírus but when I unzip it no more is detected.

So CIS antivirus is lousy at detecting malware already installed on system.

Thanks

qmarius · June 9, 2016, 10:59pm

No need to unzip. You can add 00s at file end with a hex editor. :-La

Henrique_RJ · June 9, 2016, 11:05pm

This only confirms that it detects by hash and not by signature.

At least they could have lifted the hash of OpenCandy dll

look

.

Citizen_K · June 9, 2016, 11:41pm

Comodo is working on generic signatures so it detects both on file hashes and signatures. That’s nothing new under the sun here.

I tried unzipping but that doesn’t yield Windows excecutables only files that make sense for an installer. Hence why CIS won’t find Open Candy (OCSetupHlp.dll which will be started by rundll32.exe). This also makes your test case non valid.

I downloaded the installer from Softpedia and there is no Open Candy in the list of installed programs, nor is it found by Super Antispyware and Hitman Pro. Apparently there are multiple versions of the Image Burn installer on the web. Open Candy will be detected by the AV during installation.

Henrique_RJ · June 9, 2016, 11:48pm

Sofpedia no has OpenCandy but Major Geeks yes.

qmarius · June 9, 2016, 11:58pm

It means that what they’re using is inaccurate. Sometimes it happens.

~ a journey with more 00s at file end :

Citizen_K · June 10, 2016, 3:45pm

Open Candy if memory serves me right would be picked up by them. Later I scanned with MBAM which also didn’t detect it. MBAM logs shows it has picked it up once before.

Henrique_RJ · June 10, 2016, 10:40pm

Comodo is working on generic signatures ?

Whow do you know ?

Citizen_K · June 10, 2016, 11:47pm

That’s been going on for quite some time now. I don’t have the quotes handy but it’s happening.

sAyer · June 23, 2016, 1:24pm

Most installers that use Open Candy depend on internet access to download the dependencies. The OCSetupHlp.dll is the down loader. If any application say ImgBurn or other is blocked from outgoing access during installation it will skip the Open Candy download and install normally without Open Candy. So technically OCSetupHlp.dll is for general purposes not malware, but the payload it downloads and installs is. There are older versions of files that contain the whole setup, but newer applications that I know of download the files during the installation process which then presents you with the Open Candy license agreement. So simply block such installers from outgoing connections and problem solved.

Edit: This is off the topic of the OP but none the less should be pointed out.