CIS AV Quarantines a Legitimate File [M1964]

1. What actually happened or you saw:
Quarantine a shortcut which contains the following parameters:
C:\Windows\system32\cmd.exe /c start Skypee\AutoIt3.exe /AutoIt3ExecuteScript Skypee\googleupdate.a3x explorer "%CD%" & exit

2. What you wanted to happen or see:
When Quarantine is performed involving a legitimate system file (e.g. CMD.exe), it should first analyze whether the parameters contain another executable and/or script. Therefore, either the executable "Skypee\AutoIt3.exe" and/or its script "Skypee\googleupdate.a3x" must be quarantined.

However, the "CMD.exe" file was quarantined, which was later removed after the manual purge (requires a system restart).

3. Why you think it is desirable:
Properly identifying potential viruses is essential, especially if it involves important system files being utilized in the process. The AV program should avoid actions that may result in an unstable system.

4. Any other information:
Windows 7 64-bit / CIS 8.2.0.5027

Thank you for submitting this Wish Request. I have now moved this to the WAITING AREA.

Please be sure to vote for your own wish, and for any other wishes you also support. It is also worthwhile to vote against wishes you think would be a waste of resources, as implementing those may slow down the wishes you would really like to see added.

Thanks again.

Ordinary users simply perform quarantine for any suspicious files / programs they find. So the CIS program should be smart enough to avoid unnecessary effects on the system.

Like liosant suggests, preferably the Sandbox (or HIPS) of CIS should "analyze" and block these.

Adding to my notes, the actual virus files are "Skypee\AutoIt3.exe" and its script "Skypee\googleupdate.a3x".

So the quarantine function will be useless in this case.

Another example of the shortcut, where the file "dekstop.ini" loads the instructions into "wscript.exe" (and who knows what it can do).

(from an actual infection, detected as Malware@#2rbajl9n5kk3o)
C:\Windows\system32\wscript.exe //e:VBScript dekstop.ini "Microsoft"

In case you find a new variant having a similar approach and decide to put it in quarantine, the file "wscript.exe" will be targeted. So again, another innocent file will be held in prison.
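The heuristic the thread asks for, written out as an added example (not Comodo's code, and not how CIS actually works): given a shortcut's command line, treat a known Windows host binary such as cmd.exe or wscript.exe as the launcher and report only the executables and scripts it is told to run as quarantine candidates. The list of host binaries is an assumption, and the two sample command lines are reconstructed from the posts above.

```python
"""Pick the real payload out of a shortcut command line instead of the
trusted host binary that launches it. Added example, not CIS/Comodo code."""
import re
from pathlib import PureWindowsPath

# Assumption: these system binaries only ever act as launchers here, so they are
# never themselves reported as something to quarantine.
HOST_BINARIES = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                 "mshta.exe", "rundll32.exe"}
EXEC_EXTS = {".exe", ".com", ".scr"}
SCRIPT_EXTS = {".a3x", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat",
               ".cmd", ".hta"}
# cmd.exe control words and operators that can never be a payload file.
CONTROL_TOKENS = {"&", "&&", "|", "||", "start", "exit", "call"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split on whitespace, keeping quoted strings whole; also accept the curly
    quotes that forum rendering substitutes for ASCII quotes."""
    cmdline = cmdline.replace("\u201c", '"').replace("\u201d", '"')
    return [tok.strip('"') for tok in TOKEN_RE.findall(cmdline)]


def classify(cmdline):
    """Return (host, payloads). host is the launcher binary name, or None when the
    first token is not a known host (then it is itself the only candidate)."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None, []
    host = PureWindowsPath(tokens[0]).name.lower()
    if host not in HOST_BINARIES:
        return None, [tokens[0]]
    payloads = []
    for i in range(1, len(tokens)):
        tok = tokens[i]
        low = tok.lower()
        # Skip switches (/c, //e:VBScript, /AutoIt3ExecuteScript), env vars and operators.
        if low in CONTROL_TOKENS or low.startswith("/") or low.startswith("%"):
            continue
        ext = PureWindowsPath(tok).suffix.lower()
        if ext in EXEC_EXTS and PureWindowsPath(tok).name.lower() not in HOST_BINARIES:
            payloads.append(tok)
        elif ext in SCRIPT_EXTS:
            payloads.append(tok)
        # wscript/cscript //e:<engine> runs the next file as a script whatever its
        # extension, which is how a file named dekstop.ini becomes VBScript.
        elif host in {"wscript.exe", "cscript.exe"} and tokens[i - 1].lower().startswith("//e:"):
            payloads.append(tok)
    return host, payloads


# Constructed samples, reconstructed from the two shortcuts quoted in the thread.
SAMPLES = [
    r'C:\Windows\system32\cmd.exe /c start Skypee\AutoIt3.exe /AutoIt3ExecuteScript Skypee\googleupdate.a3x explorer "%CD%" & exit',
    r'C:\Windows\system32\wscript.exe //e:VBScript dekstop.ini "Microsoft"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        host, payloads = classify(line)
        print(f"host={host!r:14} quarantine candidates={payloads}")
```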