CIS misses some samples often, a reinstall fixes it

Hi

Once in every two or three weeks, I get to see this strange thing. I come across some virus sample, as usual, I submit it to Comodo Labs, check it with Virus Total, Valkyrie. Suddenly I see that the sample shows as detected by “Comodo” in Virus Total, but no matter what settings I choose, how many times I update, it does not get detected by CAV on my system with the same or newer bases.

The only thing I am left to do is to completely uninstall CIS and reinstall, re-download full bases. Yes, it solves the issue and the sample gets detected now.

I happen to come across this weird behaviour three or four times for now, both with CIS 5.5 and CIS 5.8 (running on Win 7 x64, I did not check this with x86 version). I have also seen some other members posting the same issue (Naren, for example) many times.

Every time this happens, I submit the samples to Comodo Labs through the forum, describing the issue in detail. Still, I could not get any info on why/how this happens.

Please look into this issue, as I am now starting to worry whether my CAV is really working or not, since I do not know if it is catching all or missing some until I check and compare some random sample with Virus Total results.

I do not know whether to file a bug report for this or not, since this is completely random behaviour and cannot be easily reproduced every time.

I would really appreciate if someone can really help sort out this weird issue.

I hope this time this issue is taken seriously by the Devs & they give info here if they are looking into this prob as to why it happens, why the strange behaviour by CAV?

Thanxx
Naren

Siva, sad no one is interested in this critical prob. Melih doesn't believe in AVs & his team don't want to give much attention to the AV. Now I have started to think this AV just has an interface but is not flexible & good in its core protection. Devs must give the same attention to the AV like they give to D+, their beloved one; only then it will improve & become a strong product & win users, otherwise it will always remain an average AV, worthless to install.

Thanxx
Naren

This antivirus gives the best explanation for using something like Defense+, and an on-demand scanner from someone else as a second opinion.

And also explains that you shouldn't install an AV from the company whose CEO thinks AVs are passe.

Either they should treat the AV like all the other components, ex - D+, & make it strong & flexible or should drop it from CIS.

Thanxx
Naren

:-TU
I like those words. That’s true.

Today, I came across the same thing. I had two samples which are being shown as malware on Virustotal but my CIS says that they are clean.

This time I tried it the other way. I have removed all the entries in the “Trusted Files” list.
‘WOW’, it now detects those samples.

This must be really a big bug.

I have already cleared a bug report for such a scenario, but it does not have a reply… :embarassed:

I still do not understand how the “Trusted Files” list, which is supposed to be a “D+ module” component, affects the “Antivirus” scan.

Whatever it is, it needs an immediate fix.

Every time I do a custom scan, I have made it a habit to clear the “Trusted files” list before starting the scan. Otherwise, the results could always be wrong. Really painful, isn’t it? :embarassed:

It’s not a bug but design. If I am right, CAV doesn’t scan the files in trusted lists.

Thanxx
Naren

Too bad cause there are lots of trusted malware…although I don’t know who or what put them there…

I do not think so.

It does scan files in the “Trusted files” list too; it only skips the files in the “exclusions list”. But the danger is that it does not seem to identify them.

For example, if I have ‘3’ files in a folder and scan the folder with CAV, it shows ‘3’ files scanned and ‘0’ threats. Whereas if those files are added to the “exclusion list”, it shows ‘0’ files scanned and ‘0’ threats.

Naren,

Every time you have a problem, even with downloading the bases, I am checking it out and explaining. Despite this fact, you are still making up stuff such as what you wrote above.

Now instead of fabricating scenarios, simply provide the sample and explain what you think it is wrong. Check the forum and you will see how we immediately fix critical issues.

If you added those files to the Trusted list or chose IGNORE and submit as false positive etc. after scanning, they are NOT going to be detected for sure.
Trusted file MEANS trusted file. So they will NOT be reported as virus.

Pls provide me the sample you are referring to and let me see what is going on.

@Egemen:

I did not add it to the “Trusted files” list, and I did not add it to false positives either.

All I did was: I scanned the folder with those samples first. They were undetected. I then scanned them online with Virustotal and Valkyrie, posted the results in the “submit malware…” forum. After a day, when I again checked the same files with Virustotal, I found that the Comodo engine detects them as malware. I then scanned the folder again and again and could only get ‘0’ detection.

This has happened to me almost 6 times for now, with many different samples.

The first time when I posted this I was asked to reinstall CIS, and it solved the problem.

The second time, I was advised to check for the files in Defense + “Trusted files” list, then I did and was surprised to see those files there. I then filed a bug report on this issue.

This time, I just cleared the whole “Trusted files” list to get them detected.

I would like to ask you humbly to explain one thing in detail.

Are “CAV exclusions” and D+ “Trusted files” the same?
How does the D+ “Trusted files” list affect a CAV scan? Are they not for D+ only? Aren’t D+ and CAV two different modules?

If a file is not detected one day and it gets to the “Trusted files” list (surprisingly), and its detection is added to bases later, will it be the policy of CIS to not detect the sample?

I do not think the issue is specific to any particular samples, still I am giving the links to latest sample here for your reference. Hope it helps you solve the issue.

https://valkyrie.comodo.com/Result.html?sha1=87321a15977476f8d003cba767bdcac97789b114&&query=0&&filename=blastclnn.exe

http://www.virustotal.com/file-scan/report.html?id=c91bf8b6d1fa8cd437c01187a0ee0a439681d81b3e99292ab430c786eb91d433-1321116210

I had this problem with a piece of malware that was trusted, don’t worry, it wasn’t a high risk.

I kept rescanning it for a few days, waiting for it to be detected, but it wasn’t. Then I cleared the trusted files list and rescanned and it was detected right away.

@SivaSuresh
Were those samples you are referring to trusted at one time by Comodo?

Specific samples are all this is about. So while talking about such issues we need details. And we need a reproduction.

If you are able to reproduce this behavior with a CURRENT sample, pls immediately contact me and send me the sample.

I cannot reproduce what you are saying with the links you gave.

@Egemen

I could reproduce this issue by scanning with an old database and then again doing a scan with the latest bases. (I think I could explain it in detail in my previous post)

To be more specific, it happens with most of the samples, not at all sample specific in my opinion.

I am using CIS 5.8 x64 on Win7 x64 latest release and the issue was there from the beginning of CIS 5.8 first beta.

Note: Can you please answer the questions in my previous post ?

Not by TVL, not manually added by me, but they are somehow getting into the list when we do a manual scan of the samples before they are actually detected by CAV.

I already answered your question: Trusted files are trusted files. They are never going to be reported as malware. Trust is not only for D+ but for firewall, AV and sandbox as well.

Exclusions are files that are skipped.

The sample you are referring to is detected as malware and I don’t see behavior like you said right now. However, let’s make sure we have the same settings.

1 - Are you using all default settings? Have you changed anything? Have you changed D+ to clean PC mode or anything? Tell me all the changes you did.
2 - How am I going to reproduce this issue? Please tell me step by step as if you are recording a video.

If you don’t add these files manually, then there is ONLY 1 way for these files to get into trusted files:

1 - Cloud marks this sample as safe (which is not the case if you sent the correct sample)
2 - This file is dropped by a trusted installer (well, we will see if this is the case if you can explain how we can reproduce this issue exactly)

If you provide these, I can see what this is about.

First of all, thanks for the confirmation.

  1. Now I stand corrected and understand that Naren was right about this. The trusted files are not being scanned for malware. Although I am not comfortable with this fact, it is how it is.

  2. No, they are not dropped by any trusted source. Actually I found those samples using KillSwitch on an infected system and copied them via a pen drive to a local folder on my desktop.

I did not make any big changes except changing CIS from Internet Security to Proactive Security. In D+ settings, “create rules for safe applications” is checked on.

  1. I think I have explained the process to reproduce the issue in a very detailed manner in my previous post. In case you did not get it clearly:

a. Scan the folder with CAV with an older bases.cav which does not identify the samples.
b. Now, scan the same folder with CAV with a newer bases.cav which has definitions added for these samples.
c. CAV reports the files as undetected; you will be surprised to see those samples in the “Trusted files” list.
d. Clear the whole trusted files list, scan again, and you can see that they are detected now, with the same bases.cav.

The issue is not 100% reproducible but I can say it is 85% reproducible, since it happened to me with 25 of the 28 samples I tested over the last month, with just 3 exceptions. To remind you again, this is only happening on my machine with CIS x64 installed; I could not reproduce it even once on my laptop with CIS x86 installed.

Hope this helps.
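Steps a to d above, simulated as an added example (not Comodo's code): a toy scanner with signature bases, a trusted list and an exclusion list, modelling the thread's description that exclusions are skipped entirely while trusted files are counted as scanned but never reported. That a clean verdict adds a file's hash to the trusted list is a modelling assumption taken from Siva's observation, not something the thread confirms; the `revalidate` option is the mitigation a defender would want, dropping trusted entries that the new bases now detect.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Scanner:
    """Toy model of CAV: signature bases plus a trusted list and an exclusion list."""

    def __init__(self, bases, trust_on_clean=True):
        self.bases = set(bases)        # sha256 digests the current bases.cav detects
        self.trusted = set()           # digests on the D+ "Trusted files" list
        self.excluded = set()          # paths on the CAV exclusions list
        self.trust_on_clean = trust_on_clean  # assumption: a clean verdict trusts the file

    def scan(self, files):
        """Return (files_scanned, detected_paths) for a {path: bytes} folder."""
        scanned, detected = 0, []
        for path, data in files.items():
            if path in self.excluded:
                continue                    # exclusions are skipped and not counted
            scanned += 1
            digest = sha256(data)
            if digest in self.trusted:
                continue                    # counted as scanned, but never reported
            if digest in self.bases:
                detected.append(path)
            elif self.trust_on_clean:
                self.trusted.add(digest)    # the side effect the thread describes
        return scanned, detected

    def update_bases(self, bases, revalidate=False):
        self.bases = set(bases)
        if revalidate:
            self.trusted -= self.bases      # mitigation: re-check trust on update


def reproduce(revalidate):
    """Run steps a, b and d from the thread; returns the three scan results."""
    files = {"sample.exe": b"constructed malware stand-in", "notes.txt": b"harmless"}
    scanner = Scanner(bases=[])                                      # a. old bases
    first = scanner.scan(files)
    scanner.update_bases([sha256(files["sample.exe"])], revalidate)  # b. new bases
    second = scanner.scan(files)
    scanner.trusted.clear()                                          # d. clear list
    third = scanner.scan(files)
    return first, second, third
```

Without revalidation the second scan still reports nothing although the bases now know the sample; with it, the sample is caught immediately after the update.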

Sure. Older bases.cav: Can you please give me the base versions that reproduce this problem? For example, which old base version have you used?

4 days old…for this sample.