CIS on VirusTotal detects file but not CIS on computer [WBZ]

The bug/issue

  1. What you did:
    Did a scan of a folder filled with malware with heuristics on high. No malware was found. I then checked the files on VirusTotal and some were even detected with actual detection names (i.e. not heuristics).

  2. What actually happened or you actually saw:
    I checked the files on VirusTotal and some were even detected with actual detection names (i.e. not heuristics).

  3. What you expected to happen or see:
    The detection should have been the same with heuristics on high and cloud scanning enabled.

  4. How you tried to fix it & what happened:
    I checked my settings. For manual scanning everything was selected and maximum size was set to 9999.

  5. If it's an application compatibility problem, have you tried the application fixes?:

  6. Details (exact version) of any application involved with download link:
    VirusTotal links to the samples in question.

I can also provide you with the actual files, or CIMA links if you prefer.

  7. Whether you can make the problem happen again, and if so exact steps to make it happen:
    It happens every time I scan these files.
  8. Any other information (eg your guess regarding the cause, with reasons):

Files appended. (Please zip unless screenshots).
I have attached a HijackThis log so you can see the programs running.

  1. Screenshots illustrating the bug:
    See links above.
  2. Screenshots of related event logs and the active processes list:
  3. A CIS config report or file.
  4. Crash or freeze dump file:

Your set-up

  1. CIS version, AV database version & configuration used:
    CIS Premium 5.0.162636.1135
    AV Database version is 6540
    I have it configured as described here. The real-time scanner is disabled and for the manual scanning every box is checked and the heuristics level is set to high. Just to be clear, "Enable cloud scanning" was checked.
  2. a) Have you updated (without uninstall) from CIS 3 or 4, if so b) have you tried reinstalling?:
  3. a) Have you imported a config from a previous version of CIS, if so b) have you tried a preset config?:
  4. Other major changes to the default config (e.g. ticked ‘block all unknown requests’, other examples here):
    Described in my article.
  5. Defense+ and Sandbox OR Firewall security level:
    In general it is set to proactive security. Defense+ and Firewall are in Safe mode. Antivirus is disabled. Sandbox is enabled.
  6. OS version, service pack, no of bits, UAC setting, & account type:
    Windows 7 x64 fully updated. UAC is disabled. Account is admin.
  7. Other security and utility software running:
    No other real-time scanners besides CIS. See log file for any other processes.
  8. Virtual machine used (Please do NOT use Virtual box):
    Not a virtual machine

I recall Melih commenting somewhere, I cannot find it, that VT does not have the v5 console scanner yet. It needs to be written for Win 2k.

That would mean VT scans with v4.x.

Here are the following two possibilities:

  1. The sample was malware but at the same time was also safe, but via the cloud, and the safe sign may not be part of bases.cav; as CIS uses the cloud it may not detect it, but the console scanner can, as it doesn’t use the cloud.

  2. The sample was signed and the signer was in the TVL; CIS uses the TVL but the console scanner does not.


Note: We have submitted to VirusTotal the CIS V5 console scanner, which has cloud enabled, and are awaiting their integration completion response.