Cloud scanning remnants

I like to test my defense systems and CAV against new viruses I download from sites listed on the net. Quite often, scanning the file with a manual scan (cloud enabled) with the newest definitions does not find the malware. But launching the file makes the cloud scanner alert pop up. I press clean and that's it.

Afterwards, when I scan my machine with Malwarebytes Anti-Malware, it can find several components including the original .exe file in the roaming folder. Why is that in there, and has the cloud scanner really prevented the infection or just removed the original malware file?

It sounds like CIS may fail to remove something when it is cleaning. Do you have a reproducible scenario here?

Your system is not infected when the file is just sitting on the hard drive. When using the sandbox the file would run but should not be able to cause harm. If the file does not run in memory after a reboot you were not infected; the sandbox contained it.

These malicious files always seem to be sandboxed and restricted. MBAM tends to find some registry keys and a file in the roaming folder, no active processes.
I can try to send you some more information next time I do my tests. I always return my system to a clean state with Time Machine after testing.

I retested it. With manual scanning CIS does not detect the malware, but after launching it CIS says that an infected file is found and I pushed the clean button. The file was also restricted by D+.
After reboot I ran a Malwarebytes flash scan and it found a trojan file netprotocol.exe that was a copy of the original in the appdata/roaming folder. I checked the file with VirusTotal and the major players (not Comodo) recognized it.
So Comodo can let infected files into the machine, although it seems to be very unlikely they can really do any harm.

Do you have cloud scanning enabled for the manual scan? I think it is switched off by default for manual scans and enabled for the resident scanner.

After reboot I ran a Malwarebytes flash scan and it found a trojan file netprotocol.exe that was a copy of the original in the appdata/roaming folder. I checked the file with VirusTotal and the major players (not Comodo) recognized it. So Comodo can let infected files into the machine, although it seems to be very unlikely they can really do any harm.
The Comodo sandbox allows files to be dropped in various places. That is because the sandbox has a double function: it limits malware enough not to be able to start with Windows or make changes to the system, and it also lets regular programs run successfully when sandboxed.

That's why scanners may find files on the hard drive after a reboot. As long as the file is not running in memory after the reboot, the system was not compromised. And yes, it does look sloppy…
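The two replies above give the practical test: a leftover file on disk is not an infection by itself; what matters is whether it executes after reboot or has an autostart entry pointing at it. The script below is an added example for checking exactly that, not code from the thread or from Comodo or Malwarebytes. It assumes the dropped file is at the path the poster described (netprotocol.exe under %APPDATA%; the name is taken from the thread, the exact path is an assumption) and only reports, it does not delete anything.

```powershell
# Added example (not from the thread): post-reboot triage for a file that a
# sandboxed sample dropped. Reports whether the file is still on disk, whether
# any running process was started from it, and whether a common autostart
# location (Run/RunOnce keys, Startup folders) references it.
# Default path is an assumption based on the thread's description.
param(
    [string]$DroppedFile = (Join-Path $env:APPDATA 'netprotocol.exe')
)

$result = [ordered]@{
    Path          = $DroppedFile
    OnDisk        = $false
    SHA256        = $null      # handy for a VirusTotal lookup without uploading the file
    RunningPids   = @()
    AutostartHits = @()
}

if (Test-Path -LiteralPath $DroppedFile) {
    $result.OnDisk = $true
    $result.SHA256 = (Get-FileHash -LiteralPath $DroppedFile -Algorithm SHA256).Hash
}

# 1. Is anything executing from that path right now? An idle leftover file after
#    reboot is the "not compromised" case described in the reply.
$result.RunningPids = @(
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -ieq $DroppedFile) } |
        Select-Object -ExpandProperty Id
)

# 2. Does any Run/RunOnce value mention the file? If it did, the sample managed the
#    "start with Windows" behaviour the sandbox is supposed to block.
$needle  = [System.IO.Path]::GetFileName($DroppedFile)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -like "*$needle*") {
            $result.AutostartHits += "$key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Startup folders: match file names directly and resolve .lnk targets.
$shell       = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($item in (Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue)) {
        $target = $item.FullName
        if ($item.Extension -ieq '.lnk') {
            $target = $shell.CreateShortcut($item.FullName).TargetPath
        }
        if ($target -like "*$needle*") {
            $result.AutostartHits += "startup: $($item.FullName) -> $target"
        }
    }
}

[pscustomobject]$result | Format-List
```

Run it from an elevated PowerShell after the reboot; an empty RunningPids list and no AutostartHits is the outcome the reply calls "contained", while any hit is the point at which the leftover stops being a cosmetic remnant and needs cleaning. The SHA256 lets you compare the dropped copy against the original sample without launching either.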