Comodo Cleaning Essentials 1.2.174769.31 BETA Ready!

I have suggested that CPU management should be added, where you can choose the number of cores that should be used and what percentage of the chosen CPU cores it should use. I hope that future versions, or the final release, will be optimized for multiple cores.

Regards,
Valentin N

Why does the DACS.AV_Vendor result for a particular file show differently when compared with the same AV_Vendor result from VirusTotal?


I would ask exactly the same question…

Besides this, how frequently is the file resubmitted to the scanners? I mean, the verdict of the antivirus depends on virus definition updates. How long does it take for the files to be rescanned and a new verdict sent?

Looks like a difference in settings; all VT detections are heuristic/generic.
And as CCE doesn’t flag these, I guess it is to prevent FPs.

Thanks Ronny.
What about this below?

This is an extremely interesting project from the Comodo Team, but as it touches upon my field I’d like to ask several questions.

  1. Diagnostic tools nowadays have to operate with the file system at as low a level as possible. Performing registry parsing and finding hidden services/drivers is just a question for the coders, but it is necessary to obtain correct information about what’s going on on the file system. Possibly I haven’t examined Comodo’s products for too long a time, but I never heard about a strong antirootkit engine made by the Comodo Team. So the question is: what is the level of file access in CCE? Has anybody performed a test of removing active ZeroAccess, Black Energy 2.1, Mebroot, TDL 3.75 and TDL 4.03 using this tool? Unfortunately I lack the time now so I cannot do it myself, but if anybody is interested - please PM me for the droppers I have mentioned. I’d be happy to help.

  2. What is the procedure to cure file infectors, i.e. Virut, Sality etc?

  3. What about self-defense? As long as CCE is not very popular it’s not a problem, but in the near future malware will start trying to kill the appropriate drivers, executables etc - using file names, names of resources, names of active interface windows etc. So is it encrypted/protected in any way now? And what about working in Windows safe mode - sometimes it is almost the only way to boot and perform something. Do all necessary drivers load normally in such a mode?

And again: all this is very interesting and I will surely try to test it, but unfortunately I am really very busy now.

Fair enough, but I guess they all have default settings :-\

The CCEKrnl.dat driver directly creates file objects for specific partitions. I see some “FAT” and “NTFS” checking code in CCE.dll, so it must be looking at the file system structures itself, like RootkitRevealer.

What about self-defense?

That’s always pointless, which is why no decent anti-rootkit program (with the exception of IceSword) has it. The most a program can reasonably do is to camouflage itself by picking random names for everything (window titles, service names). For machines that are infected badly, use the bootable CD version (which doesn’t exist yet).

And what about working in Windows protected mode - sometimes it is almost only way to boot and perform something.

You mean safe mode? I’m pretty sure it works.

That's always pointless, which is why no decent anti-rootkit program
+1, I agree. Why make it more complex than it already is? It’s unneeded code and totally unnecessary. I would consider it bloat.

Thanks for the reply. As the distinguished gR1 from the KernelMode forum has provided some info about CCE testing results, I can reply to your arguments, as well as add something from me personally :slight_smile:

Looks like there is a misunderstanding between us. Actually Windows Explorer, FAR and Total Commander also have some “NTFS” and “FAT” checking modes. But unfortunately they cannot find infected drivers and some hidden objects during an active infection :slight_smile:

I don’t agree with you. Using random names for resource objects and file names, as well as using bitmaps as interface window names, does not require too complicated code. But these simple steps helped much with the Bagle and Palevo issues :slight_smile: I know a LiveCD is a pretty good universal solution - but what about netbooks? What about updating databases on a LiveCD? As far as I know CCE now downloads about 200 MB during an update :slight_smile: It’s not very clever to download and burn a LiveCD image every week just to stay updated :slight_smile:

BTW, using a LiveCD completely removes the need for antirootkit and complex technologies to overcome rootkit hooks. If CCE is intended just for such cases - it is better to start with a simple LiveCD antivirus. 200 MB - ouch, looks like it is signatures for all virii without being packed! :slight_smile:

Yes, I meant exactly safe mode - sorry, English is not my native language.
Are you absolutely sure? As far as I know CureIT by the DrWeb Team is the only antivirus solution which starts normally in safe mode. Kaspersky Virus Removal Tool AFAIK starts normally too at first sight - but it doesn’t load some drivers. So I’d like to double check in the case of CCE.

And now - the results of testing from the above-mentioned gR1:

Doesn't have MBR scanning at all (or I just didn't see it) so it's useless against MBR infectors, at least in its current state. Tried ZAccess against it: detected the infected driver (but not the loaded max++ module). Instead of disinfecting the legit driver it deleted it, which could potentially be disastrous.
So it looks like in its present state CCE is useless against Mebroot, Mebratis, Stoned, Whistler, TDL4 and other bootkits as well as against ZeroAccess, TDL3 and other modern rootkits. Too bad - because for deleting simple malware there are some well-known and proven techniques based on ComboFix and AVZ.

You mean CCE? I haven’t ever scanned with CCE before, so I have no idea. I’ll take your word for it.

I don't agree with you. To use random names with resource objects and file names as well as to use bitmap as interface windows names do not require too complicated code.

Exactly. That’s what I was saying - using random names is as far as most people go with “self-protection”, and it’s a good thing. But protection from termination is going a bit too far.

Are you absolutely sure? As far as I know CureIT by DrWeb Team is the only antivirus solution which starts normally in safe mode. Kaspersky Virus Removal Tool AFAIK starts normally too at first sight - but it doesn't load some drivers. So I'd like to double check in the case of CCE.

I haven’t tried it, but that was my guess, because I can’t think of any reasons why CCE wouldn’t work in safe mode.

wj32, by CCE I meant Comodo Cleaning Essentials.
Concerning self-protection against termination - ha, malware cannot stop every process in the system. Usually it detects some antivirus programs according to the names I have mentioned and tries to kill them.
Surely that is enough for a self-defense function and there is no need to go deeper.

I didn’t actually understand what you said about “Windows Explorer, FAR and Total Commander”. My reasoning was this: if CCE didn’t parse file system structures itself, it wouldn’t need to care what file system a partition is using. But it has checks for “NTFS” and “FAT”, so I’m assuming it does read raw disk data.
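The reasoning above hinges on one observation: a tool that reads raw disk data has to recognise the file system before it can walk its structures. As an added illustration (not CCE’s code, and the sample sectors are constructed, not taken from a real disk), this classifies a 512-byte boot sector as NTFS or FAT from the fields those file systems actually place there:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* File-system guess derived from a raw 512-byte boot sector. */
enum fs_kind { FS_UNKNOWN = 0, FS_NTFS = 1, FS_FAT = 2 };

/* Classify a boot sector the way a raw-disk scanner must before it can walk
 * the file-system structures itself (the "NTFS"/"FAT" checks the thread
 * mentions). NTFS stores "NTFS    " in the OEM field at offset 3; FAT12/16
 * carry "FAT" in the type field at offset 54 and FAT32 at offset 82. Every
 * valid boot sector ends with the 0x55 0xAA marker. */
enum fs_kind classify_boot_sector(const uint8_t sector[512])
{
    if (sector[510] != 0x55 || sector[511] != 0xAA)
        return FS_UNKNOWN;                     /* no boot signature at all */
    if (memcmp(sector + 3, "NTFS    ", 8) == 0)
        return FS_NTFS;
    if (memcmp(sector + 54, "FAT", 3) == 0 || memcmp(sector + 82, "FAT", 3) == 0)
        return FS_FAT;
    return FS_UNKNOWN;
}

/* Constructed sample sectors (not images of real disks): only the fields the
 * classifier inspects are filled in. which: 1 = NTFS, 2 = FAT32, 3 = FAT16,
 * 4 = NTFS layout with a corrupted boot signature. */
void make_sample(int which, uint8_t sector[512])
{
    memset(sector, 0, 512);
    sector[0] = 0xEB; sector[1] = 0x52; sector[2] = 0x90;   /* typical jump stub */
    memcpy(sector + 3, (which == 1 || which == 4) ? "NTFS    " : "MSDOS5.0", 8);
    if (which == 2) memcpy(sector + 82, "FAT32   ", 8);
    if (which == 3) memcpy(sector + 54, "FAT16   ", 8);
    sector[510] = 0x55;
    sector[511] = (which == 4) ? 0x00 : 0xAA;
}

/* Convenience wrapper: build sample `which` and classify it. */
enum fs_kind classify_sample(int which)
{
    uint8_t sector[512];
    make_sample(which, sector);
    return classify_boot_sector(sector);
}

int main(void)
{
    for (int which = 1; which <= 4; which++)
        printf("sample %d -> %d (0 = unknown, 1 = NTFS, 2 = FAT)\n",
               which, classify_sample(which));
    return 0;
}
```

On a live system the sector would come from a raw read of the partition rather than from make_sample; the corrupted-signature case shows why a scanner must refuse to parse further rather than guess.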

Concerning self-protection against termination - ha, malware cannot stop every processes in system. Usually it detects some antivirus programs according to names I have mentioned and tries to kill it. Surely it is pretty enough for self-defense function and there is no need to go deeper.

If malware has loaded a driver, it can do anything. And what’s the point of putting in self-protection if it’s only going to stop user-mode-only malware? Better to not have it at all.

I will not go into technical details, but there are a number of ways to find out what is going on on the disk. It could be a simple usermode API call - in this case the program will obtain almost the same as Explorer does. It could be direct work through the I/O ports of the controller - in this case nothing can be hidden, but we have to write our own OS to work with all controllers and to parse file systems. Everything else is between these two points.
I didn’t ask about supported file systems, I asked about the level of access. Some of the newest antirootkits use a copy of the port driver, others build their own disk device stack. What about the subject?

You are right - and not. It really can do anything, but it will never kill all processes. The main aim of almost all malware is to do something hidden - build a botnet, send private data, steal passwords and card numbers. It will never cry “KABOOOOM! YOU ARE INFECTED!!! HAHAHAHAA!” because the user will immediately try to do something against it. So the processes to be killed will be sorted - and according to what, in your opinion? :wink:

Of course kernel-mode malware is the most complicated case. But as I have mentioned, saying “the only way in this case is to use a LiveCD” is simply giving up, and this niche is already taken by antivirus vendors with their own LiveCD solutions. But this solution is limited because of the continuous repacking/crypting of malware to evade signature detection.

I believe that if somebody builds a product to diagnose and remove as much malware as possible without a LiveCD, it would be excellent. And there are some good results: we have TDSSKiller from Kaspersky to remove the most modern rootkits, we have the above-mentioned AVZ and ComboFix, MBAM, OSAM etc - but there is no combined one, so it is necessary to use several tools in each case. I thought Comodo had decided to do something combined - but according to you it is a simple usermode analysis tool and every complicated case will get the standard answer “please use a LiveCD”. But that answer, as I told you, is already very popular.

And we forgot about file infectors. What happens in this case? Delete all infected files?

And I still hold another ace - GPCode, XORist, RectorCryptor etc :wink:

hey gjf

welcome to the forum man

3. What about self-defense? As long as CCE is not very popular it's not a problem, but in active future malware will start trying to kill appropriate drivers, executables etc

I am merely asking here: will that be any different from the self-protection all COMODO products use??

If so, how did you know?? And if not, why ask?? ??? And would you mind saying how you found out that COMODO isn’t popular???

I am just concerned because I just decided to download it and give it a try.

PeaceWave, I have discussed only Comodo Cleaning Essentials issues here. It is not popular just because it is a beta :slight_smile:

I have no idea, and I haven’t discussed the same issues in other Comodo products. So I believe you’d better ask about them in other forum topics.

As for CCE and any other such product, I would not recommend using it routinely while it is in the beta stage - you can simply destroy the system. So if you are planning to test it - OK, very good, but if you are planning to use it in your work - it could be a very bad idea.

I have answered this question several times already. My statement about the file systems was support for my conclusion that CCE reads raw disk data. I stated that the CCEKrnl driver creates its own FILE_OBJECTs for partitions.

You are right - and not. It really can do anything but it will never kill all processes.

I didn’t state that malware is going to kill all processes. Why would it do that? My point is that whatever self-protection is put in place, you can get around it (to a reasonable extent). For example, the most effective anti-termination technique I’ve seen is to set SystemThread to TRUE so that NtTerminateThread refuses to terminate the thread. But you can still get around this by queuing an APC and calling PspTerminateThreadByPointer from there. This might not be the most recent example, but it’s a good one.

wj32, sorry - I missed your explanation concerning FILE_OBJECTS. I have to write here and work simultaneously - pardon me!
I am not sure this can help overcome recent threats. If you are a beta tester I can send you proofs.

As for termination - sure, you can use PspTerminateThreadByPointer and even other techniques - but how will you find out which thread/process you have to terminate?

You don’t have to send me anything, I believe you completely. Although I’m not a security person, I’ve seen some pretty advanced rootkits… Hypervisor stuff is scary…

As for termination - sure, you can use PspTerminateThreadByPointer and even other techniques - but how will you find out which thread/process you have to terminate?

If service names, file names and window titles are random, then I guess it will be harder than usual. But I’m thinking, why not scan the address spaces of processes, looking for signatures, just like an AV? :wink:

Actually this would be the only way :slight_smile: But I think it will eat too many resources - hmm, not very easy! And in bad hands it can even cause a BSOD :slight_smile:

Sure, we can go deeper and deeper, up to polymorphic code, but as I said - why? Random names are an easy way and quite effective. Not 100% - but nothing is perfect.