Comodo put malware into trusted file list when I added it to the AV exclusions

I am beside myself right now. How could malware end up in the trusted files list when all I did was add it to the antivirus exclusion list? Does excluding a file add it to the trusted files list??? Is this a possible bug in CIS?

If you add it to the exclusions list then you are trusting that file; so what file are we talking about, and what program?

It’s actually a bit convoluted when you think about it:
You have a malware file you want to exclude, but you don’t want to trust it? Hmmm…

It makes sense. If I want to let Defense+ handle the file (let it run sandboxed) without the AV detecting it so I can upload it to VirusTotal. What’s so convoluted about it? I was trying to upload a drive-by-download malware that was running at the time when the AV caught it. I kept the sandbox on and tried to ignore the file when the AV detected it, but a message kept popping up saying I didn’t have permission to open the file. So I added it to the antivirus exclusion list and disabled the sandbox, hoping I would just get some D+ alerts that I could block. But instead Comodo took it upon itself to add the file to the trusted files list, so that it could execute when I tried to upload it.

And you say what I did was convoluted?

In a way, yes. Either you trust a file, or you don’t…

Anyway, it wasn’t adding the file to the AV exclusions list that added the file to your trusted files list, but your attempts to ignore the file from the initial popup.

If you wish to ignore something in D+, there isn’t such a thing as an exclusions list as there is in the AV. All there is, is the trusted files list. So when you click ignore, it adds the file to the trusted files list as this is the only way for D+ to ignore a file.

WOW

So should someone disable the AV completely without ignoring the file? How can someone gain access to a supposed malware so they can upload it without it being added to the trusted files list in D+ when it is excluded or ignored?

I really wonder about some official replies lately. Putting something in the exclusion list of an antivirus means “don’t annoy me with detections”. Why should it mean “let Defense+ give it all rights”?
Car examples are funny, but compared to what I read here, it appears serious :smiley: . If someone presses the acceleration pedal, does it mean that the brake should be disabled, as the driver wants to accelerate?

Your assumptions of what a person thinks when the person presses a button are totally out of place. A button has a function. A button is not a philosophical discussion.

I once mentioned that when you send a file to Comodo as a false positive in the antivirus alarm window, it will be added automatically to the trusted files list for Defense+. And I got a similar answer: sending something as a false positive declares me as someone who trusts that file. That’s absolutely wrong! BECAUSE maybe I was wrong in thinking it would be a false positive. Maybe it was a hidden virus under the name of a usually fine program. And if it wasn’t made trusted, I would have a chance to see what unusual things it would do.

In both described cases, functions of your antivirus take away security!

So you are literally saying that pressing a decision button in an antivirus window is valid for Defense+? Telling the antivirus to ignore a file is the same as telling it to Defense+? People actually read whether it’s an antivirus or Defense+ window. Based on that they make decisions!
Is it just me, or are the buttons and settings totally confused, if what you say is right? Antivirus windows should handle antivirus things, Defense+ windows should handle Defense+ things.

When you use the option to submit a file to Comodo, it will be put on the trusted files list if the file is deemed safe.

The user did not specify which option was picked from the ignore menu. I’m suspecting the option was (probably by accident) Add to Trusted Files. Simply adding a file to the AV exclusions list will not add the file to the trusted files list, so it has to be the ‘ignore’ step which was the culprit.

Try it. WITHOUT cloud, without any allowed connection other than the one which sends the file. In other words, with otherwise blocked internet access for Comodo.
Produce an antivirus alarm (with a harmless false positive!). And then choose “send to Comodo as false positive”.
Then look immediately in the trusted files list.

Feel free to tell me another result. But first test it, like I did. I wrote about it once. I don’t have the antivirus installed, so I can’t test it, and I can’t say if it’s fixed. Curious about the facts.

Ok, if you meant the “ignore” step, that can be. But it sounded like the “ignore” option button in the antivirus alarm :wink: . Nvm then.

It does still add submitted files to the trusted files list. Although the help file says it will add the file to the list if it is deemed safe, I’m assuming it adds the file anyway because you as the user are saying it is safe and reporting it as such. If not, I don’t know why it does this. :-\

Why would you add Malicious/Suspicious files to the exclusion list in preference to adding them to quarantine or unrecognized?

If you are excluding it, it is obvious IMO that you have classified it as safe (Logical).

Adding a file to the exclusions could also mean I don’t want the interference of the AV at this moment and I will assess it with D+ or the sandbox.

Sometimes you just want to suspend judgment.

Because this would disable the antivirus alert each time it’s accessed. I always have files which should be able to run, or, like the opener described, should be able to be handled so they can even be uploaded to VirusTotal, without being intercepted by the antivirus (first of all as false positives).

Look, excluding from the antivirus is what all the Defense+ benefit is about: if the antivirus cannot catch a virus, Defense+ is your line of defense. People trust in this sentence. That’s why they don’t imagine they would disable Defense+ with an action for the antivirus, or by uploading a file as a (seeming) false positive.

@captainsticks (about logical :wink: )
I have another antivirus at the moment. When I put something in the exclusion list (which I somehow don’t need) OR if I send a file as a false positive to the company, Defense+ is not disabled in front of this file. But if I use Comodo antivirus, my Comodo Defense+ is/would be disabled towards the file (in your example already when it’s been put in exclusions, in my example definitely after being sent as an FP to Comodo).
Funny conclusion:
Other companies’ antivirus is defending the principle of Comodo’s default deny the most, while Comodo’s antivirus is/would be giving it up in these cases :frowning:

I can see where the help file and the ignore button options need to be worded more clearly.
Here in the original help file wording I have bolded the very important qualifying statement.

> Selecting Ignore provides you with four options.
> Once - If you click 'Once', the virus is ignored at that time only. If the same application invokes again, an Antivirus alert is displayed.
>
> Add to Trusted Files - If you click 'Add to Trusted Files', the virus is moved to the Trusted Files area. The alert is not generated if the same application invokes again.
>
> Report this to COMODO as a False Alert - **If you are sure that the file is safe**, select 'Report this to COMODO as a False Alert'. The Antivirus sends the file to Comodo for analysis. If the file is trustworthy, it is added to the Comodo safelist.
>
> Add to Exclusions - If you click 'Add to Exclusions', the virus is moved to the Exclusions list. The alert is not generated if the same application invokes again.

The problem is it doesn't specify the additional action taken.

I would suggest that this

Report this to COMODO as a False Alert - If you are sure that the file is safe, select ‘Report this to COMODO as a False Alert’. The Antivirus sends the file to Comodo for analysis. If the file is trustworthy, it is added to the Comodo safelist.
is reworded to
Report this to COMODO as a False Alert - If you are sure that the file is safe, select ‘Report this to COMODO as a False Alert’. The Antivirus adds the file to your local Trusted Files and sends the file to Comodo for analysis. If the file is trustworthy, it is added to the Comodo Global Safelist.

The ignore button option needs to be changed from “Report this to COMODO as a False Alert”
to “Report to COMODO as False Positive and Add to My Trusted Files”
because that’s what it does.

Bad

Yes, at least it should name the action in the choice!

But being trusted is anyway something other than being seen as surely a false positive! It should not be mixed at all.
Example: I use an Amiga demo program. It uses packers. Some antivirus programs (like Comodo) are allergic to packers. If I sent something like that as a false positive to Comodo, I still wouldn’t want these things to have all rights (trusted). I just want to give them the few rights which are necessary to run it. And I want to keep control of when they run. You can make funny things with these demos, lock the screen, let balls run and jump over the words on your desktop and other things. I smile, but I don’t trust :smiley:

Only because I have the bad luck to get a Comodo false alarm and want to report it, I should NOT be forced to trust this file (mainly if it’s even silently “made trusted”)! The most misleading thing is that there is an option to put the file in the trusted files list. So, if I don’t choose this option, I would think I would not choose this action! :slight_smile:

Somehow I am safer with another antivirus that doesn’t interfere with Comodo’s default deny :frowning:

I checked it just today that all my AV exclusions are being added to D+ Trusted files list…

I just exclude them to check them with VirusTotal to avoid AV detection. I definitely know that they are malware and I do not at all want them to be able to run on my system… I was thinking that my D+ was protecting me even if I disabled AV… Strangely I found it otherwise now…

Will this absurd behavior of Comodo be changed in the next beta or Final release?

really very serious issue…
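The workflow the poster above wants (get a known-malware sample checked on VirusTotal without ever letting it run, and without touching AV exclusions or the D+ trusted list) can be done without executing the file at all. The following is an added example, not code from Comodo or from anyone in this thread; the sample bytes are constructed placeholders, the file name `dropper.exe` is hypothetical, and the `.bin` rename plus ZIP container is simply one convention for storing samples so that no shell association will launch them. VirusTotal and most vendors accept an MD5/SHA-1/SHA-256 lookup, so in many cases the hash alone is enough and the file never needs to leave the archive.

```python
"""Hash and package a suspected-malware sample without executing it.

Added example, not Comodo's code.  SAMPLE_BYTES are constructed placeholder
bytes (not malware); the file name and container layout are assumptions.
"""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path

# Constructed stand-in for a downloaded sample.  NOT malware.
SAMPLE_BYTES = b"constructed stand-in for a drive-by download sample, not malware\n" * 8

DIGESTS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Return {md5, sha1, sha256} hex digests for an in-memory blob.

    Any one of these can be looked up on VirusTotal without uploading the file,
    which is the safest first step for a sample you already know is malicious.
    """
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def hash_file(path) -> dict:
    """Same digests, streamed in 64 KiB chunks so a large sample fits in memory."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def quarantine_copy(path, out_dir) -> Path:
    """Copy the sample into a read-only ZIP named by its SHA-256.

    Inside the archive the member is renamed to <sha256>.bin so no file
    association will open it, and a MANIFEST.txt records the original name and
    digests.  Upload the archive (or just the hash) rather than the live file.
    """
    digests = hash_file(path)
    src = Path(path)
    archive = Path(out_dir) / f"{digests['sha256']}.zip"
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(src, arcname=f"{digests['sha256']}.bin")
        manifest = "\n".join(f"{k}: {v}" for k, v in digests.items())
        zf.writestr("MANIFEST.txt", f"original_name: {src.name}\n{manifest}\n")
    os.chmod(archive, 0o444)  # read-only: nothing should modify or run it
    return archive


def demo() -> dict:
    """Round-trip the constructed sample through a temp dir; returns check results."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "dropper.exe"  # hypothetical name for the sample
        sample.write_bytes(SAMPLE_BYTES)
        archive = quarantine_copy(sample, tmp)
        with zipfile.ZipFile(archive) as zf:
            members = sorted(zf.namelist())
            stored = zf.read(f"{hash_bytes(SAMPLE_BYTES)['sha256']}.bin")
        return {
            "hashes": hash_file(sample),
            "members": members,
            "archive_name": archive.name,
            "roundtrip_ok": stored == SAMPLE_BYTES,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the `.bin` rename and the read-only archive is that the sample is never presented to Windows as an executable, so neither the AV nor D+ has to be told anything about it; the hash lookup happens before any upload, and if the file does need to be submitted it goes up inside the container.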

How are you excluding them? I’ve just excluded several dozen applications through Antivirus → Scanner Settings → Exclusions, and none of them are showing up on my trusted files list.

I just tested this with beta 3 but excluded virii do not get added to the Trusted Files list. I am on a clean installation with configuration from beta 2 imported.

The first thing a person sees if a program triggers an alarm is the alarm window. I know from experience that you can easily get the alarm window again (each time you get to the file). So the person will most likely use a button in the alarm window, like I did, instead of first searching the exclusion list directly.

HeffeD tested the exclusion list itself. As this came up with another result, it points to being caused by a button in the alarm window of the antivirus, which is what we see here.
We also know there’s already a button which does more, and something different, than intended (send as false positive).

It happened to me when I ran a full scan and excluded a folder named “virus” from scan, since I put my collection of samples there.

After the scan, when I checked the D+ Trusted files list, I could see files from this location listed there. I could not get how and when this happened so I can only interpret this as something happened during exclusion or during scan. I may be wrong but I could not figure out any other reason why they got into the Trusted Files list…

I was going to test this out with the EICAR test virus, but then I remembered I switched to Avast. When EICAR is accessed the antivirus will pop up an alert, giving you options (if the program is not set to automatically quarantine viruses). If you ignore the virus once, or always, does it add it to the trusted files list? If you add it to the exclusions, does it add it to the trusted files list?

Or it just slipped my mind. What happens when you send the file to Comodo for analysis and no suspicious action is found, is it automatically added to the exclusion list? I know that I did not see any option to add it to the trusted files list. Like other posters have said before, I wanted the antivirus to not block or quarantine the file so I could let D+ handle it and see what the program was going to do. If I had the D+ sandbox set to untrusted, the malware wouldn’t have been able to do anything anyway.