Comodo's white-list database

Can anyone tell me if Comodo’s white-list database is being continually updated and modified? Or does the white-list database stay the same until a newer version of Comodo is installed?

I believe it's updated regularly.
I don’t see any point in doing it at version release!!!

That’s interesting, because there are some implications that Comodo may have added rogue software to this white-list database, and hence Defense+ was bypassed.

Can anyone tell me how a program is added to the white-list database?

The white list only gets updated with new releases of CIS iirc.

The list gets made by Comodo employees and is helped by the files uploaded from the My Pending files lists of users.

What makes you think a rogue software is on that list?

Thanks for the reply. I (and several others on Wilders) am trying to work out why 3 rogue programs “bypassed” Comodo’s Defense+ here:
http://malwareresearchgroup.com/forum/viewtopic.php?f=20&t=80

Note that I can’t reproduce this bypass, but some are saying it’s because the white-list has now changed etc.

Also, can anyone tell me what happens if a malware program gets a digital signature from Comodo - will Defense+ automatically trust it?

What do you mean with digital signature? Can you give us the url of the topic at Wilders?

Like you know, it’s well known that anyone can buy these digital signatures, right? So if a malware writer buys one and signs his malware program with it, will Defense+ trust this program?

Here is the link, but unfortunately, the thread is littered with rubbish. It will take you a long time to read through all of it:

The certificates you are referring to are DV certificates for https connections that got Comodo in the news several times. They are a different animal than the certificates used to validate a trusted publisher, like Adobe, Symantec, etc…, that are being used in the My Trusted Software Vendors list. CIS comes with a list of Trusted Software Vendors, but they are checked by Comodo. That list is safe.

Here is the link, but unfortunately, the thread is littered with rubbish. It will take you a long time to read through all of it: http://www.wilderssecurity.com/showthread.php?t=251113
I will check the link later and get back to you about it.

Forget what I wrote before this post. I made the wrong assumption there.

For now the following. I downloaded Reggenie and installed it. It is not on the safe list because D+ said the application could not be recognised. That applies to both the installer and the executable. Also Reggenie is not on the standard My Trusted Vendors list as provided by Comodo.

The safelist gets updated on a daily basis. The sig db also has whitelisted sigs as well as blacklisted sigs.

thanks
Melih

It doesn’t matter what CA issued the cert used to code sign an application.

When a digitally signed executable that is not safelisted is launched, it will be trusted only if the vendor specified in the cert is featured in the Trusted Vendor list (Defense+ Tasks > Common Tasks - My Trusted Software Vendors).

The trusted vendor list can be either disabled or edited according to user needs.

Users can remove vendors from the Trusted Vendor list or add new vendors by having CIS read the cert from the executable.

Invalid certs will not be added, e.g. the PC On Point certificate issued by Verisign cannot be manually added because it expired in 2008.

The safelist, instead, can only recognize specific executables, and each time a vendor releases a new version of an application it will not be recognized as trusted until the safelist gets updated to detect the new version as well.
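The two trust paths described in the post above (an exact-hash safelist, and a Trusted Software Vendors list keyed by the signer of a valid code-signing certificate) can be modelled in a few lines. The following is an added example written for this page, not Comodo's code; the `Signature`, `Executable` and `DefensePlusModel` names, the certificate dates and the file contents are all constructed for illustration, and the model only checks the certificate's validity window, not the full chain that the real product would verify.

```python
"""Added example (not Comodo's code): a model of the Defense+ trust decision
described in the thread. All names, dates and file contents are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Signature:
    vendor: str          # subject name as it appears in the code-signing cert (assumed field)
    not_before: date     # certificate validity window (assumed fields)
    not_after: date

    def valid_on(self, day: date) -> bool:
        return self.not_before <= day <= self.not_after


@dataclass(frozen=True)
class Executable:
    name: str
    content: bytes
    signature: Optional[Signature] = None

    @property
    def sha1(self) -> str:
        # The thread identifies safelist entries by SHA1 of the exact file.
        return hashlib.sha1(self.content).hexdigest()


class DefensePlusModel:
    """Hash safelist first, then the vendor list; anything else gets an alert."""

    def __init__(self, safelist, trusted_vendors, vendor_list_enabled=True):
        self.safelist = set(safelist)
        self.trusted_vendors = set(trusted_vendors)
        self.vendor_list_enabled = vendor_list_enabled

    def add_trusted_vendor(self, exe: Executable, today: date) -> None:
        """Mimics 'having CIS read the cert from the executable'; an unsigned file
        or an expired cert is refused, as the post says for PC On Point."""
        sig = exe.signature
        if sig is None:
            raise ValueError(f"{exe.name}: no digital signature to read a vendor from")
        if not sig.valid_on(today):
            raise ValueError(f"{exe.name}: certificate not valid (expired {sig.not_after})")
        self.trusted_vendors.add(sig.vendor)

    def classify(self, exe: Executable, today: date) -> str:
        if exe.sha1 in self.safelist:
            return "trusted:safelist"
        sig = exe.signature
        if (self.vendor_list_enabled and sig is not None
                and sig.valid_on(today) and sig.vendor in self.trusted_vendors):
            return "trusted:vendor"
        return "unrecognised:alert"


def demo() -> dict:
    """Walks through the cases the post describes; returns the classifications."""
    today = date(2009, 8, 1)                                   # constructed date
    vendor_sig = Signature("Example Vendor Ltd", date(2008, 1, 1), date(2010, 1, 1))
    v1 = Executable("app-1.0.exe", b"constructed app v1.0 bytes", vendor_sig)
    v2 = Executable("app-1.1.exe", b"constructed app v1.1 bytes", vendor_sig)  # new release
    rogue = Executable("rogue.exe", b"constructed unsigned rogue bytes")        # no signature
    expired = Executable("expired.exe", b"constructed bytes",
                         Signature("Expired Vendor Inc", date(2006, 1, 1), date(2008, 6, 30)))

    model = DefensePlusModel(safelist={v1.sha1}, trusted_vendors=set())
    results = {
        "v1": model.classify(v1, today),          # exact hash is safelisted
        "v2_before": model.classify(v2, today),   # new build: hash unknown, vendor not yet trusted
        "rogue": model.classify(rogue, today),    # unsigned and not safelisted
    }
    model.add_trusted_vendor(v2, today)           # user adds the vendor by reading v2's cert
    results["v2_after"] = model.classify(v2, today)
    try:
        model.add_trusted_vendor(expired, today)
        results["expired_added"] = True
    except ValueError:
        results["expired_added"] = False          # expired cert refused, file still alerts
    results["expired"] = model.classify(expired, today)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14} {verdict}")
```

The point the model makes concrete is the asymmetry the post describes: the hash safelist covers only the exact bytes Comodo has seen, so a new release falls back to the vendor path, while the vendor path trusts every file the signer ever signs, which is why an unwanted vendor in that list matters more than a stale hash.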

They tested “applications with their default settings (out of the box)”. http://malwareresearchgroup.com/forum/viewtopic.php?f=20&t=80

That means:

COMODO - Internet Security - This configuration is activated by default, when both Antivirus and Firewall components are installed, i.e. the complete installation. Firewall is always set to Safe mode. But according to the malware scanning results performed during the setup process, if no malware is found, Defense+ is set to Clean PC mode. Otherwise, the default is Safe mode. In this mode,

  • Image Execution Control is disabled.

  • Computer Monitor/Disk/Keyboard/DNS Client access/Window Messages are NOT monitored.

  • Only commonly infected files/folders are protected against infection.

  • Only commonly exploited COM interfaces are protected.

  • Defense+ is tuned to prevent infection of the system.

In the topic on the MRG board site admin Mike states the following regarding certificates being used:

If you ask me there are two basic types of rogueware:
  1. Real rogueware - which really don’t perform any functions except for false alerts, changing your desktop settings, are usually distributed by unknown vendors and not listed at download sites. They usually use temporary homepages with the intention to scam users to buy a product that doesn’t really function. Their software is never digitally signed. Those are the types that are commonly detected by security software. They use ActiveX Controls in Internet Explorer to do drive-by installs and also use spam email to distribute. However you won’t find any online ads for these products but they can be found by doing an online search.

  2. Other rogueware - which will perform the intended function, but are much less efficient than other real software. Sometimes these types are more dangerous because they will delete needed registry keys or remove false positives needed by your system. They are commonly found at many download sites and they usually keep their homepage updated with fake reviews to scam users. They are usually distributed by online ads and spam emails and can also be found in online search results.
    Most of their software including all files in the program folder (dll files) have digital signatures. These type of software have to be manually installed by the users, therefore are not considered to be malware by many security software vendors.

Mike.

Thanks for pointing this out as “COMODO Internet Security (All Features Enabled)” later mentioned in that topic was far less descriptive in this regard.

As the defaults for the complete install do not include the Executables extension list in My Protected Files, it is likely that it was the AV that blocked the installation of 57/60 samples.

It also clarifies that MRG’s criteria for rogue include applications that perform the intended function but are deemed “not efficient”:

Other rogueware- which will perform the intended function, but are much less efficient than other real software.

If anyone is willing to test them using a VM, PC On Point, Advanced Audio DJ Mixer, FTP and Download helper can all be found on Softpedia.

pconpoint.exe SHA1 a42d9e3bea8a40a2de337359d503091b053be6ae Digitally signed by vendor PconPoint.com

sdfh.exe SHA1 324eb3ff70792a1961cde97639c0180072a55ceb No digital signature

sdam.exe SHA1 411475bfe46b0cb8e81f6e504d8d734993bb5f0f No digital signature

I tested them, i already PM’ed Egemen yesterday.

As for results: all 3 do get past the Default Configuration (Internet Security). And they’re not on the safe list.

Did you check also if they didn’t perform the intended functions and were only meant to fake them?

let me test that :wink:

EDIT: seems one of the files dropped is on the safe list :frowning: but the exe’s aren’t, so in a way it still bypasses the default config.

That’s interesting. Does this mean Comodo could make a mistake and add e.g. rogueware to the white-list? If it’s added to this safelist, does this mean Defense+ will not give an alert when it’s run?

Also, does this mean the daily updated safelist is being communicated to every CIS user? If so, could there be an option to enable/disable this in future releases? Also, could there be an option to ask the user if he wants his safelist updated or not?

I didn’t realise that the safelist was being updated behind my back haha! By the way, is the safelist stored “in-the-cloud”? Or does every user who has installed CIS on their computer have a (safelist) file that is continually being updated?