Completely Missed sample?

Hello, I am not a tester, just trying stuff out on a VM to check out the new beta, when I got a piece of malware that wasn’t detected by CIS 5 Beta 2. It wasn’t detected by the AV, no alerts from the D+, and it was not sandboxed. I can provide the file as well as screenshots. I just don’t want to attach it, because I don’t want other people getting it and infecting themselves. I have submitted it through CIS to Comodo, and also here is the VirusTotal report. On the Active Process list it does say Suspicious, but it seems to run freely.

I’ll attach the screenshots :slight_smile:

Comodo also left some files after a clean-up test I did (different VM). Unfortunately, for this infection the files were already cleaned up, or I could have submitted them :frowning:

EDIT: Also noticed something strange: the malware seems to be masquerading as the BitDefender management console. Also attached a screenshot for that.

Can you please give me that sample?

Yeah, sure, seeing as you are a moderator.

EDIT: I tried executing the malware outside of its original directory, and it would not run on the desktop. It would run sandboxed if it was just in C:\Users\Test\AppData and C:\Users\Test\AppData\Roaming. It would not get sandboxed if it is run from its original location. It did throw up a firewall warning a few times when I ran it from the folder, but only once and never again.

Excuse me, but the first screenshot shows that the Sandbox is disabled.
Yet you are saying that it wasn’t sandboxed.
You can conclude why :-\

I have the sandbox enabled; I double-checked and tried turning it on and off as well. I thought that was just a per-process thing that would only be enabled for it being executed in the sandbox. If my sandbox is off, it may just be a bug about it not turning back on, but I tried running other files and they were sandboxed and the yellow sandbox alert popped up.

EDIT: Yeah, that is how it works, and it is supposed to say disabled for unsandboxed applications. I just tried it by sandboxing IE. If it were sandboxed it would say Untrusted/Partially Limited/Limited/etc. :slight_smile:

EDIT 2: It seems it’s making connections also, so I took a screenshot of those.

OK, I tested it out; in my test my sandbox caught it just fine.

I don’t understand, does the sandbox only protect certain paths? I’ll try restarting, then try to run it again and see if it catches it this time.

No, I tried it from the desktop and also from the path you gave me, and it sandboxed it in both areas.

Definitely my mistake :-[ It seems I switched CIS to Clean PC Mode and then forgot about it. Should have just followed Occam’s razor :confused:

Thanks anyway for reporting what you thought to be a bypass, it’s always appreciated. :-TU

Thank you, but I’m terribly embarrassed to have wasted people’s time.

Seriously, don't worry about it. :-TU