This came up after I reported some files from UltraVNC as a false positive in the false positives board:
After the malware database is updated these will not be false positives, but they will still all be presumably identified correctly as ApplicUnsaf.Win32.RemoteAdmin.WinVNC.(something).
I’d like CIS to treat this entire malware class as safe, since to me it’s not malware. It wouldn’t bother me if it showed up in the log, but I don’t want a realtime alert for it. Whitelisting by file location doesn’t work well because it turns up in lots of different places on different machines and drives.
I suggest the user should be able to configure different behavior for malware classes. This could take many forms, and I’m anxious to hear your ideas. Offhand it could be as simple as a checkbox under Scanner Settings that says “Report remote admin utilities as malware”, or it could be more complex, allowing the user to set a whitelist by malware name pattern match, like ApplicUnsaf.Win32.RemoteAdmin.WinVNC.* or ApplicUnsaf.Win32.RemoteAdmin.* under the Exclusions tab, maybe as a dialog under Add->File Groups.
Another approach to this same problem would be whitelisting by hash, as discussed in this thread:
https://forums.comodo.com/anti_virus_wishlist/whitelisting_by_signature_hash_of_false_positives-t32744.0.html
This is not as convenient, however, if I simply want to tell CIS to ignore VNC programs in general, since there are dozens of different ones that I use, and they’re often releasing new versions.