hi all before i install this virus when it comes full dose it detect this virus. Win32.Polipos its a p2p virus i sometimes use p2p so was just curious if it detects this virus. if it dose its whey a head of avg free which is what i’am using know. (:NRD)
is not anyone going to answere if it detects this virus as i would love to make the switch get back please its been views 40 times. no has a answere some has to. thanks
I’ve respnded to your PM and will also post my reply here:
I’ve checked the database and can’t see a virus under this name or any of the other names it goes by.
I’m sure Comodo will add it soon as they have a number of ways of collecting new samples such as this.
Also, the reason CAVS is a beta is because it does not have all the definitions it needs, yet so you should be aware of this before switching.
It’s simple. Not that they don’t have samples (i’ve sent them two Polip samples to replicate, so they certainly have them) it’s the scan engine thats not capable of detecting polymorphic viruses (not sure if it can detect any of these at all in current state). I don’t know what kind of upgrades will be done in next versions of Comodo, but current one is left in cold for polymorphic viruses as far as my knowledge goes…
Hi cruiser, this is indeed a polymorphic virus. It will infect .exe and .scr files.
Don’t forget, it has variants and it may need other removal tools as well.
Also to note, not everyone who reads these post are willing or not able to help, and in fact if we come across them, we will answer if possible. On the voting polls, there may be 300 views but only a few votes…just an eg…
Hope this helps…
Just to note on this, many have this issue, not just Comodo. Norton, and many others won’t detect or remove it and many are left to format their drives. Polymorphic viruses change their signature to be undetected by anti-virus applications. There are removal options as well but even look to other forums and many have failed with online detections by norton, avg , and many others. It will be in some terms be detected but then not , as it changes and remains on the drive. Perhaps even having hundreds of varients. The best protection is making sure the user doesn’t download or use programs for downloading that are virus ridden risks to begin with. There is no flaw in the scan engine, this is simply the virus and how it acts.
Polymorphic viruses are the least problem for Symantec… If the AV is capable of emulating the code required for detection of poly viruses it doesn’t really matter in which state of mutation that virus is at the moment. This is just one branch of malware that simply requires scan engine advanced enough. Just pattern matching and static unpacking is far from enough in these days…
What I mean here is (and I do agree to a point) the scan engine isn’t behind, many have to develop the polymorphic engine aside from the macro. Developing a polymorphic scan engine is time consuming to say the least. Symantic won’t remove all the variants and states so. This is a problem. While detecting the virus and polymorphic patterns, it still slips through the proverbial cracks in many ways. When an engine can detect and detain all variants without user intervention, then it is sophisticated. So what I mean here is , while they have a somewhat decent polymorphic engine, it’s only about 60% effective. Others who use Norton\Symantic and others, have failed to detect all variants and delete them as well. Back to point, I do see what you would mean about Comodo anti-virus engine. I don’t know if it has polymorphic capabilites or not and I (no offense to Comodo) have Vcom fix it utilities with antivirus, so I do not use it.
Polymorphic viruses are packed/encrypted viruses. The payload of the virus is encrypted. So before you execute the infected program, how do you know its infected unless you unpack/decrypt it? Well you don’t! This is why you need to write unpackers… so that you can first unpack it, to reveal what it is hiding and then scan that to catch the virus.
have an emulator that allows the infected app to execute itself in a an emulator and unpack/decrypt itself and reveal the payload for the scanning engine to find the virus.
as the last line of defense (in case if this is packed/encrypted with something thats so unique and has many anti-emulator techniques), you let it execute and try to catch it in memory.
CAVS do have these capabilites. We don’t have all the unpackers we should, we are working on getting them all though as we add them you will see our detection rate improving. However with our HIPS inclusion we will prevent infection and protect you anyway.
Thank you Melih,
I am terrible at explaining it seems as I should have been more detailed \mentioned the unpacking \encryption method. (:TNG) I truly didn’t know what Comodo had for this but now I do obviously. I truly feel bad about not using Comodo AV but have bought Fix it for 6 years now and always trusted it (not that I wouldn’t with comodo you understand) I am looking for a reason to not use it, lol but perhaps they will fold up or not have a good version next time… Of course I will never have any other firewall or antispam other than Comodo. The poly mentioned above is a nasty it seems and I think was started in March but supposedly has one heck of an encryption method as well with many variants. Why don’t these people get a job instead? loll. I’ll never understand.
Well, this is exactly the issue! Go ahead, take a virus/malware encrypt it with exeencryptor or some other packers and run a virus scan with the best AV you think there is! They won’t catch it!
for the techie heads: modify the packer routine and pack a virus yourself and see if the AV catches it!
Nope they won’t!
And this bugs me! You are always behind trying to catch up!
Instead we decided to put HIPS, so that instead of us trying to catch the bad guys when they do a damage, the table is turned agains them now Its so easy to have a new variant of an old virus by simply hand modifying the packing routine, voila you have a new virus that AVs don’t catch, until AV vendors come up with a fix! I ain’t subscribing to that methodology! Its old and no longer effective at protecting the users!
I choose to innovate and protect my users!!! (:NRD) (remember that’s my mission (:KWL))
You go Melih!!! hoot hoot! lolll. (:CLP)
I agree, and why I stated that the poly engines are only about 60% effective on other anti-v. Although this is a statistic and if I went by many other anti-v users, I would say 30% being generous.
Many are stuck reformatting , trying to manually get rid of this ■■■■ even though other anti-v companies brag that they have this great polymorphic ability which was actually produced in 95 and modified. Hype, all hype. And to all those who create viruses, etc…I hope they get 50 mother in laws!
I don’t know but i’m getting a feeling that not much of you guys know what polymorphism actually is. And it has NOTHING to do with packers at all. :o We could roughly say it’s an encryption but i’d rather use “code reorganizer” or “code mutator” instead. Code itself looks different after polymorphic engine “mutates” it, yet it performs same actions as before. So file is not packed or encrypted… Parite, Zmist and Polip are just few of such. And CAVS can’t detect any of these as far as i know…
you all make good points i think im still going to go with cavs when it out beta as it seams prety darn good also i just quit p2p stuff i dont need some nasty virus.
That means they’d have to be polygamous, marry 50 wives and have 50 mother-in-law variations!
With all of this poly they’re going to want a cracker…
Oh, and to avoid the mother-in-laws they would themselves become shape-shifters… or in other words polymorphic. ;D
From the book called Art of Computer Virus Research and defense":
"Polymorphic viruses can create an endless number of new decryptors that use different encryption methods to encrypt the constant part (except their data areas) of the virus body.
Some polymorphic viruses, such as W32/Coke, use multiple layers of encryption"
Polymorphic viruses are all about modifying the packer/encryptor not the virus body. So as long as you have a good unpackers that can handle this, failing that a good emulator, then you should be able to catch the virus if you have the signature. The issue is not the virus payload mutation but the packer/encrypter morphing.
this is different than likes of metamorphic ones where the virus code itself mutates. and here is how that book defines metamorphisism
“metamorphic viruses in the shortest possible way: “Metamorphics are body-polymorphics.” Metamorphic viruses do not have a decryptor or a constant virus body but are able to create new generations that look different. They do not use a data area filled with string constants but have one single-code body that carries data as code.”
Yes, i mixed up metamorphic with polymorphic. Doesn’t really surprises me as i was writting the message at 3 AM in the morning… It was about time to go to sleep…
oh dear… too late to do anything
All I can say is that I am learning hell lot of things from this forum. I seriously had not a clue about what were you people (Melih, Paul and RejZor) talking about. Nevertheless, I’m learning.