False positives and exploits which are undetected

We plan to release a new SI version on the 16th of August.

Thanks for the response. Can you say what the planned changes are going to be in the next release?

Yes, the main one that users see:

  • minimization of the number of FPs;
  • improvements to the Recent Detection information.

Thanks for the info!
Looking forward to the next release. The SI team has made a great product. Great job.

http://siteinspector.comodo.com/public/reports/228125

This is a safe file in the Comodo whitelist.

http://siteinspector.comodo.com/public/reports/228132

This is a safe file with a digital signature.

thanks for your reply, fixed

Exploit ----
TrojWare.Win32.Trojan.Java.dcv[at]174069857

http://siteinspector.comodo.com/public/reports/233478

http://siteinspector.comodo.com/public/reports/244910

fp

http://siteinspector.comodo.com/public/reports/271346

malware

http://siteinspector.comodo.com/public/reports/357204

malware

Exploit not detected

http://siteinspector.comodo.com/public/reports/53048

VT report of url and jar file

http://www.virustotal.com/url-scan/report.html?id=0f07e04d3b0408044af0308f8d8e1f8c-1325138654

http://www.virustotal.com/file-scan/report.html?id=df593bed82ad4f1699644c3bc41b323bf8fa1079721accbaa3636176af36faaf-1325142259

Undetected
http://siteinspector.comodo.com/public/reports/58634

VT report of site and .css file
http://www.virustotal.com/url-scan/report.html?id=81b0b8f917ff8f5d5e6003868261be98-1325275952

http://www.virustotal.com/file-scan/report.html?id=bdd90aa63bc982d4b59ff5eec2364924afb675d5b96991f28cf2253ddd055661-1325279556

Undetected Exploits

  1. http://siteinspector.comodo.com/public/reports/110244
  2. http://siteinspector.comodo.com/public/reports/110245

Hello,

I would like to report some suspicious URLs that were emailed to me in spam emails.

Here are URL Scanner results that suggest that the URLs are suspicious:

1: http://zulu.zscaler.com/submission/show/5daa86365702c9faf56d966439bf2c32-1350755621

http://siteinspector.comodo.com/public/reports/6690440

2: http://zulu.zscaler.com/submission/show/f481a38274d60c32dc2294dcd2af7d7d-1350276234

http://siteinspector.comodo.com/public/reports/6690473

3: http://zulu.zscaler.com/submission/show/d7cdac5540d8afedddd9ce7c4f012fd8-1350276535

4: http://zulu.zscaler.com/submission/show/f5407dc6cd9869d76466342fa9425eb7-1350786923

http://siteinspector.comodo.com/public/reports/6690494

5: http://zulu.zscaler.com/submission/show/35375ba2fb0511b88eca1b85da211fd4-1350787045

Thank you,
-John Jr

Thank you for your feedback, goodjohnjr! As we can see, the reports include unresolved domains or redirections to them. The results of competitors are based on the SURBL blocklist and GEO policy (UA or RU zones are suspicious by default). We use other methods. It should be noted that PHP scripts can be redirected to other sites on each visit.

In addition, you can compare results with VT:

  1. VirusTotal
  2. VirusTotal
  3. VirusTotal
  4. VirusTotal
  5. VirusTotal

You are welcome and thank you. :)

I hate to say it but, since Comodo SiteInspector has existed I wanted to like it & I still do want to like it, but it has been the worst URL scanner that I have ever used/tested since I have been testing it since its beginning (it does so badly that it seems pretty much worthless since it literally misses 98% or more of URLs that I have tried/tested against it which are collected from Spam Emails/Email Sent From Hacked Accounts/Exploit & Malicious & Phishing Websites That I & Other People Have Accidentally Come Across/et cetera which other anti-malware companies have determined to be legitimate threats after I submitted them by email/to their URL scanners/to their forums/et cetera), things like Web Of Trust even easily beat Comodo SiteInspector & it does not even use a real-time malware scanner (that I know of) or anything but one or more block-lists & user ratings as far as I know; and SiteInspector has only detected 1-3 websites out of the many independently verified spam, scam, phishing, malicious, exploit, et cetera websites that I have submitted to it since its beginning.

I even use the Report As Malicious option a lot, and those links still do not get detected later even after reporting it there and/or by email to Comodo usually if ever.

I like the way that SiteInspector looks and the information that it shows, but its speed & detection abilities are terrible/horrible/the worst that I have ever tested/seen.

I seriously hope that it improves, it needs new block-lists and the ability to detect spam/scam/phishing/exploits/suspicious/malicious/et cetera websites better or at all and some heuristics/behavioral detection and website age/reputation ratings abilities or something.

Also Comodo DNS has done terrible in the tests that I have seen since its beginning, which is also sad to see, and I really do want to see them seriously improve; it is sad to see how terrible they perform in comparison to other Comodo products & other similar products in general, I have been watching/trying/testing them off & on since their beginning with the same poor results.

Sorry for the negativity but I am being honest as someone who wants to see Comodo succeed, and who is hoping to maybe one day return to using Comodo products again full-time in the future if things improve.

Thank you and good luck,
-John Jr

Hello,

I checked our website http://www.astatix.com with Site Inspector.

Here is a result:
http://siteinspector.comodo.com/public/reports/14623926
For this URL I see the result:
Suspicious Activity: Suspicious

After clicking on “View Details” I see:
Suspicious URL behaviour was detected
Suspicious Network Connections. Found by Honey Client.

I am sure that it is 100% false positive detection.
Can you explain what is “Suspicious Network Connections”?

Hello, Astatix!
You were detected by our engine because you have a link to a file that is potentially dangerous: VirusTotal

Thank you for your reply, but I think that it is not the real reason. Now I see the next results:

Blacklist Checking: Safe
Phishing: Safe
Malicious Activity: Safe
Malware Downloads: Safe
Suspicious Activity: Suspicious

You are speaking about an executable file, but the checked index page has no links to this file!

Also I see the reason of detection:
Suspicious URL behaviour was detected
Suspicious Network Connections. Found by Honey Client.

What is “Suspicious Network Connections”?

About worms.exe: it is a screensaver, Funny Worms, developed by us many years ago. It is about 100kb in size, but it is not a virus, it is a screen saver for Windows written in WinAPI. It is detected only by several non-major anti-viruses. We contacted many anti-virus developers about this file and they removed it from their databases.
Here is a description of this Funny Worms screen saver: Funny Worms screen saver download. Free download screen-saver.
Also it listed on hundreds of websites, for example at download.com:
Funny Worms - Free download and software reviews - CNET Download

Also this screensaver has no access to Internet, so it can’t be a reason for “Suspicious Network Connections”.

We have inspected the downloaded file and made sure it is safe.
Link to the latest report here: http://siteinspector.comodo.com/public/reports/14651092?cache=true
‘Suspicious Network Connections’ alert means that the site had connections with suspicious sites with any content.