File Detected By Viruscope Is Not Quarantined Correctly [M1259]

1. The full product and its version:
COMODO Internet Security 8.0.332922.4281 BETA
2. Your Operating System (32 or 64 bit) and Service Pack revision, and if using a virtual machine, which one:
virtual machine : virtualbox 4.3.6 r91406
I have seen this on both windows 8.1 x32 fully updated and windows 7 x32
3. List all the configuration changes you did. Are you using Default configuration? If no, what's the difference?:
Default configuration
4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:
Clean install
5. Other Security, Sandboxing or Utility Software Installed:
No
6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step:

1. Take an unknown application and run it.
2. It will be sandboxed, detected by Viruscope, and quarantined.
3. However, note that although a file has been quarantined, the original is still sitting in the original location, although it is no longer running.
4. Next open quarantine, locate the detected application, and delete the application from the quarantine.
5. Next choose Reset Sandbox.
6. Then once again run the unknown application.
7. This time the application is terminated just after it starts. There is no Viruscope popup, or any detection warning at all. It just isn't allowed to run.

7. What actually happened when you carried out these steps:
Viruscope does not correctly quarantine this file. Also, after trying to run it again, it is not allowed to run, is not quarantined, and there is no popup.
8. What you expected to see or happen when you carried out these steps, and why (if not obvious):
Viruscope should be able to properly quarantine detected files. Also, if a detected file is rerun the file should be detected and quarantined yet again.
9. Any other information:
A video which demonstrates this issue on Windows 7 can be seen here:

Let me see if I am correctly understanding this. Please let me know if the following steps are correct.

  1. Take an unknown application and run it.
  2. It will be sandboxed, detected by Viruscope, and quarantined.
  3. Next open quarantine, locate the detected application, and delete the application from the quarantine.
  4. Next choose Reset Sandbox.
  5. Then once again run the unknown application.
  6. This time the application is terminated just after it starts. There is no Viruscope popup, or any detection warning at all. It just isn’t allowed to run.

Are the above steps correct?

Thanks.

Exactly. Well, it was detected by Viruscope; if I opened the quarantine I found the application exists there, but it does not actually move the application to the quarantine.
Maybe these are two bugs in Viruscope.

Do you mean that Viruscope would detect the application and say that it had quarantined it, but that the application still exists on the real computer? Therefore, it only quarantined a copy, while leaving the original behind?

Exactly

Thank you. I have edited the title and the first post. Please let me know if everything is correct. Also, I downloaded the sample, and will attach it to the tracker when I submit it. For future reference, please do not include links to pages which contain download links to malware. It’s safer if you just send it to me in a PM, although I do have this one.

Thanks.

Thanks for modifying the topic; everything looks correct. And I'm sorry for putting a link to a sample in the topic.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

The devs have responded that this is apparently intended behavior. Below is the explanation they provided.

This is behavior by design because:

  1. After launching the malware it opens explorer.exe. explorer.exe then creates some registry keys and deletes the malware itself. If you click on the 'Clean' button on the Viruscope alert, Viruscope reverts all activities, but cannot move the malware to Quarantine because the malware was already deleted via explorer.exe.
  2. The malware that is launched in the Sandbox via right-click is launched in virtual mode, and it was moved to Quarantine because the real malware file is present on the PC, but in the virtual machine the malware file is deleted by the virtual explorer.exe.

I will therefore move this bug report to Resolved. Please let me know if you have any questions.

Thank you.
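The developers' explanation above describes a quarantine step that can fail in two ways: the detected file may already have been deleted by a helper process before the clean action runs, and a quarantine that only copies would leave the original behind. The following is an added example, not CIS or Viruscope code and not from anyone in this thread, showing how a quarantine routine can make both cases explicit: it moves (never copies) the file, verifies the source path is empty afterwards, and reports "already_deleted" instead of claiming success when the file has vanished. All file names, the log format and the `quarantine`/`demo` functions are hypothetical, and the sample file is constructed inline.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def quarantine(path, quarantine_dir):
    """Move `path` into `quarantine_dir`, named by its SHA-256, and log the outcome.

    Returns a dict whose "status" is one of:
      "quarantined"     - file moved, original location verified empty
      "already_deleted" - file vanished before (or while) it was being moved
    Hypothetical routine written for this thread; not the product's code.
    """
    src = Path(path)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    log = qdir / "quarantine.jsonl"  # constructed log format

    def record(**fields):
        entry = {"path": str(src), **fields}
        with log.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        return entry

    # Hash first so the entry stays identifiable even after the user removes
    # the item from quarantine (step 3 of the report above).
    try:
        digest = hashlib.sha256(src.read_bytes()).hexdigest()
    except FileNotFoundError:
        # The developers' case: another process deleted the file before the
        # clean step ran. Say so rather than reporting a quarantine that
        # never happened.
        return record(status="already_deleted")

    dest = qdir / digest
    try:
        # Move, never copy: a copy-based quarantine leaves the original in place.
        shutil.move(str(src), str(dest))
    except FileNotFoundError:
        # Race: the file vanished between hashing and moving.
        return record(status="already_deleted", sha256=digest)

    if src.exists():
        # A "success" while the original still exists is exactly the first
        # symptom described in this report, so treat it as an error.
        raise RuntimeError(f"{src} still present after quarantine")
    return record(status="quarantined", sha256=digest, quarantine_file=str(dest))


def demo():
    """Construct a sample file, quarantine it, then retry on a path that has
    already been deleted. Returns the two statuses."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "unknown_app.exe"  # constructed, harmless bytes
        sample.write_bytes(b"MZ constructed sample, not an executable")
        qdir = Path(tmp) / "quarantine"
        first = quarantine(sample, qdir)
        # Simulate a helper process deleting the file before the clean step.
        sample.write_bytes(b"MZ constructed sample, not an executable")
        sample.unlink()
        second = quarantine(sample, qdir)
        return first["status"], second["status"]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `("quarantined", "already_deleted")`. The point of the two statuses is that a detection pipeline downstream (alerting, a "file was quarantined" message to the user) can tell a real quarantine from a file that was gone before the clean action, which is the distinction the report and the developers' reply are arguing over.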

I still think that there is a problem in Viruscope. I was watching YouTube and found a video explaining the same issue in a better way.
After running the sample the first time, it is placed in the virtual sandbox and the sample is deleted from the desktop. After running it again, Viruscope is not working and the sample was run for a moment in time.

I think that the developers may have misunderstood the issue.

Okay, I just watched the video, so let me see if I now correctly understand the issue.

  1. Have CIS in default configuration.
  2. Download a malware which is not detected by signatures or heuristics, but will be detected by Viruscope.
  3. Run that file. A Viruscope alert will pop up, from which you should select Clean. The file will be correctly quarantined.
  4. Then download that same malware again and run it.
  5. This time it will not be identified by Viruscope, although it will still be correctly run Fully Virtualized.

The main problem I see is that Viruscope did not correctly flag the malware file again after it was redownloaded after the first detection. It seems to me that the malware was able to perform whatever actions it wanted. Isn't that what he showed when he looked at the actions taken by it? Thus, I believe that may have just been a malware which performs the actions it wants quickly and then kills its own process. Is there a reason you believe that to not be true?

Thanks.

Yes, that’s exactly what I’m talking about :-TU

Thank you. In that case I think it’s best if you create a new bug report for this. Sadly, this issue is somewhat different than the one I originally forwarded. Thus, in order to avoid any further misunderstandings, I think it’s best to create a new topic for this.

In the new bug report please copy in the steps I posted above. Also, if you can locate a new malware file which shows this same behavior, please send me a download link to it so I can include it with the new bug report.

Thank you.