Full cloud support for CIS or "lightly" AV scans also for trusted files

1. What actually happened or you saw:

2. What you wanted to happen or see :

Either the implementation of full cloud support or the implementation of “lightly” (based on file hash) AV scans also for trustworthy files for CIS!!! (I am aware of the danger of false-positive alarms) :wink:

3. Why you think it is desirable:

In my eyes, without a different solution for this kind of special “tricky” malware, users are not protected as well as would actually be possible. Even if such a file is classified as harmful, if the TVL is activated then you will never have a detection.

4. Any other information :
NO :wink:

Can you scan that file with CIS to see if it is being detected? If it is detected, then the scanning of trusted files based on hash is already implemented.

My prediction is that Comodo trusts all files from a vendor, BUT they can still add detection for any file (even if the file is in the TVL) by either blacklisting a hash through cloud lookup or adding some sort of exception within the signature bases.

I think CIS also checks the file hashes even for trusted vendors for the file rating to work properly. From my understanding the file rating also serves as a cache, so file hashes play a role.

Scanning trusted files with the full database would require a significant amount of resources and it has high risk of FP’s, in exchange for a very minor protection increase, in my opinion it is not worth it and it would be better just to create a system where there are exceptions.

I see guys, you have changed your VT classification from MALICIOUS to CLEAN!!! :smiley: So ok … !!! Especially for this file the problem is obsolete … !!! :wink:

Believe me (tested many times) … if you have a malicious file (also with positive signature detection) that has a valid digital certificate and the vendor is also classified as trusted, then you have absolutely NO detection for this file when TVL is ON.

I had a discussion with “Fatih” and “Futuretech” about that problem:

yousername … if you like, I can send you such a sample and you can test it for yourself?! But now I have to find such a new one because Comodo changed their analysis verdict! :wink: Luckily, this type of file is quite rare!

Greetz … !!! :wink:

If so, this problem can be solved by simply tweaking the File Rating mechanism for it to detect any blacklisted hash as malware even if it is a trusted vendor, and adding an exception system within the scanning engine.

This particular case is really trivial, an application that bundles Google really isn’t malicious at all and is at best a minor annoyance. For PUP’s it is very subjective when there is no actual malicious or dangerous behavior. In this case ESET interpreted this file as a PUP, and Comodo doesn’t need to listen to their interpretation.

For the more extreme cases where a trusted vendor has software which is truly malicious and is more than just some random PUP, Comodo can simply remove the vendor from the TVL. Now there is the even more extreme case of a stolen certificate, but that is extremely rare and no practical setup would stop it. If there were a zero-day malware that came from a trusted vendor, in most cases signatures would still be bypassed anyways until Comodo can add a detection, so a light scan for trusted files won’t be of much value.

EDIT: and yes if you encounter a file which is in the TVL but is technically supposed to be detected then feel free to send me the file. This would hopefully answer the question you asked

In this case I didn't analyze that file personally and I don't know if they listen to the interpretation from ESET, but first Comodo analyzed and classified this file as Application.Win32.Toolbar.~GOOGLE!!! As the TVL was deactivated, CAV also detected it and put it into quarantine! But some minutes ago, they changed it to CLEAN!!! I have screenshots!!! >:-D

I will do that … !!! But first I have to find such a new one, because Comodo changed their analysis verdict! :wink: But as you said, luckily this type of file is quite rare!

Yes I am aware that they removed the detection. They might have listened at first, but decided it was not necessary.
Random PUP’s or toolbars shouldn’t be a concern if you pay attention during the install process, can also use Unchecky https://unchecky.com/ to do that for you.

I will continue the discussion after getting some sleep. Based on your tests TVL completely suppresses signature detections, because you had to disable TVL to get a detection. I would like to see that myself.

I may be able to replicate this by finding a PUP with a digital signature which is detected by Comodo. I will turn off AV scanning. Then, I will add the vendor of the PUP to the TVL manually. Then I will re-enable the AV scanning to see what happens.

In principle I agree with you! For me that's not a serious problem! :wink: It's my passion to analyse files!!! :a0 But for inexperienced users who don't know where and how to check files, this rare scenario can become a serious problem!!!

I keep looking for such files!!! And YES, do that and please report your results!!! :-TU I need some sleep too!!! :a0 Too much file code in my head! ;D

For a better and deeper explanation, if you want, please take a look at this older post from me:

[i]"In the last days I did a couple of runs with CLT to reach the full score. Oddly, CLT was recognized as malware yesterday. Next I ran CLT in Safe Mode with Auto-Containment OFF. CIS gives out a useless FP malware warning so I decided to click “Ignore”. I click on “Ignore”, pop-up again, again, again … ! No chance … ! “Interposed question”: WHY? :smiley: I knew this is a false positive so I decided to click on “Ignore and send as False Positive”. CIS classified the file as “Trusted” and created some rules. These rules are not useful for CLT, so I deleted the HIPS, Firewall and trusted file entries. Then I started CLT. Although all the rules were deleted now, CIS said nothing! Hmm … I checked all rules again. HIPS clean, Firewall clean, file list … :o Oh, the rule was present again! Another interposed question: WHY? :wink: But the show must go on … ! I deleted the file rating rule again! Another run with CLT was started … No pop-ups, no access requests, nothing! All tests were done silently and some were passed, others failed! Back to the file rating section. Oh NOOO, the rule is back! :frowning: Now I classified the file manually as unknown! CLT was started and BINGO, for each permission request a warning pops up and all tests were passed.

So far so good … !!! So where is the problem? The problem (the bug) is: if a user classified a file as “trusted”, it is not enough to remove the rule to delete the classification. A user must set the file manually as “Unknown” to accomplish this. If you don't do this, the “trusted” rule comes back every time the file is executed.

Another maybe CRITICAL scenario:

A “typical” inexperienced user wants to run an unknown but digitally signed, malicious file. The file was not detected by CIS-AV and was theoretically able to bypass Auto-Containment and theoretically uses all the techniques simulated by CLT. Maybe the user is one of those people for whom a sandbox remains an eternal mystery, or he decides that the sandbox is not necessary, because CIS has not recognized anything. So he classifies the file as trusted and executes the file. AV is the first loser, sandbox was bypassed, not used, or Valkyrie fails. Now HIPS should come into the game. But what happens now? We remember the scenario from above: the file was trusted, so the malicious file runs without asking for access permission and causes damage in the background. And because it's trusted, the user receives NO information about what happened.

If HIPS is the third line of defense, I think it is not a good idea to suppress all warnings just because the file was classified as “trusted”. Even if all other mechanisms of detection fail, specific HIPS behaviors should always be reported. So the user has a last chance to recognize that some things go wrong … !!!"

[/i]

Here is a quote from the Comodo help page regarding the HIPS (File Rating Configuration, Virus Protection, Internet Protection | CIS Help | COMODO): “Trusted files are excluded from monitoring by HIPS - reducing hardware and software resource consumption.” It does more than just suppress the warnings for trusted files, it ignores it from monitoring completely. So the bug that you are describing is intended behavior.

In my opinion the scenario that you described is not critical. The user is hampering the core protection of Comodo, it is not Comodo’s fault if the user gets infected - this goes for any security software in my opinion. If the user doesn’t use a core component of a security software and also makes the security software ignore a file by excluding it, granting it trusted status, ignoring AV warnings, etc, the problem is the user not the security product. It is not the responsibility of any security product to protect when the user tells the product to not protect.

In Paranoid mode HIPS will monitor everything, but that would be too difficult for average user to use. But anyways such a scenario is not critical in my opinion. For home users, a worst case scenario would be some adware which is trusted by the TVL; true dangerous malware needs a trusted vendor to bypass Comodo or Comodo to whitelist a malware and those are not common enough to justify the performance impact and alerts you would get from the HIPS monitoring everything - HIPS is a nightmare for average users.

Hi Yousername,

first I have a little present for you! >:-D As you can see, unfortunately not so rare as we wish … ! I have sent you two download links. Two PUAs, digitally signed (from Comodo), vendor is trusted and the files have a positive signature detection from CAV (if TVL is OFF).

Have fun … !!! :smiley:

Secondly, maybe my English is not the best, but I think you misunderstood me a bit?! 88)

So … I quote you, I think this is best … ! :wink:

Right!!! What I called a “bug” was more related to the creation of rules, respectively the problems of removing them again. The second part of my quoted repost was more related to my poll and to this topic.

The user would have no reason to run the file in the sandbox because the file is digitally signed and CAV has also detected nothing! Exactly that is the problem!!! The user doesn't have to ignore anything for CIS to find nothing at all!!! A file must just be classified as trusted! And even if an analyst changes the file rating to malicious, if TVL is ON you will NEVER have a positive detection. Only if we have fully cloud-implemented scans also for CIS (maybe it's problematic for the CCAV portfolio), [i][b]the user has a chance to discover and remove such a file.[/b][/i] As you said, the TVL is useful to save resources. [i][b]But in the first line the TVL is a security feature![/b][/i] In my opinion it must not be that an active TVL, in connection with a certain kind of malware, can represent a potential security risk. If the TVL is OFF, CIS has to check all files with all its security components. And all this works well with NO hardware resource problems - technically it is the same thing. Therefore, I can't really understand why it's necessary to disable all protection components for files that have been classified as trustworthy. For a “bad boy”, it would be a good starting point to try to bring such a file onto a system that is protected by software from Comodo.

The Paranoid mode is not necessary for my requirements. But HIPS in Safe Mode must be safe against all types of malware! I could never understand why some people have problems with HIPS! I like the HIPS! But the CIA hates it, and if I try to hack myself I hate it too! :wink:

Best Regards !!!

Just tested the files you sent against both Comodo Firewall and CIS: Here are the results
I manually ran the files in the sandbox + block internet connection just to be safe:

Comodo Firewall File 1 (Cloud lookup on): File is trusted due to TVL. Did not try removing vendor however.

Comodo Firewall File 2 (CL on): File is unrecognized, not found in the TVL.

CIS File 1: (File is trusted due to TVL).

CIS File 1: (removed file from TVL, removed file list to reset file ratings, and disabled cloud lookup so Comodo doesn’t use the cloud TVL): file is immediately detected by the local AV

CIS File 2: (File is trusted due to TVL, for some reason CIS had that vendor in the TVL but CF didn’t).

CIS File 2: (Cloud lookup off again, reset file ratings, remove vendor from TVL) file is detected in a right click scan.

So the TVL does affect detection. So what you are saying is that you want Comodo to scan all files in the cloud so there is no performance impact. That is an interesting proposal but I feel that there are better alternatives.

I think that whenever you find a PUP which is in trusted vendors (should be more serious or aggressive PUP like fake antivirus which are detected by mainstream signatures like AVAST/AVG, Bitdefender, Emsisoft, Kaspersky, etc., not a PUP which is only detected by companies which are very aggressive against PUP’s like Malwarebytes, ESET, Dr. Web), you should request for Comodo to remove the vendor from the TVL. I have seen Comodo remove vendors like Auslogics from the TVL before. For PUP’s I feel that removing the vendor from the TVL is a better and more elegant solution, or add a graylisted/blacklisted vendors (I know that Valkyrie has this implemented, hopefully CCAV and CIS can also have this feature implemented).

In the end I voted no for the cloud scan because:

  1. More elegant solution is to remove the vendor from TVL/ add graylisted vendors feature/add a system where there are exceptions to certain vendors. For example, an exception system can be to add a reputation system where high reputation vendors are not scanned while low reputation vendors are scanned, for example scanning graylisted vendors for infection. Or scanning vendors which are not commonly seen/have a low reputation for infection, for example Auslogics should have a low reputation because they can have some PUP’s, while Microsoft should have high reputation and not be scanned for infection.
  2. Signatures won’t save a user against most zero-day malware which is trusted anyways - even the best signatures and heuristics can only detect a few zero-day malware.
  3. This issue is mostly only affecting PUP’s which are not very dangerous - can be deselected during install or ignored with proper browsing habits, and they can be easily removed if not paying attention. Scanning all files in the cloud can use lots of network resources too.

EDIT: posted attachments

Hi Yousername,

please excuse my late reply, but in the last few days I was very busy. Thank you for posting your results and also for the screenshots!!! :-TU

I think your idea with the rating system is quite interesting but not practicable for all types of malicious files. If you have a malicious file with a stolen valid certificate from a trusted vendor (a good one indeed) and Comodo removes the TVL entry for this vendor, then ALL other harmless applications from this manufacturer would also be affected. For example related to detection and classification in Valkyrie and, based on your idea, also for CAV detection.

But with the general deactivation of all protective components for trusted files, the user NEVER has a chance to find such a file. This is a safety gap that must be closed!!! But I don’t know which is the best and most resource-saving method to solve this problem. I hope someone from Comodo thinks about that … ?!

I would like to say some words about PUAs!!! According to my analysis experience, the boundary between a PUA and a “real” harmful type of malware is fluid. For example, some PUAs have spying behavior, change your browser respectively your security certificate settings, or they update themselves to a newer version with new destructive capabilities. So never underestimate a PUA!!!

Best Regards !!!

Remember that such instances of stolen certificates are very very rare and hard to perform. The only solution which doesn’t use too many resources for this is by tweaking the cloud lookup to block any blacklisted hash, even if the vendor is trusted. If the malware has a stolen certificate which is trusted in the first place, then it is probably a very very high level targeted attack which 99.9% of users would miss anyways. If a government or any high level agency wants to attack you, don’t expect a home product at default HIPS settings to protect you (or any product for that matter). Keep in mind I am not criticizing Comodo in this regard, I am just stating that nothing is bulletproof.

In terms of deactivating security components for trusted files, I really don’t think there is anything that Comodo can do about that for the default levels. For default settings, there needs to be a balance between usability and protection. I think Comodo allowing the user to choose a paranoid setup is pretty much as much as they can do reasonably, for now at least.

Regarding PUA’s, I am aware of some PUA’s being more nasty than others. In that case, if there is a trusted vendor which does spying behavior or other malware like behaviors like blocking security programs, in my opinion there is no reason to continue trusting that vendor regardless of whether their other products are clean or not. Implementing the graylisted vendors feature from Valkyrie would be a good idea also to inform that the publisher is known to deliver content which is not clean, and also give the user a chance to decide what to do with a graylisted vendor’s file.

And keep up the great work in finding PUA’s, especially those that are trusted! :-TU

An exception list that overrides TVL could be a good option. Scanning every file that is in TVL against all malware signatures could still be overkill from a performance point of view.

We will be analyzing further…

:-TU :-TU :-TU

Yeah umesh, thank you for thinking about that! A promising idea … !!! Please make it real for us!!! 88)

EDIT: umesh, I have a question. When TVL is OFF, CIS has to check EVERY file against the malware signature database. So far, right? So please tell me, why could this be a performance overkill if TVL is ON? Technically it would be the same, or not? In both cases every file must be checked against the signature database.

Thank you !!!

Hi,

Correct.

TVL is enabled by default, so any user who disables it will be the only user who would see the performance impact. So if, as one of the options you propose, the user sees the actual non-TVL rating of a file even when TVL is enabled, it will end up putting performance overhead on all users.

But if we decide to create a server side blacklist of hashes, it will be small and scanning through that for a given file will be very quick.

Thanks
-umesh
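The two rating policies the thread compares (the reported behaviour where a TVL hit skips the AV scan entirely, and the proposed small server-side hash blacklist plus graylisted vendors from the earlier posts) as an added Python model. This is example code written for this page, not Comodo's code and not from any post here; the `Sample`, `Engine` and rating functions, the vendor names and the file bytes are all constructed stand-ins, and the hash-keyed `SIGNATURE_DB` is a toy for a real signature base.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Sample:
    """A file as a rating engine sees it: its bytes and the vendor named in its signature."""
    name: str
    content: bytes
    signer: Optional[str]  # vendor from a valid digital signature; None if unsigned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples: the bytes are placeholders standing in for real binaries.
PUA = Sample("toolbar_setup.exe", b"constructed installer bundling a toolbar", "Example Vendor Ltd")
CLEAN = Sample("editor.exe", b"constructed clean editor", "Example Big Vendor Inc")
GRAY = Sample("optimizer.exe", b"constructed optimizer with adware", "Example Gray Co")
UNSIGNED = Sample("dropper.exe", b"constructed unsigned dropper", None)

# Full local signature base (toy stand-in for the CAV database): hash -> detection name.
SIGNATURE_DB: Dict[str, str] = {
    sha256_hex(PUA.content): "Application.Win32.Toolbar.~GOOGLE",
    sha256_hex(GRAY.content): "Application.Win32.Adware.Constructed",
    sha256_hex(UNSIGNED.content): "TrojWare.Win32.Constructed",
}
# Trusted vendor list: a valid signature from one of these rates the file Trusted.
TVL: Set[str] = {"Example Vendor Ltd", "Example Big Vendor Inc", "Example Gray Co"}
# Proposed additions (hypothetical): graylisted vendors that stay scanned, and a
# small server-side hash blacklist that overrides vendor trust.
GRAYLIST: Set[str] = {"Example Gray Co"}
CLOUD_BLACKLIST: Set[str] = {sha256_hex(PUA.content)}


class Engine:
    """Counts full signature scans so the performance argument can be checked."""

    def __init__(self) -> None:
        self.full_scans = 0

    def signature_scan(self, sample: Sample) -> Optional[str]:
        self.full_scans += 1
        return SIGNATURE_DB.get(sha256_hex(sample.content))


def rate_current(engine: Engine, sample: Sample, tvl_on: bool = True) -> str:
    """Behaviour reported in the thread: a TVL hit short-circuits the AV scan."""
    if tvl_on and sample.signer in TVL:
        return "Trusted"
    return "Malicious" if engine.signature_scan(sample) else "Unrecognized"


def rate_proposed(engine: Engine, sample: Sample, tvl_on: bool = True) -> str:
    """Proposed order: cloud blacklist first, then trust, with graylisted vendors still scanned."""
    if sha256_hex(sample.content) in CLOUD_BLACKLIST:
        return "Malicious"  # one set lookup; overrides even a trusted signer
    if tvl_on and sample.signer in TVL and sample.signer not in GRAYLIST:
        return "Trusted"  # no full scan, so the TVL keeps its resource saving
    return "Malicious" if engine.signature_scan(sample) else "Unrecognized"


def compare(sample: Sample, tvl_on: bool = True) -> Dict[str, object]:
    """Return both verdicts and how many full scans each policy needed."""
    cur, prop = Engine(), Engine()
    return {
        "current": rate_current(cur, sample, tvl_on),
        "current_scans": cur.full_scans,
        "proposed": rate_proposed(prop, sample, tvl_on),
        "proposed_scans": prop.full_scans,
    }


if __name__ == "__main__":
    for s in (PUA, CLEAN, GRAY, UNSIGNED):
        print(s.name, "TVL on:", compare(s))
        print(s.name, "TVL off:", compare(s, tvl_on=False))
```

Running it shows the point of the thread in numbers: with TVL on, the current policy rates the signed PUA Trusted without ever consulting the signature base, while the proposed policy flags it from a single blacklist lookup and still performs zero full scans for files from trusted, non-graylisted vendors. Only the graylisted vendor's file costs a full scan, which is the trade-off umesh describes between a small server-side blacklist and scanning every trusted file.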

That would be what I would prefer! And thank you for your fast reply!!! :-TU :wink:

Thank you for submitting this Wish Request. I have now moved this to the WAITING AREA.

Please be sure to vote for your own wish, and for any other wishes you also support. It is also worthwhile to vote against wishes you think would be a waste of resources, as implementing those may slow down the wishes you would really like to see added.

Thanks again.

@Futuretech, I thank you too!!! :-TU :wink: