In principle I agree with you! For me that's not a serious problem! It's my passion to analyse files!!! :a0 But for inexperienced users who don't know where and how to check files, this rare scenario can become a serious problem!!!
I keep looking for such files!!! And YES, do that and please report your results!!! :-TU I need some sleep too!!! :a0 Too much file code in my head! ;D
For a better and deeper explanation, if you want, please take a look at this older post of mine:
[i]"In the last days I did a couple of runs with CLT to reach the full score. Oddly, CLT was recognized as malware yesterday. Next I ran CLT in Safe Mode with Auto-Containment OFF. CIS gives out a useless FP malware warning, so I decided to click “Ignore”. I clicked on “Ignore”, pop-up again, again, again…! No chance…! “Interposed question”: WHY? I knew this was a false positive, so I decided to click on “Ignore and send as False Positive”. CIS classified the file as “Trusted” and created some rules. These rules are not useful for CLT, so I deleted the HIPS, Firewall and Trusted File entries. Then I started CLT. Although all the rules were deleted now, CIS said nothing! Hmm… I checked all rules again. HIPS clean, Firewall clean, File List… :o Oh, the rule was present again! Another interposed question: WHY? But the show must go on…! I deleted the File Rating rule again! Another run with CLT was started… No pop-ups, no access requests, nothing! All tests were done silently and some were passed, others failed! Back to the File Rating section. Oh NOOO, the rule is back! Now I classified the file manually as Unknown! CLT was started and BINGO, for each permission request a warning pops up and all tests were passed.
So far so good…!!! So where is the problem? The problem (the bug) is: if a user classified a file as “Trusted”, it is not enough to remove the rule to delete the classification. A user must set the file manually as “Unknown” to accomplish this. If you don't do this, the “Trusted” rule comes back every time the file is executed.
Another maybe CRITICAL scenario:
A “typical” inexperienced user wants to run an unknown but digitally signed, malicious file. The file was not detected by CIS AV and was theoretically able to bypass Auto-Containment and theoretically uses all the techniques simulated by CLT. Maybe the user is one of those people for whom a sandbox remains an eternal mystery, or he decides that the sandbox is not necessary, because CIS has not recognized anything. So he classifies the file as trusted and executes the file. AV is the first loser, the sandbox was bypassed, not used, or Valkyrie fails. Now HIPS should come into the game. But what happens now? We remember the scenario from above: the file was trusted, so the malicious file runs without asking for access permission and causes damage in the background. And because it's trusted, the user receives NO information about what happened.
If HIPS is the third line of defense, I think it is not a good idea to suppress all warnings just because the file was classified as “Trusted”. Even if all other mechanisms of detection fail, specific HIPS behaviors should always be reported. So the user has a last chance to recognize that something is going wrong…!!!"
[/i]