How to cheat heuristics

It is well known that Comodo Antivirus reacts to files with dual extensions if heuristics is enabled. But it appears that this check can be easily circumvented. There are two similar executable files with double extensions in the attachments (MD5: 5DCFFE0ECCE2018316A79BAC90CCBA4C), but the antivirus passes one of them (test2).
P.S. This is not malware, just a test that I wrote myself to illustrate the bug. You may unzip and run them. They will run in the sandbox.
UPD: I made a bug report for this issue here.

[attachment deleted by admin]

The dual extension heuristic can be circumvented by adding a space between the two extensions, as running the file will show. It will open a command box and it will show:

This is test!!!
Heuristic of Comodo AntiVirus
don’t recognaize dual extension
if space is used between extensions
press any key…
Press any key to continue . . .
CIS will see dual extension when it looks like filename.txt.exe but not when it looks like filename.txt .exe.

Edit: added not after but. Now it says what I intended.

But this is a dual extension too, which is more difficult to see if there are many spaces.

[attachment deleted by admin]

That’s what I was saying. Spaces cause it to overlook the dual extension.

Could the developers fix this?

I think this is worth a bug report in the Bug Reports - CIS board following the format as described in FORMAT & GUIDE - just COPY/PASTE it!.

Reporting of bugs is strictly moderated to make sure Comodo gets clear bug reports. So, please make sure you closely follow protocol. That way your report will be seen by Comodo staff.

What’s the point of a dual extension check if you don’t include a check for a whitespace sequence as well?!

Asking the question is answering it here, I suppose.

A better question is “What’s the point of a dual extension check?”

I have a few programs that update by replacing some prog.exe with some prog.tmp.exe (renaming in the process). (I believe that utorrent is one, if I remember.)

The result of this is that the dual extension heuristic is responsible for at least half of the false positives on my machine. I cannot really white-list that file because it’s in some random folder in %temp%, and probably the hash of the file would be very different from one to another.

NOW IF the dual extension heuristic would apply only to files one was trying to EXECUTE.
I.e.: be aware this is not a txt file, but a .exe: do you still want to execute?
Then I’d find the feature useful.

The point is that malware can use the dual extension to hide the fact that it’s an executable…
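
Added example (not written by any poster in this thread, and not Comodo's code): a filename check that strips whitespace from each dot-separated part before testing for a dual extension, so filename.txt .exe is treated the same as filename.txt.exe. The extension lists, the function names and the "naive" pattern standing in for the behaviour described above are assumptions made for illustration.

```python
import re

# Assumed extension lists for illustration only; tune for a real deployment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif"}
DECOY_EXTS = {"txt", "doc", "docx", "pdf", "xls", "xlsx", "jpg", "png"}

# Stand-in for the behaviour described in the thread: a plain pattern match
# that expects the two extensions to be directly adjacent.
_NAIVE = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|com|bat|cmd|pif)$", re.IGNORECASE)


def naive_dual_extension(filename):
    """Return True only when ".xxx.exe" appears with nothing in between."""
    return _NAIVE.search(filename) is not None


def split_extensions(filename):
    """Split on dots and strip whitespace from every part.

    "filename.txt   .exe" -> ("filename", ["txt", "exe"])
    Empty parts (from "a.txt. .exe" or a trailing dot) are dropped.
    """
    parts = [p.strip().lower() for p in filename.split(".")]
    return parts[0], [p for p in parts[1:] if p]


def normalized_dual_extension(filename):
    """Flag only <decoy>.<executable> pairs, ignoring padding whitespace."""
    _, exts = split_extensions(filename)
    return (
        len(exts) >= 2
        and exts[-1] in EXECUTABLE_EXTS
        and exts[-2] in DECOY_EXTS
    )


if __name__ == "__main__":
    # Constructed sample names, based on the ones quoted in the thread.
    samples = ["filename.txt.exe", "filename.txt .exe",
               "filename.txt          .exe", "prog.tmp.exe", "setup.exe"]
    for name in samples:
        print(f"{name!r:30} naive={naive_dual_extension(name)!s:5} "
              f"normalized={normalized_dual_extension(name)}")
```

With these assumed lists, prog.tmp.exe is flagged by the naive pattern but not by the normalized check, because .tmp is not treated as a decoy document extension.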