It is well known that Comodo Antivirus reacts to files with dual extensions if heuristics are enabled. But it appears that this check can be easily circumvented. There are two similar executable files with double extensions in the attachments (MD5: 5DCFFE0ECCE2018316A79BAC90CCBA4C), but the antivirus passes one of them (test2).
P.S. This is not malware, just a test that I wrote myself to illustrate the bug. You may unzip and run them. They will run in the sandbox. UPD: I made a bug report for this issue here.
The dual extension heuristic can be circumvented by adding a space between the two extensions, as running the file will show. It will open a command box and it will show:
This is test!!!
Heuristic of Comodo AntiVirus
don’t recognaize dual extension
if space is used between extensions
press any key…
Press any key to continue . . .
CIS will see dual extension when it looks like filename.txt.exe but not when it looks like filename.txt .exe.
Edit: added not after but. Now it says what I intended.
Reporting of bugs is strictly moderated to make sure Comodo gets clear bug reports. So, please make sure you closely follow protocol. That way your report will be seen by Comodo staff.
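The gap described above (filename.txt.exe is flagged, filename.txt .exe is not), as an added example that is not part of the original posts and is not Comodo's code: a check that compares the raw name components next to one that trims whitespace from each component first. The extension lists, sample names and function names are assumptions made for illustration.

```python
# Added example: hypothetical helpers and constructed file names, not Comodo's logic.
EXECUTABLE = {"exe", "scr", "com", "bat", "cmd", "pif"}  # assumed list
DECOY = {"txt", "doc", "pdf", "jpg", "png", "zip"}       # assumed list


def naive_dual_extension(name):
    """Flag name.<decoy>.<executable> by comparing the raw components."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE and parts[-2] in DECOY


def hardened_dual_extension(name):
    """Same rule, but trim whitespace around every component before comparing."""
    parts = [p.strip() for p in name.lower().split(".")]
    parts = [p for p in parts if p]  # ignore components that were only whitespace
    return len(parts) >= 3 and parts[-1] in EXECUTABLE and parts[-2] in DECOY


def compare(names):
    """Return (name, naive verdict, hardened verdict) for each file name."""
    return [(n, naive_dual_extension(n), hardened_dual_extension(n)) for n in names]


# Constructed sample names: the two patterns from the thread plus two controls.
SAMPLES = [
    "filename.txt.exe",    # pattern the thread says is detected
    "filename.txt .exe",   # pattern the thread says is missed
    "setup.exe",           # single extension, should never be flagged
    "some prog.tmp.exe",   # updater-style name; "tmp" is not in the assumed decoy list
]

if __name__ == "__main__":
    for name, naive, hardened in compare(SAMPLES):
        print(f"{name!r:24} naive={naive!s:5} hardened={hardened}")
```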
A better question is “What’s the point of the dual extension check?”
I have a few programs that update by replacing some prog.exe with some prog.tmp.exe (renaming in the process) (I believe that uTorrent is one, if I remember).
The result of this is that the dual extension heuristic is responsible for at least half of the false positives on my machine. I cannot really white-list that file because it’s in some random folder in %temp%, and probably the hash of the file would be very different from one to the other.
NOW IF the dual extension heuristic would apply only to files one was trying to EXECUTE.
I.e.: be aware this is not a txt file, but a .exe: do you still want to execute?
Then I’d find the feature useful.