Is CIMA reliable?

I want to ask a question that troubles me since I installed CIS 5.0 beta.

Since CIMA is the basis of the cloud behavior blocking in CIS 5.0, can we trust it? CIMA should execute files in the virtual environment, and technically it should have 99.9% detection of malicious files because it sees how the cloaked file behaves in a real machine. So how could it not detect this file?

http://www.virustotal.com/file-scan/report.html?id=41c85ca55c212b87d22faada78d89d55fdf905bcdc85147fed6e4df6f4588c16-1283887157

http://camas.comodo.com/cgi-bin/submit?file=41c85ca55c212b87d22faada78d89d55fdf905bcdc85147fed6e4df6f4588c16

I am in doubt that 38/43 VirusTotal engines flagged it and it was a false positive.

Your concern is with detection, where, given the nature of prevention, it should be with the prevention capabilities of CIS v5. All unknown files will run sandboxed until found safe. If CIMA misses malware, the malware will still run sandboxed.

Remember, it is never CIMA that deems a file safe. That is done by analysts.

So, even if CIMA is totally messing up, it will never say anything is safe. Unknown files will keep on running in the sandbox.

When it comes to preventing malware, a HIPS is still better than a behaviour blocker. So, I am not quite sure where you get the 99.9% condition from.

Other than that it is good to look for discrepancies to see if there is room for improvement.

Also report this malware in the AV False Positive/Negative Detection Reporting board. And please only post the URLs to CIMA and VT when submitting it there; no malware should be posted in that board (read the stickies).

Thanks Eric.

I feel much safer after your answer :slight_smile:

But can you tell me why CIMA cannot detect the file I posted? The file is definitely malicious, so CIMA should detect some malicious behavior in it.

It could be a virtual machine aware malware. Another possible VM-aware malware is currently discussed in Chinese signed malware VS CIS 5 RC2.

But sometimes installers cannot run in the Sandbox without crashing/failing/etc., so then you need to run it outside of the Sandbox to install the program, and if the HIPS & AV & Firewall miss some malware while running such an installer un-sandboxed, then the Sandbox is rendered useless in this situation (but the Sandbox can be helpful in many other situations). (I had some malware bypass CIS in this way. :wink:)

I am happy that CIMA (not in CIS yet), Sandboxing, Comodo DNS, and Cloud Scanning are now in CIS; the more layers the better, usually, when properly balanced. :slight_smile:

Keep up the good work Team Comodo. :slight_smile: