Mal Script that Creates Unrecognized Scripts Treated as Unrecognized by D+

Malicious Script that Creates Unrecognized (Malicious) Scripts are Treated as Unrecognized by Defense+

NOTE: The provided malware samples are a .js and .bat file. The malware is launched using 1.js. The malware is a screenlock ransomware.

Can you reproduce the problem & if so how reliably?:

Yes. This issue is reproducible every time - at will.

If you can, exact steps to reproduce. If not, exactly what you did & what happened:

1: Right-click 1.js and select “Open with Command Prompt”
2: Anti-Virus module will detect file as Malicious; select “Allow Once” - do same for each subsequent Anti-Virus alert
3: HIPS will alert to Explorer.exe attempting to execute 1.js; select “Allow”
4: 1.js creates additional Unrecognized scripts and files
5: Defense+ runs malicious 1.js (and created scripts and files) fully virtualized - instead of blocking 1.js

Alternatively, one can disable AV, HIPS but leave Cloud and Autosandbox enabled.

One or two sentences explaining what actually happened:

A malicious script, 1.js - with a Comodo signature - was executed. It creates additional malicious scripts and files in the AppData\Low\Temp directory. These additional scripts and files are Unknown\Unrecognized by Comodo. Upon execution, Defense+ runs malicious 1.js as “Fully Virtualized.”

One or two sentences explaining what you expected to happen:

By the auto-sandbox rules for malicious files, 1.js - when executed - should have been “Blocked.” More importantly, when a malicious script creates additional scripts and files, they should automatically inherit the malicious rating and all be “Blocked” as well.

Even though the user “Allowed” through the AV and HIPS alerts, Defense+ should immediately have “Blocked” the malicious file, 1.js - and not applied “Run Virtually” to the child processes rated Unrecognized.

If it is a software compatibility problem, have you tried the advice to make programs work with CIS?:

Not Applicable

Any software except CIS/OS involved? If so - name, & exact version:

None

Any other information, eg your guess at the cause, how you tried to fix it etc:

Defense+ does not apply “Malicious” rating to any scripts or files created by a malicious file; created scripts and files do not inherit the “Malicious” rating from a malicious parent.

B. YOUR SETUP

Exact CIS version & configuration:

version 8.2.0.4508; configuration “Proactive”

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:

All per Proactive configuration; AV, D+\HIPS, Autosandbox\BB, Firewall

Have you made any other changes to the default config? (egs here.):

Additional 64-bit protections enabled

Have you updated (without uninstall) from CIS 5, 6 or 7?:

No. Clean OS and CIS install.

[b]if so, have you tried a clean reinstall - if not please do?[/b]:

Not necessary

Have you imported a config from a previous version of CIS:

No

[b]if so, have you tried a standard config - if not please do[/b]:

Yes. Identical result.

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:

Windows 8.1 x86-64, UAC “Always notify” when changes are made to the system, Administrator, no VM

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:

a= None b= None (Clean install OS and CIS)

SAMPLES ARE PROVIDED for TESTING to CONFIRM report.

Password: infected

[attachment deleted by admin]

Hello,

I think I have discovered what is happening:

  1. Download a file that is malicious and detected by an AV module signature
  2. When file is first introduced to system it is rated as “Unrecognized” in the local host File Rating database and uploaded to Comodo Cloud for analysis
  3. Execute file
  4. AV will generate malicious file alert
  5. Select “Ignore once” in AV alert(s)
  6. HIPS will generate “Unrecognized” file alert
  7. Select “Allow” in HIPS alert(s)
  8. Sandbox will apply “Unrecognized” [based on local host File Rating] auto-sandbox rule = “Run Virtually”
  9. After some time has passed, the Comodo Cloud will update the file as “Malicious” in the local host File Rating database
  10. Repeat Step 1
  11. Sandbox will now apply “Malicious” [based on updated local host File Rating] auto-sandbox rule = “Block and Quarantine”

In short, a file detected by AV signature as malicious does not immediately change the local host file rating from “Unrecognized” to “Malicious.”

The delay between a file’s rating in the local host when it is first introduced to the system and a file rating update from the Comodo Cloud means CIS will apply different actions depending upon whether:

A. The file is executed before a file rating change from the Comodo Cloud; or
B. The file is executed after a file rating change from the Comodo Cloud

This process makes perfect sense; alternatively, consider when an “Unrecognized” file is returned by Comodo Cloud as “Trusted.”

Can someone please confirm this process?

Please close bug report.

Best Regards,

HJLBX

If you want, I can still process the report. A video might be necessary.

Thanks.

Hello qmarius,

It’s not a bug… although it can be confusing and be mistaken as a bug.

It’s not a bug - BUT the way this situation is handled by CIS is not the most secure in the case that:

  1. A file is rated on the local host as “Trusted”
  2. A “Malicious” signature exists, but the Cloud has not been updated yet

The real issue appears to be that creation of malicious signatures and the Comodo Cloud are not well-coordinated.

In that case, if the user overrides the CIS AV alert by choosing “Ignore” then the file will be allowed to run as “Trusted.”

In most cases if a file is installed on the system and rated as “Trusted” then it probably has already done damage. However, my suggestion below would add one more protection in the case cited above and no damage\loss has been done yet.


For whatever reason(s), some files for which a Comodo signature exists are not yet rated as malicious in the Cloud.

Currently, the local host rating will not change to malicious until updated from the Cloud.

Instead it would be more appropriate to submit a feature request:

Upon execution of any file - for which a Comodo malicious signature exists - then CIS will immediately update its local host rating for that file to “Malicious.”


Best Regards,

HJLBX
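The ordering dependence HJLBX describes above (case A vs. case B, plus the “Trusted”-but-signed case) and the proposed fix can be modelled as a small policy simulation. This is an added example, not Comodo code or anything from the thread: the `Host` class, `run_scenario`, the placeholder hash and the “Allow” action for Trusted files are assumptions; the three ratings and the two auto-sandbox actions are the ones quoted in the thread.

```python
from enum import Enum

class Rating(Enum):
    UNRECOGNIZED = "Unrecognized"
    TRUSTED = "Trusted"
    MALICIOUS = "Malicious"

# Auto-sandbox action per local rating, as quoted in the thread; "Allow" for
# Trusted is assumed (trusted files are not auto-sandboxed).
SANDBOX_RULES = {Rating.UNRECOGNIZED: "Run Virtually",
                 Rating.TRUSTED: "Allow",
                 Rating.MALICIOUS: "Block and Quarantine"}

class Host:
    """Local File Rating database plus the AV signature set (assumed structure)."""
    def __init__(self, av_signatures, promote_on_signature=False):
        self.av_signatures = set(av_signatures)  # hashes the AV module detects
        self.hashes, self.ratings = {}, {}
        self.promote_on_signature = promote_on_signature  # the feature request

    def introduce(self, path, sha256):
        # Thread step 2: a new file starts as Unrecognized and is sent to the cloud.
        self.hashes[path], self.ratings[path] = sha256, Rating.UNRECOGNIZED

    def cloud_update(self, path, rating):
        # Thread step 9: the cloud verdict arrives later and overwrites the local rating.
        self.ratings[path] = rating

    def execute(self, path):
        """Steps 4-8: the user clicks Ignore on the AV alert; the auto-sandbox rule
        is then chosen from the LOCAL rating, not from the signature hit."""
        signature_hit = self.hashes[path] in self.av_signatures
        if signature_hit and self.promote_on_signature:
            # Proposed fix: a signature hit at execution time promotes the local rating.
            self.ratings[path] = Rating.MALICIOUS
        return SANDBOX_RULES[self.ratings[path]]

def run_scenario(cloud_verdict=None, promote_on_signature=False):
    """Action taken on 1.js, given which cloud verdict (if any) has arrived."""
    host = Host({"sha256-of-1.js"}, promote_on_signature)
    host.introduce("1.js", "sha256-of-1.js")  # constructed placeholder hash
    if cloud_verdict is not None:
        host.cloud_update("1.js", cloud_verdict)
    return host.execute("1.js")

if __name__ == "__main__":
    print("A: run before any cloud verdict   ->", run_scenario())
    print("B: run after Malicious verdict    ->", run_scenario(Rating.MALICIOUS))
    print("Trusted verdict, signature exists ->", run_scenario(Rating.TRUSTED))
    print("Same, with signature promotion    ->", run_scenario(Rating.TRUSTED, True))
```

With promotion enabled the action no longer depends on whether the cloud verdict has arrived, which is the property the feature request asks for.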

In that case, moving to “Resolved” section.

Thanks.