Malware, CIS & VT

http://www.virustotal.com/file-scan/report.html?id=adf4fcac3a55d876610ed08e4a41a7abae2e09e51137d8c7306c8e601c509e3d-1319039333

As you can see in the link above, CIS detects this malware. But on my system, with the same database, CAV is not detecting it. I have mentioned this type of issue quite a few times and asked the devs why this happens, but no one cares.

If anyone would like to test, I can PM the malware.

Valkyrie is also not detecting it, and again, as usual, advanced heuristics in Valkyrie are not working.

https://valkyrie.comodo.com/Result.html?sha1=b1206b9467766249ab331ec74c602af1f7ce4ecc&&query=0&&filename=asf.exe

Thanxx
Naren

Edit - This one is digitally signed by Eorezo, and Eorezo is in the TVL in CIS.

But I have D+ disabled permanently, so I think it being in the TVL should not affect the detection.

Edit - I scanned this malware with CCE & it detected it.

Note - CCE scanners are good. I also scanned 7 fresh zero-day malware samples which are not detected by CAV, but CCE detected all 7.

Did you already post the link here?

If the file is signed with a signature from the TVL, AV will not respond (probably it is something like protection against FPs - we have it in the list, so it should not be evil >:-D).

Remove this signature from the TVL and probably this will change.

The one submitted to VT is unsigned;

Additional information
sigcheck:
verified…: Unsigned

I checked another file with this signature.

VirusTotal gives incorrect information:

http://www.virustotal.com/file-scan/report.html?id=b38158f4772dd65195bbdebc11e6ef5780b5d438e56b81bda581efbff5f2518d-1319100153

publisher…: EoRezo
copyright…:
product…: EoDesk3d by EoRezo
description…: EoDesk3d by EoRezo Setup
original name: n/a
internal name: n/a
file version.:
comments…: This installation was built with Inno Setup.
signers…: -
signing date.: -
verified…: Unsigned

and the information from my system for this file:

Can you PM me the link to this one?

done

Vendor has been removed from TVL.

Will a manual scan also not detect the signed malware in the TVL?

Thanxx
Naren

VT is wrong. The sample was signed. I had checked, and the digital signature was OK.

Thanxx
Naren
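Because the thread turns on whether the sample carried an Authenticode signature at all (sigcheck and VT report unsigned, the poster says signed), here is an added example, not from the thread, that reads the Certificate Table entry of a PE file's data directory and reports whether a signature blob is present. It checks presence only; whether the chain actually verifies is what sigcheck's verified field reports. The sample PE it builds is constructed in memory for the demonstration and is not a real binary.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Certificate Table data directory


def authenticode_entry(data: bytes):
    """Return the WIN_CERTIFICATE header embedded in a PE image, or None when the
    Certificate Table is empty. Presence is all this proves; chain validation is a
    separate step (WinVerifyTrust / sigcheck)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_hdr = e_lfanew + 4 + 20          # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic == 0x10B:                    # PE32
        count_off, dir_base = opt_hdr + 92, opt_hdr + 96
    elif magic == 0x20B:                  # PE32+
        count_off, dir_base = opt_hdr + 108, opt_hdr + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                       # directory table too short to hold the entry
    offset, size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if offset == 0 or size == 0:
        return None                       # no certificate table: file is unsigned
    # Unlike the other directories, this value is a raw file offset, not an RVA.
    if size < 8 or offset + size > len(data):
        raise ValueError("certificate table points outside the file (truncated or tampered)")
    length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return {"offset": offset, "size": size, "length": length,
            "revision": revision, "cert_type": cert_type}


def build_sample_pe32(signed: bool) -> bytes:
    """Constructed minimal PE32 image (no sections) for demonstration only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if signed:
        cert = b"\x00" * 8                                # stand-in for the PKCS#7 SignedData
        blob = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert  # WIN_CERTIFICATE
        entry = 64 + 4 + 20 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, entry, len(image), len(blob))
        image += blob
    return bytes(image)
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `authenticode_entry`; a `cert_type` of 0x0002 is WIN_CERT_TYPE_PKCS_SIGNED_DATA, the type Authenticode uses.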

I have seen this too on my computer.

When an executable is first run it is checked first against the local blacklist and only then against the local white list.

http://help.comodo.com/topic-72-1-170-1708-Unknown-Files---The-Sand-boxing-and-Scanning-Processes.html

So I clearly do not understand why this happens.

If it is like Szadout is saying, then the process is local whitelist first and only then local blacklist (to avoid FPs). But what about "stateful" in the real-time scanning? Does it not scan every single file (under 40 MB) basically every 30 minutes? That is the reason that I do not use the scheduled or manual scanning.

Really would like to see a clarification about this issue.

Nice to see; it would be nice if Comodo took action against them and others who let this happen or do this as well! >:-D