Malware masquerading as genuine programs - basic question

A question I’ve been wondering about for a while: can firewalls in general, and Comodo in particular, distinguish between, for example, the genuine iexplore.exe and a nasty of the same name or indeed anything bearing the name of one of the trusted components in the Comodo database?

I assume there are some clever recognition procedures, otherwise as soon as such a piece of malware gets on the computer, the game is over.



I believe it would, because as soon as I replace, for example, game.exe with the no-cd patch game.exe, Comodo gives me a warning as soon as it starts up with: "The cryptographic signature has changed, also this program tries to access the internet, act as a server and download a file, this is very suspicious…"

True, even in the case that some malware managed to position itself with the same filename in the same folder as a legit app, Comodo would detect a change in the cryptographic signature. Plus it’s hard for malware to substitute Windows’ legit apps; Windows protects its important programs (even notepad.exe) from this kind of attack. For example, if you were fool enough to try to manually delete some core Windows file, you’d see it restored into existence in no time out of the blue. Actually, malware trying to disguise itself as legit apps can be told from the original because it has to install itself in a different directory. Like, windows\system32\whatever.exe is legit, windows\whatever.exe is malware.

Think so. :stuck_out_tongue:

Another common way to spot such things is by the misspelling of the filename. For example, a legit program is windows/system32/svchost.exe. Not only may you find malware by the same name in a different filepath (as Japo mentions), but also with a different spelling, such as svhost.exe (note the lack of the letter “c”).
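The three heuristics the replies describe (a changed hash or signature, a trusted name in the wrong folder, and a lookalike spelling) can be checked from a baseline as below. This is an added example, not Comodo's logic or code from any poster; the paths, file contents and digests are constructed placeholders so it runs offline.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed baseline: where each trusted binary is expected to live and the
# SHA-256 of its genuine contents. The digests are computed from placeholder
# bytes purely so the example runs offline; a real baseline would record the
# hashes (or Authenticode signer) of the actually installed files.
TRUSTED = {
    "svchost.exe": (r"C:\Windows\System32", hashlib.sha256(b"genuine svchost").hexdigest()),
    "iexplore.exe": (r"C:\Program Files\Internet Explorer", hashlib.sha256(b"genuine iexplore").hexdigest()),
}

def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike names such as svhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path, content):
    """Return findings for one executable; an empty list means it matches the baseline."""
    p = PureWindowsPath(path)          # case-insensitive path comparison, like Windows
    name = p.name.lower()
    findings = []
    if name in TRUSTED:
        expected_dir, expected_hash = TRUSTED[name]
        if p.parent != PureWindowsPath(expected_dir):
            findings.append(f"{name}: trusted name in unexpected location {p.parent}")
        if hashlib.sha256(content).hexdigest() != expected_hash:
            findings.append(f"{name}: contents differ from baseline (signature changed)")
    else:
        for trusted in TRUSTED:
            if edit_distance(name, trusted) == 1:
                findings.append(f"{name}: lookalike of trusted name {trusted}")
    return findings

def scan(samples):
    """Classify a dict of {path: file bytes} and keep only the suspicious entries."""
    return {path: f for path, content in samples.items() if (f := classify(path, content))}

# Constructed sample inventory (path -> file contents) covering each case from the thread.
SAMPLES = {
    r"C:\Windows\System32\svchost.exe": b"genuine svchost",              # matches baseline
    r"C:\Windows\svchost.exe": b"genuine svchost",                       # right name, wrong folder
    r"C:\Program Files\Internet Explorer\iexplore.exe": b"patched",      # same path, changed contents
    r"C:\Windows\System32\svhost.exe": b"whatever",                      # misspelled lookalike
}

if __name__ == "__main__":
    for path, findings in scan(SAMPLES).items():
        print(path, "->", "; ".join(findings))
```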