Malware using signed signatures [Merged topic]

Hi, guys!

Here is another one…

http://www.virustotal.com/file-scan/report.html?id=5caab5588326342d939145b5c1cbe686f92e807dd1b150bf54b39cf2b9ea698d-1292792494

http://camas.comodo.com/cgi-bin/submit?file=5caab5588326342d939145b5c1cbe686f92e807dd1b150bf54b39cf2b9ea698d

Malware uses sogou.com digital signature and is trusted by Comodo.

gg. ;D

Changed the title to be more informative.

I think that Comodo’s trusted vendor list needs to be changed into using a more foolproof method. (:NRD)

Better yet - The current model should be scrapped.

As Comodo should know (being an issuer of security certificates), validation <> trust. Just because a file is signed does not automatically make it trustworthy.

To operate on the basis that a signed executable is trustworthy is a flawed premise that will (and has) backfired.
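
The point made in the post above ("validation <> trust") can be turned into a concrete check. The following PowerShell function is an added example, not Comodo's code or anything from this thread: it treats a valid Authenticode signature as only one input to a trust decision, requires the signer to be on an explicit allow-list, and lets a known-bad file hash override both. The allow-list thumbprints, the known-bad hashes and the sample path are hypothetical placeholders; `Get-AuthenticodeSignature` and `Get-FileHash` are standard PowerShell cmdlets.

```powershell
# Added example (not Comodo's code): a signed binary is not automatically trusted.
# Assumptions (hypothetical): the thumbprints, hashes and path passed in below are
# placeholders; in practice they come from your own vendor list and AV detections.

function Test-ExecutableTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprints of signer certificates you have explicitly decided to trust.
        [string[]] $TrustedSignerThumbprints = @(),
        # SHA-256 hashes of files your AV already flags as malicious.
        [string[]] $KnownBadSha256 = @()
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Step 1: a known-bad hash overrides any signature or vendor-list entry.
    # This is exactly the case in the thread: a file that is signed/whitelisted
    # but also has an AV signature must still be blocked.
    if ($KnownBadSha256 -contains $hash) {
        return [pscustomobject]@{
            Path = $Path; Decision = 'Block'
            Reason = "SHA-256 $hash is on the known-bad list"
            SignatureStatus = $sig.Status
        }
    }

    # Step 2: the signature itself must validate (chains to a trusted root,
    # not revoked, file hash matches the signed hash). Anything else is untrusted.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Decision = 'Untrusted'
            Reason = "Signature status is '$($sig.Status)', not 'Valid'"
            SignatureStatus = $sig.Status
        }
    }

    # Step 3: validation <> trust. A valid signature only proves who signed the
    # file; trust is granted only to signers you have explicitly allow-listed.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($TrustedSignerThumbprints -contains $thumb) {
        return [pscustomobject]@{
            Path = $Path; Decision = 'Trusted'
            Reason = "Valid signature from allow-listed signer $thumb ($($sig.SignerCertificate.Subject))"
            SignatureStatus = $sig.Status
        }
    }

    return [pscustomobject]@{
        Path = $Path; Decision = 'Untrusted'
        Reason = "Valid signature, but signer $thumb ($($sig.SignerCertificate.Subject)) is not allow-listed"
        SignatureStatus = $sig.Status
    }
}

# Usage with hypothetical values (replace with your own):
Test-ExecutableTrust -Path 'C:\samples\sample.exe' `
    -TrustedSignerThumbprints @('0000000000000000000000000000000000000000') `
    -KnownBadSha256 @('5CAAB5588326342D939145B5C1CBE686F92E807DD1B150BF54B39CF2B9EA698D') |
    Format-List
```

The ordering of the three steps is the design point: the hash denylist is consulted first so that an AV detection always wins over a vendor-list entry, and a valid signature from a signer that is not on the allow-list still ends in `Untrusted` rather than `Trusted`. String comparisons with `-contains` are case-insensitive in PowerShell, so the hash and thumbprint case does not matter.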

This is precisely why I use GeSWall on my PC with Comodo, because there are always different things that can go wrong when you have a whitelist that is not specific to a signature, i.e. like how signature-based antimalware programs detect threats. This is the only sure way to identify trust with a file, and any other way is flawed and can be used to an advantage by malware. (:NRD)

And it’s detected by Comodo Antivirus as ApplicUnwnt.Win32.Agent.~I!

If you can collect all these signed and trusted malware samples in one topic, I guess it will be easier for the developers to fix it ASAP.

Thanks in advance.

No, it’s not detected yet. That’s why I made this topic.
This situation is just like in my post about the PCClearSophos rogue.
VT says that CIS detects it, but actually it doesn’t! ???


I’ve already posted some samples which are undetected and are on the TVL.
Dear staff, I’m still waiting for a reaction :).

You probably have more chance of getting the staff’s attention in the Malware Research Group forum. You (re)submitted them less than 24 hrs ago. When needed, bump the topic there, or try sending a PM.

That is weird indeed. Can you send me this sample so I can test it?

Hi siketa, really appreciate your effort.
I hope that Comodo’s development team can work out a long-term solution to fix the problem regarding malware using signed signatures.

Thanks, guys!

I’ll keep trying to find holes in our beloved CIS so devs can improve it. :wink:

Thanks siketa,
The Malware Research Group is also trying to find some malicious files with digital signatures which can bypass Comodo.

Milosz

bump

The devs are aware of the issue regarding files being on the trusted list/signed but also having a signature assigned in the AV. I brought this up and Ronny pointed me to something Umesh stated.

I know it doesn’t sort out the whole signed malware issue, because if there is no signature it will still go through, but at least they know the issue and are looking at ways to mitigate it!

Cheers,
Matty

P.S. I’ll point Umesh to this topic if nobody has already…

This is being looked into.

Thanks
-umesh

Yes, and also some users just use the firewall without the AV (like me). Regarding the cloud scan, I think that the cloud feature will not help with the trusted files? Please correct me if I’m wrong.

Hello Umesh,

Thanks in advance, please look into this one also.

It’s not a signed one, but it’s whitelisted and was scanned online and found safe! So the sandbox was disabled when I executed it and the system got infected…

http://camas.comodo.com/cgi-bin/submit?file=801aae031a9ef5b3eec399fe44cf7e4354c3d64ddc000221cc0f47300aad4b5b

http://www.virustotal.com/file-scan/report.html?id=801aae031a9ef5b3eec399fe44cf7e4354c3d64ddc000221cc0f47300aad4b5b-1292625831

And as you can see on VirusTotal, it says it’s detected by Comodo as TrojWare.Win32.Trojan.Agent.~LVF!! I don’t have a clue how this could ever happen.
Can you please tell me why it’s not detected by the cloud?

I agree. Personally, I think the option to disable the TVL should be brought back. The main trouble, as I see it, is to make a product with good usability for the masses (very few alerts) yet still not let malware in.
The panacea of security software, will it ever be created?

Matty