Manual scan with the latest CCE & CIS cannot quarantine this malware. CCE reports "failed to quarantine". CIS detected it & didn't report a failed quarantine, but the file was still in the folder.
It was just a scan of a folder full of malware.
I don't know if CIS Realtime also fails or not.
If anyone can check I will PM the malware.
I have confirmed this on Windows 7 x64 via manual scan. It detects the file, attempts to quarantine it, and then leaves the results window blank as if it had removed all threats. However, the file still remains.
Strangely enough, scanning a second time is able to remove the file, although it was detected with a different signature. I have attached a pic of my scan logs.
This is odd.
Edit: It turns out that Naren sent me a file which is slightly different from the other. This is the file I tested. Here are the VirusTotal results for it:
I sent you 2 files; they seem the same but with different file sizes.
Which one did you try? What's the file size?
Here are the VT links for both the files:
Size 865 - VirusTotal
Size 793 - VirusTotal
Chiron, I guess you tested file size 865, right?
So, file size 865 - at your side CIS detected it with 2 different names in 2 tries, as seen in your logs:
1 is Sality
the other is malware[at]
CCE detects this file as Sality & Comodo at VT also detects this file as Sality.
File Size 793
CCE detects it as exactly the same name as malware[at] in your logs for file size 865
Comodo at VT detects it as TrojWare.Win32.Agent.~fd
kjdemuth, a member here to whom I also sent this file, mentioned that CIS detected it as win32.mIRC trojan:
The file you sent me, sexy.exe, is detected by comodo firewall scanner. It is classified as win32.mIRC trojan. It runs spoolv.exe and installs a hook. It then attempts to modify device\NSI and device\AFD\endpoint. Hope that helps you.
Why is the same malware, with the same database, detected under a different name by CIS on the system & by Comodo at VirusTotal?
At times the detection name even differs from one system to another. Why?
Not really sure. Is it the same malware you're using? If so then it might be keeping up with the sigs. When something is first classified it starts as either unknown malware or heuristic. It changes when the sigs come out for it. The sigs might change for that piece of malware and hence the name change.
The malware I sent you was recognized as MIRC Trojan as you mentioned & at that time here on my system it was detected as sality.
That same malware yesterday on my system was detected as malware@ & at VT as Trojan Win32.
That's the difference in detection name for the same malware. Why??
Can any mods test these malware with CIS 6 Beta & CCE in CIS 6 Beta?
I still have the samples & can provide/PM them.