New antivirus-disabling malware discovered!

Leo down at TPSC made this video about a demo-malware that can disable many different top-selling antivirus programs.

I would suggest that everyone here follows cruelsister1’s guide on how to remove the majority of names from your locally stored vendor list and disable cloud lookup. This particular malware has a legitimate signature from Zemana. I’ve been seeing a lot of malware in the news I follow that has legitimate digital signatures.

I really hope that CFW/CIS 2024 has the means to stop malware with legitimate sigs.

Edit: One issue I have is that Comodo is still very vulnerable to malicious users. The password protection of the settings doesn’t prevent a malicious user from uninstalling Comodo. The yes/no alerts are also a problem that a malicious user could take advantage of.

HIPS and firewall need to be enabled and set to “Do not show popup alerts” and “block requests” by default on all configurations.

And I’ve also seen some people in YouTube tests, and also here on these forums, complain about bluescreen issues with Comodo’s sandbox. I think Comodo’s container should be set to block all unknown files by default instead of containing them. The performance is much smoother like that.

Hi DrAlrek,

Thank you for reporting.
We will take your concern to the team.
Thank you for supporting.

Thanks
C.O.M.O.D.O RT

One option is to uncheck Trust files installed by trusted vendors in File Rating settings.

Everything that is in the container will get virtualized too; even if it’s trusted, it will get contained.


The container is great, but sometimes it causes bluescreens. Making the container block things instead causes zero performance problems.

Thanks for the heads-up.
Never had a single BSOD because of the Containment. I prefer HIPS and Firewall to show notifications. But the firewall should be set to custom rules! As for the Containment, I prefer to set the restriction level to limited and to uncheck the box “Do not virtualize access to” (both). I agree that cloud should be disabled. However, I am still not sure about deleting the list with the vendors. While it could be a risk, there will be a plenty of notifications if you use a lot of software every day (like me).

Don’t delete the entire list, just the vendor names that aren’t makers of things you currently have.

Cruelsister1 made a guide on how to do that.

Please post a link to her instructions.

There are several videos on the channel that can be of use :-

https://www.youtube.com/@cruelsister1/videos

I’m familiar with her channel. However, there is a lot of content on there and I was hoping that @DrAlrek could post a link to the guide he referred to.

You can use this link : Comodo and Trusted Vendors List - YouTube

Thanks! Now the challenge is determining which ones I need to keep :)

BTW, is there a way to restore certs if I accidentally delete something I need?

You can just look up the unknown file when it gets blocked.

Assuming you change the container to make it block things instead of sandboxing them.

I would suggest you look up the infohash on VirusTotal and do a re-scan before you do a file lookup through Comodo’s UI.

Comodo/Xcitium has been known to whitelist PUPs and other bloatware. Sometimes they’ll have malware whitelisted because of stolen signing software.

You can also still manually submit files to cloud through comodo’s menu. But I’d recommend submitting the links from lookups on filescan (dot) io to the “submit malware here to be blacklisted” thread. It will get added to the blacklist faster if you submit it to the thread here.
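Before the Comodo file lookup suggested above, a defender can pull a blocked file’s SHA-256 and Authenticode signer locally and only then look the hash up. The following PowerShell is an added example, not code from the post or from Comodo; the file path is a placeholder parameter.

```powershell
# Added example: inspect a blocked file's Authenticode signature and SHA-256
# before trusting a vendor-list or cloud verdict. Run as: .\Inspect-File.ps1 -Path <file>
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# Authenticode status: Valid, NotSigned, HashMismatch, UnknownError, ...
$sig = Get-AuthenticodeSignature -LiteralPath $Path

# SHA-256 is what VirusTotal and most sandboxes key on
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

$report = [ordered]@{
    File            = $Path
    SHA256          = $hash
    SignatureStatus = $sig.Status
    StatusMessage   = $sig.StatusMessage
}

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    $report.Signer         = $cert.Subject
    $report.Issuer         = $cert.Issuer
    $report.CertThumbprint = $cert.Thumbprint
    $report.CertNotAfter   = $cert.NotAfter
    # A Valid status only proves the file was signed with that key; it says
    # nothing about whether the key was stolen or abused, which is the thread's point.
}

# Hash-lookup URL for a manual check; only the hash is sent, never the file
$report.VirusTotalUrl = "https://www.virustotal.com/gui/file/$($hash.ToLower())"

[pscustomobject]$report | Format-List
```

Compare the Signer subject with the entry you kept (or removed) in the Trusted Vendors list; a valid signature from a vendor you do not use is exactly the case the vendor-list pruning is meant to catch.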

or submit it to Xcitium Verdict Cloud

The cloud mistakenly whitelists a lot of malware... well, actually, it’s a lot of PUPs. It’s better to upload the malware to filescan (dot) io and then submit the link to the scan result to the “submit malware here to be blacklisted” thread on here. Make a text file with all the links to your filescan (dot) io scan results that you have to upload, and upload the text file.

It gets added to Comodo’s/Xcitium’s malware database faster that way. I’ve experienced it myself.

Whether it’s a PUP or malware, you should always report it to the thread here on the forums.

Uploaded this file to Xcitium and it turned Malicious, so I don’t think there are problems with FLS.

Is that service free? If not, how much does it cost to have those scans done?

I just looked into it, the best parts of it aren’t free, so there’s no point in using it unless you’re going to pay.

Yeah, there is a free version and a paid version of it. The free version uses only Automated Analysis, and the paid one comes with Human Analysis.

It’s very unlikely that you’ll get any help with that here. TPSC has a Discord server; someone there might be able to help you, as long as you’re okay with Discord having your phone number to get onto that one.