On-access scanner cannot detect malware that the on-demand scanner catches

Hi,

To keep this brief, I have a copy of a trojan horse that Comodo detects if I right-click on the file and instruct Comodo to scan it. However, if I double-click on the file, the on-access scanner will not detect the file, and allows it to execute without warning. The HIPS component will still catch it, however.

To eliminate one possible cause of the problem, I have taken care to ensure that my on-demand and on-access scan settings are identical. Can someone knowledgeable about this product help me pinpoint the reason for this very dangerous behavior?

Thank you.

What happens when you turn off HIPS? Does it detect it? If it’s a REAL trojan horse, I would recommend trying this with the EICAR test file instead.

Tried that. The on-access module didn’t squeak either, and the malware promptly proceeded to delete the Windows ICS service and install a global hook on my system.

Hey solcroft,

Could you please submit a sample immediately to Comodo for analysis. Both the on-demand and the on-access scanner use the same engine, so only one of them detecting an object is really, really odd. Do you have any other info on the object - possible or suggested name etc.?

Ewen :slight_smile:

Hi Ewen,

I have just realized that I can replicate this alarming behavior on EVERY piece of malware in my collection. Assuming CAVS has a signature for that piece of malware, what invariably happens is: double-click, on-access scanner miss, HIPS blocks the program, and then right-click scan detects the malware.

I am using a copy of WinXP SP2 Pro which has gone unpatched for more than three years, inside a virtualized environment (VMware Server 1.0.3). The only other software I have running in the background is SandboxIE and Dynamic Security Agent. I am testing CAVS on a fresh install directly after a low-level format on an NTFS drive.

All samples have been submitted to Comodo through the HIPS function. Please tell me what further information is required to pinpoint this problem.

Hey solcroft,

I’ve PM’d some Comodo staff on this (cc’d you on the PM as well). It does it with the eicar test virus as well. :-[

Ewen :slight_smile:

Hi Solcroft,
The engine used by both On-Access and On-Demand modules is the same.

The possibility is that for some reason On-Access may not get the correct path of the malware.

Can you please tell us what the folder path is in which you have the malware samples?

Can you please also check what happens if you move the folder containing the malware directly under the OS drive and repeat the test?

Thanks
-umesh
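The repro steps suggested in this thread (Ewen's EICAR suggestion above, and umesh's request to retry from the desktop and from the root of the OS drive) can be turned into a small, repeatable probe. The script below is an added example written for this page, not Comodo's code and not something any poster supplied: it drops the public EICAR test file into each candidate folder, waits for the on-access driver to react, then tries to open the file again and reports whether the scanner deleted, quarantined or denied access to it. The directory list and the five-second settle time are assumptions; adjust them to match your own setup.

```python
import hashlib
import os
import tempfile
import time

# The EICAR standard anti-malware test string: a public, benign 68-byte file
# that every mainstream engine is expected to flag. Its SHA-256 is well known.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a byte string (used to prove the file was not altered)."""
    return hashlib.sha256(data).hexdigest()


def probe_on_access(directory: str, settle_seconds: float = 5.0) -> dict:
    """Write eicar.com into `directory`, wait, then try to read it back.

    A working on-access scanner should delete, quarantine or deny access to
    the file on write or on the subsequent open. If the file is still there
    and reads back with the original hash, on-access detection missed it
    (an on-demand scan of the same file should still alert, as the thread
    describes).
    """
    path = os.path.join(directory, "eicar.com")
    result = {"path": path, "written": False, "still_present": None,
              "readable": None, "hash_matches": None}
    try:
        with open(path, "wb") as fh:
            fh.write(EICAR)
        result["written"] = True
    except OSError as exc:
        # Write refused: either the scanner blocked it or we lack permission.
        result["error"] = str(exc)
        return result
    time.sleep(settle_seconds)  # assumed settle time for the filter driver
    result["still_present"] = os.path.exists(path)
    if result["still_present"]:
        try:
            with open(path, "rb") as fh:
                data = fh.read()
            result["readable"] = True
            result["hash_matches"] = sha256_of(data) == EICAR_SHA256
        except OSError as exc:
            # Open denied after the write: typical on-access behaviour.
            result["readable"] = False
            result["error"] = str(exc)
    return result


def verdict(result: dict) -> str:
    """Summarise a probe result as one line for the report."""
    if not result["written"] or not result["still_present"] or not result["readable"]:
        return "on-access scanner intervened (file blocked, removed or unreadable)"
    if result["hash_matches"]:
        return "on-access scanner MISSED the file; run an on-demand scan on it to compare"
    return "file was modified in place (partial cleaning?)"


if __name__ == "__main__":
    # Assumed candidate locations, mirroring the thread: the user's desktop and
    # the root of the OS drive. Replace with the folders you want to test.
    drive_root = os.path.splitdrive(os.getcwd())[0] + os.sep
    candidates = [os.path.join(os.path.expanduser("~"), "Desktop"), drive_root]
    for folder in candidates:
        r = probe_on_access(folder)
        print(f"{r['path']}: {verdict(r)}")
```

Run it once with any sandboxing tool (such as SandboxIE) disabled and once with it enabled; a result that flips between the two runs points at the sandbox's file redirection rather than at the engine, which is the question Gopal raises later in this thread.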

My samples were executed from the desktop. Moving them to the root folder of the boot disk does not help.

Hi solcroft/Ewen,

Please send the cavasm and cavsn logs to us so we can find out the root of this problem.

Regards,
Gopal

This is similar to a problem I reported twice, several months ago. But nobody ever bothered to reply.
The email scanner detected a virus, while the right click scan did not.

https://forums.comodo.com/index.php/topic,4685.0.html

Same for me. EICAR is easily detected every time by the on-demand scanner, but only rarely by the on-access scanner :frowning: Usually after a restart of the PC it detects on-access, but after a couple of minutes newly downloaded or decompressed eicar.com files are not detected. I tried CyberDefender FREE, which detected the virus in the past too, with the same negative effect this time. Might be some more fundamental file access problem or an apps collision. On-access driver problems maybe. WinXP Home SP2 here. I tried to close all services, but still no luck on-access.

Hi Solcroft,

This might be because SandboxIE uses middle storage for file operations, so the files may not be caught by the driver.

Can you please remove SandboxIE and try to replicate this issue?

Regards,
Gopal

Hi,

The same for me too.
The EICAR test file is not found by the on-access scanner when I run or download it (the path is on my desktop)!!
Moreover, is it normal to have two cavse.exe loaded in memory?


http://www.divshare.com/img/thumb/1223207-51a.png

I have Win XP Pro SP2 with COMODO Firewall and BOClean.

Before, I had Avira AntiVir installed, which is very efficient, but having seen the excellent firewall and BOClean anti-malware I intended to give CAVS 2 Beta a chance; but if the on-access scanner does not work well, I will go back to Avira, even if reluctantly.
(sorry for my bad English)

Thank you