Possible PCClearSophos bypass?

Hi, guys!

I’m testing CIS v5 on VMware Player v3.1.3 (1.jpg).
A few days ago I downloaded the “pcclearsophos_home.exe” file from malc0de.
The on-demand AV scan finds nothing (2.jpg)… Cloud scanning is enabled and Heuristics is set to Medium; DB is 7057.
When I upload the file to VirusTotal it says that Comodo detects it as Application.Win32.Adware.Agent.~DA (4.jpg).
This file uses a valid ebiznetworks (http://global.pcclear.com/ ; WOT ranking=red) digital signature (7.jpg) and is recognized as a Safe application by Comodo (5.jpg; 6.jpg). The Trusted Files list is empty.
This rogue installs normally (8.jpg) and is later detected by MBAM (3.jpg).

I hope that this is a VM issue…

If you need any additional info, don’t hesitate to ask.

Thank You and best regards.

CIS is in Proactive Security configuration
AV=Stateful, FW=Safe Mode, D+=Safe Mode, SB=Untrusted

EDIT: malware file is removed from attachment.

[attachment deleted by admin]

Please send me the sample. I would test it in Sandboxie.

Thanks,
Harsha.

Not detected here (DB 7059). CIS says it’s a safe file. ebiznetworks is in the TVL.

VT: http://www.virustotal.com/file-scan/report.html?id=c1b9b1cf79fe82dc05c78d722eb15b11838825289785917ab040e53933b937f0-1292247221

Harsha, the file is attached in siketa’s post. :wink:

[attachment deleted by admin]

Oops… Thanks, JoWa.

It looks like ebiznetworks has been removed from the TVL; it must have been removed with the update we got today.

Yes, that should solve the problem.
I can’t confirm this now since I’m on PC with no CIS installed.

It is detected now.

[attachment deleted by admin]

The question is why VirusTotal reported that CAV detects it while it was really letting it through. ???

I’m not sure of CIS’s procedure for checking files, but what I think is that it saw that the file’s vendor was on the TVL, so it didn’t check it against the virus database or anything. Now that it’s not on the TVL, it sees that there is a signature for it.

The same thing happens with antimalware-2011 pro.

Nope. Here is how the vetting process starts:

Unknown Files: The Sand-boxing and Scanning Processes

When an executable is first run it passes through the following CIS security inspections:

Antivirus scan

Defense+ Heuristic check

Buffer Overflow check

If the processes above determine that the file is malware then the user is alerted and the file is quarantined or deleted.

An application can become recognized as ‘safe’ by CIS (and therefore not sandboxed or scanned in the cloud) in the following ways:

Because it is on the local Comodo White List of known safe applications

Because the user has added the application to the local ‘Trusted Files’

By the user granting the installer elevated privileges (CIS detects if an executable requires administrative privileges. If it does, it asks the user. If they choose to trust, CIS regards the installer and all files generated by the installer as safe)

Additionally, a file is not sandboxed or sent for analysis in the cloud if it is defined as an Installer or Updater in HIPS policy (See Computer Security Policy for more details)

The above is the first part of Unknown Files: The Sand-boxing and Scanning Processes.

Does this mean that, when ebiznetworks was in the TVL, all of its products were automatically safe, or did/should Comodo whitelist application by application separately?

I confirm malware detection and removal of ebiznetworks from TVL. :-TU

Thanks for the info,

but I don’t think it’s a good idea to leave the trojan attached in the post!

Indeed

or Comodo did/should whitelist application by application separately?
CIS uses both ways of whitelisting.

According to this link, the website in the opening post isn’t safe to visit. Firefox blocks it, and ClearCloud DNS blocks it.

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://global.pcclear.com/

Ralph

A digital signature is not a good way to determine whether an application is safe, at least not any more… it is, however, a good parameter among others…
For rogue applications there is an additional problem, because there is no good enough indication of malicious behavior, at least not for automated process inspectors such as HIPSes, nor for an automated certification feeder in the cloud; such automation, for the time being, cannot tell whether you are going to be the victim of e.g. social engineering.
So for now we need a CIS internal logic change which will at least check “known” and signed apps against malware; the question is whether we can ask for such a temporary solution from a company which promotes and sells digital certificates.

You are right, salmonela. I think that CIS needs to analyse the digital signatures and compare the currently downloaded application to the digital signature, by seeing what products the company has.

Regards,
Valentin
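The two vetting orders the thread argues about (the “vendor on the TVL skips the virus database” behaviour inferred a few posts up, and the “check signed apps against malware first” change salmonela and Valentin ask for) can be made concrete with a small model. This is an added example, not Comodo’s code or any description of CIS internals: the `FileSample`/`Policy` classes, the function names, and the file bytes are all made up here; only the file name, the vendor name, the detection name and the “Trusted Files list is empty” detail come from the thread.

```python
"""Added example, not Comodo's code: a model of the two vetting orders
discussed in the thread.  All names and structures here are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class FileSample:
    name: str
    data: bytes            # constructed stand-in for the file contents
    signer: Optional[str]  # vendor name from a signature that verified, else None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


@dataclass
class Policy:
    av_blacklist: Dict[str, str]   # sha256 -> detection name (the AV database)
    trusted_vendors: Set[str]      # the Trusted Vendor List (TVL)
    trusted_files: Set[str]        # user's local Trusted Files, by sha256


def is_trusted(sample: FileSample, policy: Policy) -> bool:
    """The two whitelisting paths the quoted help text names that apply here:
    signer on the TVL, or the file on the user's Trusted Files."""
    return (sample.signer in policy.trusted_vendors
            or sample.sha256 in policy.trusted_files)


def vet_trust_first(sample: FileSample, policy: Policy) -> str:
    """Order the thread infers from the 'safe' verdict: a trusted signer
    short-circuits the AV lookup, so a blacklisted hash never gets checked."""
    if is_trusted(sample, policy):
        return "SAFE"
    if sample.sha256 in policy.av_blacklist:
        return "MALWARE: " + policy.av_blacklist[sample.sha256]
    return "UNKNOWN"   # would be sandboxed / sent to the cloud


def vet_av_first(sample: FileSample, policy: Policy) -> str:
    """Order the later posts ask for: the AV database is consulted before any
    trust decision, so a signature from a trusted vendor cannot mask a detection."""
    if sample.sha256 in policy.av_blacklist:
        return "MALWARE: " + policy.av_blacklist[sample.sha256]
    if is_trusted(sample, policy):
        return "SAFE"
    return "UNKNOWN"


def run_scenario() -> Dict[str, str]:
    """Replay the thread: vendor on the TVL, then the update that removed it."""
    # Constructed bytes; the real sample's hash is the one in the VirusTotal link, not this.
    rogue = FileSample("pcclearsophos_home.exe",
                       b"constructed stand-in bytes", signer="ebiznetworks")
    policy = Policy(
        av_blacklist={rogue.sha256: "Application.Win32.Adware.Agent.~DA"},  # name from the thread
        trusted_vendors={"ebiznetworks"},   # vendor on the TVL before the update
        trusted_files=set(),                # "Trusted files list is empty"
    )
    results = {
        "trust_first_vendor_on_tvl": vet_trust_first(rogue, policy),
        "av_first_vendor_on_tvl": vet_av_first(rogue, policy),
    }
    policy.trusted_vendors.discard("ebiznetworks")   # the TVL update that removed the vendor
    results["trust_first_vendor_removed"] = vet_trust_first(rogue, policy)
    results["av_first_vendor_removed"] = vet_av_first(rogue, policy)
    return results


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:28s} -> {verdict}")
```

Under the trust-first order the verdict flips from SAFE to MALWARE only because the vendor left the TVL, which matches what the thread saw after the update; under the AV-first order the same sample is caught whether or not the vendor is trusted, and the TVL only decides what happens to files the database does not know.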

There are some of us around here that have been saying this for a very long time.

Repetition is the mother of knowledge :wink:

Hi,
‘ebiznetworks’ was removed from the TVL as we found questionable practices used by the vendor.

Thanks
-umesh