I’m testing CIS v5 on VMware Player v3.1.3 (1.jpg).
A few days ago I downloaded the “pcclearsophos_home.exe” file from malc0de.
On-demand AV scan finds nothing (2.jpg)… Cloud scanning is enabled and Heur is set to Medium; DB is 7057.
When I upload the file to VirusTotal it says that Comodo detects it as Application.Win32.Adware.Agent.~DA (4.jpg).
This file uses valid ebiznetworks (http://global.pcclear.com/ ; WOT ranking=red) digital signature (7.jpg) and is recognized as Safe application by Comodo (5.jpg; 6.jpg). Trusted files list is empty.
This rogue is normally installed (8.jpg) and later detected by MBAM (3.jpg).
I hope that this is a VM issue…
If you need any additional info, don’t hesitate to ask.
Thank You and best regards.
CIS is in Proactive Security configuration
AV=Stateful, FW=Safe Mode, D+=Safe Mode, SB=Untrusted
I’m not sure of CIS’s procedures for checking files, but what I think is that it saw that the file’s vendor was on the TVL, so it didn’t check it against the virus database or anything, so now that it’s not on the TVL it sees that there is a signature for it.
Unknown Files: The Sand-boxing and Scanning Processes
When an executable is first run it passes through the following CIS security inspections:
Antivirus scan
Defense+ Heuristic check
Buffer Overflow check
If the processes above determine that the file is malware then the user is alerted and the file is quarantined or deleted.
An application can become recognized as ‘safe’ by CIS (and therefore not sandboxed or scanned in the cloud) in the following ways:
Because it is on the local Comodo White List of known safe applications
Because the user has added the application to the local ‘Trusted Files’
By the user granting the installer elevated privileges (CIS detects if an executable requires administrative privileges. If it does, it asks the user. If they choose to trust, CIS regards the installer and all files generated by the installer as safe)
Additionally, a file is not sandboxed or sent for analysis in the cloud if it is defined as an Installer or Updater in HIPS policy (See Computer Security Policy for more details)
Does this mean that, when ebiznetworks was in the TVL, all of its products were automatically safe, or did/should Comodo whitelist each application separately?
I confirm malware detection and removal of ebiznetworks from TVL. :-TU
A digital signature is not a good way to determine whether an application is safe, at least not any more… it is, however, a good parameter among others…
For rogue applications there is a further problem, because there is no good enough indication of malicious behavior, at least not for automated process inspectors such as HIPSes nor for the automated certification feeder in the cloud; such automatism, for the time being, cannot tell you whether you are going to be a victim of e.g. social engineering.
So for now we need a CIS internal logic change which will at least check “known” and signed apps against malware; the question is, can we ask for such a temporary solution from a company which promotes and sells digital certificates?
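To make the ordering problem from the quoted CIS documentation and the logic change proposed above concrete, here is an added example (not code from the thread, from Comodo, or from CIS) that models both decision pipelines: one where a valid signature from a trusted-vendor-list (TVL) vendor short-circuits the AV scan, and one where signed, "known" files are still checked against the malware database first. Vendor names, file bytes, hashes and the helper names are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (illustrative placeholders, not real indicators):
# a trusted-vendor list containing the signer, an empty Trusted Files list
# as in the poster's setup, and a hash DB mapping one stand-in binary to the
# detection name VirusTotal reported for Comodo.
TRUSTED_VENDORS = {"ebiznetworks"}
TRUSTED_FILES: set = set()
ROGUE_BYTES = b"<constructed stand-in for pcclearsophos_home.exe>"
MALWARE_DB = {hashlib.sha256(ROGUE_BYTES).hexdigest(): "Application.Win32.Adware.Agent.~DA"}

@dataclass
class FileInfo:
    name: str
    content: bytes
    signer: Optional[str]      # signer name from the code-signing certificate, None if unsigned
    signature_valid: bool      # certificate chain validates to a trusted root

def av_scan(f: FileInfo) -> Optional[str]:
    """Local blacklist lookup by hash; returns the detection name or None."""
    return MALWARE_DB.get(hashlib.sha256(f.content).hexdigest())

def decide_tvl_first(f: FileInfo, trusted_vendors: set) -> str:
    """Ordering the poster suspects: a valid signature from a TVL vendor
    marks the file safe before the AV engine ever looks at it."""
    if f.signature_valid and f.signer in trusted_vendors:
        return "safe (trusted vendor)"
    if f.name in TRUSTED_FILES:
        return "safe (trusted file)"
    det = av_scan(f)
    return f"quarantine ({det})" if det else "sandbox (unknown)"

def decide_scan_first(f: FileInfo, trusted_vendors: set) -> str:
    """Proposed ordering: signed and 'known' files are still checked
    against the malware DB; vendor trust only applies to clean files."""
    det = av_scan(f)
    if det:
        return f"quarantine ({det})"
    if f.signature_valid and f.signer in trusted_vendors:
        return "safe (trusted vendor)"
    if f.name in TRUSTED_FILES:
        return "safe (trusted file)"
    return "sandbox (unknown)"

# The signed rogue from the thread, and a clean file signed by the same vendor.
ROGUE = FileInfo("pcclearsophos_home.exe", ROGUE_BYTES, "ebiznetworks", True)
CLEAN = FileInfo("tool.exe", b"<constructed clean binary>", "ebiznetworks", True)
```

Calling `decide_tvl_first(ROGUE, TRUSTED_VENDORS)` returns "safe (trusted vendor)" while `decide_scan_first` quarantines the same file; removing the vendor from the set (`set()`) makes both orderings quarantine it, which matches the behaviour observed after ebiznetworks was dropped from the TVL.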
You are right, salmonela. I think that CIS needs to analyse the digital signatures and compare the currently downloaded application to the digital signature, by seeing what products the company has.