Recognizer v1.6.1 for Comodo Internet Security v10 (RC)

Hi All,
We are pleased to inform you that after a long wait we are all set to release recognizers for Comodo Internet Security v10.x versions.
But before we do that, we have this release candidate version, and we are all set to release it next Monday unless you find blocker bugs.
We need your help with stability testing before we release the update for all users.

Following are steps to test:
Step - 1: Ensure you have CIS Premium v10 installed

Step - 2: Change your hosts file entries to the following:
91.209.196.83 download.comodo.com
91.209.196.83 www.download.comodo.com
(It’s a test server, and going forward we will be using the same mechanism to test updates as well, rather than just new releases, to cover the full update scope.)

Step - 3: Run the updater from the CIS interface. You may find that AV updates fail, but recognizer updates should work. If you see errors even for recognizer updates, it means the DNS cache entry for download.comodo.com is still there; please clear the cache with “ipconfig /flushdns”, maybe wait 10 min, and retry.

Step - 4: If the update is successful, you should see recognizer version 1.6.1 as shown in the enclosed screenshot.

Step - 5: From “Settings → Advanced Protection → VirusScope”, please deselect the “Monitor only the applications in the container” checkbox; this will ensure all processes are watched and will be a good test for stability.

Step - 6: Run your popular applications and watch for any abnormal CPU / RAM usage; if you see any, feedback is appreciated, with system details and active applications.

Here is the full list of malware, mostly different ransomware families, which are watched for by the recognizer; detection is made based on behavior pattern:

Backdoor (2)
Backdoor.MSIL.Bladabindi
Darkcomet

Fileless Trojan (3)
Gootkit/Xswkit
Kovter
Poweliks

Password Stealer Trojan (1)
Primarypass

Ransomware (59)
7ev3n
AdamLocker
BleedGreen
BTCLocker
Cancer
Censer
Cerber
CloudSword
Critroni
Crowti
CRY LOCKER
Cryakl
Crypmod or ZeroCrypt
Cryptolocker
CRYPTOMIX
Cryptorium
CryptoWall
CryptXXX
Crysis
DeriaLock
DMALocker
EnkripsiPC
Falock
FireCrypt
Genasom
Globe Imposter
GOG
Haperlock
HiddenTears
Hollycrypt
HydraCrypt
JigsawLocker
Kangaroo
Kelnoc
Locky
Manifestus
Matrix
Philadelphia or Stampado
Ransom.NoobCrypt
Razy
Roga
Sag2.0
Sage
SageCrypt or Milicry
Sarento
Satan
Shieldcrypt
Spora
TeslaCrypt
ToCrypt
TorrentLocker
Trojware.Win32.Filecoder.Ishtar.B
UltraLocker
Wallet/Dharma
WannaCry
Xmas
Xorist
XRatLocker
YourRansom

Trojan (24)
Carberp
DarkKomet
Lethic
Necrus
Rematsu
Ropest
Sopinar
Spatet
TrojWare.MSIL.Injector.~QWE
TrojWare.MSIL.Kryptik.IAS
TrojWare.MSIL.NanoCore.E
TrojWare.Win32.Agent.ZAQ
TrojWare.Win32.Fynloski.B
TrojWare.Win32.Injector.~DLDO
Trojware.Win32.Matsnu
Trojware.Win32.Phase.A
Trojware.Win32.PSW.Fareit.A
TrojWare.Win32.Ramnit.qg
TrojWare.Win32.Spy.Recam.zkg
Trojware.Win32.Spy.Weecnaw.H
Trojware.Win32.TrojanDownloader.Small.PRQ
Trustezeb
Ranbyus
Nivdort

Virus
Grenam

We would appreciate it if more users could try it and share feedback.
We are going to continuously update the recognizers going forward.

Thanks
-umesh

[Edit: 20-May-2017: Added Satan and Locky to the list as well]

You can also add the server under “Proxy and Hosts Settings” as seen in the attachment.

* credits to futuretech.
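Step 2 and Step 3 above leave a hosts override in place that redirects all download.comodo.com traffic to the test server, so a practitioner will want to apply it, verify it, and cleanly remove it afterwards. The script below is an added example, not code from the original post or from Comodo; the IP and hostnames are the ones given in the thread, and the marker comment is my own convention so that only the test lines are removed on revert.

```powershell
# Added example (not from the original post): apply or revert the Step 2 hosts
# entries for the CIS v10 recognizer test, with a backup and a resolution check.
# Run from an elevated PowerShell prompt; use -Revert when testing is finished.
#Requires -RunAsAdministrator
param([switch]$Revert)

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$TestIP    = '91.209.196.83'                       # test server from the thread
$Names     = @('download.comodo.com', 'www.download.comodo.com')
$Marker    = '# CIS-RECOGNIZER-TEST'               # tag so only our lines are removed later

# Always keep a timestamped backup before touching the hosts file.
$Backup = "$HostsPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $HostsPath -Destination $Backup -Force

if ($Revert) {
    # Drop only the lines carrying our marker; leave everything else intact.
    $Kept = Get-Content $HostsPath | Where-Object { $_ -notlike "*$Marker*" }
    Set-Content -Path $HostsPath -Value $Kept -Encoding ASCII
} else {
    $Lines = foreach ($n in $Names) { "$TestIP`t$n`t$Marker" }
    Add-Content -Path $HostsPath -Value $Lines -Encoding ASCII
}

# Step 3 of the thread: a stale cache entry makes the override appear not to work.
Clear-DnsClientCache

# Show what the resolver now returns for each name (Resolve-DnsName honours the
# hosts file by default). After -Revert this should be the public address again.
foreach ($n in $Names) {
    $addr = (Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.IPAddress }).IPAddress -join ', '
    $state = if ($addr -eq $TestIP) { 'TEST SERVER' } else { 'public' }
    Write-Host ("{0,-28} -> {1,-20} [{2}]" -f $n, $addr, $state)
}
Write-Host "Backup written to $Backup"
```

Leaving the override in place after the test means every later CIS update, AV signatures included, is fetched from the test server rather than production, so run the script with -Revert once the 1.6.1 recognizer is confirmed.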

Done, will post if I find any anomaly.

Nice. Here are some pics of new VirusScope detections.

You can also add ransomware satan to the list. :slight_smile:

Detected as Generic.Trojan@41
Detected as Generic.Trojan@46
Detected as Generic.Trojan@41

Any way I can manually download the update file and move it to the COMODO folder? Because it seems I’m not getting anywhere updating to 1.6.1.

I used these proxy and hosts settings; I disabled download.comodo.com to get the recognizers. You should get errors when CIS tries to update other modules.

It came back. Is this what the DLL should look like?

Yes you got it.

On a side note, I don’t see Locky ransomware on the list. Just in case anyone else is wondering, I’m assuming that it’s because many Locky ransomware variants detect sandboxes and terminate, therefore there is no point in adding it, or it’s because the recognizers also generically detect the mechanism which Locky uses to encrypt files due to similarity with other ransomware, similar to how Satan ransomware was detected but not technically on the official list of what VirusScope should detect.

WannaCry isn’t on the list either. I wonder why. All the bad files in the list above are in the DLL though?

WannaCry is on the list, check again ;).

And yes, all the recognizers for the malware in the list should be in that DLL. Some families of ransomware have a very large range of variants, particularly Cerber, so it may not detect all the variants of a ransomware family.

I found it, I was looking too fast that I bypassed it. ;D :-TU

@Protected_PC I’m sure that Locky not being included on this has to do with the sandbox detection technique of a large portion of Locky variants; if Locky didn’t detect sandboxes and close itself upon detection, it would be very remiss of Comodo not to add detection, as Locky is a mainstream ransomware threat. Since Locky doesn’t bother to run in the presence of the Comodo container, Comodo doesn’t need to bother to add a recognizer for it.

However, it would be nice if Comodo VirusScope could generate some warning if it detects when a malware potentially searches for virtual machines, sandboxes, or any possible analysis environment. That way, the user is less tempted to open the application outside of the container after seeing that the file doesn’t “work” inside the container.

Excellent! :-TU

Thanks umesh and all team.

Tomorrow I will test…

Cerber 1.0 - detect
Cerber 2.0 - detect
CryptoLocker_Crilock.A - detect
DMALocker 4.0 - detect
Locky OSIRIS variant - detect
Sage - detect
Sage2.2 - detect
TeslaCrypt - detect
TeslaCrypt 2.1 - detect
TeslaCrypt 3.0 - detect
TeslaCrypt 4.0 - detect
Trojan: Emotet - detect

I guess my post was a bit confusing. Sorry. You should change order of update servers as in my attachment. That way, other updates will work.

This locky sample is detected. You should try other locky samples using search on the main page.

That was strange, the way I had to disable the main server to get the V.S. updates to work; when I had both enabled it said it downloaded the update but it didn’t apply it. The order of the servers matters for some reason, I guess.

So V.S. also detects Locky, and Emotet, which is a banking trojan.

That’s an interesting website, I will test samples from there.

Just did a test using that website. Results of VirusScope (autosandbox enabled, antivirus and cloud lookup off). I let them run for an extended amount of time:

GlobeImposter (2 samples) - blocked 2/2
Cerber (5 variants) - blocked 5/5
Spora - blocked
Jaff - blocked
Mole (2 variants) - blocked 2/2
Matrix - blocked
CryptoShield - blocked
Mordor - missed (not detected by V.S.)

Mordor variants:

Hi,
I have updated the list and added Locky and Satan to it.
We have tried to cover the behavioral activities used in a typical cryptolocker, so don’t be surprised if tomorrow a new ransomware comes on the market and you find the recognizer already detecting it :slight_smile:

Thanks for all the feedback.

Thanks
-umesh