Recognizer v1.6.2.15 for Comodo Cloud Antivirus (RC)

Hi All,
Thank you for testing the recognizers in the previous release, v1.6.0, where we finally released recognizers in test mode to verify performance and false positives.
We have evaluated the false positives and plan to release the updated recognizer as v1.6.2.15 in non-test mode (i.e. when a detection is made, you will be informed).

This version replaces the previous v1.4.0.0 as well, so after you have updated you will see 1.6.2.15 and won’t see v1.4.0.0.
Please see the enclosed snap, which shows how it should look after the update.

But before we do that, we would like some feedback about product stability with the new recognizer version.

We have made the recognizer version live on the test server, and you can use the following steps to receive this new recognizer:

Step - 1: Make sure you have the latest CCAV version installed.

Step - 2: Add the following hosts entries:
91.209.196.83 download.comodo.com
91.209.196.83 www.download.comodo.com

Step - 3: Unfortunately, like CIS, we don’t have a manual updater in CCAV at the moment; it is being worked on in the ongoing sprint and will be released in the Jul-2017 release. CCAV checks for program updates once a day, so you will have to change the date to the next day and restart the system, or wait for the next day.

Step - 4: Wait around 5-10 min after the system restart. You can then check in CCAV’s About box that the recognizer version shows 1.6.2.15, as in the enclosed snap. Alternatively, you can verify the actual file in the following location:
%Programdata%/Comodo/CCAV/evc/recognizers/proto_v9/recognizerCryptolocker.dll
with the following SHA-1:
SHA-1: a4eab2f8928f338318b6f0f8527bf747bb9570ad

Objectives:
Looking for CCAV stability and any abnormal CPU / RAM usage.

Here is the full list of malware, mostly different ransomware families, that the recognizer watches for; detection is made based on behavior patterns:

Backdoor (2)
Backdoor.MSIL.Bladabindi
Darkcomet

Fileless Trojan (3)
Gootkit/Xswkit
Kovter
Poweliks

Password Stealer Trojan (1)
Primarypass

Ransomware (52)
7ev3n
AdamLocker
BleedGreen
Cancer
Censer
Critroni
Crowti
CRY LOCKER
Cryakl
Crypmod or ZeroCrypt
Cryptolocker
CRYPTOMIX
Cryptorium
CryptoWall
CryptXXX
Crysis
DeriaLock
DMALocker
EnkripsiPC
Falock
FireCrypt
Genasom
Globe Imposter
GOG
Haperlock
HiddenTears
Hollycrypt
HydraCrypt
JigsawLocker
Kelnoc
Locky
Manifestus
Philadelphia or Stampado
Ransom.NoobCrypt
Razy
Roga
Sag2.0
Sage
SageCrypt or Milicry
Sarento
Satan
Shieldcrypt
TeslaCrypt
ToCrypt
TorrentLocker
Trojware.Win32.Filecoder.Ishtar.B
UltraLocker
Wallet/Dharma
WannaCry
Xorist
XRatLocker
YourRansom

Trojan (21)
Carberp
DarkKomet
Lethic
Necrus
Ropest
Sopinar
TrojWare.MSIL.Injector.~QWE
TrojWare.MSIL.Kryptik.IAS
TrojWare.MSIL.NanoCore.E
TrojWare.Win32.Agent.ZAQ
TrojWare.Win32.Fynloski.B
TrojWare.Win32.Injector.~DLDO
Trojware.Win32.Matsnu
Trojware.Win32.Phase.A
Trojware.Win32.PSW.Fareit.A
TrojWare.Win32.Ramnit.qg
TrojWare.Win32.Spy.Recam.zkg
Trojware.Win32.Spy.Weecnaw.H
Trojware.Win32.TrojanDownloader.Small.PRQ
Trustezeb
Ranbyus

Virus (1)
Grenam

A few names have been dropped since the last release as their detection was prone to false positives.

Note: Since the recognizer works based on behavior, we have tried to detect typical ransomware activities, so even if a malware family is not in the above list, it may still be detected.

Please try to run applications inside the Sandbox, as in CCAV only the activities of sandboxed applications are checked.

We would like CCAV users to give it a try and report if they see any abnormal CPU or RAM usage.

Looking forward to some results using CCAV.

Thank you
-umesh
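The following PowerShell script is an added example, not Comodo's code or part of the original post. It automates the checks from Step 2 and Step 4 above: it confirms that both hosts entries for the test server are active, and it compares the SHA-1 of the recognizer DLL at the posted path with the posted hash. The hosts file location and the use of $env:ProgramData for %Programdata% are standard Windows conventions; everything else (IP, host names, path, hash) is taken from the post.

```powershell
# Added example (not Comodo's code): verify the test-server hosts entries (Step 2)
# and the SHA-1 of the recognizer DLL (Step 4) against the values in the post above.
$ExpectedSha1  = 'a4eab2f8928f338318b6f0f8527bf747bb9570ad'
$ExpectedHosts = @{
    'download.comodo.com'     = '91.209.196.83'
    'www.download.comodo.com' = '91.209.196.83'
}
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$DllPath   = Join-Path $env:ProgramData 'Comodo\CCAV\evc\recognizers\proto_v9\recognizerCryptolocker.dll'

function Test-HostsEntries {
    # Parse the active (non-comment) hosts lines into name -> IP and compare with the expected entries.
    $active = @{}
    Get-Content -Path $HostsFile | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()           # drop trailing comments
        if ($line) {
            $parts = $line -split '\s+'
            if ($parts.Count -ge 2) {
                foreach ($name in $parts[1..($parts.Count - 1)]) {
                    $active[$name.ToLower()] = $parts[0]
                }
            }
        }
    }
    foreach ($name in $ExpectedHosts.Keys) {
        if ($active[$name] -eq $ExpectedHosts[$name]) {
            "OK       hosts: $name -> $($active[$name])"
        } else {
            "MISSING  hosts: $name (found '$($active[$name])', expected $($ExpectedHosts[$name]))"
        }
    }
}

function Test-RecognizerHash {
    # A missing file usually means the daily update check has not run yet (see Step 3).
    if (-not (Test-Path -Path $DllPath)) {
        return "MISSING  file: $DllPath (update not received yet?)"
    }
    $actual = (Get-FileHash -Path $DllPath -Algorithm SHA1).Hash.ToLower()
    if ($actual -eq $ExpectedSha1) {
        "OK       SHA-1 matches: $actual"
    } else {
        "MISMATCH SHA-1: got $actual, expected $ExpectedSha1"
    }
}

Test-HostsEntries
Test-RecognizerHash
```

Run it from an elevated PowerShell prompt (the hosts file is readable without elevation, but editing it later is not). A hash mismatch after the version in the About box shows 1.6.2.15 is worth reporting in this thread. Once testing is finished, remove the two hosts entries again so that updates come from the normal download server rather than the test server.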


Why don’t you add a manual update button for CCAV?

In the works, as mentioned earlier.

Are there plans to re-add detection for the ones that were removed if the false positives are sorted out? Or does the current set of recognizers provide similar levels of detection to the previous version?

Are there plans to re-add detection for the ones that were removed if the false positives are sorted out?
Being worked on.
Or does the current set of recognizers provide similar levels of detection to the previous version?
This is a superset. It covers all the previous ones plus new ones.

I haven’t tried these before with CCAV.

All the browsers I tried to run virtually (Dragon, IE11, Edge, Firefox and Opera) were, as expected, blocked when running with the default settings of Incoming and Outgoing blocked.

When I removed those settings, Dragon, Edge and Opera all worked fine,

but

IE wouldn’t function, with dllhost.exe and the COM Surrogate application being sandboxed each time.

Firefox started, but all tabs immediately and consistently crashed, even on default settings with add-ons disabled.

(This isn’t a big deal to me, but just so you’re aware)

Thanks, we will check.

Hi Ploget,
Did you restart IE or open a new tab after the setting was applied?
If possible, could you please provide us with the crash dump file of Firefox? procdump.exe is attached.

Thank you in advance!

Trojancrypt does not change extensions?

Why not create a file of texts, images, or code injections without a system?
For example, Viruscope identifies a specific trojancrypt, which may put it out of phase, but it is not monitored by files, only by running applications in memory.
Viruscope monitors non-executable files (txt, doc …); once they are changed by safe or unknown files, Viruscope blocks.

IE had nothing but default settings and default homepage . . .
see attached

I’ll send the Firefox dump later this evening

For some reason the dumps I would expect from the command line aren’t produced. With Procdump, I get the ‘was unexpected at this time’ result . . . although I may well be doing it incorrectly.

There are 2 Firefox dumps produced in Boxroot by Firefox, if they are what is expected?

Never had to use Procdump before, so any help would be appreciated!

You can share the dumps with us; hopefully we can capture something from them.
Thanks for your help!

If possible, could you please generate one dump file of IE? Task Manager -> process list -> right-click the IE process -> Create dump file.

Both Firefox files are attached in a zip.

Also, for your info, IE, Firefox and Dragon all run normally in the Container in CIS, but Opera pages crash instantly!

Hi All,
The recognizer update has been released to all CCAV users now.

Thanks
-umesh

Is it working now? Or still very weak??? I tested it with some malware that the AV already detects… I ran them in the sandbox but still no Viruscope detection.

Hi Ploget,
We found that you installed CCAV and CIS on the same system; Firefox crashed because of a sandbox compatibility issue. We suggest you install only one of them.
Thanks for your support!

I understood that if Auto-Containment was disabled in one or the other, there should be no compatibility issues?

Is this no longer true, or is it just these particular items?

No, you should keep only one of them; “disable” cannot resolve the compatibility issues.