Report trusted and whitelisted malware here! [Don't attach live malware!!]

Hello everybody

There is no doubt that Comodo’s whitelist is superior and it makes CIS more user friendly.

But some malware could sometimes get a trusted signed certificate, or accidentally get whitelisted!

We must fight that by all means!

So I thought it would be useful to open a new topic and report these "trusted" malware samples in it.

If you find files that are whitelisted but seem suspicious (for whatever reason), please report them here asap.

Just upload the malware to camas.comodo.com and virustotal.com, and post both result links here. The name of the trusted vendor or any other info could be useful too.

Please don’t attach or link to live malware!!

regards
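The report the opening post asks for needs the file's SHA-256 (which is the id used in the CAMAS and VirusTotal links posted in this thread) and the name of the signing vendor. The following PowerShell function is an added example, not code from the thread or from Comodo; it reads the hash, the Authenticode signature status and the signer subject from a local file and builds the CAMAS link. It assumes PowerShell 4.0 or later (for Get-FileHash) and the sample path is a placeholder.

```powershell
# Added example (not from the thread): gather the details a whitelist report needs
# for one suspicious file: SHA-256, Authenticode status and signer subject.
# Assumptions: PowerShell 4.0+ (Get-FileHash); the path in the usage line is a placeholder.

function Get-WhitelistReportInfo {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    # SignerCertificate is $null for unsigned files, so guard the property access
    $signer = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
    }

    $sha256 = $hash.Hash.ToLower()

    [PSCustomObject]@{
        File      = $file.Name
        SizeBytes = $file.Length
        SHA256    = $sha256
        # Status values include Valid, NotSigned, NotTrusted, HashMismatch, UnknownError
        SigStatus = $sig.Status
        Signer    = $signer
        # Same link form as the CAMAS links posted in this thread
        CamasLink = "http://camas.comodo.com/cgi-bin/submit?file=$sha256"
    }
}

# Usage (placeholder path, replace with the file you want to report):
Get-WhitelistReportInfo -Path 'C:\samples\suspicious.exe' | Format-List
```

A `SigStatus` of `Valid` together with a `Signer` subject tells you which vendor's certificate the file carries, which is the "trusted vendor" name the first post asks reporters to include; `NotSigned` means the file can only have reached the trusted state through the whitelist itself, not through a signature.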

Wrong section imo.

crash_icons[1].exe

It’s a trojan in the whitelist.

http://camas.comodo.com/cgi-bin/submit?file=a02df23e81d3e708a511020c01a62fc8457c4738df77cabddf92f42c6e1b8df9

http://www.virustotal.com/file-scan/report.html?id=a02df23e81d3e708a511020c01a62fc8457c4738df77cabddf92f42c6e1b8df9-1293744488

[attachment deleted by admin]

Guys, can you check this one?

http://camas.comodo.com/cgi-bin/submit?file=89f776398451f81f9859384c4a65a1a82875c855faf9ac7b2e2fd4bbda7f3b30

http://www.virustotal.com/file-scan/report.html?id=89f776398451f81f9859384c4a65a1a82875c855faf9ac7b2e2fd4bbda7f3b30-1293752665

The file is signed by Shanghai Emoney Software Technology Company Ltd.

And this one is marked suspicious by CAMAS and whitelisted by CIS 5!

http://camas.Comodo.com/cgi-bin/submit?file=89f776398451f81f9859384c4a65a1a82875c855faf9ac7b2e2fd4bbda7f3b30

http://www.virustotal.com/file-scan/report.html?id=89f776398451f81f9859384c4a65a1a82875c855faf9ac7b2e2fd4bbda7f3b30-1293754039

[attachment deleted by admin]

What’s wrong with the normal method of reporting?

AV False Positive/Negative Detection Reporting

As you wish, but I thought that this is not a normal negative detection, as these are trusted-signed or whitelisted malware and they can easily and completely bypass Comodo security layers, unlike unknown malware.

Anyway, I hope that these bypasses get fixed asap.

thanks

Hello siketa

This one is the same that I reported after your post! But it’s not signed at my end; it’s only whitelisted.

Hi salaficall,
We are going to have a look at it and will get back to you after investigation.
Thanks and Regards,
Lin mengze

Hi siketa,
We are going to have a look at it and will get back to you after investigation.
Thanks and Regards,
Lin mengze

Hi salaficall
This file is not malware.

Thanks and Regards,
Lin mengze

Hi mengze.lin

So is it a false positive from 7 AVs’ results?

@ salaficall → https://forums.comodo.com/empty-t65308.0.html

It’s adware, and it creates a malicious service, Application Updater!

Name: Adware.Win32.3D Crash Icons

Risk level: Low Risk

Company: 3D Desktop, Ltd - http://3d-icons.com/

Description:

3D Crash Icons is an adware that uses aggressive, deceptive advertising. It shows deceptive and/or false messages. It may be installed without adequate notice and consent, often through exploits.

And please check these links:

http://comprolive.com/remove/unwanted/app/dealio-toolbar

http://www.spywareterminator.com/item/3347/3D-Crash-Icons.html

http://www.threatexpert.com/report.aspx?md5=2c87ce8e67fedbad1d422290ed7f3df5

regards

Also, there should be a big difference between something not being malicious and being worthy of being included in the whitelist. There should be a gray area between.

Rootkit.HiddenFile@0 c:\Windows\SysWOW64\WinFLdrv.sys
Rootkit.HiddenFile@0 c:\Windows\SysWOW64\sys_drv_2.dat
Rootkit.HiddenFile@0 c:\Users\Дмитрий\AppData\Roaming\systemfl.$dk

They are detected by CIS 5.3 only in the “Critical Areas” scan mode, as Rootkit.HiddenFile@0.
WinFLdrv.sys is digitally signed by NewSoftwares.net Inc. SDN. BHD.; it hides itself and the two other files so that they are not visible even when display of hidden and system files is enabled.
I have never installed or downloaded any software from NewSoftwares.net Inc.
Just in case, I removed newsoftwares.net from my “Trusted Vendors” list.

http://camas.comodo.com/cgi-bin/submit?file=eb4a78d6546e9dcf5e4632c2323d2a8a3fd0e72004d716bca759a570bd34f2f7
http://camas.comodo.com/cgi-bin/submit?file=301efe96ae6091c4986a183606cbf908ff035f8835a302554af41e64a49c2dc6
http://camas.comodo.com/cgi-bin/submit?file=2b88e3bc5d3c7564617db356e0bcabe3fd30da68adcce03b36f6fad68eecc3e1

http://www.virustotal.com/file-scan/report.html?id=eb4a78d6546e9dcf5e4632c2323d2a8a3fd0e72004d716bca759a570bd34f2f7-1294229213
http://www.virustotal.com/file-scan/report.html?id=301efe96ae6091c4986a183606cbf908ff035f8835a302554af41e64a49c2dc6-1294228349
http://www.virustotal.com/file-scan/report.html?id=2b88e3bc5d3c7564617db356e0bcabe3fd30da68adcce03b36f6fad68eecc3e1-1294228342

This is not the correct topic to report false positives.

I could be wrong, but that appears to be what you have posted.

What makes you believe these files are actually malicious?

CIS 5.3 complained about them in the “Critical Areas” scan mode.
Yes, it is probably a false positive.
I was asked to post here in this thread:
https://forums.comodo.com/empty-t67478.0.html

Hi!

Here are some VT links.

http://www.virustotal.com/file-scan/report.html?id=635b2db857d108f0d0e3b997a08b797e0f7395d4a89de1b0bece10158e0e5805-1294251068

http://www.virustotal.com/file-scan/report.html?id=63f0885eb103ec291a5a42d1d5b07cd4cd9b86b3b8acc1418e1fb683f2436493-1294251047

http://www.virustotal.com/file-scan/report.html?id=631ab7f16d588def9eb44bc0c8e823928f7c6c3f0be4c4d493ab657ebabcb28c-1294250747

Regards,
vv5204