Reported unrecognized file. Told to report here instead.

CIS 5.3.176757.1236 (firewall+antivirus)
Windows XP Pro SP-3

Went to install Machete Lite video editor (see URLs in comment below added in submit report to see what product I’m talking about). This is a simple video editor that lets me edit out parts of a video that I don’t want. It’s just a really simple editor but it does clue me in that I have to be at a key frame for the edit to work correctly. It might do more but that’s all I am using it for now. An alert came up from CIS saying the app would get sandboxed (partially limited). That means it is an unrecognized file and sure enough it was listed under Defense+ → Unrecognized Files.

Cannot use the Submit button in the Unrecognized Files window. That’s broken. The dialog appears saying “Submitting … Initializing …” but doesn’t do anything and after 3 hours the progress bars haven’t been updated. So I have to use the web page to submit unrecognized files; however, that page explicitly says it is for reporting malware and false-positives. Well, I guess an unrecognized file is a false-positive because CIS ends up sandboxing the unknown file because it is not in its whitelist.

So I submitted the following report to get Comodo to update their whitelist so they would later add this file (an installer) to their whitelist. Here’s what I said (reporting it as a false-positive using their web page) for the comment so they knew where it came from:

Installer for Machete Lite Video editor. See product page at http://www.machetesoft.com/. Originally found at http://www.softpedia.com/get/Multimedia/Video/Video-Editors/Machete-Lite.shtml. I believe Softpedia won’t allow malware on their site, and adware gets listed as “ad-supported”.

This is Comodo’s response:

The sample you have submitted as false-positive is not detected by Comodo Internet Security version 5.3.176757.1236 with database version 7507. Please make sure the Antivirus database is updated and check again. If detection is still present, please submit the file on Comodo forums

Okay, I didn’t record the database version at the time I submitted the unrecognized installer file. Currently I have version 7517. I ran the installer (but cancelled) to see if CIS would complain again. It had already been removed from Unrecognized Files (and I didn’t move it to Trusted Files because it’s an installer and I shouldn’t see it again unless I rebuild my host). When I run the install again, I get a red Defense+ alert popup that says:

MacheteLiteInst.msi could not be recognized and requests unlimited access to your computer.
Unidentified Publisher
Not digitally signed.
Should not be trusted.

So a later signature database and whitelist still don’t know about this installer file. Well, I figured it wouldn’t when my report got pushed off, telling me to begin the submit all over again here. Before when I did the install, I had to select Allow to continue the install. Apparently I’m not to use the malware/false-positives web page to report unrecognized files as I was told earlier but instead log on to this forum and report it here. Geez, sure be nice if the Submit worked under Unrecognized Files. They told me to dump the report here so I did.

Hi VanguardLH,

The purpose of the submission form (Comodo Antivirus Database | Submit Files for Malware Analysis) is to send Comodo Antivirus Lab samples that are suspected to be malware, for analysis and for creating detection if that’s the case, or to notify us that a legitimate application was flagged as malware (false-positive).

Requests for whitelisting applications or legitimate files can be made on this topic: Comodo Forum

Applications which you know, trust and are not yet whitelisted can be added to Trusted Files list in CIS: Defense+ → “Trusted Files” until safe verdict is reflected within Comodo Internet Security.

We will verify and whitelist the “Machete Lite Video” application if it’s found safe.

Thank you for your feedback!

Regards,
Ionel

Okay, so now I’ve been told a 3rd time to post somewhere else. I put a shortcut for this link in my Start folder for CIS and named it “Report - Unrecognized file”. Thanks for the info.

Applications which you know, trust and are not yet whitelisted can be added to Trusted Files list in CIS: Defense+ -> "Trusted Files" until safe verdict is reflected within Comodo Internet Security.

This was for an installer file when executed. There is no option in the popup to temporarily trust this file during the term of its process’ existence; i.e., to trust only as long as this instance of the process was in memory. Since it is unlikely that this installer will be executed again during the existence of this instance of Windows on my host, there’s no reason to pollute the Trusted Files list with a program that won’t be executed again. If I have to do a fresh install of Windows, that instance of CIS won’t know about me trusting this installer in the prior instance of Windows. It’s not logical to populate the Trusted Files list with files that are likely to be seen only once. Users may have to review that files list occasionally.

A better solution would be to let the user temporarily disable the Defense+ and Sandbox functions of CIS. While the user can do this using the system tray, the choice is on or off. Other security products, like Avast, let the user choose to disable the protection indefinitely, 10 minutes, 1 hour, or until a reboot. That way, with the last 3 choices, the user doesn’t forget to reenable that protection.

In my case, I terminated the installer, disabled Defense+ and Sandbox (maybe all I need to disable is Defense+ which might also eliminate Sandbox), ran the installer again (since I’m going to trust it anyway), and then reenabled Defense+ (and Sandbox). Then I deleted the installer’s entry under Unrecognized Files since I can’t use the Submit there, anyway (doesn’t work), and if it is run again sometime later then I’ll be trusting this installer again and don’t want it sandboxed.

We will verify and whitelist the "Machete Lite Video" application if it's found safe.

Thanks again. I’m hoping it tests out okay.