Does the sandbox create virus signatures?


The sandbox CIS analyzes suspicious files.

Does the CIS sandbox also create new signatures for these suspect files and add them to the signature base?


The sandbox doesn’t analyze suspicious files… it isolates them (drops their rights) so they cannot make critical changes to the system.
Analysis is done in the cloud. Valkyrie is the future…

But why does CIS not display a malware alert before the file is run in the sandbox, but does so afterwards?

I believe it’s uploaded to the cloud to be scanned.

Believe?

But what really happens?

Because the signature for that specific malware file is not yet part of the local virus database.
It is detected by the cloud scanner and will be added to the local database in the next few updates.

In the default config you have “Perform cloud based behavior analysis of unrecognized files”.
This will upload ‘unknown’ (and thus sandboxed) executables to Comodo’s analysis servers, where they are run through an automatic process which determines whether the executable is suspicious or not. If it is found suspicious, an automatic signature is created for this file, and the next time it is run the CIS AV will flag it as suspicious.

In case it’s not in the local database yet, in the meantime it’s scanned in the cloud because of the setting ‘Automatically scan unrecognized files in the cloud’.

That’s what happens.
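As an added illustration (not code from this thread or from Comodo), a small Python model of the sequence the post describes: a file unknown to the local database is run with restricted rights and submitted to cloud analysis, and the local alert only appears once the resulting signature arrives with a later database update. The cloud verdict rule and the file contents are constructed for the example.

```python
"""Toy model of: local signature miss -> restricted (sandboxed) run + cloud
analysis -> signature published -> local AV alert on the next run.
Constructed example; the verdict rule is a stand-in for real analysis."""
import hashlib


class LocalSignatureDb:
    """Local virus database: only knows what previous updates delivered."""
    def __init__(self):
        self.signatures = set()

    def update(self, new_signatures):
        self.signatures.update(new_signatures)

    def contains(self, digest):
        return digest in self.signatures


class CloudAnalysis:
    """Stand-in for the cloud analysis servers (hypothetical)."""
    def __init__(self):
        self.pending = {}  # digest -> verdict waiting for the next update

    def submit(self, digest, content):
        # Constructed rule: a marker string plays the role of bad behaviour.
        verdict = "malicious" if b"delete-shadow-copies" in content else "safe"
        if verdict == "malicious":
            self.pending[digest] = verdict
        return verdict

    def publish_update(self):
        """Return the signatures produced since the last update."""
        sigs = list(self.pending)
        self.pending.clear()
        return sigs


def run_file(content, local_db, cloud):
    """Decide what happens when a file is executed on the endpoint."""
    digest = hashlib.sha256(content).hexdigest()
    if local_db.contains(digest):
        # Known signature: blocked with an alert before anything runs.
        return {"action": "blocked", "alert": True, "sandboxed": False}
    # Unknown file: run with dropped rights, and ask the cloud in parallel.
    verdict = cloud.submit(digest, content)
    return {"action": "run_restricted", "alert": False,
            "sandboxed": True, "cloud_verdict": verdict}
```

Running the same file twice before an update is published shows why the alert is delayed: both runs are sandboxed, and only after `publish_update` feeds `local_db.update` does the file get blocked up front.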

Now I understand.

Another thing: has anyone noticed that the CIS firewall log at the highest level (version 5.8.213334.2131) is not working?

Thanks again

Mine logs perfectly fine. What is missing, and does that rule have the ‘log’ option active?

Might be better to create a new post on this.

This might help
