Signatures are not dominant over heuristic detection for all files

The bug/issue

  1. What you did:
    Scanned a set of malware samples twice. Once with heuristics set to low and once with heuristics turned off.

  2. What actually happened or you actually saw:
    With heuristics turned off the samples were detected with signatures. With heuristics set to low the samples are only detected with heuristics.

  3. What you expected to happen or see:
    If a signature is available it should be detected by that and not by heuristics.

  4. How you tried to fix it & what happened:

  5. If it's an application compatibility problem have you tried the application fixes?:

  6. Details (exact version) of any application involved with download link:
    I made a topic in the Malware Research Group about this. I have not noticed this behavior with all files, but in the topic I attached the 9 files that exhibit this behavior.

    The link is here.

  7. Whether you can make the problem happen again, and if so exact steps to make it happen:
    Yes, it happens every time. Just scan them with different heuristics settings.

  8. Any other information (eg your guess regarding the cause, with reasons):

Files appended. (Please zip unless screenshots).
I would attach the files here, except it is publicly available. The files are attached to this post.

  1. Screenshots illustrating the bug:
  2. Screenshots of related event logs and the active processes list:
  3. A CIS config report or file.
  4. Crash or freeze dump file:

Your set-up

  1. CIS version, AV database version & configuration used:
    CIS Premium 5.3.176757.1236
    AV Database version is 7446
    I have it configured as described here. The real-time scanner is disabled. Enable cloud scanning was checked.
  2. a) Have you updated (without uninstall) from CIS 3 or 4, if so b) have you tried reinstalling?:
  3. a) Have you imported a config from a previous version of CIS, if so b) have you tried a preset config?:
  4. Other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here.)
    Described in my article here.
  5. Defense+ and Sandbox OR Firewall security level:
    In general it is set to proactive security. Defense+ and Firewall are in Safe mode. Antivirus is disabled. Sandbox is enabled.
  6. OS version, service pack, no of bits, UAC setting, & account type:
    Windows 7 x64 fully updated. UAC is disabled. Account is admin.
  7. Other security and utility software running:
    No other real-time scanners besides CIS.
  8. Virtual machine used (Please do NOT use Virtual box):
    Not a virtual machine

I can confirm the same behavior on Win7, x32 Enterprise