Trojan passes by D+, Sandbox, Image Execution

I had a trojan completely ■■■■ past my D+ today on my test PC, COMODO says it is safe and trusted, made by Kaspersky Labs. I wasn’t sure if I should post this here or not yet, but I thought of the possibility of it being a flaw/bug in the current release of v5. If not feel free to move :wink:

It was active and running in memory un-sandboxed:

MD5: 89aaa9d55631fe2f405b5f895fca7fe4


Please sumbit the file [at] Comodo Antivirus Database | Submit Files for Malware Analysis
Or make a new threat [at] Comodo Forum


All set, submitted. But is this type of behavior normal? I would hate to think that, as it it opens my system up to an attack leaving COMODO Firewall clueless.

can you hook me up with a copy of it?

It is signed by Kaspersky: “Kaspersky Lab; VeriSign Class 3 Code Signing 2004 CA”
As I already says, verdict only by digital signature in D+ is not good enough for file to be declared as a safe/trusted

v5 from what I know should be doing it by sha1, and it is not signed, look at the VT report, unsigned at the bottom.

Hey bro, sure can. I just found out that I still have a copy of it of sitting under blocked-files. I can .rar it up, password it and send it to you. Just let me know.

thanks just send it to

I bet it says “signature is not valid”, if it is does Comodo check if certificate is valid?
Did you got your sample?

Languy, can you send it to me too please? Is it marked as safe or does it really have a valid signature from Kaspersky?


it really is signed and it is marked as safe also. I’ll e-mail it to you. Let me know what you find.


Can you post a virustotal link and a cima link?

signature is not valid

[attachment deleted by admin]

How a non valid signature is valid for Comodo?
Can any developer give more details about this issue?

How comodo trust in certified files if it seems to be a very weak protection, is not the first time that we can read things about falsified signed files.

Found a similar file, also signed by kaspersky and not valid.


Tested on CIS V5 (1066 build), and it passes right through even if i disable the trusted vendors list, it still shows up in active processlist as “trusted” :-\

just tested this file on CIS 4.1 and it gets sandboxed, so thats a relief :-TU

So maybe is a bug in the beta, anyway we still need to know what happened with the other file

hi Guys,

Yes i have verified. This is a new bug in CIS 5 which does not verify the ceritifcate before chekcing the cloud for the vendor.

Good catch! Thanks for the feedback!