TrojWare.Win32.TrojanDownloader.Agent.~JBD@31855190

Today Ive been kinda bored and downloaded some samples that I later sent to comodo… (I send samples that are UD when heuristic is off…)

However, I do scan samples with heuristic on as well (just to see how many more are found…) :stuck_out_tongue: :)… And when I do I get findings like “TrojWare.Win32.TrojanDownloader.Agent.~JBD@31855190”

My question is simple…

Is that a naming for heuristic findings?? :-\ :o It sounds like a signature finding and perhaps something that should be detected even with heuristic off?

Wait you mean you get TrojWare.Win32.TrojanDownloader.Agent.~JBD[at]31855190 Only with Heuristics on?

I know that the Heuristics Engine (if on) scans before the Signatures.

Yes correct… Scanning the file with no heuristic and there is no warning about a infected file… When I turn on heuristic and rescan the file I get a “infected file” warning with that alert… :-TU

I think Ive seen similar stuff before as well but never really thought about it… I think its a weird naming for heuristic findings… :o

Yes that is weird, i have PM’ed Umesh, hopefuly he will repond.

Thanks, keeping the file then. =) If you like Ill PM it to you so you can confirm this “behavior”…

Sure ;D PM it to me.

Same thing here its not detected if heuristics are off.

Virustotal.com (no heuritics)
http://www.virustotal.com/analisis/4e0f602ae43a55dbba03cec03199fcd196884f047d553cc2750f6f22bf6ef210-1250638888
Virscan.org (Heuritics on low)
http://www.virscan.org/report/d3206199abdd3d6dd9029ae01bd0fb47.html

VT uses no heuristic… but virscan does… I learn something new everyday… :-TU :-TU
Thanks for the confirmation…

Hi,

Can anyone explain why VirusTotal does not use heuristics for Comodo.

Thanks.

Hi,
They do use highest heuristic mode as per information we have.
We will have to investigate this case.

This is basically Heur.Suspicious case, where name has been changed. We are going to make it available as standard detection where it will detect when heuristic is off as well.

Thanks
-umesh

Hi Umesh, just wanting to inform you: http://www.virustotal.com/sv/analisis/b931af1b61e92582986106204c9266b18393215ce2ab430463036e6806b85daf-1250693201

eg, That file was sent to comodo where I wrote “probably fake antivirus” or something similar… submitted here: http://internetsecurity.comodo.com/submit.php

It was not added as a definition… =/ A lot of files I send don’t get added… at least not in days… (the example sample was sent yesterday guess thats nothing to complain about) 88) 88) But your goal is to be quick?? Some files I sent through CIMA weeks/long back has not been added either. Perhaps some are false Positives… But there is a lot of files other (scanners) say are bad that comodo simply do not add at all… Just wanted to inform you about that…

=]