Trusted Malware

I just had a question:
does anyone know how all this malware gets trusted by Comodo?
https://forums.comodo.com/av-false-positivenegative-detection-reporting/report-trusted-and-whitelisted-malwares-here-dont-attach-live-malware-t67172.0.html
It seems like there are so many submissions every day and I'm just wondering how they're getting whitelisted in the first place.

+1000 :-TU

I already asked but received no answer… :-TD

I guess no one is going to answer my question

Typical Case goes as the following,

Trusted Publisher (AOL LLC, for example) creates software and signs it, and it gets submitted to Comodo… Now, if AOL LLC creates malware and publishes it, then the malware is automatically declared safe because AOL LLC is on the Trusted Vendors;

So, In Short Terms A Trusted Publisher can turn bad and start to create malware and that malware will be automatically allowed through CIS

Few other possibilities… I could explain but rather not

Cheers

Why would you rather not, Jacob?

The “trusted” (signed or whatever) issue, including the insanity of the thread like “include this & that Software as trusted”, was raised a loooong time ago by me (few weeks… could be just a month…) before the 1st fake digital signature arrived

Do you need a link or have you read that one? Hope so.

Then there are users that are not using TVL and they are completely right!

Finally, after all, according to some sources (do you want a link?), on average ~20 faked digital signatures a day! are discovered now by security experts

and what was the answer to me at that time when that was not the issue yet?
Do you remember?
Enjoy!

My regards

I would rather not because I’m exhausted and I’m losing my memory day by day, and I would like to focus on more things before my memory is completely faded away…

Regards to ~20 faked digital signatures; how many of them are revoked? … How many Trusted Vendors that are on CIS Lists distribute malware right now?.. Practically none…
CIS can detect whether or not a Code sign is revoked, thus providing an alert,

Yes, you were right a few months back, but now revoked signatures are a thing of the past… It’s all about the static trust of the Vendors (I’m in favor of not having a TVL)… but I am in favor of having a Global Community Rating… We can have 100% trust in Comodo, but when Comodo starts to trust other people is the problem :P… You can help others and help yourself at the same time 100% all the time… it just doesn’t work that way

I cannot remember, as I said before, my memory is certainly declining…

Cheers Friend

I’m really concerned by this statement (no irony here whatsoever) … at least have a rest

who said that !? I said 10-20 per day are discovered …

How? may I ask? and does it really matter. The Alert will be provided in any case when TVL is not in use - that is what users have to deal with.
All wrongly designed components around was just unfortunate failed attempt in order to reduce the Alerts (“by popular demands”) … that’s what many users cannot comprehend and that is why we are facing consequences

Thank you

Correct!

unfortunately this one is wrong!

Community Rating whether it’s Global or not means very little or rather almost nothing. That was discussed here in this forum and all over the place many times
As an example - that’s why “Threadcast” was never used here (and by many) and, as far as I know, was abandoned eventually - at least one of the right decisions made by Comodo developers

That is a very doubtful statement
Basically we have to test and eventually choose the security settings we like and use them
We must not ever completely trust any of them, though. Period!

Honestly, I did not get this, but that’s Ok - do not be frustrated by that

Cheers Jacob!

Let me see if i can get this :-La

> I'm really concerned by this statement (no irony here whatsoever) ... at least have a rest
dementia isn't something you can sleep over....

> who said that !? I said 10-20 per day are discovered ...
Eh; I was just covering the bases, that is all;

> How? may I ask? and does it really matter. The Alert will be provided in any case when TVL is not in use - that is what users have to deal with. All wrongly designed components around was just unfortunate failed attempt in order to reduce the Alerts ("by popular demands") ... that's what many users cannot comprehend and that is why we are facing consequences
How? Eh, Google it.. May you ask? sure :D ... does it really matter? yes; why does it matter? because many scenarios (or however you spell that word) .. can be permitted to show; like so: Company A is on TVL, but Mister Bad Guy edits Company A's binary to inject malicious code into Software A, making it Software B; thus the Code Sign has been hashed out to match Software A, not Software B.. so the Code sign is broken/revoked/invalid/gone/pixel fairy dust...... you get the idea, right? ...

Granted “the alert will be provided in any case when TVL is not in use - that is what #some# users have to deal with” (Sorry, I didn’t want to push the quote button)… I must say the philosophy behind the TVL isn’t a bad idea; it’s the methodologies we have in place to make the philosophy behind TVL an Actual Reality… It’s not TVL/Comodo’s Fault… It’s how we authenticate and verify what is good and what is bad… there is no unknown… (BIG Philosophy statement right there :smiley: Care to chatter more about it :smiley: )

> Community Rating whether it's Global or not means very little or rather nothing nothing.
I may have read this wrong, but then by that statement why are you here?.... and to what point are we not rating?...

> As an example - that's why "Threadcast" was never used here (and by many) and, as far as I know, was abandoned eventually - at least one of the right decisions made by Comodo developers
I'm not stepping on anyone's toes here,

> That is a very doubtful statement
Eh, I know, but giving an example of a "saying" ...

Forgive me, but I’m going to dissect your paragraph below;
Basically we(Global Community) have to test(Scientific Method :D) and eventually choose(Best Rating) the security settings we(Global Community) like and use them
We must not ever completely trust any of them, though. Period!

Hmmm… Sounds like the philosophy behind a community rating… (I said philosophy, not current method of introducing and applying the philosophy)

> Honestly, I did not get this, but that's Ok - do not be frustrated by that
Frustrated over 9 Words?.. I'm not the type :) I like conversating and correcting and explaining the inner workings of "Jacob"

Cheers Friend;

(By the way, I didn’t re-read the above so I hope no harm done and no foul … you know this isn’t baseball hahaha :slight_smile: )

But yes, I’ll retire to my bed; Good night

We are talking about trusted malware that is not signed… :wink:

… I’m gonna try to be easy…
and simply say, Can you provide a link to a report with a ‘trusted malware’ that is not signed?
80% of those listed are signed (based on random clicks of 30 reports)…

Umesh characterises the problem of signed malware as follows:

This is the real world we are operating in.

I like to see digital signing (not Domain Validated ones) as analogous to a company being registered with the Chamber of Commerce. It creates a legal trail to the company so they can be held legally accountable.

The fact that a company is registered makes it more credible and we are more likely to trust it. Does that mean all registered companies never go astray? No. That’s why there are (law enforcement) agencies to check them and investigate them when needed.

That’s exactly what is going on with digitally signed malware. Luckily we have a motivated set of malware searchers among our users that I would like to give kudos to.

Luckily most of the signed is “only adware”. Not the heaviest kind of malware. Sorta like in the rest of the world. Lots of misdemeanors, more so than serious crimes.

That being said, Comodo end users need and deserve to have a TVL that can be easily edited because products like CIS, and Opera browser, have a base of loyal advanced users that are drawn to it because of customisability.

Will the upcoming v 5.4 bring that desired easy to edit TVL? Unfortunately it doesn’t. Will it come with v6? I don’t know but surely hope so.

I hope reconfiguring the TDL as per the user's wish, which is much desired, is intended to come in CIS before v6. Or just a special update with this change…

This is a serious problem and it needs to be addressed in a better way instead of revoking the certificates upon being identified in the wild.

Just check “Report trusted and whitelisted malwares here! [Don’t attach Live Malware !!]” topic… :wink:

Please re-read the quote,

Ok, let the ratio be 80%, but what about the other 20%?

Read what Eric said :stuck_out_tongue: