Trusted Vendors cannot be trusted.

Hi,
I don’t exactly know how this digital signature thing works, but it’s really unsafe if it keeps going like this.

Short story.
This is an Xmas ransomware sample with an invalid digital signature.


And… CCAV trusted it, even though I removed all entries from the Trusted Vendors list. They automatically come back.
I’ve tested CIS, and CIS recognized it as unknown when offline. (It’s been recognized as malicious now, so I have to test offline.)

Files with certificates are not always secure.
What could lessen this would be to have greater control over main applications and target applications (trojan RATs do this and are quite old).
Example: svchost - Windows Update; svchost - dllhost … these apparently are legitimate requests, but can be used by hidden and unknown malware.

One solution to this would be to isolate or block requests different from those made by the system, though it still runs the risk of malware leaking data (fortunately or unfortunately, this is not exclusive to Comodo).

Thanks for responding.
I think what you mentioned is more complicated than this.

All I want to say is: CCAV shouldn’t treat a file with an invalid signature as if it had a trusted signature.
It looks like CCAV only checked the vendor name on the signature and let it pass. I’m not sure, so I didn’t make it clear.

Interesting… could you provide the sample? This shouldn’t be happening, as both CIS and CCAV use the same trusted file and vendor list when doing an online lookup.

Hi Abe96,
Can you please share the SHA-1 of the sample you mentioned or a link to VirusTotal?

CCAV does check for the validity of the certificate before using the signer name, so we want to investigate further.

Thanks
-umesh
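An added example, not part of this thread and not Comodo's code, showing the two decision rules discussed above side by side: one that consults only the signer name on the certificate, and one that first requires the Authenticode signature to verify before the name is even considered. The `$TrustedVendors` list and the vendor subject in it are constructed placeholders.

```powershell
# Added example (not Comodo's code). Compares a name-only trust rule with a
# validity-first rule for Authenticode-signed files on Windows.
# $TrustedVendors is a hypothetical allow-list keyed on certificate subject.
$TrustedVendors = @('CN=Example Vendor Inc, O=Example Vendor Inc, C=US')  # constructed

function Test-TrustedVendorFile {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Weak rule: only asks "does the name on the certificate match a trusted vendor?"
    # A file whose signature does not verify still carries a signer certificate,
    # so this rule can say "trusted" for an invalid signature.
    $nameMatches = $null -ne $sig.SignerCertificate -and
                   ($TrustedVendors -contains $sig.SignerCertificate.Subject)

    # Correct rule: the signature itself must verify and chain to a trusted root.
    # Anything else (NotSigned, HashMismatch, NotTrusted, UnknownError, ...)
    # means the signer name must not be used for a trust decision at all.
    $signatureValid = ($sig.Status -eq 'Valid')

    [pscustomobject]@{
        Path            = $Path
        Status          = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        NameOnlyTrusted = [bool]$nameMatches                       # what a name-only check decides
        Trusted         = [bool]($signatureValid -and $nameMatches) # validity checked first
    }
}

# Usage: run over a folder of samples and compare the two columns.
Get-ChildItem -Path 'C:\samples\*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-TrustedVendorFile -Path $_.FullName } |
    Format-Table Status, NameOnlyTrusted, Trusted, Signer -AutoSize
```

A row with `NameOnlyTrusted` true and `Trusted` false is exactly the case reported in this thread: a recognised vendor name sitting on a signature that does not verify.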

SHA1: c8be4500127bfce10ab38152a8a5003b75613603

Thanks.

Thanks Abe96,
Can you please provide details of your operating system with service pack?

Windows 8.1 6.3 build 9600 (64 bit)
It’s running in VirtualBox 5 for testing some software and malware, so I don’t upgrade it regularly.

Thanks Abe96,
We are investigating further, although a simple test on Win7, 64-bit showed CCAV detecting it as malware.

We are checking further if there are any race conditions.

Thanks
-umesh

Hi Abe96,
Please also help us with how you got this file, i.e.

  1. Installed via some software
  2. Downloaded as archive
  3. Downloaded standalone file from some site
  4. Copied from some other system

or any other way.

Thanks
-umesh

Also Abe96,
Can you please scan the same file on your host OS with CCAV and share the results?

Thanks
-umesh

It was decompressed from the archive in a VirtualBox shared folder.
[update] The sample is from Malware Traffic Analysis.

I forgot to mention. I’m using a Chinese-Traditional version of OS.
I changed the language when taking the screenshot to make it clearer.
Sorry, it’s kinda misleading.

Maybe it isn’t a common case, I’m ashamed now.


About testing it on my host OS: it takes me some time to uninstall my current AV, so please wait a moment.

And … No detection. (Windows 10.0.14393 64 bit CHT)
I don’t want to decompress it, my apologies.

CCAV really stutters on my host OS for no reason, it almost freezes my system.

Hi umesh,

I tested the sample in VirtualBox and CCAV didn’t detect it as malware; then I tried to send it to Valkyrie (online lookup) and it was detected as trusted.

Could you please test the sample in VirtualBox?

Note: CIS on my real system doesn’t detect it as trusted.

Hi All,
We have identified the bug, where in certain certificate states CCAV could treat the certificate as valid.
This bug is only valid for Win 8 and onwards.

We will have a hotfix for CCAV by next week at the latest to fix this.

Thank you for all your support.

-umesh

Hi All,
We have released v1.8.407387.418 to fix this problem:
https://forums.comodo.com/news-announcements-feedback-ccav/comodo-cloud-antivirus-18407387418-hotfix-version-is-released-t117941.0.html

As a risk mitigation, we have already removed the certificates in question from the cloud, so that existing users, even if not updated to the latest version, still remain protected.

We will add certificates back after updates are propagated.

Thanks
-umesh