Unrecognized file marked as 'Trusted' [Issue: #262]

Any updates on this? Could you try again, repeating your original procedure as closely as possible, please. Try several times if possible.

From the config file you sent me you do not have ‘block all requests’ ticked. Is this correct?

Best wishes

Mouse

I can’t reproduce this now but I think there is a problem. I guess it is down to timings.

I have not had the “block all requests when the application is closed” ticked.

I am now having problems with inconsistent CLT results. One time I run it, it is sandboxed and vulnerable to 2 tests; another time it is trusted and I get a much lower score. It should not have been trusted. The very first time I ran it I got loads of pop-ups and 100% passed. I probably had the sandbox off then.

I have just reproduced CLT being trusted. I copied the folder containing CLT to a new location but changed nothing in CIS. When I ran it, CLT.EXE and all its DLLs were added to the trusted list and many of the tests failed. It also clobbered my Firefox installation. Firefox.exe had been overwritten. Had to reinstall Firefox.

I have attached screen of processes running. CLT is marked as unknown installer and not sandboxed. “Automatically detect installers” was not ticked but “automatically trust files from trusted installers” was.

[attachment deleted by admin]

Thanks for your honesty. Since you cannot reproduce, I’m not sure whether to forward this. Frustrating for you I realise. If OK with you, I’ll ask another mod for advice.

Best wishes

Mouse

If you can replicate the Firefox problem, and can definitely attribute it to CIS, please post a bug in a separate topic.

Many thanks for all your contributions in this forum

Best wishes

Mouse

The CLT issue is repeatable. I copy the folder containing CLT and its files somewhere else, run it immediately and it is trusted. I have not run the tests again as it clobbers Firefox. I then take it out of the trusted files list and run it, and it is sandboxed when I run it.

Something must go wrong with new files. Perhaps while they are checked online they are temporarily trusted. I am sure there is a bug here that needs to be fixed.

Thanks again for all your help with this.

Please see the new topic created for the CLT variable results issue, from your text.

Sorry, I should have said that the CLT is trusted issue was known and has already been fixed - basically it got into the white list.

Your Firefox issue sounds like a CLT bug, so you’d need to raise a CLT issue. Maybe the only way to do this would be to PM Egemen. If you think it’s a CIS problem please raise a specific CIS issue for it.

I’m still thinking about the issue we started with in this topic. Maybe I need a bug in Bugzilla for inconsistent results under load. Was cmdagent or overall processor load high when the unrecognised file was marked as safe?

PS if I do forward it I’ll have to remove all the stuff about CLT, so please post any further on CLT in the new topic.

Best wishes

Mouse

My problem with CLT is NOT that it is on the safe list. Normally it gets sandboxed as untrusted. Sometimes it automatically gets marked as trusted when it should not. That is the problem. It appears to be the same problem as with my test programs. I will investigate more.

I have repeated this three more times. Copy the folder containing CLT and its associated files. Immediately run CLT in the new folder. It is marked as trusted by CIS. CLT.exe and all its DLLs get added to “trusted files” and it fails loads of tests. If I wait a while before running it after copying it, CLT is correctly sandboxed.

As for clobbering Firefox, CLT makes a copy of firefox called firefox.exe_ and then truncates firefox.exe. I guess this is part of one of the tests. I did not think it did anything destructive, but it is easy to undo.

Thanks Tcarribon. It’s possible that this is in some way specific to your system, but it certainly needs investigation, so I am forwarding it now.

Best wishes

Mouse

The bug/issue

  1. What you did: I downloaded a malware to my desktop from a “0 day malware” website.
  2. What actually happened or you actually saw: D+ trusts malware automatically.
  3. What you expected to happen or see: No D+ or AV alert.
  4. How you tried to fix it & what happened: I unticked the “Automatically trust files from…”.
  5. Details (exact version) of any software involved with download link: Download location only in a private message.
    Other link: http://www.virustotal.com/file-scan/report.html?id=4758294d9501a9aa89a27c18880b6f03d02c990bac2717b024cbbdbf787f5d28-1284975854
  6. Any other information you think may help us: I did not do anything else, I just downloaded the file.

Files appended

  1. Screenshots illustrating the bug: Attached
  2. Screenshots of related event logs or the active processes list: N/A
  3. A CIS config report or file: Attached
  4. Crash or freeze dump file: N/A

Your set-up

  1. CIS version & configuration used: 5.0.x.1135, Internet Security config.
  2. Whether you imported a configuration, if so from what version: Not imported.
  3. Defense+ and Sandbox OR Firewall security level: D+=safe, FW=safe, Sandbox=enabled, AV=stateful.
  4. OS version, service pack, no of bits, UAC setting, & account type: Windows XP, SP3, 32 bit, N/A, Admin account.
  5. Other security and utility software running: No other security software.
  6. CIS AV database version: 6140

[attachment deleted by admin]

This looks like my bug here: https://forums.comodo.com/moderator-verified-issue-reports-cis/unrecognized-file-marked-as-safe-t61787.0.html

Other comments.
CIMA says of more than one malware that it is “Undetected”. For example: → http://camas.comodo.com/cgi-bin/submit?file=8e7897223b800c5e1683c45544aa6cbf2912862002dbba3fa7cc18d39ab211a0

The VT says this file is: http://www.virustotal.com/file-scan/report.html?id=8e7897223b800c5e1683c45544aa6cbf2912862002dbba3fa7cc18d39ab211a0-1284986461

If CIMA says it is “Undetected”, we do not receive an alert in CIS V5. But it’s a malware… 88)

That is very interesting - are you suggesting that CIMA is declaring it ‘trusted’?

I’m not sure. Undetected = trusted?

No I was just wondering why you said:

“If CIMA says it is “Undetected”, we do not receive an alert in CIS V5.”

Which implies that it is trusted.

Are you talking about the same file as the bug report? IE the file 652512.

Mouse

Are you talking about the same file as the bug report? IE the file 652512.

No, this is a different file. On the malware website there are many to choose from.
In several cases, the result will be the same.

OK, I am merging this into tcarribon’s verified topic.

They seem the same to me. Please say if you disagree and I will split.

Mouse

All right.

I uploaded a video on YouTube, for developers.
I hope it does not violate the forum rules, please delete if it does.

Watch this in 720p:

Thanks that will be very helpful. Links to videos are fine I think, so long as content is non-controversial.