Upon Detection Auto-Update File Rating [M1949]

1. What actually happened or you saw:

An Unrecognized file is downloaded and executed. CIS applies Unrecognized rules in containing the file and the file is rated as Unrecognized in the local File List.

Alternatively, a Trusted file is downloaded and executed. CIS applies Trusted rules and allows the file to execute and the file is rated as Trusted in the local File List.

At a later time, the same Unrecognized or Trusted file is re-executed - but - by this time Comodo has reclassified the files as Malicious; the file is detected as Malicious either via signature or Cloud query. However, the file is still rated as Unrecognized or Trusted in the local File List.

2. What you wanted to happen or see:

When the file is detected as Malicious - the file rating in the local File List should be updated - automatically changed from Unrecognized or Trusted to Malicious. (Currently, the user has to manually change the rating in the File List).

3. Why you think it is desirable:

Not automatically changing a file to Malicious - that was previously Unrecognized or especially Trusted - within the File List upon detection could potentially cause re-infection under specific conditions.

For example, if the Malicious verdict is in the Cloud - and a signature has not yet been created and is not in the local signature database - and the system cannot connect to the internet - a Trusted (but now Malicious) file will be allowed to run instead of detected and blocked - if somehow re-introduced to the system - for example, by USB.

Re- or continued infection risks additional, preventable data theft.

The probability is low that such a scenario would happen - but it is nevertheless a security hole…

4. Any other information:

None.

Thank you for the feedback, we will check it.

Kind Regards
Buket

I thought trusted files are not scanned by AV?

Normally, you should use scanning with “Use cloud while scanning” enabled. The most vulnerable to such a scenario would be a Firewall-only configuration.
I’m not sure about the suggestion, since it implies a performance penalty. It’s more of an issue than a wish request, because “Rating Scan” ignores files rated as “Malicious” if rated as “Trusted” in the local file list. Perhaps “Rating Scan” should refresh the list. What do you think?

Thanks.

Hello qmarius,

My CIS is always configured Proactive Security with Cloud (FLS) enabled.

Maybe I was not very clear.

  1. Download - or - file already on system
  2. File in no. 1 is rated as Unrecognized or Trusted
  3. Get malicious signature update from Comodo for file in no. 1
  4. Execute file
  5. File is blocked by AV - because of malicious signature
  6. File Rating does not change from Unrecognized\Safe to Malicious - as it should

However, to answer your question - Yes. The File List ratings should change = AV malicious signatures, when a file is determined to be malicious. The synchronization should be real-time.

I think the issue is due to Comodo server\synchronization issues.

Best Regards,

HJLBX

Thank you for submitting this Wish Request. I have now moved this to the WAITING AREA.

Please be sure to vote for your own wish, and for any other wishes you also support. It is also worthwhile to vote against wishes you think would be a waste of resources, as implementing those may slow down the wishes you would really like to see added.

Thanks again.