Very strange file

Maybe you have written about this here before, but a malware file I have is strange. It is malware for sure (tested with VirusTotal and Malwarebytes), but my latest beta of CIS does not detect the malware, not even when the file is launched. I have the highest heuristics and the newest signatures. Comodo in VirusTotal finds “Unclassified Malware” in it.
My CIS installation should be OK; I have tested it against other malware, which are detected fine.
I have submitted this file before to Comodo.

Are you testing it in a virtual machine?

No, in a live environment; after testing I return my system to a clean state with Comodo Time Machine.

My guess - file trusted by Comodo.

Quite strange if Comodo in VirusTotal detects it. And why should they rely on a malware file?
I purged my personal trusted file list, but no change.

Guys, can someone check this file?

http://www.virustotal.com/file-scan/report.html?id=9f966d2ddcc5c1cffd304d93eca97259db0e3e229e714ff07ca1dd7c2d5d8d61-1312813322

It is detected only when scanning manually but can not be cleaned/deleted (it remains in the folder).
Why?

[attachment deleted by admin]

My VirusTotal results can be found here:
http://www.virustotal.com/file-scan/report.html?id=1307059dbc3d6c8eada5beef46f1d40f52859f559587ea4e9880773d73c1a972-1312881206

Jaskolen, can you see if the file is digitally signed and its publisher is on the Trusted Software Vendor List? Can you also check if the file is a Trusted File?

Can you upload the file to an online service and send me and other people who are interested a pm with the download link?

Thank you for the download link.

The file gets detected here on Win 7 x86 with v5.8 beta and on Win 7 x86 in VMware with v5.5. What OS are you running v5.8 beta in? Do you have other security programs running in the background? If so, try disabling them.

An interesting thing is happening here. When I tell CIS to ignore the file and add it to the exclusions, it will pop up each time I open the Properties of the file and check the Previous Versions tab for the first time, and \\localhost\M$\Users\Eric\Desktop\rarta.exe will be added to the exclusions. See attached image.

Notice there are several instances of \\localhost\M$\Users\Eric\Desktop\rarta.exe in the Exclusions list.

[attachment deleted by admin]

Not at all.
Check how many “detected and safe” malwares are submitted in “Report trusted and whitelisted malwares here!” topic.
Seems like trust has priority over detection. :stuck_out_tongue:

OK, now I uninstalled 5.8 beta and returned to 5.5. It detected the malware immediately. I had purged my 5.8 trusted files list with no change.
I also received a mysterious “Comodo antivirus has stopped working and you must reinstall it” when trying to do a manual scan. Mysterious indeed.

I think I will wait for the 5.8 final before updating.

Detection has precedence over Trusted:

Unknown Files: The Sand-boxing and Scanning Processes

When an executable is first run it passes through the following CIS security inspections:

Antivirus scan

Defense+ Heuristic check

Buffer Overflow check

If the processes above determine that the file is malware, then the user is alerted and the file is quarantined or deleted.

An application can become recognized as ‘safe’ by CIS (and therefore not sandboxed or scanned in the cloud) in the following ways:

Because it is on the local Comodo White List of known safe applications

Because the user has added the application to the local ‘Trusted Files’

By the user granting the installer elevated privileges (CIS detects if an executable requires administrative privileges. If it does, it asks the user. If they choose to trust, CIS regards the installer and all files generated by the installer as safe)

Source: Unknown Files: The Sand-boxing and Scanning Processes from the Online Help.

Eric, how do you explain malware files that are found safe and put into Trusted Files by Comodo?
Those files have a high VT detection ratio and most of them are detected by CAV.
Why are those files not cleaned/deleted?

Take this as example…
http://valkyrie.comodo.com/Result.aspx?sha1=eb643de3975f73d2f5144db64d2b916089abd73e&&query=1&&filename=fwproreport.exe

This file was also safe and detected at the same time but was not cleaned until I reported it…
http://www.virustotal.com/file-scan/report.html?id=24bf8de3d0d86607314164935e07e924b0631166c611a7491171ac9f57bc6ee8-1312735980

There are lots of examples like this…

Often trusted malware is from the adware family and gets installed by installers from vendors who are on the Trusted Software Vendor list. These adware files may have the digital signature of the TSV. This is what umesh tells about it:

I am not a Comodo employee nor a malware analyst, so I cannot and will not comment on this other than from my personal common sense. The VT link gives various judgments stating it is adware. Then the above applies; it got installed by a TSV installer and got signed in the process.

As to Comodo not detecting it even though it should, please start a separate topic about this. Don’t attach the malware to that post, but provide interested users with a download link for the malware by PM.