What happens in CIS5 if...

…an unknown (but actually malicious) program is sent to CIMA for verification, is found to be safe (even CIMA can’t be 100%) and is then automatically fully trusted by CIS in return (considering it places verified and found-safe files into the Trusted section)? Is it just me, or is such behavior not exactly safe?
It’s simple for novice users indeed and works in theory, but what about reality? From the looks of it this is a seriously flawed way of trusting files and can lead to disastrous results. What concerns me even more is that not a single person has asked about this till now. All that the bad guys have to do is craft a file that evades CIMA and voilà, the way is fully open. Unless there is some mechanism that would prevent that from happening. But I’m not aware of one…

As far as I know, only the programs in the whitelist (local and cloud) or the trusted list are not run inside the sandbox.
Maybe the file was in the Cloud whitelist.

It all depends on the quality of CIMA of course. Nothing is 100% safe.

It's simple for novice users indeed and works in theory, but what about reality? From the looks of it this is a seriously flawed way of trusting files and can lead to disastrous results.
Groundless assumption unless you have proof. Do you have examples of files that bypassed CIMA? Can you provide us with the CIMA, VirusTotal and Anubis links to their reports?
What concerns me even more is that not a single person has asked about this till now.
You are the first.
All that the bad guys have to do is craft a file that evades CIMA and voilà, the way is fully open. Unless there is some mechanism that would prevent that from happening. But I'm not aware of one...
Do you have intimate knowledge of how CIMA works? As far as I know you are not an ex-Comodo employee, so you cannot tell whether CIMA could prevent this or not.

The best I can make of the above is a question as to whether CIMA has been bypassed; the rest is, until further notice, speculation, your honour.

Show me a file that can bypass CIMA. Remember one file may bypass CIMA, but thousands of others will have been blocked.

I don't think that if a file is sent to CIMA from CIS it will ever go into trusted files; all CIMA does is help point out whether or not something may be malicious. It still stays in the sandbox, malicious or not.

I’m extremely doubtful as to whether seriously malicious behaviour could circumvent CIMA, even if it isn’t 100% accurate.

“All that bad guys have to do is to craft a file that evades CIMA and voila, the way is fully opened.” makes it sound like a trivial task, but, in reality, it’d require intimate knowledge of how CIMA works and/or an entirely new way to infect a system that doesn’t utilize any existing points of infection.

It may be possible, pretty much anything is, but likely? That’s another matter.

In fact we have this case already. So sad, but CIS is failing, IMO.
https://forums.comodo.com/beta-corner-cis/chinese-signed-malware-vs-cis-5-rc2-t61351.0.html;msg431846#new

CIS says it’s a safe executable, but in fact it’s pure malware >> http://www.virustotal.com/file-scan/report.html?id=d46aca87f28681a2428cb23de59b8a421407f1425ffbe47411a01d660347fdbe-1283775324


I tried it yesterday and I found that it only makes shortcuts and a toolbar in IE, with no running process and no file that starts with Windows. Anyway, they should take a look.

I think RejZoR has a good point. Granted, none of us here know exactly how CIMA works (and those that do will either never post here or post some semi-cryptic positive comment).

From the general computer knowledge and experience I have, CIMA sounds like a behaviour analysis tool. We all know that behaviour blockers, heuristics etc. give nowhere near 100% detection. It’s like relying on e.g. Prevx to tell you if a file is safe or not: it’s never going to always be reliable, and will always give a significant proportion of false positives and false negatives.

Melih himself has repeatedly promoted the concept of “default-deny” (as opposed to behaviour-blocking and heuristics) to be the “ultimate” line of defense. And of course, “default-deny” of any newly introduced file is the key to “100%” protection.

So if what RejZoR says is true (that is, anything that CIMA says is clean gets full execution rights), then I think there is a flaw in the protection mechanism (especially for purists like me haha). Of course, I don’t think CIMA has been tested thoroughly yet. Regardless, if it can somehow detect “100%” of all malicious actions, then why would we need anything else?

I have tested much malware not detected by the AV and not detected by CIMA, and this malware runs automatically inside the sandbox.
So the problem that he is describing does not exist; he has invented it.

CIMA only marks the file if it’s bad…
If it can’t reach a verdict on a file, it does NOT mark it as safe.

Melih

I like a precise and short answer. :)
Thanks

Interesting. You have to make one hell of a noise for someone to actually answer questions.

CIMA won’t mark it as safe (it marks it as undetected in the online scanner), but CIS will, based on the results from CIMA. I’ll have to check the behavior again, but from what I’ve seen, once the unknown file went through CIMA, CIS flagged it as Safe and Trusted and it was moved out of the Sandbox. The whitelist was clearly not involved, otherwise it would have been marked as trusted without any need to go through CIMA first.

Melih said that “if it can’t verdict a file” it doesn’t mark it as safe; if it’s able to do so, it presumably will.

Well, that’s what I’ve seen. I’ll check again with a custom-crafted EXE that is definitely not whitelisted.

I would like to see you get the kind of attention and answers you get in this forum from the CEOs of other major security vendors like Norton, McAfee etc. ;)

And let’s be honest RejZoR, you always start your posts with a big noise anyway :)

Melih

By the way, I got a keygen file that was “Scanned Online and Found Safe” and was automatically added to the local trusted files list.

I agree that the file may not be harmful, but how can it get into the cloud whitelist?

It’ll be interesting to see the results. I’m most intrigued by the borders of CIMA’s determinations, i.e. the point at which its positive verdict operates and when ‘unsure’ kicks in.

A keygen is not malicious per se. If all it does is generate a random key, then there’s no reason to flag it up.

Sorry, but when I tried it, it gave me a suspicious process to run after reboot (and it was trusted/installer in the D+ explorer).

RejZoR I thought you had left this forum, why are you still here?

..snip..

Mod edit: unreferenced citation removed, mainly since you beat me to it and only one is needed. :) kail