I was using Comodo Firewall last year, and after a new XP installation I decided to install Comodo Internet Security. After two days of normal web browsing I saw strange behaviour: too many outbound connections on the SMTP port.
1/ Even when I denied such traffic, the FW still allowed it to go out.
2/ When I found that I was infected with BN2.tmp and rs32net.exe I ran the antivirus and it found nothing.
So I had to use the F-Secure online scan.
How is it possible that CIS was not able to detect it? (PS: I have the latest virus update)
Product version 3.5.57173.439
Virus signature DB version 749
Windows XP SP3
There is not one AV under the sun that can DETECT all the malware out there. It’s that simple. However, Defense+ can PREVENT 99% of all malware, because you have control of what applications go on your PC. So now Prevention is your first line of Defense, not detection. Defense+ will Alert you and you can block it.
Anyway the virus database is growing. Zip and send the malware to Comodo and it will be taken care of.
Yes, I know it is impossible to detect all of them at once, but this is an older one, so I would expect it to be detected.
Anyway, I did submit a report from the GUI about that.
The file itself was deleted by the F-Secure online scan, so maybe next time.
The problem for self-defense is that the file itself is not doing anything visible, so you can see only svchost.exe running DNS and SMTP queries, but I have a few TCP captures. Do you think they will be helpful for you?
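The symptom described in this thread (a system process such as svchost.exe opening many outbound SMTP connections, while the host firewall is suspected of not enforcing its own deny rule) is the classic fingerprint of a spam bot and is easy to pick out of a connection log. The following script is an added example, not code from the thread or from Comodo; it assumes a simple constructed log format of one outbound connection per line ("timestamp process dst_ip:dst_port"), which could be produced from a packet capture taken on the gateway rather than on the host whose firewall is in doubt. It flags (a) any process that fans out to more than a handful of distinct SMTP servers inside a short window and (b) any process speaking SMTP that is not on an allow-list of known mail clients.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real capture data from the thread). Each line:
#   "<ISO timestamp> <process> <dst_ip>:<dst_port>"
# svchost.exe legitimately issues DNS queries (it hosts the DNS Client service),
# but it has no business talking SMTP; a bot hiding in it fans out to many MXs.
SAMPLE_LOG = """\
2008-11-10T20:01:00 firefox.exe 203.0.113.10:80
2008-11-10T20:01:03 firefox.exe 203.0.113.11:443
2008-11-10T20:01:05 svchost.exe 192.0.2.53:53
2008-11-10T20:01:06 svchost.exe 198.51.100.20:25
2008-11-10T20:01:07 svchost.exe 198.51.100.21:25
2008-11-10T20:01:08 svchost.exe 192.0.2.53:53
2008-11-10T20:01:09 svchost.exe 198.51.100.22:25
2008-11-10T20:01:11 svchost.exe 198.51.100.23:25
2008-11-10T20:01:12 svchost.exe 198.51.100.24:25
2008-11-10T20:01:14 svchost.exe 198.51.100.25:25
2008-11-10T20:01:15 svchost.exe 198.51.100.26:25
2008-11-10T20:02:30 outlook.exe 192.0.2.25:25
"""

SMTP_PORTS = {25, 465, 587}          # plain SMTP, SMTPS, submission


def parse_log(text):
    """Parse the constructed log format into a list of connection records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, proc, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        records.append({"ts": datetime.fromisoformat(ts), "proc": proc,
                        "ip": ip, "port": int(port)})
    return records


def smtp_fanout(records, window=timedelta(seconds=60), threshold=5):
    """Return {process: (distinct SMTP destinations, window start)} for every
    process that contacted more than `threshold` distinct SMTP servers within
    any `window`. A mail client talks to one or two relays; a spam bot talks
    directly to the MX of every recipient domain on its list."""
    by_proc = defaultdict(list)
    for r in records:
        if r["port"] in SMTP_PORTS:
            by_proc[r["proc"]].append(r)
    alerts = {}
    for proc, conns in by_proc.items():
        conns.sort(key=lambda r: r["ts"])
        for i, start in enumerate(conns):        # sliding window over connections
            dests = {c["ip"] for c in conns[i:] if c["ts"] - start["ts"] <= window}
            if len(dests) > threshold:
                alerts[proc] = (len(dests), start["ts"])
                break
    return alerts


def unexpected_smtp_speakers(records, allowlist=frozenset({"outlook.exe"})):
    """Processes that opened any SMTP connection but are not known mail clients.
    The allow-list is an assumption for this example; tune it per machine."""
    return {r["proc"] for r in records
            if r["port"] in SMTP_PORTS and r["proc"] not in allowlist}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for proc, (n, since) in smtp_fanout(recs).items():
        print(f"SMTP fan-out: {proc} reached {n} distinct mail servers from {since}")
    for proc in unexpected_smtp_speakers(recs):
        print(f"Unexpected SMTP speaker: {proc}")
```

Run against the sample, the fan-out check reports svchost.exe reaching 7 distinct mail servers within seconds while outlook.exe, with its single relay, stays quiet; the allow-list check flags svchost.exe as well. Either hit is enough to justify pulling the process off the network and collecting the binary for the AV vendor, which is exactly what the thread goes on to recommend.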
AFAIK rs32net.exe is not an older sample, although it is not unlikely that it is a new variant of another Trojan.
Since rs32net.exe registers itself in protected areas of a PC, the only likely explanation for these TCP captures is that D+ was unadvisedly configured to allow it to run.
If D+ policies were not purged there could still be a fingerprint confirming the weak points that led to rs32net.exe's unwanted execution.
Whatever the case, other than acknowledging the missed detection there is nothing else that could help other than submitting a sample to AV labs.
Right now you can't see which definitions CIS/CAV contain, but it has been requested for a future version: