When does the Defense+ Cloud scanner scan?

I am using the firewall part with Defense+ in CIS: I wonder when does the additional new files cloud AV scanning happen? I have tried to give the scanner opportunity to scan a malware file but it has not detected it. Otherwise it has scanned some old files and passed them. How long the machine should be idle or are they scanned only in certain intervals?

CIS will submit files to cloud whenever it encounters an unknown file.

Note that this behavior needs to be enabled by the user in version 5.3.

That was my question, when will it encounter the new file? I downloaded a malware file about 2 hours ago and it sits unnoticed in my hard drive. And as tested in Virus Total Comedo AV recognizes the trojan in it.

The file will be scanned when you execute it. You can test this with e.g. Trojan Simulator. CFW will give a Cloud Scanner alert when you run TrojanSimulator.exe.

I tested it with Trojan Simulator and it reacted when it was executed. But I also executed the trojan and scanner did not react, firewall did as expecyed and blocked the internet connection.
I have tested several of these trojans (mostly named video add-on) which some vendors call Kazy and CIS has not found them. Quite strange as the normal CAV used by Virus Total does.
ps. restored my system with Time Machine.

Are you using the AV in CIS?

The cloud scanner function in Defense+ is not an AV.

No I don’t use the AV part in CIS only the cloud scanner in Defence+. As I understand it is a malware scanner and it has found malware in my tests.

It checks the trusted status of the file and does behavior analysis, but it sounds like you are wanting it to behave like an AV.

So what exactly did this malware do? Did D+ consider it trusted, was it sandboxed, etc…

Actually D+ notified only that sindows installer API wanted to do something. Nothing was said to be sandboxed. Aftrerward Windows said that the file was not correctly installed. And the Firewall warned about the internet connection.

I retested it. It said the unrecognized file was trying to get full access. I allowed it. Then firewall askd about the connection which I allowed. Then CIS warned me about the malicious file and it removed it. I dont know if it had done its job already. The notification about unsuccessful installation popped up.

So it is an msi (Windows Installer) file? They are a little different, as the msi file itself is not executed. Intead, msiexec.exe is executed with a special command. Therefore CIS now can Do heuristic command-line analysis for certain applications. Since the msi file is not executed, it will not be scanned by the cloud scanner.
That is my theory. :wink:

It is an .exe file, it can be an installer. I forgot to mention that when running it I sent it to Comodo when requested.

Can you send me a PM with a link to the file, so I can see what happens? Thanks. :slight_smile:

Just want to gather some more information about the situation;

What version of CIS are you using?; As well as what mode is Defense+ and Sandbox is in?
and to verify; are the cloud options enabled in CIS > Defense+ > Defense+ Settings > Execution Control Settings and as well as Sandbox options.


V. 5.9.16…
Ihave sandbox in partially limited and the cloud scanning options on. It finds the trojan simulator and seems to find the malware in question after submitting it to Comodo.