Who is responsible for adding malware to the CIS whitelist?

It’s starting to be something extremely common to have malware whitelisted by COMODO:
https://forums.comodo.com/av-false-positivenegative-detection-reporting/report-trusted-and-whitelisted-malware-here2013-no-live-malware-t89869.210.html

Who is responsible for this in the company?
Any explanation on why this is happening?

It’s not a big problem IMO. How often will you meet a “trusted malware”? How often will other AVs let unknown files go through? Who is responsible? Probably some automated whitelisting systems.

“It’s starting to be something extremely common”

Not really, it has always been so.

It’s a problem that only COMODO has; no other AV vendor using a whitelist (almost all of them) has this kind of issue, so there is something completely wrong in the whitelisting process or they are doing it on purpose.

Only Comodo? If I recall correctly, Kaspersky would allow any digitally signed program when using its HIPS.

But you could disable that option…

Thanks for agreeing with me on this (since you are comparing a one-time thing in Kaspersky with the normal mode of operation of COMODO).
“You recall once when Kaspersky…” but every week there are dozens of malware that are whitelisted that are found and reported, plus some other dozens that are whitelisted but nobody reports them.

But as usual the attitude of Comodo mods and staff is that they don’t make any mistakes and Comodo is perfect.
I mean, is there something more important than this for Comodo right now?

Please show me where the Mods said it is perfect.

I am afraid nothing is perfect.

All Security software have problems at one time or other including trying to destroy your OS, letting in Malware etc.

In this same thread you have two samples of 2 mods using 2 tactics, like “others also have the same problem and nothing is perfect…”

This is the attitude that I’m criticizing. The attitude/answer should instead be:
“Yes, obviously we have a problem here, we are going to share these concerns with the dev team, because probably something can be done to improve the whitelisting process, and we don’t think that these volumes of malware in the whitelist are acceptable at all.”

Let’s go step by step to find the problem:
Considering that all unknown files are uploaded to cloud.

* Comodo receives about 100 000 (even more) unknown files each day from all CFW / CIS installations around the world.

* These files are unknown, thus good or bad classification is definitely done with automated systems (CIMA, Valkyrie, and other in-house systems not shared with the public…)

They also use automation for whitelisting; some files can get whitelisted really quickly, which is great, some not (those which are submitted by users on the forum).

Apparently, it seems like some piece of malware could be whitelisted during the process.

edit: A file detected by 20 engines on VT can completely be a FP.

Now if you got infected by a malware from virussign… ;D

You are wrong (I hope), the whitelisting is based on certs mostly, and is done manually.
Doing whitelisting based on an AV, behaviour, whatever… is like shooting yourself in the foot, and no other AV vendor does this.

Please stop giving wrong info… What is KSN from Kaspersky? 88) … automatically whitelisting tons of files every day, so please…

I got confirmation from bogdan that whitelisting is done manually by AV analysts but also with automated systems.

Sorry but you are wrong, KSN does not whitelist anything; it’s a reputation cloud
http://support.kaspersky.com/7269# so if a malware gets a good rating in KSN that doesn’t mean that Kaspersky allows the file automatically to access the Internet and modify anything in the computer like happens in COMODO.

Thanks for confirming that Comodo does the whitelisting automatically; it’s a pioneer in the industry and this explains perfectly the issues that I pointed out. Like I said, shooting themselves in the foot.

If they assume that a file can be whitelisted based on the outcome of an AV cloud scanner with N engines or whatever artificial intelligence… they are assuming that they detect 100% of malware, when normally it’s 95% according to the test, so there is a 5% of potential malware in the CIS whitelist.

I must say that I do not like that Comodo automatically whitelists files. Perhaps we should have an option in CIS to not accept whitelist updates that have been automatically generated, so only whitelist updates from manual testing will be implemented?

I think automatic whitelisting is possibly acceptable, but certainly something like this is required to balance out the danger.

Currently it seems that the only thing trying to balance this is manual user submission via the forum. I do hope that Comodo has some additional measures after the automatic whitelisting, but it appears that whatever they are, they are not potent enough.

In my opinion, something else is needed in order to counter this (albeit small) risk of the current whitelisting process. Although I’ve never heard of a very dangerous piece of malware being whitelisted, I have heard of adware being whitelisted.

Why do you think we have a direct line to the dev team? We have no more access to them than any normal member; please feel free to PM them your concerns.

I believe they are concerned, as if they were not concerned they would not reply to members in that topic. Like I said before, nothing is perfect; mistakes can be made.

Sorry but it is beginning to look like you are trying to make something out of nothing, by implying what attitudes we have as Moderators.

Dennis

Edit Changed but to by last paragraph.

Tread carefully. It’s the tone that makes the music.

The disadvantages of Trusted Software Vendor list have been discussed extensively at the introduction. I remember Siberlynx being very outspoken about it in discussions with Melih about this.

It’s up to Comodo to tell whether they think too much trusted malware gets past and if that is the case might want to decide to change the conditions under which Vendors become Trusted Vendors.

The procedure to make a Vendor a Trusted Vendor is done by an analyst. For other tasks automated processes play a role.

Other than that I agree with Dennis. Your concern is shrouded in a toxic and inflammatory tone.

Few if not many criticised CIS Whitelisting in the past… But it’s almost impossible not to white-list some malware. Plus Comodo is the only full DD system on the AV market today so you can’t really compare it to anything else. Automated system or not… Humans make errors as well…

At the end of the day… It’s rare but it can happen…

It’s up to Comodo to tell… yes right we will wait 4 years more to see if they tell something. Until now Comodo is silent about this topic.

“The procedure to make a Vendor a Trusted Vendor is done by an analyst. For other tasks automated processes play a role.

Other than that I agree with Dennis. Your concern is shrouded in a toxic and inflammatory tone.”

Toxic? Well, if you see it as normal to find several trusted malware files every week… and what is worse is the malware in the TVL that isn’t found, and what is even worse is Comodo devs/staff being silent about this issue.
A normal person would say that the TVL is “toxic”…

PS: just in case, I don’t consider the forum moderators Comodo staff.

Even silence speaks.

“A normal person would say that the TVL is ‘toxic’…

PS: just in case, I don’t consider the forum moderators Comodo staff.”

One could ask for attention to the problem in a non-abrasive fashion and get better exposure for your argument.

It has been discussed intensively in the past by Melih and Siberlynx. Until further notice the silence means Comodo has not changed their point of view on TVL.

Better exposure of the argument? What part is not clear for you?

“It has been discussed intensively in the past by Melih and Siberlynx. Until further notice the silence means Comodo has not changed their point of view on TVL.”
Yes, we all know they are doing it wrong, but instead of trying to get it improved let’s bury the problem as you want. Thanks for your useful input in this thread.