Why doesn't CIS antivirus scan files in the sandbox in real time?

I tested, and malware files aren't detected by the antivirus in the sandbox (C:\VTRoot).

Hi Henrique,

If the file is unknown and has NO signature, you have NO CAV detection!!! The file is put into the sandbox, and the sandbox sends the file to Valkyrie for further analysis!!!

Or did I misunderstand your question?

Regards!!!

Yes, you didn't understand.

The file is detected by CAV and alerted on, but isn't detected inside the sandbox.

This is important for crypt installers with malware.

Crypt installers are very numerous on the web.

Hm ok, so my question is, for which reason do you put the file in the sandbox if you have a positive CAV detection? :wink: CAV detection = job done!!! :slight_smile:

CIS probably detected a part of the malware but does not have a signature for the other dropped files.

Hi yousername,

Welcome to the discussion :wink:

Hmmmm, I'm really not sure what Henrique wants to say. ???

So … FIRST CAV detection = job done!!! :wink:

Hmm, you're right: not only does the real-time scanner not detect it, but the manual scan via the right-click context-menu "scan with CAV" does not start when you scan a file inside the sandbox. Maybe for performance reasons? Of course, on execution it will be detected by cloud file rating.

Yes …!!! Unfortunately, for me it is not really apparent what the problem is and how exactly it emerged. So I would, but I can't give a precise answer.

Probably the containment rule:

CAV HAS a detection!!! :wink:

That makes it a bit strange for me why it's necessary to put a detected file into the sandbox!!! Ok, maybe he wants to analyze its behaviour? But then it would be better to exclude the file fully from detection.

Nope, the issue is that malware saved inside the containment is not detected by the real-time AV, and you can't manually run a scan on the file from within a contained Windows Explorer window.

To check:

  1. Disable "do not virtualize access to the specified files/folders".
  2. Run a contained web browser and download the EICAR test file.
  3. Once downloaded, use the browser's "show in folder"/"open containing folder" from the browser download list/window.
  4. Alt-click on the file and choose "Scan with Comodo Antivirus".
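The check above done from a shell instead of the browser and Explorer, as an added example that is not from anyone in this thread: it drops the harmless EICAR test string into a folder, waits, and reports whether the on-access scanner removed it. Run it once from a normal PowerShell and once from a PowerShell started inside containment (where the folder is virtualized under C:\VTRoot) and compare the results; the default folder and wait time are assumptions.

```powershell
param(
    # Assumed defaults: the user's Downloads folder and a 15 s grace period.
    [string]$TargetDir   = (Join-Path $env:USERPROFILE 'Downloads'),
    [int]   $WaitSeconds = 15
)

# Standard 68-byte EICAR test string. A script containing it may itself be
# flagged by the AV; that is expected and harmless.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $TargetDir 'eicar-ondemand-test.com'

try {
    # Write byte-exact ASCII (no BOM, no trailing newline) so signature
    # matching is not thrown off by encoding artefacts.
    [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
    Write-Host "Wrote test file to $path"
} catch {
    # A write blocked with access denied is also a sign the scanner acted.
    Write-Host "Write was blocked ($($_.Exception.Message)): on-access detection fired."
    exit 0
}

# Give the real-time scanner time to react, then see whether the file survived.
Start-Sleep -Seconds $WaitSeconds

if (Test-Path -LiteralPath $path) {
    Write-Warning "Test file still present after $WaitSeconds s: no on-access detection in $TargetDir."
    Write-Warning "Check AV exclusions (a broad entry such as C:\Users\* suppresses detection) and whether this folder is virtualized under C:\VTRoot."
    Remove-Item -LiteralPath $path -Force
    exit 1
} else {
    Write-Host "Test file was removed: on-access detection fired in $TargetDir."
    exit 0
}
```

Exit code 1 means the folder was not covered by real-time scanning, which is the condition this thread is trying to confirm or rule out.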

@futuretech

Hm … I think that could make sense :wink:

I took steps 1 and 2, and the EICAR test file is being detected by the on-access scan while running a contained browser.

From me comes another BIG … hm…!!! :wink:

Sorry, atm I can't reproduce this for myself! I fully trust your results!!! :-TU :slight_smile: Maybe it would be best if Henrique comes back in the next days and gives us more details?!

I am using the proactive config, if that matters. I retested and checked the location of the file; it is indeed in VTRoot.

For sure, I think that matters!!! That's an example of what would be very good to know! Maybe he uses a customized config?!

I guess it could; proactive was designed to be less permissive.
Are you also using proactive when you tried to reproduce?

First with my own customized proactive and then with the "standard" proactive config. I think this would be the best.

OK, yeah, for me I had added every root folder I have in my C:\ path to the AV exclusions, which included C:\Users\*, thus it would not detect; but as soon as I removed the Users folder from the exclusions, then yes, I was able to get AV alerts. So I'm not sure why Henrique is not getting AV alerts for a detected sample in the sandbox.

:slight_smile: :slight_smile: :slight_smile:

Details … we need details … from Henrique!!! :slight_smile: