CIS 6.2.xxxx Releases!

Discussion in 'other anti-virus software' started by spywar, Jun 19, 2013.

Thread Status:
Not open for further replies.
  1. avman1995

    avman1995 Registered Member

    Joined:
    Sep 24, 2012
    Posts:
    944
    Location:
    india
    Re: CIS 6.2.282872.2847 Released!

    I still don't understand the point of testing an AV product directly against malware binaries, because in any sort of case you will never contract them directly and it will only come from the web :)

    So testing a product directly from a pack makes no sense, at least in terms of real-life usage, where most users see malware binaries coming from malware URLs or are redirected to those URLs in some way from a legit website. You will never see a pack of fresh malware files coming from a USB or something; it's never gonna happen. In my experience of cleaning computers for years, what mainly comes from USBs is sality, virut, autorun, lnk runner and some payloads of dorkbots, gamarue etc., which are normally well detected by AVs, at least by my often recommended/used AVs (Avast, EAM, Avira, COMODO AV), and stuff like that will never happen.. Still, most of the 98% stuff comes from the web and most of them follow some sort of chain ;) So there is no reason not to go with URL tests, as 98% of the time they show the semi-realistic real-world scenario, just like AV-C and AV tests do.

    eg: Google search>>Legit site>>Malicious JS redirector>>Malware binaries.

    OR

    Game Site>>Advertisements>>Malware site/binaries.

    OR

    Music player/downloader>>Advert>>exploit.

    OR

    Porn site>>advert>>malware

    OR

    Facebook/twitter>>Malware URL>>Malware binary.

    In cases of USB's:

    USB inserted>>autorun/LNK runner>>Resulting in launching of optionally existent file infector/worm etc>>system infected.

    This is mostly the way I have seen people getting infected...
     
    Last edited: Jul 10, 2013
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Re: CIS 6.2.282872.2847 Released!

    I really must respectfully disagree with you on this one. Malware, as most know, has different infective pathways. As you mention, direct from some website is one; sent as an email attachment is another; a nasty person with a malware-filled USB infecting their workplace or "friends" is another. So just testing URL links would be at best misguided.

    Also, the malicious URL links that amateurs use for testing come from public databases. There are malware companies that have employees whose sole purpose is to scan these databases and add them to blocklists (Fortinet is predominant among them). But even at the most inclusive I think most will admit that not all existing malicious URLs will be detected. So not only will straight URL testing ignore other ways to become infected, it is not all-inclusive for its primary purpose.

    I will admit that direct sample testing leaves much to be desired. Instead of a focus on the percentage detected, the concentration should be on how a particular product handles samples that it does not detect via definitions or Cloud (the term Zero Day comes to mind).

    Finally, most testing ignores things that I would consider essential. Extensive analysis of the Network is needed for things such as Malware that has co-opted legitimate system files (such as svchost) or was bundled with a RAT such as DarkComet. This is a time consumptive process which I've never seen done on any amateur Youtube videos and I doubt is done with any of the Pro testing agencies (who would prefer to give a 98%!!!! and leave it at that). I could go on with Hidden files in Hidden directories and Timebombs, but I'm sure the point is already made: to be sure a computer is clean after running samples, extensive forensics really is mandatory.

    Those reading this post almost certainly have little practical use for any malware testing as we are wise enough never to get infected in the first place; but we are Geeks (come on, admit it). But the masses, who can hardly turn their computers on without running into some malware or other from a variety of places, need well-run testing in order to determine the best product to protect them from malware arising from every possible scenario.
     
  3. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Re: CIS 6.2.282872.2847 Released!

    1 day has passed (as per GUI) and my CIS hasn't received any signature updates. That's weird...
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Re: CIS 6.2.282872.2847 Released!

    No issue here with Updates.
     
  5. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Re: CIS 6.2.282872.2847 Released!

    There is a problem with the backend infrastructure IMO, as I don't get any CAMAS alerts for any of my submissions.... Hopefully the situation will get normal ASAP.
     
  6. guest

    guest Guest

    Re: CIS 6.2.282872.2847 Released!

    Same here. And Cloud doesn't work for me.
     


  7. guest

    guest Guest

    Re: CIS 6.2.282872.2847 Released!

    Yes, I submit tons of malware but I didn't get a CAMAS alert.
    Also, File Intelligence doesn't work.

    @spywar;

    Can you use the numeric pad on the Windows login screen? (I am asking about a system with CIS installed; I am using a non-English keyboard.)
    Because I can't. I suspected SS, but I uninstalled SS to check and nothing changed.
     


  8. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Re: CIS 6.2.282872.2847 Released!

    How do I get auto-sandbox to ask me first? I can't find the setting.
     
  9. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Re: CIS 6.2.282872.2847 Released!

    The auto-sandbox can only ask you for unknown programs which require elevated privileges e.g. installers or updaters.
     
  10. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Re: CIS 6.2.282872.2847 Released!

    Well that's dumb. I'm pretty sure it used to have an Ask option. I started Steam, and despite how well-known and used that program is, it auto-sandboxed it.
     
  11. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Re: CIS 6.2.282872.2847 Released!

    Same here. Updates are 1 day ago.
     
  12. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Re: CIS 6.2.282872.2847 Released!

    Steam app(s) is(are) digitally signed so it shouldn't get auto sandboxed regardless of how new the file was.
     
  13. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Re: CIS 6.2.282872.2847 Released!

    Oh, it's probably because I unchecked "Trust applications signed by trusted vendors" and "Trust files installed by trusted vendors" as I've heard Comodo has a tendency to whitelist almost anyone without thoroughly checking if they are legitimate or not.
     
  14. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Re: CIS 6.2.282872.2847 Released!

    That is not true.
    Where did you hear that?
     
  15. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Re: CIS 6.2.282872.2847 Released!

    "as I've heard Comodo has a tendency to whitelist almost anyone without thoroughly checking if they are legitimate or not"

    hehe lol interested to get the source of the person who told you that...

    As guest pointed out, File Intelligence is also down; there is definitely a backend issue.
     
  16. guest

    guest Guest

  17. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
  18. guest

    guest Guest

    Re: CIS 6.2.282872.2847 Released!

    I never said this is something new.
    I haven't seen a similar thread in any other AV forum, that's a start.
    Can you prove the opposite? It should be easy if I'm wrong. Taking into account that CIS is almost not used compared with others and it has tons of reports of whitelisted malware.
     
  19. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Re: CIS 6.2.282872.2847 Released!

    Whitelisting of malware is a problem, but it does not happen that often considering the amount of files they receive every day.
    But we are talking here about the procedure of whitelisting applications and vendors (TVL).
    When you submit an application or vendor for whitelisting, the procedure is done manually following defined rules.
    Classification of unknown files is performed in the cloud by automatons.
     
  20. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Re: CIS 6.2.282872.2847 Released!

    CIS is used by about 60 M users now, without adding Comodo Firewall users, who mainly use it alongside free or paid products. You can also note that Comodo seems to be the only one to have such a thread on its forum.
     
  21. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Re: CIS 6.2.282872.2847 Released!

    So in general is it safe to use TVL in CIS?
     
  22. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Re: CIS 6.2.282872.2847 Released!

    Of course.
    There were a few "issues" in the past but affected vendors got quickly removed from TVL.
     
  23. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Re: CIS 6.2.282872.2847 Released!

    Let's go step by step to find the problem:
    Considering that all unknown files are uploaded to cloud.

    *Comodo receives an amount of about 100 000 (even more) unknown files each day from all CFW // CIS installations around the world.

    *These files are unknown, thus good or bad classification is definitely done with automated systems (CIMA, Valkyrie, and other in-house systems not shared with the public..)

    They also use automation for whitelisting; some files can get whitelisted really quickly, which is great, some not (those which are submitted by users on the forum).

    Apparently, it seems like some piece of malware could be whitelisted during the process.

    edit: A file detected by 20 engines on VT can completely be a FP.
     
  24. guest

    guest Guest

  25. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Re: CIS 6.2.282872.2847 Released!

    We are speaking about vendors not a single file...
    These files can also be safe. Not all but some.

    every week.. Last time I had an issue with a trusted vendor, which got fixed quickly BTW... was August 2012
     