Why does Comodo IS detect a file as malicious only after I run it?

Discussion in 'other anti-virus software' started by flik, May 21, 2010.

Thread Status:
Not open for further replies.
  1. flik

    flik Registered Member

    Joined:
    May 21, 2006
    Posts:
    49
    Hi, I decided to try ComodoIS v4 and I found it very good. So I downloaded a trojan to test the sandbox. Comodo antivirus did not detect the file when I downloaded it, nor when I scanned it. But when I ran it, just after the sandbox alert, a window came up showing that Comodo antivirus had detected it as a trojan.
    Does Comodo scan further when the file is being executed?
     
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Probably because it's on stateful config?

    Try changing the AV to On Access and see :rolleyes:
     
  3. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    Maybe because it's unable to unpack/decrypt the .exe and finds the signature when the file gets decrypted at runtime.
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Can you post a screenshot of a detection popup? I'd say it's an in-memory detection (like BOClean used to work). There is certain malware that only gets detected at runtime...
     
  5. flik

    flik Registered Member

    Joined:
    May 21, 2006
    Posts:
    49
    I think that it's a classic detection popup.
    Unfortunately, now it detects it when I download it, although I haven't changed it from the stateful to the on-access setting.
    But yesterday I repeated it more than 15 times. I was downloading it without an alert, and I was scanning it with right click -> scan with Comodo and it wasn't finding anything. Only after I ran it.
    I think that it's not about stateful or on-access. Maybe risl is correct, but I don't know how exactly Comodo works.
     

  6. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    377
    Hi, it might be the memory scanner (BoClean) which is detecting the trojan.
     