Why comodo IS detects a file as malicious only after I run it?

Discussion in 'other anti-virus software' started by flik, May 21, 2010.

Thread Status:
Not open for further replies.
  1. flik

    flik Registered Member

    Joined:
    May 21, 2006
    Posts:
    49
    Hi, I decided to try ComodoIS v4 and I found it very good. So I download a trojan to test the sandbox. Comodo antivirus did not detect the file when i downloaded it, neither when I scanned it. But when I ran it, just after the sandbox alert, a windows came up showing that comodo antivirus has been detected it as trojan.
    Does comodo scan furthermore when the file is being executed?
     
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,481
    Probably because it's on stateful config?

    Try changing the AV to On Access and see :rolleyes:
     
  3. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    Maybe because it's unable to unpack/decrypt the .exe and finds the signature when the file gets decrypted in runtime.
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Can you post a screenshot of a detection popup? I'd say it's an in-memory detection (like BOClean used to work). There is certain malware that only gets detected on runtime...
     
  5. flik

    flik Registered Member

    Joined:
    May 21, 2006
    Posts:
    49
    I think that it's a classic detection popup.
    Unfortunately now it detects it when I download it, although I haven't change it from stateful to on-access setting.
    But yesterday I repeated more than 15 times. I was downloading without an alert, and I was scanning it with right click->scan with comodo and it wasn't finding anything. Only after I run it.
    I think that it's not about stateful or on-access. Maybe risl is correct, but I don't know how exactly comodo works
     

    Attached Files:

  6. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    378
    Hi it might be the memory scanner(BoClean) which is detecting the trojan.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.