Comodo File Rating System Inconsistencies *** VIDEO ***

Status
Not open for further replies.
hjlbx

Thread author
Comodo Internet Security v. 8.2.0.4591

The linked video below shows how there are synchronization issues between the various parts (databases\servers) that comprise Comodo's File Rating System.

Comodo's File Rating System = File Lookup Service (Cloud), local database (machine upon which CIS is installed), Comodo Instant Malware Analysis Service (CAMAS\CIMAS) and Comodo File Intelligence (CFI). Plus there are internal Comodo lists.

The file used in the video is C:\Windows\System32\aeinv.dll.

The file's SHA1 hash is: 50e71839285e234d694e1e5f1e8dff80fe873780

It was introduced on the system: 4/22 (Trusted by FLS)
Updated (modified) on: 6/17 (changed from Trusted to Unrecognized by CIS)
Re-rated by Comodo on: 6/24 (changed from Unrecognized back to Trusted via FLS)

There are two entries in the CIS File List - which is correct. However, if you watch carefully, you will see that the File Detail (Comodo rating on local machine - from FLS\Cloud) does not agree with Comodo Lookup (I am not sure of the Lookup database location - perhaps Comodo File Intelligence or other internal file list).

Furthermore, by entering the file's SHA1 hash at https://file-intelligence.comodo.com/search-sha1.php , you can verify that as of today (6/28) aeinv.dll is listed as "Unknown" in Comodo File Intelligence. If you have it on your local machine, it should be Trusted in the CIS File List... and that rating, in all likelihood, came from Comodo - unless you changed it from Unrecognized to Trusted in the CIS File List sometime between 6/17 and 6/24.

So... what's the point? At the very least it causes confusion. At worst, it might cause CIS to treat a file differently over time - until there is complete agreement across all Comodo File Rating databases. In other words, the worst case scenario is that CIS will treat a Trusted file as Unrecognized - and generate alerts (depending upon user's chosen CIS settings) and auto-sandbox the file. This, while annoying, can be circumvented through the creation of Allow rules.

The ultimate worst case scenario is where a file has been re-rated by Comodo from Trusted to Malicious - but it takes a relatively long time for all the databases to sync. I have not seen nor heard of such a thing - but think about it.

The bottom line: the user can create rules that solve almost any File Rating issues and\or bugs that cause CIS to improperly treat a safe, Trusted file as Unrecognized. Keep in mind that Comodo is all about "Old School," manual administration of the system... so users should expect at least some intermittent administration. CIS now has the option for the user to change the rating of a file - which, in most cases, fixes any issues.

If the user desires a more "hands-off," automated experience, then use @cruelsister's suggested CFW configuration.

NOTE: What is covered here is a logistical issue - and not a CIS bug. CIS File Rating bugs do exist - and for some time now - but this isn't one of them. Even in the case of some of the more serious File Rating bugs, the user can create Allow rules to eliminate alerts, blocks and auto-sandboxing for safe files.

The cause: as far as I have been able to determine, @Malware1 gave me a tidbit of info = Comodo File Intelligence database uses some form of cache - so - there can be a delay between file rating synchronization between all the databases that make up the system. Just an educated guess... so take it for what it is. I am drawing a conclusion here - and this is not the opinion of @Malware1.

In this case, nothing was ever broken. When the file was updated on 6/17, CIS changed the rating from Trusted to Unrecognized and it generated alerts (based upon my chosen CIS settings) - which is correct behavior. So from 6/17 to 6/24 I had to create Allow rules. After the file rating was changed on 6/24 from Unrecognized to Trusted by Comodo, I no longer needed those Allow rules. Tip: Once in a while I go through the HIPS, firewall and sandbox rules - verify a file's rating to see if anything has changed - and delete any unneeded rules.

Here is OneDrive download link for video: https://onedrive.live.com/redir?resid=2C645D108A1E40C7!4857&authkey=!AEWleuHFmCJMLeM&ithint=video,avi

NOTE: Movie is in Microsoft Video1 AVI format; can be viewed using Windows Media Player or VLC or Classic Media Player. Viewing it this way should be much more clear - but video is 82 MB...

 
Last edited by a moderator:
  • Like
Reactions: yigido and Kent
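The cross-check and Allow-rule clean-up described in the post above, as an added example that is not part of the thread or of Comodo's software. The old-version hash, the per-source rating tables and all function names are constructed for illustration; no Comodo lookup API is assumed, and treating CFI's "Unknown" as the same state as "Unrecognized" is an assumption.

```python
import hashlib

# Assumption: CFI's "Unknown" and the CIS File List's "Unrecognized" mean the same state.
SAME_AS = {"Unknown": "Unrecognized"}

def sha1_hex(data: bytes) -> str:
    """SHA-1 hex digest, the key the post's lookups use."""
    return hashlib.sha1(data).hexdigest()

def disagreements(ratings_by_source):
    """Return {sha1: {source: rating}} for hashes the sources rate differently."""
    out = {}
    for h in sorted(set().union(*ratings_by_source.values())):
        view = {}
        for src, table in ratings_by_source.items():
            rating = table.get(h, "Unrecognized")  # absent from a source = not rated there
            view[src] = SAME_AS.get(rating, rating)
        if len(set(view.values())) > 1:
            out[h] = view
    return out

def audit_allow_rules(rules, current_sha1, local_ratings):
    """rules: {path: sha1 the file had when its Allow rule was created}."""
    actions = {}
    for path, rule_sha1 in rules.items():
        now = current_sha1.get(path)
        if now is None:
            actions[path] = "remove: file is gone"
        elif local_ratings.get(now) == "Trusted":
            actions[path] = "remove: file is rated Trusted"
        elif now != rule_sha1:
            actions[path] = "re-check: file changed after the rule was made"
        else:
            actions[path] = "keep: file is still Unrecognized"
    return actions

def demo():
    old = sha1_hex(b"constructed stand-in for aeinv.dll before 6/17")
    new = "50e71839285e234d694e1e5f1e8dff80fe873780"  # hash quoted in the post
    path = r"C:\Windows\System32\aeinv.dll"
    # Constructed state as of 6/28, following the dates in the post.
    ratings = {"local/FLS": {old: "Trusted", new: "Trusted"},
               "CFI": {old: "Trusted", new: "Unknown"}}
    return (disagreements(ratings),
            audit_allow_rules({path: new}, {path: new}, ratings["local/FLS"]))

if __name__ == "__main__":
    for part in demo():
        print(part)
```
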
sinu

Thread author
I will add infos later... for now please let me know if video images can be clearly seen...


looks good in small window but when it is put to full screen it is not that clear need to increase its resolution
 
hjlbx

Thread author
looks good in small window but when it is put to full screen it is not that clear need to increase its resolution

I've tried fixing it, but there is a full-screen image clarity limit because it is hosted video.

I will add direct download link of video - so if anyone wishes - they can view it in much sharper quality.

Thanks @sinu

Best Regards,

HJLBX
 

Malware1

Level 76
Sep 28, 2011
6,545
The cause: as far as I have been able to determine, @Malware1 gave me a tidbit of info = Comodo databases use some form of cache - so - there can be a delay between file rating synchronization between all the databases that make up the system. Just an educated guess... so take it for what it is.
I was talking about Comodo File Intelligence.
There's no delay unless you checked the hash before they whitelisted it.
 
  • Like
Reactions: yigido and Kent
hjlbx

Thread author
I was talking about Comodo File Intelligence.
There's no delay unless you checked the hash before they whitelisted it.

@Malware1

That is as I understood it, but maybe I didn't explain it fully; I did not mean to misquote you. I will make correction - just to be clear. OK?

File in video was re-rated as Trusted on 6/24 via File Lookup Service, but still remains rated as Unknown in Comodo File Intelligence - as of 6/28.
 
Deleted member 2913

Thread author
It would be good if all the databases are seamlessly in sync.

hjlbx,

You use "Any" Autosandbox setting. Default is "Internet" for Autosandbox.

Does CIS treat the updates/upgrades of the programs differently in any way in "Internet" setting compared to "Any"?
 
hjlbx

Thread author
It would be good if all the databases are seamlessly in sync.

hjlbx,

You use "Any" Autosandbox setting. Default is "Internet" for Autosandbox.

Does CIS treat the updates/upgrades of the programs differently in any way in "Internet" setting compared to "Any"?

No, CIS does not treat the updates (modifications) differently. When any file - regardless of source - changes due to updates, then CIS will change the status of that file to Unrecognized.
 