Two ways:
- If the malware's certificate signer isn't on Comodo's trusted vendors list then it will be sandboxed the same as unsigned malware
- Even if malware is using a certificate from a vendor that's on the trusted vendors list, cloud lookup can still flag the file as malware
Malware using stolen certificates apparently get pounced on pretty quickly by security vendors.
Good question from OP, thanks. Looks like things might change in the future but who knows into what. Comodo is testing "Recognizer" for Valkyrie, which will be able to detect particularly nasty malware, even ransomware, with both signatures and based on behavior.
I think I may turn on Cloud Lookup again. I turned it off because it kept enlarging the TVL list and then I saw that CL was responsible for a couple of documented successful malware attacks. I'm not sure, though. With Comodo testing "Recognizer" as part of Valkyrie, I wonder if the TVL will be as important to me (keeping it short). I like the list short, because I like to know what's happening on the system in the general sense.
For the future, I guess I am somewhat confused about whether leaving Cloud Lookup off would disable "Recognizer" when it comes online. Also, will "Recognizer" replace Cloud Lookup eventually altogether? Ultimately, I kind of wish Comodo would for now back off adding vendors to the TVL via Cloud Lookup. This would be the ideal situation for me imo. I could shorten the TVL and still have the benefit of using CL.
