App Review Comodo FW bypass malware the sandbox (sandbox hips off + on) and voodooshield (autopilot)

[Davidov]

No reaction from Comodo stops just voodooshield PC shutdown but after the restart the PC infikovano.Pc then behave strangely. Detection on VirusTotal 0.
I used Comodo sandbox Improved Setup + Factory Defaults voodooshield.
No reaction from Comodo stops just voodooshield PC shutdown but after the restart the PC infikovano.Pc then behave strangely. Detecting malware on VirusTotal 0. testing on a living tree in the sandbox did not want to run or did not show. What should I use when everything disappoints .-))

https://www.hybrid-analysis.com/sam...7bf2ce35b121b9a9de59c2b0d51?environmentId=100

Antivirus scan for 8930b9c8dbf95fcc8184254546b99c00971517bf2ce35b121b9a9de59c2b0d51 at 2016-10-22 19:40:00 UTC - VirusTotal

 

[Davidov]

What do we use a single sandbox and what I tried to resist were Sandboxie .-)) and I am going to reinstall PC or sown sample to try, thanks.

 

[vivid]

Not a bypass. Trusted malware.

 

[Ink]

Not a bypass. Trusted malware.

Trusted by Comodo's Trusted Vendor List or other reason?

 

[SHvFl]

Was the file digitally signed?

 

[vivid]

Trusted by Comodo's Trusted Vendor List or other reason?

Trusted by hash. Human error.

PS: I have objected to human analysis with Valkyrie. It will probably be rechecked.

 

[Davidov]

Apparently has a bug but how is it possible that Comodo and voodooshield take this as safely?

Here's seeing the dangers of big whitelist as ma comodo.

 

[vivid]

Proof that it's trusted malware, not bypass: http://i.imgur.com/l7f4eS9.png
Not sure about VoodooShield though.

 

[shmu26]

what would stop this malware?

 

[hjlbx]

Proof that it's trusted malware, not bypass: http://i.imgur.com/l7f4eS9.png
Not sure about VoodooShield though.

Valkyrie isn't detecting it as malicious. A Clean Valkyrie detection does not mean it is automatically added to the COMODO Safe List. Plus, CIS does not use Valkyrie - it hasn't been integrated yet into CIS>

It isn't officially clean until manually inspected by a COMODO technician. Then the tech has to add the file to the Safe List database.

Look at the VT Scan report - COMODO reports it as undetected = Unknown\Unrecognized.

It should be auto-sandboxed.

It is not trusted... so it's a CIS bypass.

 

[Ramona]

Sandboxie is the answer (+ Qihoo with all engines enabled)

 

[Davidov]

Whether this is so or so it's not very good for either Comodo voodooshield it rubs were almost wholly products.Today you can not believe it the Great whitelist, Comodo etc.

 

[shmu26]

VT says it was checked a week ago, and that it is totally undetected. sounds like a contradiction. what's up with that?

 

[hjlbx]

Whether this is so or so it's not very good for either Comodo voodooshield it rubs were almost wholly products.Today you can not believe it the Great whitelist, Comodo etc.

I have seen this sort of thing happen with certain types of malware before - so I recognize the behavior.

 

[hjlbx]

VT says it was checked a week ago, and that it is totally undetected. sounds like a contradiction. what's up with that?

What's so strange about that ?

There is such a thing as undetected malware for days, weeks, months, years... or never.

A script that will delete your entire disk drive can be used legitimately or maliciously - and no scan engine typically detects such a user created script as malicious.

 

[shmu26]

What's so strange about that ?

There is such a thing as undetected malware for days, weeks, months, years... or never.

well, this malware must not have been distributed very widely.

 

[hjlbx]

Look at the Hybrid Analysis report carefully.

• Malicious Indicators5
• External Systems
  • Sample was identified as malicious by at least one Antivirus engine
    details
    2/57 Antivirus vendors marked sample as malicious (3% detection rate)
    source
    External System
    relevance
    8/10

 

[vivid]

Valkyrie isn't detecting it as malicious. A Clean Valkyrie detection does not mean it is automatically added to the COMODO Safe List. Plus, CIS does not use Valkyrie - it hasn't been integrated yet into CIS>

It isn't officially clean until manually inspected by a COMODO technician. Then the tech has to add the file to the Safe List database.

Look at the VT Scan report - COMODO reports it as undetected = Unknown\Unrecognized.

It should be auto-sandboxed.

It is not trusted... so it's a CIS bypass.

1. There is a signature-level detection and a cloud-level detection.
2. I have used Valkyrie to check status. You can see that it is trusted in my picture.
3. CIS does not use Valkyrie. Rephrased: CIS does not auto-submit files for analysis to Valkyrie.
4. If a file is rated by human analyst in Valkyrie then a signature-level detection will be added automatically to CIS.
5. You can look at human analysis as a cloud verdict with CIS.
6. VirusTotal checks for signature-level detection. In no way you will know by using VirusTotal if there's a difference between unrecognized and trusted verdict.

 

[Davidov]

I sent this malware for the analysis to ZEMAN about yesterday, so we'll see if he was classified in the database (Need to manually analizovat because the AI does not know about the harmfulness)

 

[vivid]

well, this malware must not have been distributed very widely.

This is common. Vendors might use common sources for whitelisting/blacklisting.