- Dec 8, 2014
- 206
As a rule of thumb : it is a bypass when you right-click on the file > run it in the Sandbox and changes are made to real system. (CIS case)
Comodo FW bypass malware the sandbox (sandbox hips off + on) and voodooshield (autopilot)
- Thread starter Davidov
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
I know exactly what the argument is going to be -- that it isn't malware. It is the same argument applied to a script I write to delete your entire drive without your consent. Technically, it isn't malware. Really ? I'd bet you'd consider it malware after deleting your entire drive.
Mark my words...
Mark my words...
Really ?
I submitted a Zbot sample to COMODO Engineering not long ago that completely disabled COMODO upon execution. All CIS modules were completely disabled, but the GUI was still running.
All you have to do is download a few Virussign malware packs and eventually you will find something that can disable COMODO HIPS and\or sandbox.
- Dec 8, 2014
- 206
It's possible. If that's the case, we could say it's a backdoor (most likely implanted by a third-party). 
- Dec 8, 2014
- 206
Not sure what to say.. I have submitted bypasses that were fixed. I could post it after version 10 is released.
CIS virtualization is tricky as it provides more compatibility. If you have a driver installed then (for compatibility purposes) you could make use of that driver and action will not be virtualized by default. Example: run Process Hacker, exit Process Hacker, virtualize Process Hacker and terminate non-virtualized application. This is possible because you have launched a driver upon first run and virtualized instance makes use of that driver.
Last edited:
I can find no rhyme nor reason as to what, when, and why COMODO fixes some things and not others.
I submit all the sample directly to Haibo Zhang - Director of COMODO Engineering (Beijing, China).
I worked for months collecting data for the "disappearing rules" bug. It has been submitted repeatedly to everyone - Haibo, Artyom (Ukraine -responsible for the rules module) and BuketB.
But you're right... the COMODO tech did rate Thingthing.exe as Safe - I checked the Safe List. Sure enough, it's rated as Trusted. You were right and I was wrong.
I suppose we can write it off as a mis-rating by the tech.
- Dec 8, 2014
- 206
I usually submit directly to bugs moderator (on forums). Everything was fixed.
- Apr 13, 2013
- 3,224
- Nov 19, 2014
- 2,350
Does the file do anything malicious if you checked?
- Sep 9, 2012
- 470
Hi obviously it is a fault whitelist I made another video if you delete a whitelist suppliers system is clean. Comodo killswitch takes a file as safe .Voodooshield succumbs in lock mode, it's weird .- (
Disable the scan checkbox in VS settings , you should have a prompt.
- Dec 8, 2014
- 206
FYI verdict changed to malware.
http://i.imgur.com/HK7aHB5.png
http://i.imgur.com/HK7aHB5.png
- Sep 9, 2012
- 470
- Sep 9, 2012
- 470
8 days before the verdict lasted change to dangerous it is for a long time. He did not get at all to the whitelist.
- Nov 19, 2014
- 2,350
Damn, someone with power took action. I am sure experts don't do analysis at a Sunday evening for a random file that already was checked.
As you see someone just changed the verdict. It is still saying "Human Expert Analysis Date: 2016-10-22 22:46:34 ( 8 days ago )"
- Dec 8, 2014
- 206
Valkyrie analysis is very fast to be honest. I did mention it in the past.
It's great to see Comodo guys acted fast on this one!
Great share by the OP and interesting discussion here!
EDIT: Also big thanks to @cruelsister for picking that one up!
At the time I tested that one with a default Internet Security Preset (+HIPS @ Security Preset) configured CIS, sandbox wasn't triggered, pretty sure because of the previous whitelisting.
As for it's actions it changes fonts and immediately restarts the PC. Haven't seen anything more like in the initial video on this one, as by restart my ShadowDefender session ended.
Last edited:
- Dec 8, 2014
- 206
- Nov 19, 2014
- 2,350
That's not what i said. Check the expert analysis date. Now someone changed the verdict because they were informed about this post probably.
- Dec 8, 2014
- 206
Click on "Human Expert Analysis" tab.
Human Expert Analysis Results
Analysis Start Date: 2016-10-22 22:32:14 ( 8 days ago )
Analysis End Date: 2016-10-22 22:46:34 ( 8 days ago )
File Upload Date: 2016-10-22 20:25:13 ( 8 days ago )
Update Date: 2016-10-30 17:50:55 ( 26 minutes ago )
Human Expert Analyst Feedback: malware
Verdict: Malware