Comodo Internet Security 2025 was obliterated by an exploit!
Quote from Andy Ful (post 1111329, member 32260):

We agree that the detection should not be Trusted, but for different reasons. The sample was uploaded to Comodo several hours after it was already "dead" (no payload available). Comodo analyzed only the sample, and it contained no active & malicious code. Anyway, the analyst should also check if the sample downloaded/executed the malicious payload in the past. Such information was already available on VirusTotal.

CIS ignored it because it did not do anything special.
When the sample was 1-hour malware, it could be contained because initially it would be Unrecognized. Next, the sample would be uploaded to Comodo, but the analyst could see that it was a trojan downloader by analyzing the downloaded payload. Furthermore, even if the analyst made a mistake, this concrete sample could not infect Comodo users, because the sample was already "dead" after 90 minutes, long before the analyst could finish the analysis.
The design of Comodo's Auto-containment + Cloud analysis protects non-enterprise users against most malware, even when wrongly flagged as Trusted. Simply, most new malware is short-lived, so it is Unrecognized and auto-contained.

Yes, but several hours after the payload disappeared from the malicious domain.

Edit 1.
In theory, such false negatives might be used in targeted attacks by reusing the sample with another payload.
Edit 2.
I think that such incomplete malware should be removed from testing (except for very special false negative tests). The AV detection (not only Comodo's) will depend on whether the sample is complete (with payload) or incomplete (payload not available).