Valkyrie does not support .MSI files?

Hi,

I’ve noted that Valkyrie does not support MSI files. We have a few installers that are MSI files that are being marked as “Unrecognised” so they are being contained.

Usually when a file / application is being contained, we upload it to “https://verdict.valkyrie.comodo.com/” and then within an hour or so it’s either marked as good or bad. It does not let us upload MSI files, so will any unrecognised MSI files be contained indefinitely? We don’t want to just whitelist the MSI file (it’s an old application, and we want to make sure it’s safe). How can we get MSI files rated? I’ve tried extracting the MSI file and uploading the .exe’s contained within, but Valkyrie still doesn’t want to analyse these .exe’s.

Thanks
Zac.

@Zachow are you not able to change the rating yourself to trusted in Endpoint Manager > Security Sub-Systems?

Hi, thanks for the reply, as per my post:
"We don’t want to just whitelist the MSI file (it’s an old application, and we want to make sure it’s safe). "

It’s an old application that a staff member has requested, wanted a Valkyrie verdict to ensure it’s safe.

Hi, could someone at Comodo confirm why it’s now rated as “Trusted” on Valkyrie? It has not undergone human expert analysis and doesn’t appear to be fully automatically analysed (as it’s an MSI which is not supported):
https://verdict.valkyrie.comodo.com/file/result?s=0843BA620B158CC5C13B0010FEC1751937E68BED
File hash: 0843BA620B158CC5C13B0010FEC1751937E68BED

It’s now being blocked by HIPS because the MSI is trying to access the IMsiServer service (the Windows service that MSIs use to install…).

thanks
zac.

Hello @Zachow

We see that you have signed up for Comodo One and you have submitted a support ticket to them regarding this. One of the technicians from Comodo One will update you on the support ticket regarding this.

Hi SethHD ,

I have indeed got an account with Comodo One, and I raised a ticket asking how containment works and why a file was suddenly trusted despite the file not being rated by us, not being fully processed by Valkyrie, and not having undergone human expert analysis.

Comodo support have confirmed that any files that are “Signed” / have a valid certificate will automatically be rated as “Trusted” on Valkyrie (as long as the hash of the file has not been detected by signature based detection). This means that any malware can bypass containment by simply signing their application, which can be done by anyone.

Your support stated that “As of the protection it is being protected by the real-time protection and the infections cannot bypass Comodo.”. This is simply not true. For example, as per your reports on the Ransomware attack that hit another company (documented on below linked topic), where containment was the component that protected endpoints! The entire point of Containment is to block 0-day malware, but if the 0-day malware is signed then it bypasses containment.
https://forum.itarian.com/forum/prod…omodo-bypassed

Either way, the fact that files are automatically being marked as “Trusted” just because they are signed is incredibly flawed. Not sure what other people’s opinion on this is.

Thanks
Zac.

Please let me know the outcome of this issue, @SethHD .

Hi All, @SethHD @nct

Just want to clear up this mess:

Comodo’s initial response to this issue was to state that the file was “Trusted” because it was signed.

  • "...The verdict was set automatically because the file has a valid certificate/certificate signed. If you consider that the verdict is invalid, you can initiate a human expert analysis on that file..."

Files are NOT being marked as "Trusted" based off of being signed by any certificate as was first stated by Comodo. This was false information. Comodo have clarified that they have a list of certificates that are "Trusted" and that the process to be marked as trusted is thorough, and only vendors such as the likes of Microsoft are added to this list. The reason that this file was whitelisted is given below by Dylan; it turns out that it is not certificate based at all.

Dylan has just updated the ticket with some more detailed explanation (thank you for the clarification Dylan, I have listed Dylan’s full reply below for clarity). I was unaware that Valkyrie / CCS uses 11 different file verification systems - I was under the impression that it was just Valkyrie. Perhaps it would be interesting to know what other file verification systems are used so that we could look files up.

Thanks
Zac.

"Please note that CCS is using 11 file rating providers and some of them are interconnected. In this case, Valkyrie is using the Trusted verdict that already exists in our database (that is why it is listed as clean with analysis type “Signature Based Detection”). This means that this file, with the same HASH, has been analyzed in the past by one of our file rating systems (Valkyrie is one of them but not the only one) and the signature was added to our whitelist database.

“-The MSI file is now rated as “Trusted” by comodo and therefore has not been contained. The file was being contained last week, something changed over the weekend.”
The file was contained last week because, most likely, the local CCS file rating database was not up to date. If the local rating is Unrecognized, cloud lookup is initiated but the file is contained anyway. Once the cloud lookup results are received and the file rating database is updated locally, upon subsequent execution, the file will be allowed to run unrestricted if the rating is Trusted.
Should you require a new Valkyrie analysis for the reported file, you may manually upload it: https://help.comodo.com/topic-397-1-773-9566-Upload-Files-for-Analysis.html

Please let us know whether the above information helped, or you require further assistance.

Kind Regards,
Dylan
Comodo Technical Support Team"