Unknown Files: The Scanning Processes
- When an executable is first run it passes through the following CCS security inspections:
- Antivirus scan
- HIPS Heuristic check
- Buffer Overflow check
- If the processes above determine that the file is malware then the user is alerted and the file is quarantined or deleted
- An application can become recognized as 'safe' by CCS (and therefore notscanned in the cloud) in the following ways:
- Because it is on the local Comodo White List of known safe applications
- Because the user has raited the file as 'Trusted' in the 'File list'
- By the user granting the installer elevated privileges (CCS detects if an executable requires administrative privileges. If it does, it asks the user. If they choose to trust, CCS regards the installer and all files generated by the installer as safe)
- Additionally, a file is not sent for analysis in the cloud if it is defined as an Installer or Updater in HIPS Ruleset (See Active HIPS Rules for more details)
- Cloud Scanning
Files and processes that pass the security inspections above but are not yet recognized as 'safe' (white-listed) are 'Unrecognized' files and contained automatically. In order to try to establish whether a file is safe or not, CCS will first consult Comodo's File Look-Up Server (FLS) to check the very latest signature databases:
- A digital hash of the unrecognized process or file is created.
- These hashes are uploaded to the FLS to check whether the signature of the file is present on the latest databases. This database contains the latest, global black list of the signatures of all known malware and a white list of the signatures of the 'safe' files.
- First, our servers check these hashes against the latest available black-list
- If the hash is discovered on this blacklist then it is malware
- The result is sent back to the local installation of CCS
- If the hash is not on the latest black-list, it's signature is checked against the latest white-list
- If the hash is discovered on this white-list then it is trusted
- The result is sent back to local installation of CCS
- The local white-list is updated
- The FLS checks detailed above are near instantaneous.
- If the hash is not on the latest black-list or white-list then it remains as 'unrecognized'.
- Unrecognized files are simultaneously uploaded to Comodo's Instant Malware Analysis servers [a.k.a Comodo Automated Malware Analysis System (CAMAS)] for further checks:
- Firstly, the files undergo another antivirus scan on our servers.
- If the scan discovers the file to be malicious (for example, heuristics discover it is a brand new variant) then it is designated as malware. This result is sent back to the local installation of CCS and the local and global black-list is updated.
- If the scan does not detect that the file is malicious then it passes onto the the next stage of inspection - behavior monitoring.
- The behavior analysis system is a cloud based service that is used to help determine whether a file exhibits malicious behavior. Once submitted to the system, the unknown executable will be automatically run in a virtual environment and all actions that it takes will be monitored. For example, processes spawned, files and registry key modifications, host state changes and network activity will be recorded.
- If these behaviors are found to be malicious, the file is submitted to our technicians for further manual checks and confirmation. If the manual testing confirms it as a malware, then it will be added to the global blacklist which will benefit all users. The results will be sent back to local installation of CCS, file will be quarantined and the user alerted.
- If the manual analysis confirms the file as safe, then it will be added to global whitelist and results sent back to local installation of CCS.
Important Note: In order for the software to submit unknown files to our file rating and malware analysis servers (CAMAS), please make sure the following IP addresses and ports are allowed on your network firewall:
|