Hello,
A few days ago, I updated from Avast 4.8 to Avast 5.0.377 (free version), and 3 times I have got a warning message saying avast! detected a virus in the operating memory (I'm using the Spanish version of Avast, so it is "memoria operativa"), and it suggests scheduling a startup scan and restarting the system. I did that, and it didn't find anything (I confess I didn't allow it to finish, but it checked more than 50% of the system unit). I ran a full scan from Windows, and it didn't find anything (except a few things inside compressed files, so they should not be active). I also ran Malwarebytes (with Windows in Safe Mode) and Spybot Search & Destroy, and nothing was found. And again, I got the same warning.
I'm running Windows XP Pro SP3 and the Comodo Internet Security suite (Firewall and Defense+; I didn't install Comodo's antivirus). I tried to check the real-time shield reports, but there is nothing, so I don't know what is causing the warning.
So, what should I do? I don't like the idea of formatting and reinstalling.
Best Regards
I ran it with default settings, and it didn't find anything (but also Avast has not shown the warning message lately). I enabled Comprehensive Heap Scan, and it detected cmdagent.exe as malicious, due to "Capability to perform DoS attacks against other computers." AFAIK, cmdagent.exe is part of Comodo Firewall.
Maybe Avast produces a FP on Comodo too, but I'll wait until I get the warning, and then I'll run ThreatExpert again; maybe the offending process is not running right now…
It seems to be a part of Comodo's virus database detected in memory (if they don't encrypt their signatures very well, which is most probable)… We've seen this kind of detection when avast was used alongside Windows Defender, so it's quite possible that a similar detection is triggered with Comodo… There's no reason to worry about that…
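The mechanism described in that reply (one product's plaintext signature database sitting in memory and matching another product's memory scan) can be shown with a small scanner. This is an added example written for this page, not code from the thread or from avast! or Comodo; the signature names, the signature bytes, the XOR key and the scanner itself are all constructed for illustration and do not correspond to either product's engine or database.

```python
"""Added example: why a plaintext signature database in one program's
memory can trip another scanner's memory scan, and how keeping the
patterns encoded at rest avoids it.

All names, patterns and keys below are constructed for illustration;
they are not real Avast or Comodo signatures.
"""

# Constructed signature database of a hypothetical scanner "A":
# name -> byte pattern that A looks for in memory.
SIGNATURES_A = {
    "Example.Dropper.1": b"\xe8\x00\x00\x00\x00\x5b\x81\xeb\x10\x10\x40\x00",
    "Example.Worm.2":    b"WORM-MARKER-DEADBEEF",
    "Example.Trojan.3":  b"\x90\x90\x90\xcc\xcc\xcc\xeb\xfe",
}

# Constructed at-rest key used by a hypothetical careful product "B".
DB_KEY = b"\x37\xa9\x5c\x13\xe2\x7d\x48\xc6"


def scan_memory(region: bytes, signatures: dict) -> list:
    """Toy 'operating memory' scan: return (name, offset) for every
    occurrence of a signature as a plain substring of the region."""
    hits = []
    for name, pattern in signatures.items():
        off = region.find(pattern)
        while off != -1:
            hits.append((name, off))
            off = region.find(pattern, off + 1)
    return hits


def plaintext_db_image(signatures: dict) -> bytes:
    """What a naive product B leaves in memory: its own patterns stored
    verbatim, back to back. Scanner A will match them as if they were
    live malware, which is exactly the false positive in the thread."""
    return b"".join(signatures.values())


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR encoding; enough to defeat substring matching."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_signatures(signatures: dict, key: bytes) -> dict:
    """Signature database as a careful product B keeps it: every
    pattern encoded at rest."""
    return {name: xor_encode(p, key) for name, p in signatures.items()}


def encoded_db_image(signatures: dict, key: bytes) -> bytes:
    """Memory image of the encoded database, back to back."""
    return b"".join(encode_signatures(signatures, key).values())


def scan_with_encoded_db(region: bytes, encoded: dict, key: bytes) -> list:
    """Product B still detects real samples: each pattern is decoded into
    a short-lived local buffer only while it is being compared, so the
    plaintext never sits in B's memory as a whole database."""
    hits = []
    for name, enc in encoded.items():
        pattern = xor_encode(enc, key)  # transient plaintext
        off = region.find(pattern)
        while off != -1:
            hits.append((name, off))
            off = region.find(pattern, off + 1)
    return hits


if __name__ == "__main__":
    # Naive B: A's memory scan "finds" every one of B's own signatures.
    print("plaintext DB:", scan_memory(plaintext_db_image(SIGNATURES_A), SIGNATURES_A))
    # Careful B: nothing for A to match.
    print("encoded DB:  ", scan_memory(encoded_db_image(SIGNATURES_A, DB_KEY), SIGNATURES_A))
    # ...and B still catches a constructed sample containing a pattern.
    sample = b"junk" + SIGNATURES_A["Example.Worm.2"] + b"more"
    print("B on sample: ", scan_with_encoded_db(sample, encode_signatures(SIGNATURES_A, DB_KEY), DB_KEY))
```

The plaintext image is flagged three times (once per pattern), the XOR-encoded image not at all, while the encoded database still detects a sample carrying one of the patterns. In practice the "A" scanner would be the product raising the "virus in operating memory" alert and "B" the product whose database was loaded; the fix belongs on B's side (encode or hash patterns at rest) or on A's side (exclude known AV processes from heap scanning).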
Since ThreatExpert generates a report, it's probably better to paste the report than to post a screenshot. This is the report, with the Comprehensive Heap Scan option enabled. With that option disabled, it doesn't detect anything.
* Scan details:
  o Scan started: Thursday, January 28, 2010 20:06:43
  o Scan time: 03 minutes, 06 seconds
  o Number of memory objects scanned: 10831
    + processes: 58
    + modules: 3052
    + heap pages: 7721
  o Number of suspicious memory objects detected: 0
  o Number of malicious memory objects detected: 1
  o Overall Risk Level: High
* Summary of the detected threat characteristics:
  Severity Level | What's been found
  (not shown)    | Capability to perform DoS attacks against other computers.
  o Detected locations:
    + Process "cmdagent.exe", heap page: [0x01500000 - 0x015ce000]
* Summary of the detected memory objects:
  Severity Level | Memory Object
  (not shown)    | Process "cmdagent.exe", heap page: [0x01500000 - 0x015ce000]
  o Detected characteristics:
    + Capability to perform DoS attacks against other computers.
I’m also attaching the screenshot of the warning message from Avast! (but it is in Spanish).
Trying to reproduce the warning message, last night I decided to "play" a bit with the Virus Chest. I had a sample stored there (an install file). I created a folder and extracted the file to that folder, to upload it to virustotal.com, but I didn't create an exclusion rule. When I tried to upload the file, the File System Shield blocked it and produced a warning. I sent the sample back to the Virus Chest, and right then I got the warning message I posted in my previous message.
Today I tried to reproduce the message: I deleted the second copy of the installer from the Virus Chest and extracted the original file again to the folder I had created. Then I tried to upload it to virustotal.com (and I was expecting the File System Shield to block it again), but this time I could upload it without receiving any warning. I have not created any exclusion rule, so now I don't know why last night it was detected and today it passed. Finally, I scanned the file from Windows Explorer, and of course it was detected (as it should be).
So now I don't know why the virus sample was detected the first time and not the second time, and I still don't know what causes the "virus in operating memory" message…