I performed a couple of deep scans with custom settings with Avast!, and in the results it reports COMODO’s process cmdagent.exe as a virus. This only happens on the laptop.
On the “home PC” it doesn’t detect anything unusual.
Can someone tell me something about this behavior?
Full details of the detection or a screenshot of the scan results window would help determine what it is.
Did you do a Memory scan as a part of that custom scan?
I’m sorry for the error in the previous post…the process isn’t “cfp.exe”, but “cmdagent.exe”.
At the moment I can’t post a screenshot or full details of the scan on my laptop. For now I can tell you that the deep scan that I have created is a custom scan with all possible scan areas that you can find in the custom scan parameters.
On my “home PC” I have just now found the same problem. These are the results:
-Process 816[cmdagent.exe],block memory 0x00000000047C0000,block dimension 2097152- -Severity:High- -Threat:Win32:FakeVimes-B [Trj]-
I tried to translate the results because my AV is in Italian ;D
I get the same error when I run an Avast memory scan. Avast forum people told me not to worry; the alert is from Comodo loading unencrypted signatures into memory.
My theory is cmdagent.exe at boot time does tons of hook injections to minimize Defense+ alerts. What is left in memory is the leftover from that process.
Ok Thanks!! Now I can stay quiet!!! ;D
Detections in memory, as this one is, come from doing a Custom scan in which you have elected to scan Memory; all these detections are in memory. Since they aren’t physical files they can’t be moved to the chest, deleted, etc., so there is no action that can be taken, hence the Apply button being greyed out.
The detections in memory are frequently other security applications loading unencrypted virus signatures into memory. Having set off a scan of memory by an antivirus application looking for virus signatures, don’t be too surprised if it finds some in memory.
So either don’t scan memory in the custom scan or understand that you can get detections like this on other security applications loading unencrypted signatures into memory.
Max, Donz.
I also run Comodo, Firewall and D+, but I have never run Comodo AV. When I do a memory scan with Avast, I do not get any unencrypted virus signatures in memory from Comodo. I get Windows Defender though, because it is running. I wonder, have you ever had Comodo AV running on your machines?
Regards.
Defense+ also uses signatures as far as I’m aware (it was my belief it was only the AV, but I was corrected), so it would be cmdagent.exe which would load them into memory as and when used.
DavidR.
Thank you for the info, but still Avast is not detecting cmdagent.exe unencrypted virus signatures in my PC just Win Def sigs. ???
I don’t know why that is as I have never used any comodo product, been very happy with my firewall for many, many years.
For iroc9555:
I have never installed Comodo AV on my PCs.
For DavidR and iroc9555:
So, what should be the problem? Is what DonZ63 wrote right? Or is the cause the unencrypted virus signatures in memory?
However, can I stay quiet or do I have to worry?
Thanks for the help!!!
MaxReed, go to the Comodo forum and ask if anyone has ever come across the same problem as you, and you might get an answer. I don’t think it is related to Avast; it might be Comodo FW, unless your settings are not set up correctly. If you’re not a member, please register and join; it’s free.
Ok, I’ve asked about this problem on the Comodo forum and they said that it is a false positive of Avast. I hope that the Avast Team solves the problem.
Thanks to all!!!
Sorry, but I honestly don’t see how this can be considered a false positive, you ask avast to scan in memory for virus signatures and it has done as you asked.
Avast as I have said isn’t alerting on cmdagent.exe but the unencrypted signatures that it has loaded into memory.
I have no idea what question you asked in the Comodo forums, but if it didn’t ask ‘Does cmdagent.exe (for Defense+) load virus signatures into memory?’ then you won’t get an accurate answer, as I feel they are simply saying there is nothing wrong with cmdagent.exe. Avast isn’t saying it is infected, just that it is responsible for loading those signatures into memory.
As I said before:
So either don't scan memory in the custom scan or understand that you can get detections like this on other security applications loading unencrypted signatures into memory.
@MaxReed, if I’m not mistaken, and if I understood correctly what DavidR is saying (I hope ???), virus signatures should not be loaded into memory by cmdagent.exe (for Defense+). Sometimes this can cause problems for the PC; having too many virus signatures loaded into memory can slow down your PC, so it shouldn’t in most cases.
@MaxReed, please check your Comodo FW settings for me. Please trust me, I have been using Comodo FW for nearly 6 years, from v3.0 to v5.4. I’m not using Comodo FW any more; I’m currently using Outpost. So go to Comodo FW, in the Defense+ settings:
- Go to Firewall Behavior Settings and tick Create rules for safe applications
- Go to Defense+; in general settings, have you picked Create rules for safe applications?
- In Execution Control settings, un-tick the following settings:
  - Perform cloud based behavior analysis of unrecognized files
  - Automatically scan unrecognized files in the cloud
- In Sandbox settings, disable Comodo Sandbox; it is not required while you have Avast sandbox running
- In Sandbox settings, un-tick Automatically trust the files from the trusted installers
- In Monitoring Settings, make sure you pick everything.
And reboot your PC. After that, go back to Comodo FW and go to the More Options section right at the end:
- Run the Comodo Diagnostics just to make sure everything is okay
- After Diagnostics, go to Manage My Configurations and back up your Comodo settings under a different name and keep it in a safe place, just in case a new Comodo FW version comes out; in most cases you could lose all your settings, everything, and it is easy to restore them back into Comodo FW.
And do another Avast custom scan of the memory, and I’m pretty sure everything should be cleaned out by cmdagent.exe (for Defense+).
Please let me know.
But with these changes, however, is my PC well protected? :-\
Yes, your PC is protected. Keep in mind you don’t need two sandboxes running at the same time, Comodo and Avast; the only sandbox you need is Avast, not Comodo, because this is overkill.
Your Comodo Defense+ is still enabled; this is how it works without using Comodo Sandbox.
The Defense+ component of Comodo Internet Security (hereafter known simply as Defense+) is a host intrusion prevention system that constantly monitors the activities of all executable files on your PC. With Defense+ activated, the user is warned EVERY time an unknown application executable (.exe, .dll, .sys, .bat etc) attempts to run. The only executables that are allowed to run are the ones you give permission to.
Defense+ also protects against data theft, computer crashes and system damage by preventing most types of buffer overflow attacks. This type of attack occurs when a malicious program or script deliberately sends more data to its memory buffer than that the buffer can handle. It is at this point that a successful attack can create a back door to the system through which a hacker can gain access. The goal of most attacks is to install malware onto the compromised PC whereby the hacker can reformat the hard drive, steal sensitive user information, or even install programs that transform the machine into a Zombie PC.
Defense+ boasts a highly configurable security rules interface and prevents possible attacks from root-kits, inter-process memory injections, key-loggers and more. It blocks Viruses, Trojans and Spyware before they can ever get installed on your system and prevents unauthorized modification of critical operating system files and registry entries.
I forgot to tell you, sorry: set your Firewall Security Level to Custom Policy and set your Defense+ Security Level to Paranoid Mode, and finally look for Stealth Ports Wizard and pick Block all incoming connections. That’s all.
Well this is becoming more prevalent by a number of security applications as it speeds up any scan/check as accessing this data is much quicker if the signature data is loaded in memory rather than on the hard drive.
So the rights and wrongs of it: should those signatures, when loaded in memory, be encrypted or not, as they must know there is a possibility that the user’s resident anti-virus may well detect these signatures? Or is it just the case that, since Comodo now only offer the suite version with an AV, they feel there shouldn’t be anyone who doesn’t want their AV (or care)?
If the signatures were encrypted in memory they wouldn’t/shouldn’t be detected, but then there is the overhead of having to decrypt the signatures first, losing some of the benefit of having them in memory.
So in essence it is up to the user to do as I suggested: don’t run the memory scan in the custom scan, or ignore the expected results if virus signatures loaded by security software are detected.
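Added example, not part of the original thread and not code from Avast or Comodo: a toy Python model of the behaviour described above, where a pattern-matching memory scan reports signatures inside another security product's memory block when its database is held unencrypted, and reports nothing when the database is encoded and decoded on use. The signature names, byte patterns, process name, base address and XOR encoding are all constructed assumptions.

```python
# Toy model: a byte-pattern memory scanner versus another security product's
# in-memory signature database. All names, patterns and addresses are constructed.
SIGNATURES = {
    "Toy.FakeAlert-A": b"\x13\x37FAKEALERT-PAYLOAD\x00\x01",
    "Toy.Dropper-B": b"\xde\xad\xbe\xefDROPPER-STUB",
}
XOR_KEY = 0x5A  # stand-in for real encryption; only the effect on the scan matters


def build_plain_db(sigs):
    """Length-prefixed patterns stored back to back, unencrypted."""
    return b"".join(len(p).to_bytes(2, "little") + p for p in sigs.values())


def encode_db(db, key=XOR_KEY):
    """Obfuscate the database so the raw patterns never sit in memory."""
    return bytes(b ^ key for b in db)


def load_patterns(encoded_db, key=XOR_KEY):
    """Decode on use: the extra step (overhead) an encrypted database costs."""
    db, patterns, i = encode_db(encoded_db, key), [], 0
    while i < len(db):
        n = int.from_bytes(db[i:i + 2], "little")
        patterns.append(db[i + 2:i + 2 + n])
        i += 2 + n
    return patterns


def scan_memory(regions, sigs=SIGNATURES):
    """regions: (process, base_address, bytes). Report every pattern found."""
    hits = []
    for proc, base, data in regions:
        for name, pattern in sigs.items():
            off = data.find(pattern)
            if off != -1:
                hits.append((proc, hex(base + off), name))
    return hits


PLAIN_DB = build_plain_db(SIGNATURES)
PAD = b"\x00" * 64  # unrelated heap bytes before the database
plain_hits = scan_memory([("other_av_agent.exe", 0x10000, PAD + PLAIN_DB)])
encoded_hits = scan_memory([("other_av_agent.exe", 0x10000, PAD + encode_db(PLAIN_DB))])
print(plain_hits)    # both toy signatures reported inside the other product's memory
print(encoded_hits)  # nothing reported; the process itself is unchanged
```

The hits in the plain case point at a memory block, not a file, which is why a scanner can offer no action on them.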
A bit OT, but if you just need a quite slick FW (and eventually a HIPS) use an older version of Comodo. (See my sig.!) This version doesn’t load any signatures into memory and does everything you can expect from a FW (and a HIPS).
I noticed you mentioned HIPS. I have been using Online Armor Free, which has HIPS and does not slow down my machine. I was wondering if Comodo does likewise? I am asking for my knowledge because I have never used anything from Comodo. I am constantly trying to learn.
I found this link so anyone could download an earlier version.
http://filehippo.com/download_comodo/