Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].

I’m not sure what’s going on. Out of the blue, a boot-time scan tells me I’ve caught an INF:AutoRun-W [Wrm] infection from a Gizmo/WindowsSecrets.com newsletter email. This I find very odd, because a) I trust this source, and b) wouldn’t avast! and/or Spy Sweeper have flagged it when I originally opened the mail?

Straight after that, my custom scan tells me that a Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj]. Ditto my next 4 custom scans (see attached image).
I’ve had this Comodo firewall ‘cmdagent.exe process’ problem before, so I know (through this forum) that I shouldn’t worry too much about this:
“In general, any security application can load some signatures (fragments of malicious code used to detect the real threats) into memory - they are located in data segments (instead of executable code).” “…scan results are not the files, but the virus is detected in memory allocated to cmdagent.exe process…”
After a few days avast! updates the engine and/or relevant virus definitions and the problem disappears.
…It’s been four days now. I can’t be the only user who has noticed this?

P.S. My custom scan has EVERYTHING turned on and scan sensitivity set to 11.

EDIT:
Coincidence? I’ve just discovered from http://www.avast.com/virus-update-history that:
Win32:FakeVimes-B [Trj] was part of the 8.10.2010 - 101008-0 virus definition updates and
INF:AutoRun-W [Wrm] was introduced in the 8.10.2010 - 101008-1 virus definition updates.
My avast! started flagging these on the first scans I did after this date.

You appear to have the comodo AV also installed and not just the firewall as I can’t see why the firewall needs to download virus signatures and load them into memory (?)

That is where the signatures being detected in memory are coming from. So it isn’t that there is nothing to worry about, but why they are there in the first place.

Having two resident scanners installed is one too many and not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.

Nope.

I have the same Comodo Firewall Pro and avast! anti-virus setup that I’ve had for years - both are the free versions.
I run the same avast! whistles-and-bells custom scan which I’ve run since v5.0 was released.
What I do have is the exact same problem that crops up every 9 months or so, where I suddenly start getting warnings about Comodo’s cmdagent.exe (see my post from Feb this year: Avast5 Free Edition detect comodo and window defender process as virus/threat?)

I carried out a boot-time and custom scan on the 6th with no problems found.
On the 8th avast! added Win32:FakeVimes-B [Trj] and INF:AutoRun-W [Wrm] to the virus definition list.
On the 10th I carried out a boot-time scan and INF:AutoRun-W [Wrm] was found in a newsletter email from a site I trust, and during my subsequent custom scan, I get a warning that Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj], with the same results in the 5 custom scans I’ve completed since then.

Well, why is Comodo firewall’s cmdagent.exe loading virus signatures into memory if it doesn’t have an AV installed? It doesn’t have any use for them.

That question I guess you would have to ask at the comodo forum as we are unlikely to know why.

A boot-time scan wouldn’t find anything; Windows and Comodo aren’t running at that point, so cmdagent.exe wouldn’t have loaded the signatures into memory.

Oh… Now you say it out loud, that’s a blooming good question.

But like I said, this only happens once in a while. Usually after a few virus definition updates, and without any intervention from me, my avast! custom scans stop flagging cmdagent.exe as a threat.

It isn’t flagging cmdagent.exe as a threat, it is telling you what process loaded the unencrypted signature/s into memory which are being detected. So it entirely depends on why and when cmdagent.exe loads them and if after that you happen to do a memory scan.

So you have to get the why and when cmdagent.exe loads these unencrypted signatures into memory from the source as we can’t answer that.


Hi MostlyHarmless -

Do you have or did you have Comodo Internet Security on your computer?
See the links below.

cmdagent.exe - Comodo Personal Firewall executable. The firewall has been incorporated into COMODO Internet Security.
http://www.pcpitstop.com/libraries/process/i/cmdagent.exe.html
Cmdagent.exe with description COMODO Internet Security is a process file from company COMODO belonging to product COMODO Internet Security.
http://www.runscanner.net/lib/cmdagent.exe.html

I’ve asked for help on Comodo forum
https://forums.comodo.com/firewall-help-cis/firewall-loading-virus-signatures-into-memory-and-detected-by-avast-t63746.0.html;new#new

I checked your post, no response as yet, though I wouldn’t have offered the ‘is this an avast FP’ as it is a get out of jail card.

What we want to know is what is cmdagent.exe loading into memory ?
If, as is suspected, these are unencrypted signatures, why, if this is a stand-alone Comodo firewall installation? Anything else is irrelevant.

I don’t understand what you mean…

If they say yes it is an avast FP they don’t have to answer the main question, what is being loaded into memory by cmdagent.exe and why.

So they don’t have to answer the real issue/question, they have effectively been let off the hook, got out of jail.

Let them say that… Let’s see what we get there technically.
I’m not sure the detection is due to cmdagent loading things into memory. It could be a false positive of avast detecting “other things” in that memory block.

MostlyHarmless, does the detection disappear after avast is updated?

Question: is Comodo a good firewall? I am thinking of installing it.

The only thing in that memory block is what was loaded by cmdagent, that is how memory blocks are allocated, they aren’t shared.

If something tries to use a memory block already allocated, I would guess that would cause some sort of access violation or clash or memory error.

I have received no alerts or detections from Avast 5.0.677 regarding cmdagent.exe with CIS 5.0.x.1135 (FW and HIPS). I notice that the OP is using CIS 5.0.x.1142, an upgraded version from CIS 4.x. Possibly, that’s a clue.

No. Version 2.4(?) had an on-demand virus scanning option, but since CFP v3.0, I have only ever installed the firewall component.

Until a few days ago I had CFP v4.1.x installed. I started getting the cmdagent.exe alert on the 10th. I updated to CFP v5.0.1 on the 14th, but was still being alerted to process [cmdagent.exe]. On the 15th I uninstalled CFP and downloaded a fresh copy of v5.0.163652.1142 from personalfirewall.comodo.com. (Though oddly, the profile of this installer thinks it is v5.0.32580.1142… )
Installed, but still getting the warning
File name: Process 11xx [cmdagent.exe], memory block 0x00000000023C0000, block size 4xxxxx
Severity: High
Status: Threat: Win32:FakeVimes-B [Trj]

Thanks for that, Tech. I was just about to do that very thing.


I have to reiterate: This is NOT the first time that avast! has had problems with cmdagent.exe on my PC. Usually after a few virus definition updates or an engine revision, avast! stops flagging the process cmdagent.exe.

It will be better if you post there yourself, giving details of the problem.

Done ;D

It’s the Defense+ cloud and behavior shield.
Now, Comodo must encrypt the signatures loaded into memory or we will see this over and over again.
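The mechanism the thread keeps coming back to (a memory scanner matching raw signature bytes that a second security product keeps unencrypted in its own data segment, and the fix of storing those signatures in an obfuscated form), as an added toy model that is not part of the original thread nor of avast!’s or Comodo’s code. All product names, byte patterns and the XOR key are constructed; XOR stands in for whatever real encryption a vendor would use.

```python
from typing import Dict, List, Optional

# Constructed signature list for scanner A (the product doing the memory scan).
SCANNER_A_SIGNATURES: Dict[str, bytes] = {
    "Example:Fake-A [Trj]": b"\x55\x8b\xec\x83\xec\x20\x33\xc0",
    "Example:AutoRun-X [Wrm]": b"[autorun]\r\nopen=",
}

# Constructed list that a second product (the cmdagent.exe of the thread) keeps
# in its own data segment. One entry overlaps with scanner A's list, which is
# all it takes for scanner A to "find" a threat in product B's memory.
PRODUCT_B_SIGNATURES: Dict[str, bytes] = {
    "ProductB:Fake-A": b"\x55\x8b\xec\x83\xec\x20\x33\xc0",
    "ProductB:Other": b"MZ\x90\x00\x03",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy symmetric obfuscation: XOR every byte with a one-byte key."""
    return bytes(b ^ key for b in data)


def build_data_segment(db: Dict[str, bytes], key: Optional[int]) -> bytes:
    """Model product B's data segment: its signatures laid out with padding.
    key=None stores the raw patterns (the unencrypted case the thread suspects);
    an int key stores them XOR-obfuscated so the raw bytes never sit in memory."""
    chunks = []
    for pattern in db.values():
        chunks.append(pattern if key is None else xor_bytes(pattern, key))
        chunks.append(b"\x00" * 16)  # padding between entries
    return b"".join(chunks)


def scan_memory_block(block: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """Naive memory scan: report every scanner-A signature found verbatim."""
    return sorted(name for name, pattern in sigs.items() if pattern in block)


def lookup_signature(segment: bytes, key: int, wanted: bytes) -> bool:
    """Product B still uses its list: encode the query, compare, never decode in bulk."""
    return xor_bytes(wanted, key) in segment


def demo() -> dict:
    plain = build_data_segment(PRODUCT_B_SIGNATURES, None)
    obfuscated = build_data_segment(PRODUCT_B_SIGNATURES, 0x5A)
    return {
        "plain_hits": scan_memory_block(plain, SCANNER_A_SIGNATURES),
        "obfuscated_hits": scan_memory_block(obfuscated, SCANNER_A_SIGNATURES),
        "product_b_still_works": lookup_signature(
            obfuscated, 0x5A, PRODUCT_B_SIGNATURES["ProductB:Fake-A"]),
    }
```

Running `demo()` shows the unencrypted segment reported as "Example:Fake-A [Trj]" while the obfuscated one scans clean, which is the same pattern as a detection naming the process that loaded the signatures rather than a malicious file.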

ok… But why is avast! only warning me about:
Process 11xx [cmdagent.exe], memory block 0x00000000023C0000, block size 4xxxxx > Threat: Win32:FakeVimes-B [Trj] ?
Nothing else, just this one signature.

Win32:FakeVimes-B [Trj] was added to the avast! virus blacklist on 8-Oct-2010 (101008-0), and the very next scan I do after that date flags it as a memory process. Doesn’t anyone think this is a little bit of a coincidence?

When this problem arose, I was using CFP v4.1. I’ve had this since I last reinstalled XP on my PC back in June.
CFP rarely changes; avast! changes daily through virus updates; something in the 8-Oct-2010 (101008-0) update has triggered this cmdagent.exe alert.

Because of my surfing habits, if I catch one actual virus in a year, it’s odd. (Honestly, one a year, tops).
However, I get a cmdagent.exe process flagged about once every nine months.

I can’t be the only person who has reported this, can I? ???