Win32:Dropper-LJP [Drp] during Comodo Firewall Setup - False Positive?

cska133 · January 25, 2013, 12:55pm

during the installation of Comodo firewall 5.10 (the same happens with version 5.12) Avast reported Win32:Dropper-LJP [Drp]. See screenshot
Comodo mods in the Comodo forum say this is false positive. The hashes of the installed setup are identical with these from Comodo official side.

does someone else have this alert or did one install CF 5.10 or 5.12 soonly?

how to proceed futher?

Asyn · January 25, 2013, 1:10pm

Report it as a FP.

cska133 · January 25, 2013, 2:06pm

where to report it?
and how can I (you) be sure that it is false positive?

system · January 25, 2013, 2:20pm

Report it here as a F/P: http://www.avast.com/contact-form.php?loadStyles

Must be if you are installing Comodo and both file open in temps while installing Comodo. However, all of this is true if you downloaded Comodo installer from its web site.

To tell you the truth I reinstalled Cfw 5.10 back at the end of december after trying out CIS 6, and I did not get any alert from Avast!; However, this could be a new detection added in Avast! VPS and that is why Asyn asked you to report it as a F/P and let avast! decides.

cska133 · January 25, 2013, 4:54pm

iroc9555

could you please upload somewhare your CF 5.10. PLEASE
I would like to compare the installers.
Send me the upload link in PM

system · January 25, 2013, 4:59pm

I got it from Filehippo: http://www.filehippo.com/download_comodo/11856/

cska133 · January 25, 2013, 7:14pm

Report it here as a F/P: http://www.avast.com/contact-form.php?loadStyles

Well the tmp file is no longer avaiable so I can not send it to Avast by using the above link. Am I right? Or do I have to sent the Comodo installer?

system · January 25, 2013, 10:13pm

Leave it like that. Try the link from FileHippo or the MediaFire link I gave you. If you still get the alert, click the part of the alert that says “Report the file as a false/positive” at the bottom of it then go to File System Shield and exclude the file to continue the installation.

securitest · January 27, 2013, 12:38am

Avast :
program version : 7.0.1466
virus definition : 130126-1 (26 januray 2013, up-to-date)

I got the same virus alert

virus found in CIS1.TMP
virus type : WIN32:DROPPER-LJP [DRP]
process : CMDINSTALL.EXE

when using the Comodo CIS installer : 5.10.228257.2253
MD5 : 8D25C043876A0FDBCED0443674D0E0E9
SHA-1 : 19A5936256E00F8470F6E173237C57F6818CFC9C
SHA-256 : 84FC4861DDBCB588601D993CFEF0338502FA6EA1DA6D0EFB74639B5678DADA5C
Size : 62 856 768 Bytes

In this post on the comodo forum :
http://forums.comodo.com/install-setup-configuration-help-cis/i-need-ciscf-510-or-512-t90635.0.html;msg653558#msg653558
you get a direct download link for this CIS 5.10 installer at :
http://www.cogneo.org/images/news/jan17/cispremium_installer_510.exe
(this is not a link on the comodo site since CIS 5.10 is not the latest CIS version)

I’ll try to report it at
http://www.avast.com/contact-form.php?loadStyles

securitest · January 27, 2013, 1:00am

Unhappily when I try to report at http://www.avast.com/contact-form.php?loadStyles
each time I try, I get a ‘The connection to the server was reset while the page was loading’ from my browser.
So I can’t report it for the moment.

bob3160 · January 27, 2013, 1:27am

You didn’t mention which browser you’re using.

Asyn · January 27, 2013, 6:24am

You can also report it to: virus[at]avast.com

system · January 27, 2013, 2:14pm

…Or as I said above in reply # 7

system · January 27, 2013, 7:47pm

Did anyone check to to see if this comodo installer was digitally signed? and have you or can you compared the file hashes?
I extracted the 5.12.2599 installer Digitally signed ‎Wednesday, ‎November ‎07, ‎2012 7:02:40 PM
and i found no alerts at all.

bob3160 · January 27, 2013, 7:52pm

And how does that relate to “connection to server reset” ???

system · January 27, 2013, 7:54pm

Simple. the installer you are downloading is not signed or has been substituted. The Avast Network/Web Shield shield aborts the download/network connection because it sees it as infected.
is there a p[rticular file that it says is infected i have extracted the 5.10 installer you said to download and extracted it completely with 7zip. i scanned it and found no threats. see attachment

cska133 · January 28, 2013, 2:46am

this is a temp file in the temp folder. Look at the screenshot in my first post http://forum.avast.com/index.php?topic=113585.msg887394#msg887394. I dont think that Avast can get it when you scan the installer. L

cska133 · January 28, 2013, 2:51am

the hashes are identical with these on the Comodo side https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-5102282572253-released-t82809.0.html . Compare with http://forums.comodo.com/install-setup-configuration-help-cis/i-need-ciscf-510-or-512-t90635.0.html;msg653558#msg653558 and http://forum.avast.com/index.php?topic=113585.msg887856#msg887856

securitest · January 28, 2013, 5:20pm

I use some old Firefox
(might be the cause of ‘The connection to the server was reset’ when I try to report at http://www.avast.com/contact-form.php?loadStyles).

Someone else could maybe try to report since the ‘cispremium_installer_510.exe’ is available from
http://www.cogneo.org/images/news/jan17/cispremium_installer_510.exe (link provided on the Comodo forum as I said before)

To DrHaze :
I also don’t get an alert while scanning ‘cispremium_installer_510.exe’,
but only when actually installing (from a cis1.tmp file in the Temp folder)
The ‘cispremium_installer_510.exe’ (for CIS v 5.10.228257.2253) is signed, and the hashes are the ones given on the comodo forum…

Win32:Dropper-LJP [Drp] during Comodo Firewall Setup - False Positive?

Announcements