Topic: CPM component was detected as being infected with the Win32.Palevo virus

Offline GCS303

  • Newbie
  • *
  • Posts: 4
This should be important to Comodo since someone out there has figured out how to infect Comodo Programs Manager (3.1) to do its dirty work; what an insult.

Background of Incident:
While installing Soluto (Soluto.com: boot-up analyzer), Spybot Search and Destroy's Teatimer detected a malicious program execution infected with Win32.Palevo. I was surprised to see that it listed the infected file as CPMInformation.exe from the Comodo Programs Manager folder, which had monitored the Soluto install and was apparently starting to report the install to me (small popup in System Tray). I do not know the exact function of CPMInformation.exe, nor was I able to find a listing on Comodo's web site that shows the list of files that should be installed in the CPM folder. Other web sources do list CPMInformation.exe as being a component of CPM, at least for version 1.0.1.

This encounter is very odd because I have no reason to believe either Comodo Programs Manager or Soluto to be the true culprit here, at least not at this point.  Comodo Programs Manager has monitored many installs since its last update (to 3.1). However, had Teatimer not been executing, the Win32.Palevo bug could have slipped by (MS Essentials did not catch it).

Clicking on the Teatimer OK button announcing the find deleted the CPMInformation.exe file (automatically checked option; otherwise, I could have saved it for analysis).

The Soluto install/Win32.Palevo encounter happened just after a fresh boot due to doing Windows Updates (I manually initiated Windows Update and the Check for Updates). The Windows updates consisted of: Software Updates:  Root Certificate update, and a MS Security Essentials update, plus Hardware: Nvidia card update. The updates were installed without incident, and then prompted to reboot. Just moments prior to the Windows Update, I was prompted to update Safari Browser (from version 5.1.4 to 5.1.5) and that completed without incident. That is what gave me the idea that I should check for Windows Updates too, in case Safari wanted to reboot (it didn't).

Since none of these updates seem likely culprits, I began checking to see what else I have installed recently on this computer. The last modified folders in my Programs Files folder were:
Soluto                             Today
NVIDIA Corporation                 Today
Safari                             Today
AvsP                               5 days ago
Mozilla Thunderbird                5 days ago
TaskCoach                          7 days ago
Opera                              8 days ago
Zimba                              11 days ago
DownloadToolz                      12 days ago
DVD Photo Slideshow Professional   12 days ago

Only the first three were updated today; the others have had several reboots since being installed. Somehow something got Win32.Palevo installed into CPMInformation.exe, and it showed up during the Soluto install, which makes it the most suspicious. Soluto was listed in PC Magazine's The Best Free Software of 2012 list, which is why I decided to give it a try on this PC.

I noticed one other Comodo CPM Forum entry relating to Soluto (Jan 2011) in that CPM did not monitor the install. Could there actually be an issue between these two? Did I catch a problem only because I had Spybot S&D Teatimer monitoring?

CPM must itself be defensive. If Programs Manager can be attacked/hacked/infected by some other application (during its install or otherwise), then an application install could make CPM look to be infected to anti-malware software, and while it is being held hostage by an anti-malware software program, the other program could thwart CPM's monitoring ability and get whatever it wanted past it. This would be a serious security breach for CPM, which is expected to detect when bad software is being installed. Likewise, this can tarnish CPM's reputation.

During the install of any program, Comodo Programs Manager always reports the install. Several days ago, I do recall seeing Comodo Programs Manager announce an install/update while I was doing editing work (not during an install).  I did think that was a bit odd. I recall the pop-up short report showing an "update" of some software; it was something common though, such as Quick Time update installed, but I do not recall what exactly it was. Is there a log of things that Comodo Programs Manager has monitored?  If not, there should be.

In the Programs Manager install folder, the CUSettings.ini file was updated today; the last file updated before that was setup_cpm.exe (1/15/2012 8:00 PM).
I zipped the Comodo Programs Manager directory in case you care to inspect it (17,506 KB).

What can I provide to help Comodo solve/prevent this from re-occurring or happening for someone else?

Offline Rolo42

  • Comodo Family Member
  • ***
  • Posts: 77
  • DON'T PANIC!
Spybot was great in its day but it is pretty antiquated now.  MSE is one notch above awful (cf. www.av-comparatives.org and www.av-test.org ).  In any case, a positive warrants a second opinion.

Have you submitted the alleged infected file to an online virus scanner?  (i.e. https://www.virustotal.com/ )  What does it report?
Win7x64 Pro, i5-2500K 4.2GHz, Zalman 9900MAX, Mushkin 8GB DDR3-2133, Gigabyte Z68XP-UD4, GTX580[at]833, Crucial m4 128GB SSD, WD 2TB FAEX, Seagate 2TB Green, 500GB 7200.10, Enermax Evo 1250W, APC RS1500, Antec 1200, Fire Engine Red Swingline 747

Offline GCS303

  • Newbie
  • *
  • Posts: 4
>Spybot was great in its day but it is pretty antiquated now.
But Spybot caught it. I (and many others) feel that Spybot is doing a great job. Their immunization (and HOSTS updates) are important, otherwise things would be worse. They too are improving.

>MSE is one notch above awful (cf. www.av-comparatives.org and www.av-test.org ).  In any case, a positive warrants a second opinion.
I agree that it is not the best but MSE was one of the four tested (www.av-comparatives.org) that rated "very few" false positives. MSE has also improved from its earliest days. I have been a fan of ESET but it wants to remove some important diagnostic tools, so it is not on this computer.

>Have you submitted the alleged infected file to an online virus scanner?  (i.e. https://www.virustotal.com/ )  What does it report?

Did you read this part in my report?
    Clicking on the Teatimer OK button announcing the find deleted the CPMInformation.exe file
    (automatically checked option; otherwise, I could have saved it for analysis).

I do not have anything to analyze.

I am under the assumption that CPMInformation.exe is still a current file that should be in the Programs Manager folder. I will need to re-install to get it back.

My biggest concern is not whether some detection software could have made a mistake (I am confident that Spybot caught a legit Win32.Palevo infection) but more that CPM can be infected. If Comodo cannot prevent this situation, then CPM will surely lose some respect.

Do you work for Comodo?

Offline Rolo42

  • Comodo Family Member
  • ***
  • Posts: 77
  • DON'T PANIC!
http://r.virscan.org/adab55f533658aa9cbe9cab592fe6b9c

I'd think Teatimer gave a false positive before Comodo's install got infected prior to/during packaging.

I don't work for Comodo; I just use CPM and have used/played with some of their other products in the past.

Offline GCS303

  • Newbie
  • *
  • Posts: 4
>http://r.virscan.org/adab55f533658aa9cbe9cab592fe6b9c
I know that CPMInformation.exe is not a virus, but it could get infected.

>I'd think Teatimer gave a false positive before Comodo's install got infected prior to/during packaging.
I keep re-reading this statement but I cannot figure out exactly what you mean; I may have it but I'm not sure how you are using "packaging" (as in packaging of what).
Also,
  • Does "Comodo's install" refer to the actual install of Comodo Programs Manager?
  • Should I read the slash as "or" and apply "packaging" to both parts (before the slash and after the slash)?
  • "packaging" meaning, placing files into the Comodo Programs Manager folder?
    I am not sure how you are using the "prior to" and "during" parts probably because I do not understand what you mean by packaging in this scenario.

Is your statement the same as stating:
  • I'd think Teatimer gave a false positive before Comodo's program (CPMInformation.exe) got infected, which likely occurred when CPMInformation.exe was being installed into the Comodo Programs Manager folder.

If not, can you help me with what you meant?

Thanking you in advance.

Offline Rolo42

  • Comodo Family Member
  • ***
  • Posts: 77
  • DON'T PANIC!
I would believe Teatimer gave a false positive before I would believe Comodo's developers got and distributed a virus unnoticed by them and everyone else who's installed CPM.

Offline naren

  • Comodo's Hero
  • *****
  • Posts: 4379
For me, simply a case of FP here. And you should report & check with the vendor detecting it.


Offline GCS303

  • Newbie
  • *
  • Posts: 4
>I would believe Teatimer gave a false positive before I would believe Comodo's developers got and distributed a virus unnoticed by them and everyone else who's installed CPM.
Thanks; much clearer; now I understand exactly what you meant. I too have full confidence that Comodo has not distributed a virus unnoticed by them (or unnoticed by anyone else). I have not stated nor implied such. Now I understand why you pointed out that CPMInformation.exe is not a virus. I never stated that it was. I stated that it became infected, and that concerns me, ... and I hope Comodo.

At first, I hadn't realized that you were responding to the post title, instead thinking you had read the actual post but might have missed some things.

The title of the post does not mean that Comodo distributed a virus; merely that a component of CPM was detected with a virus (as outlined in the post), which was long after CPM had operated just fine.

The install that was taking place was not the install of Comodo Programs Manager. CPM had been installed for a long time prior (without incident then or afterwards, up until the install I was doing as reported). If the CPM component had been infected as distributed, it would have been discovered long ago. No virus software has detected anything wrong with my set of Comodo's files as Comodo distributed them. Neither has Spybot's Teatimer ever diagnosed any of my set of Comodo's files (as distributed by Comodo) with being infected.  A lot of software has been installed on this system since CPM was installed without any issues.

CPMInformation.exe became infected long after its install and after many successful uses of CPM following its initial install (plus several CPM updates).

The infection happened after installing a bad software program (not related to Comodo). The infection would not get noticed until I installed the next software program, which triggered Comodo to monitor the install. In the process of Comodo's monitoring, CPMInformation.exe was started (by Comodo), and that is when Teatimer detected the Win32.Palevo infection. The title of the post is correct, but it goes with the actual post text.

Like most program files, the CPM component can become infected (by others). Then when executed (unless adequate measures are taken to prevent it by Comodo prior), it may or may not be detected depending on the ability of the user's anti-malware software.

That is my concern: that the program can be infected without Comodo's knowledge (currently), or Comodo's ability to prevent its execution after being infected.  It is significant because of all the programs that could have been targeted, someone has decided to infect the CPMInformation.exe file. In its cleverness, it means that even if the infection is detected, some negative effect will be made because, in most cases the file (CPMInformation.exe) will be quarantined or removed, thus allowing installing processes to not be monitored or reported correctly.  That is concerning because the reason we have CPM installed is to monitor other installs, and even more importantly, to detect malware installs. Anything that (cleverly or not) thwarts that process needs to be dealt with.  It is a bit more work for a vendor to monitor its own software distribution files to ensure they do not become infected, and more work to repair those files if they become infected, but it can be done. Now that someone has targeted CPMInformation.exe, the security hole needs to be patched.

Again, the main concern is not so much that CPMInformation.exe was infected, but that it can become infected.

I now have additional information that assures me that CPMInformation.exe was indeed infected (at the time of the Soluto install I mentioned). In its next full scan, Spybot (correctly) identified several other bad components installed by the same malware that infected CPMInformation.exe. I did not know that information when I originally posted.

At the time of the infection detection, several good programs had been installed since Spybot's last update, and for each one, Comodo Programs Manager executed as normal (not detected as being infected). If Spybot was identifying CPMInformation.exe as a false positive, it would have been due to a faulty Spybot update, and as such, it would have started reporting the false positives for the very first install following the update. Without any changes to Spybot (no updates), the malware install that infected CPMInformation.exe was detected on the next install (by Spybot). Good going Spybot! Spybot has had the ability to detect Win32.Palevo since 2010; it didn't just all of a sudden get it wrong.

I have seen Spybot evolve and improve, and I have seen Comodo's Programs evolve and improve; some (several) discontinued. I hope that doesn't happen to CPM. I have been around a long time, since before CP/M, and that means before Comodo too, because the slash was intentional.

Please don't think that Spybot was good in its day but antiquated now. Spybot is holding up very well, and is improving. Spybot Version 2.0 is (currently) in Beta. I don't have any reason to believe that Spybot is antiquated, or going away soon.  If you have facts to prove otherwise, please post in the appropriate place and lead me to that post.

I do understand if your answer was based on the title rather than the actual post; you aren't the only one. There will be other CTPFP members that will state it was a false positive for them too.

The post was intended to point out the security issue to Comodo. Sorry to have distracted anyone else.
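Added example, not from this thread and not Comodo's own tooling: a PowerShell baseline-and-verify script for the kind of check the post asks for on a vendor's installed files. The program folder path is an assumed placeholder; SHA-256 hashes and Authenticode signature status are saved once and compared on later runs, so a component that has been modified, has lost its valid signature, or has been quarantined (as CPMInformation.exe was) stands out.

```powershell
# Added example (not from the thread): baseline the binaries in a program folder and
# re-verify them later, flagging changed hashes, non-valid signatures and missing files.
param(
    [string]$Folder   = 'C:\Program Files\COMODO\Programs Manager',  # ASSUMED placeholder path
    [string]$Baseline = "$env:ProgramData\cpm-baseline.json",        # where the baseline is kept
    [switch]$Update                                                  # force a new baseline
)

function Get-FolderState {
    param([string]$Path)
    # Hash and signature status of every executable component under the folder.
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe,*.dll,*.sys |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$current = @(Get-FolderState -Path $Folder)

if ($Update -or -not (Test-Path $Baseline)) {
    # First run (or -Update): record the current state as the trusted baseline.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $Baseline -Encoding UTF8
    Write-Output "Baseline written: $Baseline ($($current.Count) files)"
    return
}

# Later runs: compare the live folder against the saved baseline.
$known = @{}
foreach ($entry in @(Get-Content -Path $Baseline -Raw | ConvertFrom-Json)) { $known[$entry.Path] = $entry }

foreach ($f in $current) {
    $old = $known[$f.Path]
    if (-not $old) {
        Write-Output "NEW        $($f.Path)"                            # added since baseline
    } elseif ($old.Sha256 -ne $f.Sha256) {
        Write-Output "MODIFIED   $($f.Path) (signature: $($f.SigStatus))"  # contents changed
    } elseif ($f.SigStatus -ne 'Valid') {
        Write-Output "UNSIGNED   $($f.Path) ($($f.SigStatus))"          # signature no longer valid
    }
    $known.Remove($f.Path)
}
foreach ($missing in $known.Keys) { Write-Output "MISSING    $missing" }  # e.g. deleted/quarantined by AV
```

Run it once right after a clean install or update to create the baseline, then again whenever a scanner flags a component; a MODIFIED line with a non-Valid signature points to tampering after install, while a clean report supports the false-positive explanation.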

Offline Rolo42

  • Comodo Family Member
  • ***
  • Posts: 77
  • DON'T PANIC!
TL;DR

I didn't need to read the vignette to reach my conclusion.

Teatimer isn't a file scanner, it is a behaviour analyser.  It flagged CPM's behaviour during a software--not CPM--install, which is when CPM would trigger; Teatimer wouldn't see that before such an event since there'd be nothing to see.  My assertion still stands.

There are plenty of free top-shelf titles available without the need for multiple fringe programs, redundant programs, and bloatware.
