Author Topic: Is this a potential false positive?  (Read 848 times)

Offline Data49T

  • Newbie
  • *
  • Posts: 3
Is this a potential false positive?
« on: June 20, 2019, 05:16:37 PM »
Hello, I'm fairly new to this forum but I have been using CIS for quite a few years.

I hope it's alright if I ask this question in this section (I wasn't sure if I should straight up submit this as a FP).

Lately whenever I run a full system scan on my laptop I get 2 unrecognized autorun entries detected as a threat relating to the OneDrive update file along with my secondary user account on this PC (OneDriveSetup.exe).

I was curious if I should be worried:

Unrecognized autorun entries

C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\InsertNameHere\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"

C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\InsertNameHere\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"

CIS will not offer me an option to remove those entries and will keep detecting them as a threat every time I run a scan.

I already attempted to uninstall OneDrive and delete any traces since I never really use it anyways along with removing that secondary user account but CIS is still detecting those autorun entries.

I never had this issue before so I would like to know if I should just ignore it.

I'm sorry if this is not the right section to ask this question, if it isn't I can post under the false positive section of the forum.

Thank you

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26213
Re: Is this a potential false positive?
« Reply #1 on: June 20, 2019, 08:01:23 PM »
If it is only detecting the autorun entries and not the binaries, those autorun entries are empty. You can have CIS remove them.

An autorun entry from the registry that points to a binary that does not exist is always harmless.

When we look in detail at the autorun entries, we see they are instructing the command processor to delete those binaries. Since CIS does not detect the binaries, those registry keys have run their course.

In short, there is nothing to worry about and you can have CIS remove them.
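
The check described in the reply above, as an added example that is not part of the original thread and is not Comodo's code: a Python function that parses an autorun command line of the shape quoted in the first post and reports whether its delete target still exists. The names `DEL_AUTORUN` and `classify_autorun` and the verdict labels are assumptions made for this example; the third sample line is constructed.

```python
import os
import re
from pathlib import PureWindowsPath

# A lone "<dir>\cmd.exe [switches] /c del [switches] <target>" and nothing after it.
DEL_AUTORUN = re.compile(
    r'^\s*"?(?P<shell>[^"]*\\cmd\.exe)"?\s+(?:/\w+\s+)*?/c\s+'
    r'(?:del|erase)\s+(?:/\w+\s+)*(?P<target>"[^"]+"|\S+)\s*$',
    re.IGNORECASE,
)

def classify_autorun(command, exists=os.path.exists):
    """Return (verdict, target) for one autorun command line.

    stale   - a single delete whose target is already gone
    pending - a single delete whose target is still on disk
    review  - anything else: look at the entry by hand
    """
    m = DEL_AUTORUN.match(command)
    if not m:
        return ("review", None)          # extra commands or a different shape
    if PureWindowsPath(m.group("shell")).parent.name.lower() != "system32":
        return ("review", None)          # cmd.exe from an unexpected directory
    target = m.group("target").strip('"')
    if any(ch in target for ch in "&|<>^%*?"):
        return ("review", target)        # chaining, variables or wildcards
    return ("pending" if exists(target) else "stale", target)

# First two lines are the entries quoted in the thread; the third is constructed
# to show that a delete followed by another command is not treated as stale.
SAMPLE = [
    r'C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\InsertNameHere\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"',
    r'C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\InsertNameHere\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"',
    r'C:\WINDOWS\system32\cmd.exe /c del /q "C:\Temp\a.tmp" & C:\Temp\b.exe',
]

if __name__ == "__main__":
    for line in SAMPLE:
        verdict, target = classify_autorun(line)
        print(f"{verdict:8} {target}")
```

Run on the affected machine, `exists` defaults to the real filesystem check; anything reported as `review` is outside the simple delete-only case discussed in this thread.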

Offline Data49T

  • Newbie
  • *
  • Posts: 3
Re: Is this a potential false positive?
« Reply #2 on: June 20, 2019, 09:37:02 PM »
Thanks for the reply, I forgot to mention in my first post but that's one of the problems.

I can't remove them. For some strange reason CIS does not allow me to remove those entries; it just detects them (that's one of the reasons I attempted uninstalling and deleting OneDrive), which is pretty strange. I installed CCE and ran the autorun scan but it doesn't show me those entries (only CIS).

By default CIS just detects the entries as a threat but it takes no action even if I set it to terminate and disable unrecognized autorun entries under settings.

I could just ignore it, but it detects this every time I run a system scan now.

I'll attach a screenshot; as you can see, the apply selected actions box is greyed out.

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26213
Re: Is this a potential false positive?
« Reply #3 on: June 21, 2019, 10:33:16 AM »
They are not harmful so you can choose to let CIS add them to exclusions.

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5208
Re: Is this a potential false positive?
« Reply #4 on: June 21, 2019, 10:49:14 AM »
Quote
takes no action even if I set it to terminate and disable unrecognized autorun entries under settings.
You have to change the setting within the full scan profile under options.

Offline Data49T

  • Newbie
  • *
  • Posts: 3
Re: Is this a potential false positive?
« Reply #5 on: June 21, 2019, 02:39:21 PM »
That did the trick, thank you. I was able to remove it after I changed the setting under options.

Offline Fastflys

  • Comodo Member
  • **
  • Posts: 32
Re: Is this a potential false positive?
« Reply #6 on: August 17, 2020, 03:54:52 AM »
Hi
I have the same problem.
Can you explain to me what the setting was changed to so that CIS can add them to Exclusions?


Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5208
Re: Is this a potential false positive?
« Reply #7 on: August 17, 2020, 10:12:30 AM »
You need to open the scan profile options and look for the setting 'Apply this action to suspicious autorun processes'. However, you can't add detected autoruns to scan exclusions.

Offline Fastflys

  • Comodo Member
  • **
  • Posts: 32
Re: Is this a potential false positive?
« Reply #8 on: August 17, 2020, 10:22:45 AM »
Done. Thanks for the heads-up.


 
