Author Topic: Comodo A/V alerts on one of its own files?  (Read 261 times)

Offline lisa2021

  • Newbie
  • *
  • Posts: 16
Comodo A/V alerts on one of its own files?
« on: April 13, 2019, 01:47:26 PM »
Comodo just gave me an HIPS alert on a file called: C_powershell.exe_E3B5D353AF2971C75A14B8580A0BB30D51DC801F.ps1.
This concerns me because its very name screams malicious. 

The alert was as follows: "C_powershell.exe_E3B5D353AF2971C75A14B8580A0BB30D51DC801F.ps1 is trying to execute conhost.exe".

It had the following advice: "conhost.exe is a safe executable. However the parent application C_powershell.exe_E3B5D353AF2971C75A14B8580A0BB30D51DC801F.ps1 could not be recognized. Once the application is executed, its parent will have the full control over its execution. If C_powershell.exe_E3B5D353AF2971C75A14B8580A0BB30D51DC801F.ps1 is one of your everyday applications, you can safely allow this request."

Upon checking, I see that the file is located in C:\ProgramData\Comodo\Cis\tempscrpt. Although I can't find this folder or file on my computer, it seems to be stored in one of Comodo's own folders. So is Comodo reporting one of its own files as potentially malicious, or simply unknown?

I've also checked some websites, and I'm concerned that this file can be malware and could be dangerous.

Does anyone have any opinions on this? Would love to hear some feedback from Comodo. Should I try to remove it? If yes, how?

Thanks
« Last Edit: April 13, 2019, 02:00:27 PM by lisa2021 »

Offline liosant

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1039
  • Earth is a circus where we are the clowns...
Re: Comodo A/V alerts on one of its own files?
« Reply #1 on: April 14, 2019, 11:30:21 AM »
command line: HIPS alert, it is expected (cmd, powershell...)

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 4308
Re: Comodo A/V alerts on one of its own files?
« Reply #2 on: April 14, 2019, 03:09:01 PM »
The ProgramData folder is a hidden folder by default, so you would need to change folder options to show hidden files and folders. What you are seeing is the embedded-code detection feature, which means an application was trying to execute PowerShell commands and it was turned into a PowerShell script file, so it can be monitored like other script files.

Offline lisa2021

  • Newbie
  • *
  • Posts: 16
Re: Comodo A/V alerts on one of its own files?
« Reply #3 on: April 16, 2019, 04:10:11 AM »
The ProgramData folder is a hidden folder by default, so you would need to change folder options to show hidden files and folders. What you are seeing is the embedded-code detection feature, which means an application was trying to execute PowerShell commands and it was turned into a PowerShell script file, so it can be monitored like other script files.

Dear Futuretech,

So I guess this means all is normal and there is nothing malicious about this alert???

Thanks

Online panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11727
  • Linux is free only if your time is worthless.;-)
Re: Comodo A/V alerts on one of its own files?
« Reply #4 on: April 16, 2019, 09:31:04 PM »
Dear Futuretech,

So I guess this means all is normal and there is nothing malicious about this alert???

Thanks

Correct, Lisa. This is normal behaviour when CIS detects a command line command being executed from within an app. CIS creates a script to replicate the command/s.

HTH
Ewen :-)
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the Comodo Forum Policy.
If you can't conform, don't use the forum.
