Topic: [FP]Heur.Dual.Extensions

Catalin P

  • Malware Research Group
  • Comodo Family Member
  • Posts: 78
[FP]Heur.Dual.Extensions
« on: July 19, 2009, 10:19:53 AM »
Comodo Internet Security :: 3.10.102363.531
Virus Signature Database Version :: 1703
Heuristics :: High
No password
autoparch was detected as Heur.Dual.Extensions

[attachment deleted by admin]
« Last Edit: July 19, 2009, 10:25:12 AM by ComputerHelpCatalin »

gmohan

  • Comodo's Hero
  • Posts: 368
Re: [FP]Heur.Dual.Extensions
« Reply #1 on: July 20, 2009, 01:49:51 AM »
Hi ComputerHelpCatalin,

The reported FP will be fixed in the next updates.

-Chandra Mohan

gmohan

  • Comodo's Hero
  • Posts: 368
Re: [FP]Heur.Dual.Extensions
« Reply #2 on: July 20, 2009, 05:10:48 AM »
Hi ComputerHelpCatalin,

The reported FP has been fixed in DB 1712

-Chandra Mohan

robsta

  • Newbie
  • Posts: 13
Re: [FP]Heur.Dual.Extensions
« Reply #3 on: July 26, 2009, 03:40:43 AM »
After yesterday's fiasco with daisy, I'm starting to lose confidence with Comodo. This morning, my overnight scan reported 4 hits on Heur.Dual.Extensions - is this really a problem or is it another case of false reporting?

I've quarantined the items but how do I go about checking them out? When I submit them for analysis the results say already submitted. How do I find out what the results are?

The 4 hits are...
gtb6BDC.tmp.exe (part of Google toolbar)
mom.Test.CMD.exe (this is reported twice as it's in 2 different places, in C:\Windows\Assembly\... and in C:\Program Files\ATI Technologies\...)
_SCHCT_Sprint.exe.exe (in C:\Windows\Installer\...)


gmohan

  • Comodo's Hero
  • Posts: 368
Re: [FP]Heur.Dual.Extensions
« Reply #4 on: July 26, 2009, 04:58:33 AM »
Hi robsta,

Please submit the detected files for our analysis.

-Chandra Mohan

Umesh

  • Comodo Alumni
  • Comodo's Hero
  • Posts: 3421
Re: [FP]Heur.Dual.Extensions
« Reply #5 on: July 26, 2009, 10:46:00 AM »
Hi robsta,

Dual extensions are usually used by malware to disguise itself as genuine files. There is a generic detection: if a file has more than one extension, it is given the verdict Heur.Dual.Extensions.
There are a very few odd cases where genuine files also have double extensions.
In such situations, if the user knows they are false positives, he can add them to the exclusion list and also inform us by submitting the files via:

http://internetsecurity.comodo.com/submit.php

CIS does not have an inbuilt interface to submit false positives. So we request that you please use the above-mentioned web interface to submit false positives to us; additionally, you can also report those files here.

Thanks
-umesh
We can't stop malware entering the user's PC, but we render it useless when it enters the PC: Welcome to Comodo's Default Deny innovation
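The rule Umesh describes above, "more than one extension, therefore Heur.Dual.Extensions", written out as an added example so the false positives in this thread can be reproduced and reasoned about. This is editorial code, not Comodo's engine (whose internals are not on the page). The three filenames reported by robsta are used as input; the remaining filenames are constructed. The EXECUTABLE_EXTS and DECOY_EXTS sets, and the "refined" rule that only fires when a document-like decoy extension sits in front of an executable one, are assumptions about what a tighter heuristic could look like, not anything the thread says Comodo does. The refinement rests on the real reason the trick works: with Windows Explorer's default "Hide extensions for known file types", invoice.pdf.exe is displayed as invoice.pdf.

```python
"""Dual-extension heuristic: the naive rule from the thread beside a tightened one.

Added illustration, not Comodo's detection code. Extension lists and the
refined rule are assumptions; see the lead-in.
"""
from __future__ import annotations

import re
from typing import List, NamedTuple

# Assumption: extensions that execute when double-clicked on Windows.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "msi", "dll"}
# Assumption: extensions a decoy borrows so the file looks harmless ("invoice.pdf.exe").
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "jpg", "jpeg", "png", "gif", "txt", "mp3", "avi"}

# A trailing dot-separated segment counts as an "extension" if it is short and alphanumeric.
_EXT_TOKEN = re.compile(r"^[A-Za-z0-9]{1,5}$")


class Verdict(NamedTuple):
    name: str
    naive_hit: bool    # thread's rule: more than one extension
    refined_hit: bool  # added rule: decoy extension in front of an executable one
    reason: str


def extensions(name: str) -> List[str]:
    """Trailing extension-like segments, lower-cased, in file order.

    'mom.Test.CMD.exe' -> ['test', 'cmd', 'exe'];  'gtb6BDC.tmp.exe' -> ['tmp', 'exe'];
    'setup-1.2.3.exe'  -> ['2', '3', 'exe']  (a version number looks like extensions).
    """
    segments = name.split(".")[1:]
    found: List[str] = []
    for seg in reversed(segments):       # walk from the right, stop at the first non-extension
        if not _EXT_TOKEN.match(seg):
            break
        found.append(seg.lower())
    return list(reversed(found))


def classify(name: str) -> Verdict:
    exts = extensions(name)
    naive = len(exts) >= 2
    decoys = [e for e in exts[:-1] if e in DECOY_EXTS]
    refined = bool(exts) and exts[-1] in EXECUTABLE_EXTS and bool(decoys)
    if refined:
        reason = f"decoy .{decoys[-1]} in front of executable .{exts[-1]}"
    elif naive:
        reason = f"{len(exts)} extensions {exts}, but no decoy/executable pairing"
    else:
        reason = "single extension or none"
    return Verdict(name, naive, refined, reason)


SAMPLES = [
    # Reported in this thread (all later treated as genuine files / false positives).
    "gtb6BDC.tmp.exe",
    "mom.Test.CMD.exe",
    "_SCHCT_Sprint.exe.exe",
    # Constructed examples, not from the thread.
    "invoice.pdf.exe",   # classic decoy: shows as "invoice.pdf" when extensions are hidden
    "photo.jpg.scr",
    "setup-1.2.3.exe",   # version number trips the naive rule
    "readme.txt",
    "notes",
]


def report(names=SAMPLES) -> List[Verdict]:
    return [classify(n) for n in names]


if __name__ == "__main__":
    for v in report():
        flag = "BOTH" if v.refined_hit else ("naive only" if v.naive_hit else "clean")
        print(f"{v.name:24} {flag:11} {v.reason}")
```

Running it shows all three files from the thread as "naive only" hits, exactly the false-positive class Umesh describes, while the constructed invoice.pdf.exe and photo.jpg.scr are caught by both rules. The cost of the tighter rule is a miss on a real sample named like _SCHCT_Sprint.exe.exe, which is why a practitioner would pair it with a signer or path check rather than rely on the name alone.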

robsta

  • Newbie
  • Posts: 13
Re: [FP]Heur.Dual.Extensions
« Reply #6 on: July 26, 2009, 04:00:19 PM »
Thanks Umesh,

However, when I submit the files for analysis from quarantine I get a result of already submitted. When I tried to open the Quarantine folder (to email the file) I was denied access. I was also denied access when I tried to use the url you provided in your reply.

Please advise.
Thanks.


Umesh

  • Comodo Alumni
  • Comodo's Hero
  • Posts: 3421
Re: [FP]Heur.Dual.Extensions
« Reply #7 on: July 26, 2009, 05:45:24 PM »
Hi robsta,

Quote
However, when I submit the files for analysis from quarantine I get a result of already submitted.

Yes, in case we already have a file, you may get this message.

Quote
When I tried to open the Quarantine folder (to email the file) I was denied access.

Yes, this folder is protected by CIS.

Quote
I was also denied access when I tried to use the url you provided in your reply.

Not sure what you mean here. Can you please give more details?

In order to get us the file, you can take the following steps:
1. Disable real-time scan.
2. Restore the file from Quarantined Items.
3. Upload it via http://internetsecurity.comodo.com/submit.php

Thanks
-umesh

robsta

  • Newbie
  • Posts: 13
Re: [FP]Heur.Dual.Extensions
« Reply #8 on: July 26, 2009, 07:06:36 PM »
Thanks Umesh,

I restored the files as you suggested but could only submit 2 of them because I couldn't find the c:\windows\installer directory or the c:\windows\assembly\GAC_MSIL directories. I guess they must be hidden.

Not being able to look at the directories made it difficult to quarantine the files again. It would be a good idea (I think) if it were possible to quarantine an item from the 'View Anti-Virus' events panel. This way one could quickly put an item back into quarantine.

On reflection, it would be useful (I think) to be able to run the virus scan against those files which have been quarantined. This way one could periodically check quarantined items and restore items which had previously been detected as false positives.

I also think that it would be useful to show the Virus Signature Database Version on all reports. If one runs a scan overnight, and the database is updated, one doesn't necessarily know in the morning which version they were reported under. When corrections are made to rectify false positives and a note to this effect is made on the forum, one would then know whether or not one is dealing with false positives that have been corrected, and files can be restored accordingly.

Thanks.

Umesh

  • Comodo Alumni
  • Comodo's Hero
  • Posts: 3421
Re: [FP]Heur.Dual.Extensions
« Reply #9 on: July 26, 2009, 07:16:49 PM »
Hi robsta,
It's a good suggestion. We will see if we can have it included in the next major CIS release.

Thanks
-umesh

 
