Hello COMODO, today I was watching this video in youtube where a virus infected a critical system file (System login file) and COMODO cleaning Essentials either damaged the files or quarantined it.
https://forums.comodo.com/news-announcements-feedback-cce/cce-test-t82113.0.html;msg588672#msg588672
CCE is not a toy for normal use, detection or removal, for that you have malwarebytes, antispyware and others. This shows that if this tool is used reckless it will have great consequences. This also shows that people need to gain experience how to work with it, get to know its functionally and capabilities
Good point, Valentin! :-TU
Today I came across a system infected by Sality.
I tried to clean it with CCE, started CCE in agressive mode, but by that time itself (just after extraction from zip) it was itself infected by Sality, therefore all it’s detections were fake.
I ran Kaspersky “Salitykiller” and came to know that CCE.exe, Killswitch.exe and Autoruns.exe were all already infected by CCE.
After two or three attempts (re extracting), I could finally get them to work. But,
CCE found some infections, after clicking clean it took forever to clean them…(just 36 files, it was just a smart scan)(salitykiller is not running by this time fyi) :-TD
I copied the samples and tried to clean them with CIS (CIS on my system just for verification) it was the same issue, even CAV takes forever to clean them, even asks for a reboot, after reboot says that it failed to clean.
One more piece of surprise is that Killswitch showed absolutely no unknown/infected processes (I was in aggressive mode), but the “psfli.pif” file was being repeatedly created on my pendrive even after deleting them manually many times (I could not delete autorun.inf at all, they were actually spreading sality infection, I doubt that there is still something running in the background saving and hiding the infection)
I would like to see a better cleaning routine like that of kaspersky “TDSSKiller” and “Salitykiller” implemented in CCE at least if not is CAV.
In the end, of course I ended up with a mess and had to go with a full fresh re installation. ;D
Does it makes any difference if the system is infected & you run CCE which is already on the system or you use CCE from a pendrive?
Did you checked the process psfli.pif if it was treated safe for any reason?
I have been extracting CCE from a zip file (on Pendrive) on to a local drive everytime. By that time itself (immediately after inserting my Pendrive), all the executables on my pendrive were immediately infected.
The extracted files were also being immediately infected, for which I had to run Salitykiller and kill the existing sality infected threads and processes.
That was the file that was being created on pendrive, not a running process. By the way, I could not find any running infected/unknown processes in Killswitch. (I even killed all unknown processes twice from the menu)
I dont know if this question is right, but does this file showed up with autorun analyzer?
no