.477 db 1005 numerous false virus events, virus log attached

Subject: Suspect false positives

Vista 32 bit Home Premium SP1 with most current update (except Silverlight, and an ACRE update) UAC administrator account. Acer M1100.
Comodo Defense and Firewall in safe mode
Comodo version 3.8.65951.477, Virus Signature Database Version 1005 (as of 2/27/09 ~ 3 pm)

Started getting virus reports of suspicious files on 2/20/09 for several different viruses (Heur.Pck, and others) on GMER, assorted other files, more recently a Microsoft website download, and today on two of my sidebar gadgets. Did a little research and found several internet sites reporting Comodo false positives. So have been saying “once” since I believe that these are false positives.

2/27/09

A web search for “comodo Virus Scanner false positive” turned up “Heur.Pck.MEW (UPDATE)- Comodo Internet Security Updated Today | pelokee” to indicate that it might be solved.

Ran Comodo Check for Updates in Miscellaneous tab and virus update (Virus data base was up to date), version 1005.

Rebooted.

During tail end of login, got Unclassified Malware [at]8317095 on windows/system32/zohuwgei.sys. Ran GMER and malware bytes.

Rebooted after system hang.

Got following Unclassified Malware [at]8325154 on \Acer\AcerTour\Reminder.exe

(See comodofalsepos090227.pdf file for image)

So the report cited above that the false positives were fixed is incorrect. It may have changed the false positives.

Beginning of Virus Event log on next page. Complete event log included as attachment.
Beginning of Virus Events log:
(See comodofalsepos090227.pdf file for screen shot
or comodofalsepos090227-log.pdf for complete virus event log)

[attachment deleted by admin]

Hi,

Could you please verify the FP’s with the latest base updates?

Thanks,
Ramanan

Have not seen any false positives since 3/2/09 per the log file, although I had exceptions for the two false positives for the sidebar. Removed exceptions and restarted and did not observe any false positives from sidebar.
Database 1027, version .477

Just started getting virus alerts for older 11/10/2005 version of GRC leaktest sitting in a backup directory. Downloaded new version (GRC | LeakTest -- Firewall Leakage Tester): BOClean complained about download and virus scanner complains about running "Application.Win32.LeakTest.~LT@9484639".

Leaktest is not a virus - it is a firewall testing tool and should not be generating alerts!

Because of the way Comodo apparently remembers answers for current task about internet access (block), to run a 2nd attempt to see if leaktest can be allowed through the firewall required exiting leaktest and rerunning to “allow”.

Virus database 1043

This is what Umesh told me when I reported the GRC leaktest as a false positive. (The Comodo leaktest was also picked up, it was fixed)

I can understand the detection of the internet connection - but calling it a virus is just plain wrong.

Hi leland,

Even though it is CAV alerting you it isn’t labeling leak test as a virus.
Application.Win32.LeakTest.~LT[at]9484639

It is labeled as Application, meaning possibly unwanted/unsafe software.
I hope this helps to make sense of the alerts.
The reasoning for this should be apparent.

Later

Database 1049
BOCLEAN

virus report:
Comodo | Antivirus Alert
Comodo Antivirus has detected a Virus:
Name: Application.Win32.LeakTest.~9484639
Location: e"\Downloads\leaktestV1.2.exe