Allure of a user-friendly CIS once again blighted by reality.

For the 4th time we trialled CIS on some of our business-use PCs. I thought I had every base covered but this last episode has killed off any remaining warm, fuzzy feelings my employer may have had toward the try-hard contender that has never quite made the winners list.

I installed CIS 5.4 Pro, imported the saved configuration from last time. As the picture below illustrates (BTW everything there is an FP but let’s not get carried away with that right now), on May 30 when an alert popped up re ‘vnchooks.dll’ I clicked ignore and on every other occasion between then and today there have been no further protestations from CAV. However, today when my boss, with a client in his office, tried to connect remotely from his own PC and got zero response… Let me just say that CIS is “softwara non grata” from here on in. I know that every AV vendor will trip up every now and then but why and how does an unchanged file, previously marked as ‘safe’ yesterday, suddenly become a threat this afternoon?

No matter how much improved CIS 5.4 may be in regard to user-hostility, inexplicable (to laymen) incidents like this are just beyond the pale.

[attachment deleted by admin]

Are you ABSOLUTELY SURE that PC is CLEAN?
Also, what are the AV heuristics settings?
Did you also, on the prompt for those files, IF CLEAN, set IGNORE>Add to Exclusions?
I use CAV on my PC and have custom made programs and also lots of programs, very popular ones, not a single incident so far…

When I submitted UltraVNC for whitelist, it was rejected and explained that it’s a PUP…Comodo’s policy for now is not to trust applications like this one…so, it’s not a virus (ApplicUnsaf).
Also, you could add it to “Exclusions” as Gakun suggested.

BTW, is that Norton Commander? :o

This one?

I don’t think so, Gak…

Check that “Virus.DOS.Socha” part.
And installation folder of WinNc is “C:\Program Files\WinNc 5”, not “C:\nc”.

OK, they could manually change it but to me it smells like old-DOS Norton… ;D

Could be leftovers of a malware code after cleaning?
I strongly suggest scrubbing the pc with:
1: Malwarebytes
2: HitmanPro
3: Emsisoft Emergency Toolkit
4: TrendMicro HouseCall
And I mean full system scan!
As you said siketa, it does not look normal and CIS does not alert to something like this without a reason… :-TU
Very well spotted!

Hey! Maybe it’s cracked… >:-D

!ot!
Like FlavorFlav would say: “911 is a joke…” (my post#911)… ;D
And Twins happened on 9-11…coincidence or not? ???

pc-pete using cracked software? :o Nooooooo… ;D
Joke aside, I also suspect it is not clean :slight_smile:

Regarding 911, not a coincidence when you have war games with the same scenario the very same day.
Also, Japan skyscrapers swing under 9.4 earthquake and still stand and twins collapsed under controlled demolition… Let’s not get left-right political, this is security after all, not about national sec… never mind! :smiley:

So simple that if you are sure it is clean you just need to click on ignore->add to trusted files or report a FP (so it is automatically added to trusted files) if I remember well.

I don’t see any user-hostility. Comodo Help

To ignore the alert if you trust the file/application

Click 'Ignore'. Selecting Ignore provides you with four options.

Once. If you click 'Once', the virus is ignored only at that time only. If the same application invokes again, an Antivirus alert is displayed.

Add to Trusted Files. If you click 'Add to Trusted Files', the virus is moved to Trusted Files area. The alert is not generated if the same application invokes again.

Report this to COMODO as a False Alert. If you are sure that the file is safe, select 'Report this to COMODO as a False Alert'. The Antivirus sends the file to Comodo for analysis. If the file is trustworthy, it is added to the Comodo safelist.

Add to Exclusions. If you click 'Add to Exclusions', the virus is moved to Exclusions list. The alert is not generated if the same application invokes again.

True +1000 :-TU

Hi everyone.

It’s late here and I’ve only skimmed through the responses so if I don’t comment on yours please don’t be offended. :wink:

The PC is clean.
Heuristic level default “Low”.
There is no cracked software. >:(
Yes. NC is Norton Commander. I submitted it to Comodo at the time and I think it has since been fixed.

The custom configuration did exclude ‘winvnc.exe’ but not ‘vnchooks.dll’. After this incident I excluded the entire UltraVNC folder but that didn’t satisfy the boss, as he said, it’s like creating a safe place for a real virus to hide.

I can’t remember if I or someone else “allowed” the alert on May 30. Even if it was me I may not have noticed exactly which vnc file was flagged and the really weird part is that there hasn’t been another alert until today even though the PC is remotely accessed via VNC every day.

VirusTotal Report: vnchooks.dll

Good night!

but that didn't satisfy the boss, as he said, it's like creating a safe place for a real virus to hide.

LOL. It’s quite stupid. So I anticipate that a virus which gets somehow through the sandbox, detects that there is an exclusion in Comodo and “goes” to this folder to hide itself. Viruses aren’t smart “monsters”. They are just software with harmful intention. Tell your boss that there is no reason to be scared of exclusions, clever viruses etc.

As you can see - Kaspersky also detected this file as AppUnsafe.
Here is the point - Appxxx (in the Comodo system) is software which can cause unwanted actions/can be dangerous (rather than cause the damage).

Assuming that they actually know !!, that won’t work either, because when you go ahead and add a whole folder to your safe applications list, Comodo by default will add the files, so if any new files were placed in the folder… they won’t be treated as safe. Moreover, excluding files from the antivirus won’t make them treated as “safe” or trusted, which is a very well known fact among all Comodo users. :wink:
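
The folder-exclusion concern raised above can also be checked independently of the AV. The following is an added example, not code from any poster or from Comodo: it records a SHA-256 baseline of every file in an excluded folder and later reports files that were added, removed or changed. The file names and contents in `demo()` are constructed sample data.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(folder):
    """Map relative path -> SHA-256 for every file under the folder."""
    manifest = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            # normcase folds case on Windows, where paths are case-insensitive
            rel = os.path.normcase(os.path.relpath(full, folder))
            manifest[rel] = sha256_file(full)
    return manifest


def diff(baseline, current):
    """Report what appeared, disappeared or changed since the baseline."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo():
    # Constructed stand-in for an excluded UltraVNC folder.
    with tempfile.TemporaryDirectory() as folder:
        for name, data in (("winvnc.exe", b"server v1"), ("vnchooks.dll", b"hooks v1")):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(folder)
        # Simulate a new file landing in the folder and an existing one changing.
        with open(os.path.join(folder, "dropped.exe"), "wb") as fh:
            fh.write(b"unexpected")
        with open(os.path.join(folder, "vnchooks.dll"), "wb") as fh:
            fh.write(b"hooks v2")
        return diff(baseline, snapshot(folder))


if __name__ == "__main__":
    print(demo())
```
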

I’m well and truly convinced by now that the 1 year CIS Pro Trial was not the right version to install.

Today’s episode!
On the single remaining PC in our organization with CIS still on it - yesterday we disabled the firewall - started it up today and found

  • GeekBuddy is back! (I think the user probably accidentally did that himself when a scan found a “threat” and gave him options of removing it himself or getting help.)
  • Trial welcome screen re-appeared! (The confusing one that simultaneously tells you it’s a 1 year free trial and encourages you to pay for it.)
  • The disabled firewall has detected a new network! (Of course it’s the same one as yesterday.)
  • Some of the preferences have been reset! Most immediately noticeable is the traffic animation in the tray icon is re-enabled.

I’m going to uninstall and install Premium and see if the same bug exists.

[attachment deleted by admin]

Use these links:

64 Bit Installer:

http://download.comodo.com/cis/download/installs/1000/standalone/cispremium_installer_x64.exe

Size: 37M ( 38168904 )

32 Bit Installer:
http://download.comodo.com/cis/download/installs/1000/standalone/cispremium_installer_x86.exe

Size: 35M ( 35919688 )

Regards
Josh

Hi Josh
Why are the downloads so much smaller at the locations you posted? The CIS Premium I got earlier is 60MB.

Also, I tried re-enabling firewall, rebooting, disabling firewall, rebooting and no strange behaviour this time. I think Geekbuddy is the culprit.

It must have been combined with 32 and 64bit installers.

Josh

Okay. Use the links I posted, depending on your system. Geek buddy should then not be installed.

Josh

Successfully installed - however there is a glitch when importing and activating saved configurations.
After clearing the boxes that indicate successful importation and activation of a saved configuration, “Preferences” are not actually activated until after you open the “Preferences” dialog box and click ok, or the PC is restarted.

VirusTotal Report: vnchooks.dll

pc_pete,

As you can see from virustotal.com, other AVs flag it too, like Kaspersky for example. The reason behind it is, while the software by itself is fine like it’s usually installed on home pc computers, but definitely NOT on a corporate enterprise machine. Comodo has to consider what the average person installs on their own computer AS WELL AS WHAT generally gets installed on a typical enterprise corporate machine for various reasons.

While this will never be an issue on a corporate machine because (For example, if you take a network that has 1,000+ machines) and run a scan. And for whatever reason, someone has “VNC” on it, it’s going to get flagged. If it’s legit, the IT department WILL place it on the exclusion list, so it won’t get flagged.