While running CIS (latest update 2813) in Kiosk mode the Conduit Virus slid in via a Windows 8 desktop application.
The only practical and time efficient way to get rid of it was to do a Windows Recovery Refresh (45 minutes) when all other attempts to irradicate failed.
Any adjustment that can be made within Comodo CIS to prevent this in future?
Here is where it originated: Free power-ups for your Windows desktop: Lee-Soft
How did you know that you were infected? Can you please let me know what you saw?
Also, how did you have CIS configured?
CIS was not reconfigured, simply opened and run as is.
In the browser address bar it said “Conduit search” as well as it added itself to my search providers and configured itself as the default search provider while also making itself my home page.
Performance slowed waaaay down.
It definitely stores itself within Google Sync because once I did a system refresh there was no sign of it until I turned on Google Sync and it then came back.
Did another refresh and have quit using Google and Google Chrome since that is how and where it seems to embed itself and no trace.
So was this essentially just a browser hijacker?
Did you get any popups when installing the desktop application which you allowed?
Here is the official word about Conduit:
Description
The Search Conduit malicious browser hijacker secretly installs on your computer without your consent. It usually installs when you download video codecs and ActiveX updates. It also spreads through adult websites. Search Conduit also goes by other names, such as feed.ndot.com, findsoul.info, search.good-search.net and bee-find.com.
Function
Search Conduit is primarily designed to reconfigure settings for browsers such as Firefox and Internet Explorer. Once reconfigured, Search Conduit redirects searches performed on popular search engines such as Google and Yahoo to Search.conduit.com. Search Conduit opens ports that drop additional malware onto an infected computer and affects DLL files used to improve a program’s functionality.
Removal
If your browser keeps redirecting to Search.conduit.com, run antivirus and anti-spyware scans to remove Search Conduit and related browser hijackers. To increase the chance of detection, update your security programs virus or spyware definition list before running system scans. In addition, run weekly scans to improve computer and online security. Manually removing Search Conduit and related malware is difficult because they hide in system folders and the registry, so using a security program is a safer alternative.
Warnings
To avoid accidentally downloading Search Conduit and other malware, download content such as video codecs and programs from trusted sites. Some sites, especially those that promote pirated software, secretly package downloads with Trojans and spyware that cause computer problems.
What they failed to mention is Conduit hides in Goggle Chrome’s Sync, so if you remove it from your computer and then activate Google Sync, it returns, it actually hides on the Google servers and yet Google does nothing.
I have not tested any other browsers like Firefox and Opera’s SYNC modes but I feel confident that if Google can’t deal with it either has anyone else.
That’s the question, twice I have been hit by it while running Comodo CIS in Kiosk mode and twice it has infected the machine…well?
Can you please give details as to what you were doing when it infected the machine?
Also, what do you mean when you say it infected the machine? Do you mean that it infected the Kiosk, or that it was able to bypass the Kiosk and infect the real computer?
It got into Windows.
It was downloaded as part of an executable file.
The thing was that it was not detected before hand, Emsisoft Anti Malware did detect and warn against downloading the file when tested afterward.
Do you mean you ran an executable inside Kiosk which downloaded Conduit & installed & Conduit was installed on the real system?
Can you please answer Chiron’s question? We would like to know how it got foot on your system? What program did you install from what site? Did you start the installation from within the sandbox or from the regular system?
Just for information.
Detection for potentially unwanted applications/programs (PUPS) will be greatly improved in the next version.
The name and address of the offending source software is in my starter threat at the top of this page.
How it got in is simple, Google SYNC provided the access, have tested and confirmed GOOGLE SYNC is where it comes from there after.
The file came into Kiosk and was as I understand from Comodo was supposed to be scanned before going into the safe file and once there you can then use it safely else where because it was supposed to have been scanned and detected, it wasn’t detected and spread through Windows once run.
I never would have run it had I been warned.
Fortunately the solution is simple and takes only 60 minutes by doing a system refresh then never using Google SYNC or any other SYNC product again since that is where it now resides…or you can create a new SYNC account but I won’t since nobody seems to have a solution for this bug, not even Norton!
Little detail plzz…
Sorry Naren, I have no details at this point in time.
Is Google Sync running in the Kiosk or on the real system when this happens?
Okay, so did you download it through the Kiosk, but you then moved it to your real computer? Only once it was on your real computer did you run it.
Is that correct? If not please correct me.
Merged the two threads started by groingo on this topic.
Yes, downloaded it through Kiosk where it put it in the Comodo safe file which was supposed to isolate and scan before releasing to Windows, bottom line there were zero warnings it contained a virus or malware.
As far as SYNC mode goes, if SYNC is on inside or outside of Windows it will re-infect you every time and yes it was on inside Kiosk and re-infected.
So we have two problems, lack of detection by Comodo and Google allowing the bug to reside on their servers and doing nothing about it.
Best solution has been to not use SYNC mode in ANY browser.
What is the Comodo safe file that you are referring to?