AV triggering file on safe list? And other questions...

I’m a new user of Comodo Internet Security, and some of its features I find confusing.

Today the AV triggered a false positive on a component of AutoIt. Specifically, thehook.dll. It is used to record macros in AutoIt, so it is a benign key logger. This is interpreted as a trojan by security software off and on. A2 Free seems to decide it’s a trojan every six months or so.

Anyway, Comodo picked it up as a trojan, so I ignored it permanently. Then I decided I should be a good user and send this file to the folks at Comodo so they could add it to their safe list. Being a little unsure how to do this, I first tried to add the file to my pending files list. (Which is empty. Should it be?) The file added fine, but when I clicked “Apply”, lo and behold, I’m staring at an empty list again. After trying to add the file two more times, I decided I must be doing something wrong. Not sure what, but something…

So then I went to the miscellaneous settings and found “Submit Suspicious Files”. So I tried to add the file to that list so I could submit it, but I got a message saying that this file was already in the safe files database so I couldn’t submit it.

???

So if this file is in the safe files database, why did the AV engine pick it up? (Note that I wasn’t actually using the .dll at the time, so it’s not a D+ thing deciding that I had a key logger on my system…) Apparently the “safe files database” means something else that I am not comprehending. Any enlightenment?

It also triggered a false positive on a .bin file, but apparently I’m unable to submit .bin files? (I’m unable to even view .bin files in CIS.) I submitted the file to VirusTotal and only F-Secure decided it was suspicious. So how do we report false positives to Comodo if the software is ignorant of the file type?

Hello. :slight_smile:

The Submit Suspicious Files is mainly for the white list. The white list for D+ and blacklist for the AV are two separate things, so if you got that message, then it means the dll file is in the D+ safe list (white list) but the AV is falsely flagging it.

You can submit the dll and all other FPs (i.e. the .bin file) this way.

:slight_smile:

OK, thanks for clearing that up! I knew there was some functionality I just wasn’t familiar with. Sounds like D+ and the AV don’t communicate with each other very well yet.

I’ve submitted both files as directed by the post you linked me to. Although it sounds like they’re already familiar at least with the .dll.

Any way to clear the “threats detected so far” counter on the summary tab? It always annoys me to see detections that shouldn’t be there.

“Yet” is the right word. :wink: The next update (in less than a couple weeks hopefully) will have many usability updates. I’m almost positive that this new version (if not this one, some other one, but probably this one) will make it where if the AV detects something, you will get no D+ alerts.

BTW, FP’s are resolved rather quickly, probably by tomorrow’s new signature database.

There’s no way to clear it normally. It bothers me too, but you can add it to the GUI wishlist. :slight_smile:

Sounds fantastic! Yes, I’m aware that the CIS suite is still evolving, so I’m sure all the little issues will be ironed out. I have patience.

That’s good to know. I already took the files off my exclusion list in anticipation of no more false positives on these.

Done! Hopefully they can do something about that, because it’s misleading.

I also use Avira as another on-demand AV scanner and it’s quite prone to false positives. I’m much more ■■■■ about system security than anyone I know, but looking at Avira, it thinks it’s taken care of quite a lot of nasties on my machine when in actuality it has found nothing.