BOClean flagging KMXAGENT.SYS as ROOTKIT-VANTI.R

Hello all,

Just put BOClean on me dad's computer and it flagged KMXAGENT.SYS as the trojan ROOTKIT-VANTI.R.

Found out KMXAGENT.SYS is the HIPS driver for the CA security suite. Done a Jotti scan and checked the MD5 of the file; also it's digitally signed, so I'm pretty sure it's a F.P.

Anyway, put it in the exclusion list, just thought I'd let you know.

Regards
Matty

PS: Congrats to the team, thanks all.

Matty :slight_smile:

Please email the file to: malwaresubmit [ at ] avlab.comodo.com .
Specify in the subject line “False Positive ?”.
Zip and password protect it with “infected” and include that information in the body.

Thanks m8 :slight_smile:

Greetz, Red.

Will do.

Cheers
Matty :-TU

Hello:

What was the final resolution on this? I had the same experience just now. Is it a false positive? This is important to me because I DO have a rootkit I've been trying to remove without reformatting!

Thanks
John

For anyone who's seeing this, submit a copy of the file in question to the address up above, along with a subject line of "BOClean FP?" and my lab guys will check it out. The subject line, though, is extremely useful to avoid confusion, as the lab input for ALL COMODO products goes to that common lab address so that everybody in each department gets a copy of it, so it's most helpful for them to pick up on it being a "BOClean issue" … our lab folks all across the house are so busy lately, it's likely if it IS an FP that the file was tested, nothing found, and they simply went on to the next without realizing that it might have been an FP report … we're THAT busy here. :frowning:

Kev, am I right that the address should now be: malwaresubmit [ at ] comodo.com ???

So now the procedure should be:

Email the file to: malwaresubmit [ at ] comodo.com .
Specify in the subject line "BOClean False Positive ?".
Zip and password protect it with “infected” and include that information in the body.

Greetz, Red.

Hi Red,

I’m not Kevin -grin-
But yes, you are right :slight_smile:
Of course the final word is up to Kevin and crew!

I’ll see whether I can edit my posting here to make it a little bit more clear.

Cheers, Jan.

It was a false positive and it was removed last month. If anyone is still facing any problem, please let us know.

Regards,
Baskar.