CCE (Bundled with CIS) detects its own quarantine folder as a rootkit

As the title suggests, CCE detects its own quarantine folder as a rootkit. I am using CIS 6.0.264710.2708 and used the CCE which is bundled with it.

Previous to this, CCE found a rootkit in the recycle bin folder. I believed it to be a false positive, but just to see what would happen I told CCE to clean it. I then restarted the system and started another Full Scan with CCE. It was then that I noticed that it detected a ‘rootkit’ again. However, this one is in CCE’s own folder, which I believe to definitely be a false positive. I’ve attached a screenshot of this.

Also attached is a zip file containing the only file found in the indicated folder. Please investigate this and either pass it on to the CCE team, if this is actually indicative of a bug, or fix the detection, if it’s just a false positive.

If any action is required on my part please let me know.

I guess it was not merely a rootkit, but maybe a rootkit-like behaviour (Possibly due to the fact that comodo quarantine folder may be hidden from normal browsing by the software itself).

Very high chances to be a false positive, to my mind.

It’s definitely a rootkit.

I just hope the next version of CCE fixes this.

Hi Chiron,

Thank you for reporting this.
We’ll check it and get back to you soon.

Best regards

Hi Chiron,

This is to inform you that the reported file with SHA1 is not detected by AV database Version <15862> of COMODO Internet Security <v6.0.264710.2708>.
Please update your AV database and scan it again.

Best regards

I don’t believe it’s signature based detection.

It’s just that CCE creates a hidden folder where it puts the quarantined files.

However, if it is removed from the system, but the quarantine folder is left, and then CIS is installed with CCE the problem happens. To see this run a scan. This scan will detect the quarantine folder as a rootkit, which makes sense as it is hidden.

However, this is either a false positive or a bug. The devs told me it wasn’t a bug, but that I should report it here so the scanner in CCE could be adjusted to avoid this detection.

Thank you.
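The post above describes the mechanism: a rootkit scanner compares what a raw directory enumeration sees against what the normal file API shows, and anything hidden from normal browsing is reported as a rootkit, so a quarantine folder that the product itself hides gets flagged. The example below is an added illustration of that heuristic and of the allowlist adjustment the poster is asking for; it is not Comodo's or CCE's code, and every path and directory entry in it is constructed (the quarantine directory is a placeholder, not CCE's real location).

```python
# Added illustration (not Comodo/CCE code): a cross-view "hidden object" heuristic
# and why it flags a security product's own hidden quarantine folder.
# All paths and entries below are constructed for the example.
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Entry:
    path: str
    raw_listed: bool   # seen by low-level (raw volume) enumeration
    api_listed: bool   # seen by the normal directory-listing API


# Quarantine locations of installed security tools. Placeholder path; a real
# scanner would take this from the product's own configuration.
KNOWN_QUARANTINE_DIRS = {
    PureWindowsPath(r"C:\Program Files\ExampleScanner\Quarantine"),
}


def naive_hidden_object_scan(entries):
    """Cross-view check as described in the thread: anything present on the
    volume but absent from the normal listing is reported as a rootkit."""
    return [e.path for e in entries if e.raw_listed and not e.api_listed]


def is_under_known_quarantine(path):
    """True if the path is a known quarantine directory or lives inside one."""
    p = PureWindowsPath(path)
    return any(p == q or q in p.parents for q in KNOWN_QUARANTINE_DIRS)


def allowlisted_hidden_object_scan(entries):
    """Same heuristic, but hidden objects inside a known quarantine folder are
    exempted, which removes the false positive the poster reports."""
    return [
        e.path
        for e in entries
        if e.raw_listed and not e.api_listed and not is_under_known_quarantine(e.path)
    ]


# Constructed sample: one ordinary driver, one quarantined sample hidden by the
# security product itself, one hidden DLL that is genuinely suspicious.
SAMPLE_ENTRIES = [
    Entry(r"C:\Windows\System32\drivers\example.sys", raw_listed=True, api_listed=True),
    Entry(r"C:\Program Files\ExampleScanner\Quarantine\sample.bin", raw_listed=True, api_listed=False),
    Entry(r"C:\Users\Public\unknown_hidden.dll", raw_listed=True, api_listed=False),
]

if __name__ == "__main__":
    print("naive:      ", naive_hidden_object_scan(SAMPLE_ENTRIES))
    print("allowlisted:", allowlisted_hidden_object_scan(SAMPLE_ENTRIES))
```

The naive scan reports both hidden entries, including the quarantined sample; the allowlisted scan reports only the hidden DLL outside any known quarantine directory. Note that the allowlist must match the quarantine directory and its contents only, not neighbouring paths, otherwise an attacker-chosen name next to it would also escape detection.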