CIS Installation - Trojan:Win32/Wacatac.G!ml

I have just taken delivery of my new shiny laptop and the first program I downloaded and installed was Comodo CIS. I used installed browser and the following site Best Internet Security Software 2022 | Antivirus Total Security

Once downloaded and installed I immediately got a warning from Microsoft Defender saying Trojan:Win32/Wacatac.G!ml was detected. I had to restart as part of the CIS installation process and then did a full scan. Nothing found! I downloaded and scanned using Malware Bytes and Hitman pro, but again nothing detected.

However, I now have a blocked application and two unrecognised files relating to C:\ProgramData\Comodo\Cis\tempscrpt\C_powershell.exe_DCF4E8AB032E4F1EB61E46571420C2E876151E49.ps1 the script details are
"Expand-Archive -f ‘C:\ProgramData\ASUS\ASUS System Control Interface\AsusSoftwareManager\AsusLiveUpdate\’ 'C:\ProgramData\ASUS\ASUS System Control Interface\AsusSoftwareManager\AsusLiveUpdate' "

I have no idea what has happened or if I have been infected by something on the CIS installer or if these are two seperate events. Can anyone advise???

Can you tell the filepath of Microsoft Defender detection? It is mostly likely a false positive. You can do a scan using Eset Online Scanner and Kaspersky Virus Removal Tool, then open KillSwitch through Comodo GUI > Tasks > Containment Tasks > Watch Activity, then with KillSwitch opened press View > Show only Untrusted Processes, if nothing shows up and nothing is detected with these tools then your system is most likely clean.

As for the Blocked files, they are legitimate stuff belonging to ASUS, not sure why they were blocked? Do you have Cloud Lookup turned off or Modified the File Rating settings in Comodo in some way?

The tempscript pointing to Program Data folder is a in-memory Script which was turned into a file and then blocked by Comodo Embedded Code Detection feature.

Unfortunately it would appear that when Comodo CIS was installed and Windows defender AV was switched off, all access to the logs disappeared. I don’t understand how Windows Defender identified that particular Trojan from the CIS download as it is way over my head.

I ran Eset and MalwareBytes and HitmanPro and Comodo and nothing has been identified. But now when I open up CIS to the advanced GUI it is shwoing arising count of “unrecognised files” (over 1000 and rising by the second) and 53 unknown programs in the logs. I am wondering if somehow the CIS is corrupted and I should remove and re-install? I tried Kill switch as suggested. There were two entries, (Registry and Memory compression) but having read the KillSwitch help I am none the wiser and I feel I am out of my depth.

Those 2 entries in KillSwitch are ok. If you haven’t changed anything on File Rating settings which could cause this behavior in CIS, then I suggest you Uninstall using the Uninstaller Tool and install CIS V12.0.0.6882 which is the most stable build at the moment, using the Offline Installer.

The detection by Defender is more than likely a false positive. You did the right thing by scanning with additional scanners for verification. For verification you could also use TDSS Killer and Emsisoft Emergency Kit (EEK). I expect they won’t find anything but it never hurts to test when in doubt.

Open Unrecognized Files and Purge. That will usually get rid of most of the unrecognized files. Next step is to select the left overs and do a Lookup which may get rid off some more unrecognized files.

When CIS meets files it doesn’t recognize they will be allowed to run but with restrictions as a way of keeping you protected. Unrecgonized Files are in its self nothing to worry about. Almost of all of them are legit files that are simply not known (yet) to Comodo.

When EEK and TDSS Killer are not finding anything it is safe to assume your system is safe and not infected.

As to why Defender thought it saw a Trojan. AVs partially rely on generic signatures but they can sometimes flag legitimate programs as malware. You were using the online installer which will download the setup files from the internet. That looks like a trojan. Add to that it downloads files that when scanned are shown to interfere deep in Windows (that’s what security programs do as well as malware) and a false positive detection may happen.

you can always use kaspersky security cloud (free) with comodo firewall without problem it has right click virus :P0l scanner KSN reputation and kaspersky app advisor

My thanks all. After scanning the hell out of the laptop no infections were identified, so I uninstalled and re-installed as recommended by mmalheiros. All seems to be ok now so I think the problem is Solved. :slight_smile: :slight_smile: