CIS installed on infected system, flags everything as infected

I know that it is not a good idea to install CIS on an infected system. But, unless we face something weird/special, there is only a little chance that we already identify the system to be infected.

Whenever I install CIS on systems of my friends, and those systems already have “Sality” infection present, I face a strange problem.

Unlike other AVs out there, CIS gets installed perfectly and starts reporting every “.exe” file as infected by “Sality”. It is only realized after a very careful and thorough observation that CIS’s own processes are all infected themselves.

If I run CRD and do a scan, I see that cmdagent.exe, cistray.exe and all these Comodo processes are themselves infected.

The worst thing is Comodo deletes all these files, and there is no cleaning yet. (Sometimes, it tries to clean, which is even worse, since it takes very long to do this and does not work…) This makes the system unbootable after restart.

I have seen AVAST giving a warning message when installed on a Sality infected system that “AVAST identified modified/tampered AVAST processes, Please reinstall AVAST and run a boot time scan”

I am surprised that CIS does not do this, since CIS can also observe all its processes (hash verification, not through D+) and, if any tampering is found, can immediately notify the user.

This has been observed by me many times. I would like to see Comodo improve in this direction. So, I am reporting it here now.
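The self-check suggested in the post above, sketched as an added example (not part of the original post and not Comodo's or AVAST's code): on startup the product hashes its own binaries against a known-good manifest and, on a mismatch, warns instead of proceeding to delete files. The manifest format, the function names and the placeholder file contents are assumptions made for illustration; a check that runs inside an already infected OS can itself be subverted, which is why the warning points to reinstalling and scanning offline.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def self_check(install_dir: Path, manifest: dict) -> dict:
    """Return {file name: 'ok' | 'modified' | 'missing'} for each manifest entry."""
    status = {}
    for name, expected in manifest.items():
        target = install_dir / name
        if not target.is_file():
            status[name] = "missing"
        elif sha256_file(target) != expected:
            status[name] = "modified"
        else:
            status[name] = "ok"
    return status

def startup_action(status: dict) -> str:
    """If any of the product's own files fail the check, warn and do not auto-delete."""
    bad = sorted(n for n, s in status.items() if s != "ok")
    if bad:
        return "WARN: tampered product files (" + ", ".join(bad) + "); reinstall and scan offline"
    return "OK: self-check passed, normal scanning enabled"

def demo() -> tuple:
    """Constructed sample: two placeholder files stand in for the real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "cmdagent.exe").write_bytes(b"constructed agent image")
        (d / "cistray.exe").write_bytes(b"constructed tray image")
        # Assumption: the manifest is recorded at build time and shipped with the product.
        manifest = {p.name: sha256_file(p) for p in d.iterdir()}
        before = startup_action(self_check(d, manifest))
        # Simulate a file infector modifying one binary by appending data to it.
        with (d / "cmdagent.exe").open("ab") as f:
            f.write(b"appended bytes")
        after = startup_action(self_check(d, manifest))
        return before, after

if __name__ == "__main__":
    for line in demo():
        print(line)
```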

It's really not suggested to install anything on an infected system. If the system is infected, it's best to boot from removable media or another system entirely and scan the HDD w/out the native O/S running.