CIS Possible False Positive PeerBlock History.DB-Journal Detected As Rootkit

Hello,

I just installed Comodo Internet Security Premium Version: 5.3.176757.1236
Virus Database: 7596

I did a full scan and a file in the PeerBlock folder was detected as a rootkit:

Date: 2011-02-06 01:27:41
Location: c:\Program Files\PeerBlock\history.db-journal
Malware Name: Rootkit.HiddenFile[at]0
Action: Quarantine
Status: Success

I have attached the scan log, a KillSwitch log, and a HiJackFree log.

For some odd reason the file does not show up in the quarantine or in the PeerBlock folder anymore, even though I had CIS set to auto-quarantine. At the end of the scan I was given the option of what to do, so I decided to try to submit the file to VirusTotal, but it was gone, so I told CIS to just quarantine it.

I even have my computer set to show hidden files, but I still do not see it in the PeerBlock folder and it does not show up in the quarantine inside the CIS interface.

Is there a way to access the Comodo Quarantine in the Program Files folder?

Whenever I try I get an Access Denied warning, even though I am the administrator.

Anyway, I think it is a false positive, but I could be wrong.

I downloaded PeerBlock from:

http://www.peerblock.com/

Thanks,
-John Jr :slight_smile:

[attachment deleted by admin]

Hi goodjohnjr,

Thanks for reporting. We will check this.

Regards,
Haja

You are welcome and thank you very much. :slight_smile:

This could be a glitch in the Rootkit engine.

.journal files are short-lived files for DB updates, so imagine that the scanner finds this file RAW on disk and asks the Windows API for it, but in the meantime it has already been deleted; then the RAW and API results don't match.
That's where a rootkit scanner will flag it as suspicious.

Normally you should try to limit disk activity during rootkit scanning to an absolute maximum (close as many apps as possible).
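The race described in this reply, as an added example that is not part of the original thread or of Comodo's scanner: a constructed Python model in which a short-lived journal file vanishes between the raw-disk read and the API read, and a re-check pass that separates that transient file from one genuinely hidden from the API. The SimVolume clock model and all file names are assumptions made for the example.

```python
# Added example: cross-view (raw disk vs. Windows API) hidden-file check
# with a re-check pass, so short-lived files such as the SQLite
# history.db-journal in the thread are not reported. Constructed model,
# not CIS code.

JOURNAL = "C:/Program Files/PeerBlock/history.db-journal"  # transient
DB = "C:/Program Files/PeerBlock/history.db"               # normal file
HIDDEN = "C:/constructed/hidden_by_rootkit.sys"            # raw-only


class SimVolume:
    """Constructed disk model. Every listing call advances a clock, so a
    file that lives only for a window of ticks can be deleted between the
    raw read and the API read, which is the race the thread describes."""

    def __init__(self, persistent, hidden, transient):
        self.clock = 0
        self.persistent = set(persistent)  # visible in both views
        self.hidden = set(hidden)          # raw-visible, API-invisible
        self.transient = dict(transient)   # path -> (first_tick, end_tick)

    def _live_transients(self):
        return {p for p, (a, b) in self.transient.items() if a <= self.clock < b}

    def raw_listing(self):
        live = self._live_transients()
        self.clock += 1
        return self.persistent | self.hidden | live

    def api_listing(self):
        live = self._live_transients()
        self.clock += 1
        return self.persistent | live


def naive_cross_view(vol):
    """One raw read, one API read: anything raw-only is reported as hidden."""
    return vol.raw_listing() - vol.api_listing()


def cross_view_with_recheck(vol, passes=2):
    """Same diff, but a candidate is confirmed only if it stays raw-visible
    and API-invisible on every re-check; a file that vanished was transient."""
    candidates = vol.raw_listing() - vol.api_listing()
    return {p for p in sorted(candidates)
            if all(p in vol.raw_listing() and p not in vol.api_listing()
                   for _ in range(passes))}


def example_volume():
    """The journal exists only at tick 0, i.e. during the first raw read."""
    return SimVolume([DB], [HIDDEN], {JOURNAL: (0, 1)})
```

The naive diff reports both the journal and the hidden file; the re-check keeps only the file that is still raw-visible and API-invisible on later reads.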

Thank you for explaining that, that makes sense, but I have Peer Block set to start with my computer and it is always running in real time, so… ;D

Fortunately this is not a big deal or anything, but maybe it can be fixed or adjusted in the future. :wink:

Other than that and memory (probably virtual memory usage of hard drive space) and definitely noticeable slowing down of my computer during scans (the worst of any anti-virus I have tested), I am enjoying the Comodo CIS and Comodo CE scanning experience.

But the slow down during scans has been an issue during the last few versions, it is annoying but I can survive it for now, but I would definitely love to see that improved; sometimes KillSwitch shows CIS and CE scans using over 1gb of memory and even browsing during scans can lag more than other anti-virus scanners I have tested.

I have tested Immunet, Microsoft Security Essentials, Panda Cloud AV, AVG 2011 Free, Avira Antivir Personal, Avast 5, etc. the last few versions and Comodo CIS; and Comodo CIS and now Comodo CE still have a more noticeable impact on my system during scans.

For example I will attach a KillSwitch log to this message, I am doing a Comodo CE scan while only browsing the internet and it is using almost 900mb of memory, this goes up and sometimes slightly down, but it generally keeps slowly climbing over time. :wink:

Just during scans. :wink:

It is probably all my fault since I do set the Heuristics to High, Real-Time Scanning set to On Access, Scan Memory On Start, Do Not Scan Files Larger Than (Sometimes on the default of 20mb, usually set to 1024mb or sometimes 999999mb, so that all files are scanned), Scan Archives, Cloud Scanning, Rootkit Scanning, and Submit Unknown Files For Analysis; I like thorough scans to try to catch everything that I can, especially after an Alureon variant bypassed CIS and Windows Defender on me last month, that caught me by surprise. (An unofficial Fallout New Vegas update patch was the source, I know shame on me ;), but I can provide a link if you want to test it for your database since CIS had failed to detect any of the threats back then, just let me know) (I have attached the link in a text file, the malware was hidden inside the update patch file and it would create files in the User Temp, Windows Temp, and maybe a few other places, such as the MBR or whatever; such a nasty little infection, it corrupted my Task Scheduler/Default Programs Menu/And more.) >:-D

Malwarebytes, Hitman Pro, Avast 5, Super AntiSpyware, Norton Power Eraser, and Emsisoft Antimalware helped me to remove most of the infection though; but my system is still damaged, I will probably re-format one of these days.

When I submitted some of the detected threats to VirusTotal at least 50% of the 43 scanners detected malware, but Comodo/Windows Defender/Immunet/Clam AV did not; pity, but you can’t always block everything, but I was somewhat disappointed and surprised a little.

I had CIS on almost maximum settings, the Sandbox was set to limited and the installation would fail which is common for many legitimate installers and non-legitimate, so I then had to run it un-sandboxed (which I usually have to do when most of my installers fail when sandboxed); I did scan the file first as usual and after installing it, but CIS did not detect one thing back then.

I scan my system with several backup scanners every week and I noticed my computer was lagging and some White Smoke Translator tried to install on its own, so I knew I was infected at that point and the battle began; yeah I was stupid messing with an unofficial update patch, but that malware was pretty darn sneaky and bypassed my defense setup of that time which was: CIS (On highest settings almost), Windows Defender, OpenDNS, Secunia PSI, and Peer Block running in real-time.

Thank goodness I scan with several backup scanners several times a week. :wink:

It even had a bootkit, some rootkits, some trojans, maybe a virus or two also; nicely hidden in the exe that is bigger than the CIS default 20mb scan setting ;).

But I had CIS set to scan files up to 999999mb and heuristics on high and it still did not detect anything :smiley: ; but that was over a month ago so things may have changed since I did submit some of the files to CIMA and through the Comodo Website Form. :wink:

I did learn a few things though and I got to test out many programs. :wink:

Anyway enough of my jibber jabber, keep up the good work, I enjoy watching yall improve. :slight_smile:

Attachment removed please do not attach Malware or possible malware to your posts

[attachment deleted by admin]

You could run a scan with the network disabled :wink:

> Fortunately this is not a big deal or anything, but maybe it can be fixed or adjusted in the future. ;)
>
> Other than that and memory (probably virtual memory usage of hard drive space) and definitely noticeable slowing down of my computer during scans (the worst of any anti-virus I have tested), I am enjoying the Comodo CIS and Comodo CE scanning experience.
>
> But the slow down during scans has been an issue during the last few versions, it is annoying but I can survive it for now, but I would definitely love to see that improved; sometimes KillSwitch shows CIS and CE scans using over 1gb of memory and even browsing during scans can lag more than other anti-virus scanners I have tested.

Yes running a CIS full scan is better to run when you don’t use the system as it’s really ■■■■■■■ Disk IO during the scan… I hope they provide a priority setting in the future.

And also Yes if you set the file limits that high you can expect memory usage to grow that large for certain file-types, no longer for archives as they are scanned on disk instead of in memory like in previous versions.

A priority setting like Microsoft Security Essential has, would be a great feature to have in the next version, great idea!

Thank you for responding and for the suggestions. :slight_smile:

Hello,

I know we cannot post possibly malicious web links in our message, now I found out that we cannot even put the possibly malicious link in a text file instead, so how do we report possibly malicious websites? (I am just curious) :wink:

Thanks,
-John Jr :slight_smile:

Once a Moderator (I think) mentioned The Malware Research Group to me, and I thought I messaged the CEO about joining a year ago (or almost a year) at the suggestion of the Moderator, but I never received a reply or invite. (:NRD)