CIS still talkative

Just installed CIS Premium, default settings.

Popups attached. (Not sure I was fast enough to get shots of every one.)

Main issue since install: can’t connect to any Gmail IMAP accounts via Thunderbird (shots 23, 24). Is this a known problem? EDIT: Removing and recreating the accounts fixed it.

[attachment deleted by admin]

Have you reported False Positives?

Some of them aren’t FPs sadly; that’s why it’s annoying.
About the sandbox, it’s because these apps aren’t signed.
About the AV alerts, I can see 1 FP (hdsentinel). winvnc isn’t a heuristic alert; they added it in their database as ApplicUnsaf, which means it could be dangerous if you didn’t install it yourself (but still annoying). About oodled, maybe it’s an annoying alert like vnc. What is the CloudBehaviour alert for IRclient?

Then, there’s a bunch of firewall alerts because these apps try to connect outside, nothing unusual here.

The only really dangerous alert I can see here is gf2. This app wasn’t signed (and that’s why it was sandboxed), and it tried to access a protected COM interface (hence the D+ alert).

TL;DR: sandbox alerts are normal, firewall alerts are normal, AV alerts are misleading.
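Because the replies above attribute the sandbox prompts to the applications being unsigned, here is an added PowerShell check (not from this thread and not Comodo’s code) that a user can run before deciding whether to trust or submit an application: it reports the Authenticode signature status, the signer, and a SHA-256 hash for each executable. The file names are the ones mentioned in the thread; the install paths are assumptions, and the script assumes Windows PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example: report Authenticode signature status for executables that
# triggered sandbox/AV prompts. Paths are assumptions, not taken from the thread.
$candidates = @(
    'C:\Program Files\GarbageFinder\gf2.exe',        # assumed path
    'C:\Program Files\InternetRemote\IRClient.exe',  # assumed path
    'C:\Program Files\OO\oodled.exe',                # assumed path
    'C:\Program Files\UltraVNC\winvnc.exe'           # assumed path
)

function Get-SignatureReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            # Report missing files instead of throwing, so one bad path does not stop the run
            [pscustomobject]@{ Path = $p; Status = 'FileNotFound'; Signer = ''; Sha256 = '' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # The hash is what a vendor false-positive submission form usually asks for
        $hash   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Signer = $signer
            Sha256 = $hash
        }
    }
}

Get-SignatureReport -Paths $candidates | Format-Table -AutoSize
```

A Status of NotSigned is consistent with the explanation given above for the sandbox prompt. A Status of Valid only means Windows trusts the certificate chain; whether CIS treats that signer as a trusted vendor is a separate decision made by CIS, so a validly signed file can still be prompted for.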

If you’re sure your computer is clean, then switch to Training mode for a while.
I always do this for 1-2 days after installing CIS.

The only really dangerous alert I can see here is gf2. This app wasn’t signed (and that’s why it was sandboxed), and it tried to access a protected COM interface (hence the D+ alert).

Nothing dangerous in this alert.

Please note there will be no events logged in training mode, and you should only use training mode for short periods.

If you have Show balloon messages turned on, these do show in training mode, but nothing is logged.

Dennis

I see only 1 D+ alert that required user input. And the alert was simple and clear and it was in “Orange” colour (not RED).

The majority of them are Firewall alerts. If you don’t want a firewall then don’t install it; just install the Anti-Malware side of CIS (which is AV+D+). Any other firewall would have given you these alerts (if they didn’t, they would not be a firewall :slight_smile: )

Melih

Thanks for the advice. You may want to see this for the back story.
The PC is clean. It’s just that CIS doesn’t know it and has to be told.
I was able to answer all the questions but I did have to think about some of them a bit.
gf2.exe is Garbage Finder
IRClient.exe is Internet Remote Control
oodled.exe is O&O Drive LED
HDSentinel, UltraVNC & AlfaClock are self-explanatory

Screensaver was also blocked (see shots) but I’ve cleared it now.

[attachment deleted by admin]

You can submit these applications in this thread.

@Melih: is there a way to remove AV alerts like the one with UltraVNC?

Hi Syl,

We have a naming policy described here:
https://forums.comodo.com/av-false-positivenegative-detection-reporting/cis-malware-naming-rules-for-potentially-dangerous-applicationsriskware-t38506.0.html

In a corporate environment, an admin may not like these tools being present on user systems and would definitely be interested in knowing about it. At the same time, these applications can also be misused by malware. Considering these factors, they are flagged by the AV module but named appropriately.

Thanks
-umesh

Yep. Remember that you can easily add those files to the exception list :slight_smile:

Yep, I know this thread and I already read your answer when I asked if it was a FP.
Now I ask something a little bit different :slight_smile:
I don’t want to see these alerts, is there an option in CIS to reduce the threshold?

What does CloudBehavior mean?
What does UnclassifiedMalware mean?
I suppose they aren’t FPs, and they aren’t explained in your thread.

If you point to this thread every time I ask, it means CIS lacks something…

It was the same problem with SecureDNS when you blocked Demonoid and Rapidshare.
I don’t want to see these alerts, only real threats.

It means it was found suspicious by CIMA.

This is malware that has not yet been analyzed closely enough to be classified, but is very likely malicious.

So… it may be another FP then?

And while it’s unclassified, it may be another alert about a “dangerous” application, but we don’t know…

A few more alerts today. All are clean.
I had the same problem as yesterday with the screensaver again so I changed to an MS one.

I know I can uninstall/turn off the firewall,
I know I can change to “training mode”,
but this is the recommended installation and the default settings.

As I’ve said before, I can use CIS very effectively. I’m just seeing what it might be like to be a noob in the brave new world of CIS usability.

[attachment deleted by admin]

Latest Database Version: 6686
Release Date (all times GMT): 11-Nov-2010 10:04:12
Number of Definitions Added Today: 10681
Total Definitions: 5899079

Heur.Suspicious 990
UnclassifiedMalware 9154

That’s why, like I said before, Comodo has to find some ways to more efficiently classify and verify each and every one of the above samples. Many of them might be false positives. It is already getting out of hand. I bet 90%+ of the 5899079 total definitions belong to those two categories. A computer that is infected with an UnclassifiedMalware/Heur.Suspicious that is actually a rootkit/keylogger suffers way more devastation than one that is infected with another UnclassifiedMalware/Heur.Suspicious which is actually a less harmful virus. Without formal classification and identifiable names, you never know what those UnclassifiedMalware/Heur.Suspicious truly are.

Who cares about the name?

I care, because Comodo has a lot of FP and unjustified classification and we need to make a decision because of that.

+1
It looks like Comodo is really good at blocking malware only because it is really good at blocking. :frowning:
A few more examples today.

[attachment deleted by admin]

Please report the applications that you are being prompted for here. Then check in a few days and see how many fewer popups you have.

Not only will this make it easier to use CIS on your computer but it will also help the other people in the CIS community that have the same applications installed. Comodo is working on making it less talkative, but the thing you can do to help the most is to report any applications that you receive popups for.