Comodo D+ Heuristics And Notepad

Why is the built-in notepad.exe program in Windows being picked up as malware according to the D+ malware heuristics?

A false positive?

Is anyone else getting this?

Here’s a screenshot.

Also, isn’t there supposed to be text above the icons explaining what’s happening? Like “(program) is trying to install a global hook” or “(program) is trying to execute (program)”, etc.

I recently (within the week) got an error with Comodo Firewall and I sent it to Comodo.

I’ll probably reinstall Comodo and see if that helps.

EDIT: I exited and then restarted Comodo Firewall and the text above the icons came back, though I don’t understand why it went away in the first place.

D+ isn’t telling you that’s malware, but warning you: if you don’t know what it is, then don’t allow it. But since it’s Notepad, allow it.

But the heuristics built into Comodo Firewall are picking it up as possible malware behavior; with normal program execution it doesn’t pop up saying that.

Well, read your screenshot. It says “if you do not know if Notepad is a virus.” Which it clearly isn’t. D+ has given me warnings about safe products also. At least you know it’s working like it should.

But that’s not how the D+ heuristic engine is supposed to work; that’s how the D+ HIPS module is supposed to work. The heuristics engine is throwing off a false positive. That part of the D+ module is only supposed to alert you to programs that look like they have malware behavior. How does an obviously safe Windows program look like malware?

I’ve only ever had the heuristics engine alert me about one program, which changed settings in Windows, and I could understand why the heuristics engine picked that up, because it did look like malware in the way it worked.

EDIT: added attachment

The attachment shows how a “normal” pop-up looks for a program execution in D+, nothing stating a malware behavior from the heuristics.

If you doubt Comodo, then simply download the GRC leaktest, PC Flank test and the System Shutdown Simulator and you will see it passes all tests. Even when you rename the GRC test like you’re supposed to, Comodo still warns you.

I don’t doubt Comodo at all. I happen to prefer it over all other firewalls, and it’s my favorite HIPS so far as well; that’s why I’m using it.

I’m just wondering why its heuristics engine is picking up notepad.exe as malware when it’s obviously not. It wouldn’t bother me at all if it just gave me the normal program execution alert, but it’s giving me the malware heuristics alert instead.

The Notepad program is spotted by the D+ module because it is acting like POSSIBLE malware. Namely, it is being called by a program and executed where you might not expect it to be.

That’s what the warning says. So what’s wrong with that? Why not just trust all programs called by another program? Duh. Well, when a program is called by another program, sometimes that means the first program, even if “trusted”, has been “infected” and is calling another program that is not to be “trusted”, or that the program called is not to be automatically trusted in this context.

For example, a program reformatting your disk might be quite alright but NOT when called by your web browser…

This warning allows you to say this possibly suspicious behavior is to be allowed: either this time, or any time, or after a warning, or whatever you want.
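The poster above describes the core idea behind a HIPS execution alert: the same child program can be fine when launched from one parent and suspicious when launched from another, and the user's answer can be remembered. The following is an added toy model of that parent/child context check, written for this thread; it is not Comodo's code, and the safelist tables, the process names, the verdict names and the `ExecEvent`, `classify`, `remember` and `triage` helpers are all constructed assumptions for illustration.

```python
"""Toy model of a HIPS parent/child execution check (added example).

Everything here is a constructed assumption for illustration: the tables are
not Comodo's safelist and the verdict logic is not Defense+'s real engine.
"""
from dataclasses import dataclass

# Assumed: parents from which a launch of the given child is considered normal.
EXPECTED_PARENTS = {
    "notepad.exe": {"explorer.exe"},
    "format.com": {"explorer.exe", "cmd.exe"},
    "cmd.exe": {"explorer.exe"},
}
# Assumed: children whose execution has high impact on the system.
HIGH_IMPACT = {"format.com", "cmd.exe"}
# Assumed: parents that routinely handle untrusted content (browser, mail).
EXPOSED_PARENTS = {"iexplore.exe", "firefox.exe", "outlook.exe"}


@dataclass(frozen=True)
class ExecEvent:
    parent: str  # image name of the process requesting the launch
    child: str   # image name being executed


def classify(event, remembered=None):
    """Return (verdict, reason) for one execution request.

    verdict: "allow"  - expected context or a remembered 'always allow'
             "block"  - a remembered 'always block'
             "alert"  - the launch context looks suspicious
             "prompt" - ordinary execution prompt, no heuristic finding
    """
    remembered = remembered or {}
    parent, child = event.parent.lower(), event.child.lower()
    if (parent, child) in remembered:
        return remembered[(parent, child)], "remembered decision"
    if parent in EXPECTED_PARENTS.get(child, set()):
        return "allow", f"{child} launched by expected parent {parent}"
    if parent in EXPOSED_PARENTS:
        # A browser or mail client starting anything unexpected is the
        # 'reformat called by your web browser' case from the post.
        return "alert", f"{parent} handles untrusted content and launched {child}"
    if child in HIGH_IMPACT:
        return "alert", f"{child} launched by unexpected parent {parent}"
    return "prompt", f"{child} launched by {parent}: no heuristic finding"


def remember(remembered, event, decision):
    """Record an 'always allow' / 'always block' answer for this pair."""
    if decision not in ("allow", "block"):
        raise ValueError(f"unknown decision {decision!r}")
    remembered[(event.parent.lower(), event.child.lower())] = decision
    return remembered


def triage(events, remembered=None):
    """Classify a batch of events; returns (parent, child, verdict) tuples."""
    return [(e.parent, e.child, classify(e, remembered)[0]) for e in events]


# Constructed sample events, in the spirit of the thread's discussion.
SAMPLE_EVENTS = [
    ExecEvent("explorer.exe", "notepad.exe"),  # the thread's case: normal
    ExecEvent("firefox.exe", "format.com"),    # browser launching a formatter
    ExecEvent("WINWORD.EXE", "cmd.exe"),       # high-impact child, odd parent
    ExecEvent("winword.exe", "notepad.exe"),   # harmless but unexpected
]

if __name__ == "__main__":
    for parent, child, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:6s} {parent} -> {child}")
```

Note that in this model explorer.exe starting notepad.exe is classified as an expected launch and gets no heuristic finding, which is the behaviour the original poster expected to see; the model does not reproduce the alert discussed in the thread, it only shows why launch context matters to a HIPS.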

It’s being executed by explorer.exe; nothing strange about this request. I don’t get this heuristics pop-up with any other program being executed by explorer.exe, only with notepad.exe, and I don’t ever remember getting this type of pop-up before (I started fresh with D+ again recently).

And I’d appreciate it if you kept your language under control. I’ve read the help files and studied Comodo’s firewall and D+ module since it came out of beta in November; I know how to use it.

Thank you Gizzy… no need to be rude.

I don’t think that a heuristic that was written quickly and claims to detect 60% of malware can be very reliable.
AFAIK, if a program is in Comodo’s safelist it should not generate a heuristic alert if Defense+ finds it suspicious, but if the program was updated recently it will not be in the safelist. I suggest you upload notepad.exe to an online service such as VirusTotal (and to Comodo too).

Very odd situation. I’ve just deleted all rules for Notepad, the exceptions which allow Explorer to run it, and tried starting it every way I could think of. No alerts.

Are you running paranoid level in D+ or anything like that? Have you created custom settings to monitor, or control applications?

I have it set to “Train with Safe Mode”.

Nothing out of the ordinary for settings:
image execution control is set to normal,
all monitor settings are checked.

I already had rules set up in my policy for Notepad that I forgot about, so I didn’t get this heuristics pop-up before. I’ll have to go through my rules and see if I can find the program that previously executed Notepad.

I deleted the rules for Notepad and tried to execute it again, but I get the same heuristics pop-up.

An upload to VirusTotal came up clean, and if I click the icon for Notepad on the pop-up and get the properties window, it says it hasn’t been modified since 2004.

I uploaded it to Comodo as well.

It seems like just a false positive from Comodo’s heuristics, but I don’t understand why I never got it before and no one else seems to be getting it.

I’m using the newest version of Comodo Firewall.

And I just checked: I get the same heuristics pop-up under Clean PC mode, Train with Safe mode, and Paranoid mode.

My firewall settings are set higher than normal, but I don’t think that would cause this.

And I don’t expect the heuristics to be all that reliable, but I never got this alert for Notepad before, no one else seems to be getting it, and it should be a safe file in Comodo. I’m using Train with Safe mode, so that setting checks against Comodo’s safe files.