Comodo detects wordpress blog admins and browser's cache as Unclassified Malware

[b]NOTE: This is a repeat of the post I had made in another forum. Another member also reported the same problem. But I realized it was the wrong forum and so, I am posting it again in this forum.

Please check the original thread below for further details
[/b]
https://forums.comodo.com/empty-t35743.0.html

Hi support,

I have seen that after today’s virus database update, Comodo is falsely showing various WordPress admin files as viruses. I have checked the files and all of those are detected as viruses. (:AGY)

Some of the files detected as malware by comodo include

wp-includes\js\jquery\interface.js

wp-includes\js\jquery\jquery.js

wp-admin\js\revisions-js.php

and many such files. This has become very irritating as I am a webmaster and blogger and almost all my wordpress blogs are showing falsely as malware. (:SAD)

Moreover, there is another file type which is showing as malware

It is usually inside the profile folder of the browser in the cache folder

It has shown Unclassified malware in both Firefox and Opera

But I am quite suspicious of these threats too because these have all started appearing today only after the comodo virus database update. I deleted two of my blogs completely thinking that it might have been problem with the server but it seems that there is false positive in comodo now. The worst part is that this file is a random one always shown at the same location.

For Firefox the Unclassified malware appears like

C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla Firefox\Profiles\kufarqw3.default\Cache\EA36A345d01

And for Opera the error appears like

C:\Documents and Settings\Admin\Local Settings\Application Data\Opera\Opera\profile\cache4\opr02YOE

This above mentioned Unclassified Malware is the most annoying because the virus alert keeps popping up again and again and only the last numbers and letters after cache or cache4 changes. I am quite worried and highly annoyed by these false positives. Please correct it and check whether these are actual errors or not.

Please correct it soon. The last update was a nightmare for a webmaster. (:SAD) I had already destroyed two low-traffic websites of mine after the Unclassified malware reports, thinking someone might have hacked those hosting accounts. I am not able to do anything as the false positive at the browser’s cache folder and WordPress admin keeps popping up again and again.

Thanks once again for the great product :ilovecomodo:

But please correct it soon and remove all the false positives

Hi comodo staff, please check this out and correct the problem

Thanks in advance

I have three Wordpress blogs that currently cannot be updated/maintained because of false positives. The virus signature database that started this problem is 1005. The false positive is Unclassified Malware@8362428. The file is actually a jQuery script:

/*
 * jQuery 1.2.6 - New Wave Javascript
 * Copyright (c) 2008 John Resig (jquery.com)
 * Dual licensed under the MIT (MIT-LICENSE.txt)
 * and GPL (GPL-LICENSE.txt) licenses.
 * $Date: 2008-05-27 12:17:26 -0700 (Tue, 27 May 2008) $
 * $Rev: 5700 $
 */

I have submitted the file using the Suspicious Files feature but I did not see any way to include an explanation. Have I missed something?

I also have this problem. It just started occurring within the last 2 days. I use Opera 9.63 most of the time. Now I am constantly removing cache files that pop up in virus alerts. I am using the same sites that I have used in the past. I think they are false positives. I have not sent them in, because I am usually right in the middle of doing some research or something. The last cache file popped up when I was at stardock.com (and at mintywhite.com), and I’m pretty sure they do not have malware.

Is there a way to tell Comodo that any file it finds in my browser cache which it thinks is a virus/malware that it can just delete it?

Could you please check this out? The file is always a random number. Comodo calls it “Unclassified Malware[at]8362438” and it is located at “c:\users\username\appdata\local\opera\opera\profile\cache4\opr08NGR” - the name appears different each time.

Any ideas…help?? :SMLR
and, :ilovecomodo:

This is a temporary fix:

Open the “Browse” window by following these instructions:

http://qgs8sq.bay.livefilestore.com/y1pu9jktT3aP7QlwrjZbBt4fZQ8gAtcpA-LF1q1RI5sV5aLAQPR2Knjr9LCdPZh_Uc1JDzmPZiwvOAu_scOyYL8fw/CIS-AV_Excluded.png

Copy the directory location of the detected files.

Example:
C:\users\[i]user[/i]\appdata\local\opera\opera\profile\cache4\opr08NGR

This folder may change for the different alerted files.
So, we exclude this folder:
C:\users\username\appdata\local\opera\opera\profile\

And leave off the “cache4\opr08NGR” because it could change with each alert.

http://qgs8sq.bay.livefilestore.com/y1pYjJZFbJ3V1175tWTKh-d3cLo3Amq-gOxqTsJyCuPn3E-zfXNm76POu5a1s2hTp5x6oqYZq6wXHc3SVpBdyIRqA/CIS-How-AV_Exclude.png

And for Firefox it could be:

C:\Users\[i]user[/i]\AppData\Local\Mozilla\Firefox\Profiles\8eibdth6.default\Cache\0DA73F16d01

Note: This is for Vista. For XP you replace the "C:\Users\[i]user[/i]\AppData\Local" with "C:\Documents and Settings\Admin\Local Settings\Application Data".

But for the most reliable method, just use the directory that the alert shows.
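The workaround above derives a stable exclusion folder by dropping the random cache file name (and the cache directory above it) from the alert path. As an added illustration, not code from the thread or from Comodo, this Python helper does that derivation for the Opera and Firefox paths quoted in the thread, refuses to widen an exclusion to a whole drive, and checks whether a later alert is actually covered by an exclusion already in place (the sample paths are the constructed ones from the posts above):

```python
from pathlib import PureWindowsPath

# Constructed sample alert paths, modelled on the ones quoted in this thread.
# Only the trailing cache file name is random and changes with each alert.
OPERA_ALERT = r"C:\Users\username\AppData\Local\Opera\Opera\profile\cache4\opr08NGR"
FIREFOX_ALERT = r"C:\Users\username\AppData\Local\Mozilla\Firefox\Profiles\8eibdth6.default\Cache\0DA73F16d01"


def exclusion_root(alert_path, drop=2):
    """Return the folder to exclude for a CIS alert on a browser cache file.

    drop=2 removes the random file name and the cache directory above it
    (e.g. cache4\\opr08NGR), leaving the browser profile folder, which is
    what the workaround in this thread excludes. drop=1 keeps the cache
    directory: a narrower exclusion, but one that misses alerts if the
    browser ever rotates to a differently named cache directory.
    A ValueError is raised rather than ever returning a drive root, so a
    short or malformed path cannot turn into an exclusion of all of C:\\.
    """
    parts = PureWindowsPath(alert_path).parts
    if drop < 1 or drop >= len(parts) - 1:
        raise ValueError(f"{alert_path!r}: cannot drop {drop} level(s) safely")
    return str(PureWindowsPath(*parts[:-drop]))


def covers(exclusion, alert_path):
    """True if alert_path lies strictly inside the excluded folder.

    Comparison is case-insensitive, as Windows treats paths, and a trailing
    backslash on the exclusion (as typed in the thread) is tolerated.
    """
    ex = [s.lower() for s in PureWindowsPath(exclusion).parts]
    al = [s.lower() for s in PureWindowsPath(alert_path).parts]
    return len(al) > len(ex) and al[: len(ex)] == ex


def uncovered(exclusion, alert_paths):
    """List the alert paths that an existing exclusion does not cover."""
    return [p for p in alert_paths if not covers(exclusion, p)]


if __name__ == "__main__":
    opera_root = exclusion_root(OPERA_ALERT)
    print("Opera exclusion:  ", opera_root)
    print("Firefox exclusion:", exclusion_root(FIREFOX_ALERT))
    # A second Opera alert with a new random name is already covered;
    # the Firefox alert is not, so it needs its own exclusion entry.
    later = [r"C:\Users\username\AppData\Local\Opera\Opera\profile\cache4\opr02YOE", FIREFOX_ALERT]
    print("Still uncovered:  ", uncovered(opera_root, later))
```

Every path under the excluded folder is invisible to the real-time scanner, which is the trade-off discussed in the replies below: keep the exclusion as narrow as the observed alerts allow and remove it once the signature update corrects the detection.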

Thank you for your reply.

  1. When you say temporary fix, is that because Comodo is working on a permanent fix?

  2. In excluding this folder, I could be actually downloading viruses, if Comodo was not having false positives, correct? How likely is this?

I usually delete all cache files when I exit Opera, so I feel fairly certain that any possible “cache” viruses in that folder would be deleted.

Thanks again for your help, I will try this.

  1. I’m not an employee of Comodo, so I’m not sure. But I know they do check these forums, so they probably see this topic. I hope it will get fixed soon.

  2. You are correct. Malicious files may be downloaded, and CIS won’t detect them. In this way you’d have to rely on D+ if those files were ever executed.

If you don’t want to run too much risk, you could try disabling the real-time scanner heuristics. This won’t sacrifice too much security, and might fix this FP problem.

Devs aim to fix FPs now within 2 days, I’m pretty sure these boards get checked like every 12 hours…

It’s indeed normal that CIS lets you download the files. CIS has no web scanner and so can’t detect if you download viruses. When however you try to access them, it will detect them :slight_smile:

Xan

Thanks for the fix Jeremy. However, I have turned off Comodo antivirus for now till the false positives are fixed. I have got another antivirus as backup and so that should not be a problem. I have kept the Comodo firewall active however.

Hi eXPerience, thanks for the reply. Please correct both the false positives including the wordpress admin false positives as well as the FP on browser’s cache folders.

Thanks once again in advance and please reply when the FP for both these are fixed so that I can activate the anti virus once again.

Cheers. :■■■■

Just to correct you. I’m not a Comodo developer. I’m just a Comodo volunteer, a standard user like you :slight_smile:

Xan

I just finished dealing with this morning’s mess. Last night my regularly scheduled full system scan found 42 false positives before looping on ftdisk.sys, forcing a reboot. I was using 477 and signature database 1008. Once my system came back up I checked for updates and Comodo reported none available; however, only a few seconds later it updated the signature database to 1012. Possibly my check was just timed badly, but it seems suspicious to me.

Anyway, for the moment it is not reporting malware when I visit my Wordpress admin pages, but a scan of the Wordpress 2.71 zip file still results in 3 false positives:

interface.js Unclassified Malware[at]8318454
ui.tabs.js Unclassified Malware[at]8403714
revisions-js.php Unclassified Malware[at]8403709

It is better, but I don’t think the issue is resolved.

But you’re a mod and it seems like you are always knowing more than us “poor little members”. 88)

:o, would my nickname have some Truth in it after all ?

Xan

Well it seems like all mods know much more about Comodo dev stuff than we…

My signature database just updated to 1016. As a quick test I scanned my Wordpress 2.71 files again, and this time I am happy to report that CIS came up clean. I’ve been able to use my blogs since 1012, so I am crossing my fingers that the problem is fixed, at least as far as Wordpress is concerned.

Despite the horrors of the past couple of days, I still think CIS is the best choice out there.

But you know much better than us about Comodo being the global mod in the forum ;D

I have activated the antivirus now and it seems initially that there is no problem :slight_smile:

But I will inform you great guys if there is any problem

Thank you and everybody who helped

Cheers :-TU

Great, I’m happy that it’s fixed, good job devs :-TU

[quote]But you know much better than us about Comodo being the global mod in the forum[/quote]
That's just because I spend a lot of time here ;)
[quote]But I will inform you great guys if there is any problem Thank you and everybody who helped[/quote]
Please do so, everyone will get better of it. And you guys are a part of the resolving of this problem :-TU, please help the devs the next time also :)

Xan

As a user, I personally don’t want add-ons to my browser that I do not have control over, whether while at a single site or in toto.

I have my view of my browser set a certain way to display the most real estate. Smarmy little add-ons designed to promote social invasion of my computers are not wanted.

At least give the user the opportunity to remove, in its entirety, the offending tool bar - And I Don’t Mean That Little Down Arrow That Only Hides The Buttons But Still Takes Up Space.