Comodo Firewall 3.11 download possibly infected with Win32/ZMist virus?

Dawg · August 28, 2009, 4:36am

Hello,

While downloading the 3.11 version of Comodo Firewall, released on 25th August 09, from the Comodo website, my NOD32 virus scanner alerted me that the file was infected with the Win32/ZMist virus, which it subsequently quarantined. Having looked up this virus, it looks like a particularly invisible one, which most AV programs do not pick up.

I have recently downloaded other programs, and the alert did not show.

Has anyone else encountered this problem? I’d also like to know whether you folks at Comodo are aware of this potentially serious security threat.

I deleted the downloaded file, and won’t install Comodo 3.11 until I am sure that it is not infected. :-\

Thanks.

slg123 · August 28, 2009, 5:18am

Most probably a False Positive by Nod32.

Endymion · August 28, 2009, 5:27am

Hallo Dawg,

It looks like if was Nod’s misdetection (False Positive) as Nod32 online scanner don’t detect CIS_Setup_3.11.108364.552_XP_Vista_x32.exe released on 25th anymore.

Though to it could also be that nod was correct but this mean your system was already infected and as a result that CIS installer was infected soon after the download.

Whenever in such cases is advisable to leave such files in the quarantine and rescan then after a while after submitting it to Nod AV labs, since you already deleted the quarantined executable before attempting to download CIS installer again please do a full scan with nod.

Dawg · August 28, 2009, 10:51am

Thank you for your comments everyone.

I will check out the false-positive issue. Hopefully this is what is causing the problem.

I have done a full in-depth scan with NOD and there was no sign of ZMist.

The alert happened quite soon after 3.11 began downloading, well before completion, and there have been no other alerts with other downloads since I got this computer some months ago.

Will report back.

slg123 · August 28, 2009, 11:00am

Looks like the part file (temporary file for download) was being detected.

mineja · September 1, 2009, 6:57pm

I have just (a few minutes ago) encountered the same problem. In my case the alert from NOD32 was almost instantly after clicking [download]. Running XP with NOD32 2.70.39. updated half an hour ago. In 4 days (at least) I thought Comodo would have sorted this out and posted a response. I will plod on with the earlier version firewall currently installed.

HeffeD · September 1, 2009, 7:51pm

How exactly is Comodo supposed to sort out a false positive from a competing product? ???

You can sort it out yourself by reporting the problem to the folks who produce NOD32.

Dawg · September 2, 2009, 3:46am

Hi,

From my end, I emailed samples@eset.com a couple of days ago reporting the issue. No response as yet.

Mineja - I would suggest that you alert NOD also as I imagine that the more enquiries they receive the more likely they are to investigate.

Endymion · September 2, 2009, 10:17am

Is there anyone who still got that FP?

Days ago I used Eset on-line scanner on CIS installer, downloaded soon after its release, and I didn’t get the Zmist FP.

This is strange ???

bulgroz · September 2, 2009, 10:36am

Strange that NOD reports the exe file as a virus immediately upon clicking the download button. I thought that NOD or any other scanner would need access to the file before it could scan it. Could it be the scripting behind the download button that causes the detection?

Just a thought.

I have scanned the file with Bit Defender 2009, McAfee 8.7 enterprise and Kaspersky 2010. Nothing found.

Cheers