Comodo Firewall Virus Issue

Hi,

I have automatically updated Comodo Firewall, but Sophos antivirus is constantly picking up mal/gampass-B in a file which I cannot catch now.

Please let me know if I need to do anything about this.

Thanks

Do you mean that you cannot locate the malware that is being caught, or that Sophos is automatically quarantining it?

If it keeps finding the same files over and over again then your computer may be infected. If this is so please see this guide:
What You Need To Know About Removing Infections and Securing Your Computer

Hi Tester1,

A few comments and questions regarding your request and the answer by Chiron494.

1) It is not clear why and how the request is related to Comodo’s automatic update, and why you wrote: “but Sophos [is] constantly picking up” some infection…
I mean, what is the link? How can you see that those events (the Comodo update and the flagging by Sophos) are related?

2) The name of the alleged infection (any) is pretty much useless and does not provide any information whatsoever.
It is important to know what was flagged: the precise name(s), location(s), etc.

3) You should definitely rather follow the advice given in the link provided by Chiron494.

4) At the same time, there was a good question about “automatically quarantining”.
If so, just keep in mind that you (or anybody else) should not set any security software to “auto-” quarantine / delete / heal.

The options (they could be in several places in Settings) must be set to “notify only” as soon as any security (AV) was installed.

Otherwise, one day that “feature” will damage your system beyond repair
(well,… the only repair will be a system reinstallation).

In some cases the system will recover after a reboot, but there are far too many cases when it will not, if some system components are removed.
Even if the detection was correct, you cannot allow the security software to remove system components that have been infected (substituted) by malware. The procedure of recovering such components in most cases is not as trivial as quarantining/deleting them – special malware removal tools are required, and special methods of “substituting back”, so to speak, are needed.

5) As for the second part of Chiron494’s comment: “If it keeps finding the same files over and over again then your computer may be infected…” I may disagree.

Yes it may be the case, but there could be another case:

“Something” (that is currently unknown) was flagged by Sophos. And it will be flagged many times. It does not mean that it is a genuine infection.
You may have software installed that no other users have.
You have to submit that code to the vendor (Sophos in your case) in order to find out whether it is a False Positive detection or not.
If nobody did that before and you are “the only one” having that code, Sophos’s developers will never know, and “the thing” will be continuously flagged forever even if that is a mistake.

Cheers!

I too have Sophos Anti Virus and SAV reported found and “quarantined” Mal\Gampass-B in C:\Program Files\COMODO\Firewall\Repair\mach32.dll

Following the path to mach32.dll shows the size of the file to be 1117 KB, and the certificate details show it belongs to Comodo Security Solutions.

I have asked Comodo for an answer, but all they have done is refer me to the Forum - it seems there is more expertise out amongst the users than there is in the Tech Support Dept of Comodo.

I have asked Sophos for an answer as to whether the find is a False Positive.

I have sent the file to both parties and have not received any satisfactory answers from either.

Problem is, Comodo is free, so why would Comodo bother with people like me who use free software - and Sophos is a free trial, so the same thing applies, although I have had a follow-up from them but with no more information.
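The evidence Lakesaver gathered by hand (path, size, certificate owner) is what a vendor false-positive submission asks for. The following PowerShell function, an added example that is not part of the thread, collects the same facts plus a SHA-256 hash and the Authenticode status; the path is the one quoted above, and the expected signer string is an assumption taken from the certificate details the poster reports.

```powershell
# Added example: collect triage evidence for a file flagged by AV before submitting it
# to the vendor. Assumes Windows PowerShell 4+ (Get-FileHash, Get-AuthenticodeSignature).
function Get-FlaggedFileReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: substring expected in the signer's subject, as reported in the thread.
        [string] $ExpectedSigner = 'Comodo Security Solutions'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # Already quarantined or deleted: nothing to hash, report that instead of failing.
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $item   = Get-Item -LiteralPath $Path
    $hash   = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path          = $Path
        Present       = $true
        SizeKB        = [math]::Round($item.Length / 1KB)
        SHA256        = $hash.Hash
        # Valid / NotSigned / HashMismatch / UnknownError ...
        SigStatus     = $sig.Status
        Signer        = $signer
        # A Valid signature from the expected publisher supports (but does not prove) an FP;
        # NotSigned or HashMismatch on a file that should be signed argues for leaving it quarantined.
        SignerMatches = ($null -ne $signer -and $signer -like "*$ExpectedSigner*")
    }
}

# Path as quoted in the thread.
Get-FlaggedFileReport -Path 'C:\Program Files\COMODO\Firewall\Repair\mach32.dll' | Format-List
```

The SHA256 value and the report fields are what to paste into the vendor's submission form alongside the sample itself.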

Yes, it’s a False Positive from Sophos; I would recommend that you make Sophos AV ignore that file.

Thank you for the prompt response.

Hi Lakesaver,

That is not true, and it has nothing to do with Comodo being free.

As I pointed out above, the only right way is to send the suspect file to the vendor (Sophos).

I cannot tell why they did not respond… Usually that shouldn’t be the case, whether the product is free or, moreover, a Trial.
I have sent files to different vendors, having many on-demand scanners here - there was never a case of rejection.
That would be “a bit” of a silly thing for any vendor to do, since having FPs is not in their interests.

… but I am absolutely sure that you would not be rejected if you sent the same file in parallel to Comodo’s lab for analysis as well, even though it is not Comodo’s fault in this case.

My regards

Have now had a response from Comodo - their Tech Support is looking into the issue.

Sophos are also looking into it because they don’t like false positives.

I am grateful to the Forum users for taking the time to comment.

Sophos Tech Support have replied that it is a False Positive. Not yet had a reply from Comodo Tech Support.

All,

Has anything been done about Sophos detecting mach32.dll as a virus?

Thanks

Hi Tester1 ,

Can you please clarify your request? What should be done?

You always submit files to the vendor of the security software that produces the flagging.
That was done, and the FP was confirmed by Sophos.

But probably I am missing something (I mean Comodo’s involvement).

My regards

I too got this. Comodo of course should be worried, because if its product is being detected as containing a virus, many people will simply allow the AV to get rid of the file, and most likely uninstall Comodo without consulting anything.

Now of course, if you have Sophos AV on your computer, one might wonder why you aren’t also running Sophos’ Firewall product, which comes bundled with the AV.

Hi dunxd ,

Unless I am missing something (despite having reread this “old” thread), I simply cannot get a few points:

  1. the FP was from Sophos;

  2. in case the user is not sure, the detection has to be submitted to the vendor
    (Sophos in this case);

  3. why would one “most likely ???” uninstall Comodo :o … in such circumstances;

  4. sorry to put that bluntly … but this statement:
    “if its product is being detected as containing a virus, many people will simply allow the AV to get rid of the file”
    is simply wrong;
    it is based on the assumption that some people are not experienced enough yet … (but they will be, if they want to learn) to understand that

  • we cannot live without FPs … and never will;
  • we must never use auto-quarantine/auto-delete, irrespective of … no matter what security software is in use … etc.

So, basically the statement “without consulting anything” is in the category of “pure ignorance” … Well, that is actually one of the ways some are deploying:

  • something detected / removed / system crashed - reinstall the system;
    or
  • just never use any security software… if anything goes wrong - perform a fresh clean system reinstallation / use an image / apply backed-up data. The latter is a “must do” regardless of whether one is using security software or not
... if you don’t have at least two data backups ... you do not care ...

Cheers!