This should be important to Comodo since someone out there has figured out how to infect Comodo Programs Manager (3.1) to do its dirty work; what an insult.
Background of Incident:
While installing Soluto (Soluto.com: boot-up analyzer), Spybot Search and Destroy’s Teatimer detected a malicious program execution infected with Win32.Palevo. I was surprised to see that it listed the infected file as CPMInformation.exe from the Comodo Programs Manager folder, which had monitored the Soluto install and was apparently starting to report the install to me (small popup in the System Tray). I do not know the exact function of CPMInformation.exe, nor was I able to find a listing on Comodo’s web site that shows the list of files that should be installed in the CPM folder. Other web sources do list CPMInformation.exe as being a component of CPM, at least for version 1.0.1.
This encounter is very odd because I have no reason to believe either Comodo Programs Manager or Soluto to be the true culprit here, at least not at this point. Comodo Programs Manager has monitored many installs since its last update (to 3.1). However, had Teatimer not been executing, the Win32.Palevo bug could have slipped by (MS Essentials did not catch it).
Clicking on the Teatimer OK button announcing the find deleted the CPMInformation.exe file (automatically checked option; otherwise, I could have saved it for analysis).
The Soluto install/Win32.Palevo encounter happened just after a fresh boot following Windows Updates (I manually initiated Windows Update and the Check for Updates). The Windows updates consisted of: Software Updates: a Root Certificate update and an MS Security Essentials update; Hardware: an Nvidia card update. The updates were installed without incident, and I was then prompted to reboot. Just moments prior to the Windows Update, I was prompted to update the Safari Browser (from version 5.1.4 to 5.1.5), and that completed without incident. That is what gave me the idea that I should check for Windows Updates too, in case Safari wanted to reboot (it didn’t).
Since none of these updates seem likely culprits, I began checking to see what else I have installed recently on this computer. The last modified folders in my Program Files folder were (folder: last modified):
NVIDIA Corporation: today
AvsP: 5 days ago
Mozilla Thunderbird: 5 days ago
TaskCoach: 7 days ago
Opera: 8 days ago
Zimba: 11 days ago
DownloadToolz: 12 days ago
DVD Photo Slideshow Professional: 12 days ago
Only the first three were updated today; the others have had several reboots since being installed. Somehow something got Win32.Palevo installed into CPMInformation.exe, and it showed up during the Soluto install, which makes it the most suspicious. Soluto was listed in PC Magazine’s The Best Free Software of 2012 list, which is why I decided to give it a try on this PC.
I noticed one other Comodo CPM Forum entry relating to Soluto (Jan 2011) in that CPM did not monitor the install. Could there actually be an issue between these two? Did I catch a problem only because I had Spybot S&D Teatimer monitoring?
CPM must be able to defend itself. If Programs Manager can be attacked/hacked/infected by some other application (during its install or otherwise), then an application install could make CPM look to be infected to anti-malware software, and while it is being held hostage by an anti-malware program, the other program could thwart CPM’s monitoring ability and get whatever it wanted past it. This would be a serious security breach for CPM, which is expected to detect when bad software is being installed. Likewise, this could tarnish CPM’s reputation.
During the install of any program, Comodo Programs Manager always reports the install. Several days ago, I do recall seeing Comodo Programs Manager announce an install/update while I was doing editing work (not during an install). I did think that was a bit odd. I recall the pop-up short report showing an “update” of some software; it was something common though, such as Quick Time update installed, but I do not recall what exactly it was. Is there a log of things that Comodo Programs Manager has monitored? If not, there should be.
In the Programs Manager install folder, the CUSettings.ini file was updated today; the last file updated before that was setup_cpm.exe (1/15/2012 8:00 PM).
I zipped the Comodo Programs Manager directory in case you care to inspect it (17,506 KB).
What can I provide to help Comodo solve this and prevent it from recurring or happening to someone else?
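The folder-timestamp check and the directory zip described in the post can be replaced by a scripted triage that gives a vendor something directly usable: the recently modified program folders, plus a SHA256 hash and Authenticode signature status for every executable left in the Programs Manager folder. The script below is an added example, not code from the original post or from Comodo; it assumes Windows PowerShell 4 or later (for Get-FileHash), and the CPM install path is an assumption that should be adjusted to the real folder.

```powershell
# Added example (not from the original post or from Comodo): scripted triage
# of program folders and of the Programs Manager install folder.
# Assumptions: PowerShell 4+ (Get-FileHash); the $CpmFolder default is a guess
# and must be adjusted to the actual install location.

param(
    [int]$Days = 14,
    [string]$CpmFolder = "$env:ProgramFiles\COMODO\COMODO Programs Manager",
    [string]$Report = "$env:USERPROFILE\Desktop\cpm-triage.csv"
)

# 1. Program folders modified within the last $Days days, across both Program Files trees.
$roots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
$cutoff = (Get-Date).AddDays(-$Days)
$recent = Get-ChildItem -Path $roots -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime
"Program folders modified in the last $Days days:"
$recent | Format-Table -AutoSize

# 2. Inventory of the CPM folder: size, timestamp, SHA256 and Authenticode status
#    for every PE file. Hashes let the vendor compare against their release files
#    without needing the whole directory zipped up.
if (-not (Test-Path $CpmFolder)) { throw "CPM folder not found: $CpmFolder" }
$inventory = Get-ChildItem -Path $CpmFolder -Recurse -File -Include *.exe,*.dll,*.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            Size          = $_.Length
            LastWriteTime = $_.LastWriteTime
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus     = $sig.Status
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
$inventory | Export-Csv -Path $Report -NoTypeInformation
"Inventory written to $Report"

# 3. Anything in a vendor folder without a valid signature is the first thing to report.
$suspect = $inventory | Where-Object { $_.SigStatus -ne 'Valid' }
if ($suspect) {
    "Files without a valid Authenticode signature (review these first):"
    $suspect | Format-Table Path, SigStatus, SHA256 -AutoSize
} else {
    "All PE files in $CpmFolder carry a valid signature."
}
```

Run it from an elevated PowerShell prompt as `.\cpm-triage.ps1 -Days 14` and attach the resulting CSV to the report; a file that is unsigned, or whose hash differs from the vendor's own build, is far more useful evidence than a folder archive, and the signature check also answers the question of whether a binary in the folder is the one the vendor actually shipped.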