False positive with WindowBlinds 8.0.1, random infected EXEs

Since December 25th 2013 Comodo Internet Security started showing infection alerts in random applications, about TrojWare.Win32.Magania.CLJ. The issue is caused by WindowBlinds. As soon as I turn off WindowBlinds the infection alerts go away. This issue is not new, I found two other threads about this in the comodo forums. Here are the links:

https://forums.comodo.com/virusmalware-removal-assistance-b58.0/-t75932.0.html

https://forums.comodo.com/av-false-positivenegative-detection-reporting-b154.0/-t84056.0.html

Although the reported malware name is slightly different, the issue is the same. The threads above are old enough, one is from 2011 and the other from 2012. My issue instead is quite recent; I have been using WindowBlinds since October 24th 2013 and until December 25th I never had any infection of the Win32.Magania malware. I’m pretty sure this is a CIS issue because WindowBlinds has remained at version 8.0.1 since October 10th, 2013 while CIS has been regularly updated on a daily basis.
To support the false positive declaration I have checked the PC performance, memory usage, network traffic and other parameters, and it all seems to work normally - no sign of infection activity. Also, my WindowBlinds application is not cracked, I regularly bought it and downloaded it from the official website, so you can totally exclude any possibility of cracked infected software (and, even more, I have never used/installed a cracked version of WindowBlinds on my PC).

Next, here is some information on the programs.

Comodo Internet Security Premium 6.0
Antivirus and Firewall only have been installed
Program version: 6.3.302093.2976
Database version: 17533

WindowBlinds 8
Download: Stardock WindowBlinds: Skin and Theme your Windows Desktop
Program version: 8.0.1
Files used by WindowBlinds:
FILE (Last updated)
Wblind.dll (2013/10/08 19:32:ll) - most recent
Wblind64.dll (2013/10/08 19:32:43) - most recent
Wbsrv.dll (2013/06/18 15:44:40)
WB8Config.exe (2013/07/18 16:07:29)
Wbload.dll (2013/06/17 16:03:35)
Screen.exe (2013/06/06 15:52:23)

The false positive infections have been found in:

Minimalist GNU for Windows
http://sourceforge.net/projects/mingwbuilds/files/latest/download?source=files

Magic Partition Recovery 2.1

LinuxLive USB Creator 2.8.27

K-Lite Codec Pack 10.2

Winstep Nexus 12.2
http://www.winstep.net/products.asp

QtCreator 3.0.0
http://qt-project.org/downloads

…and more generally all executable files which get skinned by WindowBlinds; the above are only a few examples of trusted applications that I regularly use and that are reported as infected. Other examples include all the applications I compile with QtCreator, they get flagged as malware - as the programmer I am, flagging them as infected makes me pretty angry (at every compile I get a new malware alert). If you want to try this one you may use any example application included with QtCreator, or even an empty console application.
Strangely, uTorrent, Notepad++, SumatraPDF, Paint.NET, SkinStudio (part of WindowBlinds) and probably other applications that I forgot are not flagged as infected when launched. These applications are not in the WindowBlinds excluded files list, nor in the CIS exclusions list.

NOTE 1: The WindowBlinds files themselves are not reported as infected, not even the application EXEs (WB8Config.exe, Screen.exe).
NOTE 2: I will not attach these files to this post due to their very large size. Instead I’ll leave the download links. The file you download from the links will perfectly reproduce the issue (just tried a few right now). The infection is reported not only in the installer applications but also in executables installed by them.
NOTE 3 - IMPORTANT: Infections are ONLY detected when applications are RUN! Manually scanning an application without running it will not make CIS detect any infection. This is because WindowBlinds has to inject itself in the running executable.

My system runs Windows 7 Professional 64-bit, SP1 (the OS is original as well, no ■■■■■/activator/whatever used). I’m pretty sure the hardware specifications are not needed, so I’ll skip them. For any other information you might need just ask me. Also, let me know if I should report this issue to Stardock as well.

Hi T3STY,

Thank you for reporting this.
We’ll check it and get back to you soon.

Regards,
Priyadharsini.G

Hi T3STY,

The sample you reported to us as a false positive is not detected by Comodo Internet Security version <6.3.302093.2976> with database version 17539.

Please make sure the Antivirus database is updated and check again. If detection is still present, please submit the file on Comodo forums at
https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detecte-b154.0/

Regards,
Priyadharsini.G

As I said in the 3rd note above, there is no real infection!!!
When the skinning application WindowBlinds is running and skins applications it injects itself in the running application’s memory. The false positive is only detected when you run any executable application that will get skinned by WindowBlinds.
To reproduce the false-positive alert do as follows:

  • install WindowBlinds (trial version will work as well)
  • activate a skin from the WindowBlinds configuration application (for instance, I am using the Echo skin - The Windows Classic and Windows Aero skins are Windows’ default skins, they will not trigger the false positive; choose any skin but those)
  • in CIS activate real-time scanning and any option for application startup memory scanning
  • now run any executable from the list I gave you, or try running other applications as well
    What you should see:
  • when you have WindowBlinds running with a skin activated, any application should get skinned by WindowBlinds; but on application startup CIS will alert about a TrojWare.Win32.Magania malware in the application. That’s the false positive you want to look for.
  • when WindowBlinds is not running (the Windows classic theme or the default Windows Aero skin is activated, or if you right-click the WindowBlinds tray icon and choose “Unload WindowBlinds” ) CIS will not detect any malware, and the malware alert will not pop up. CIS will not
  • in both cases, whether WindowBlinds is running or not, if you manually scan the applications CIS will not find any malware in them

So please, make sure you follow those steps to reproduce the false positive and let me know.

In the event you are not able to reproduce the false positive, can you help me whitelist that detection in CIS so the alert will not get triggered anymore?
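The thread's NOTE 3 and the reproduction steps above both hinge on one mechanism: the alert only fires for a running process because WindowBlinds injects its module into it, so an on-disk scan of the same EXE is clean. A practical way to triage such a report on your own machine, before deciding whether it is a false positive or a real infection, is to list which processes actually have the WindowBlinds module loaded and whether that module is the signed file from the install directory. The PowerShell helper below is an added example written for this thread, not a tool from Comodo or Stardock; it assumes the module names listed in the first post (Wblind.dll, Wblind64.dll) and that you run it from an elevated console so that module lists of other processes can be read.

```powershell
# Added triage helper (not part of the forum thread, not Comodo or Stardock code).
# Lists every running process that has a WindowBlinds module loaded and reports
# the Authenticode status of that loaded file, so a "detected only when run"
# alert can be matched against a known, signed injected DLL.
# Assumptions: module names from the thread (Wblind.dll / Wblind64.dll);
# run from an elevated PowerShell so other processes' modules are readable.
param(
    [string]$ProcessName = '*',                               # wildcard accepted by Get-Process
    [string[]]$ModuleNames = @('wblind.dll', 'wblind64.dll')  # compared case-insensitively
)

$wanted = $ModuleNames | ForEach-Object { $_.ToLowerInvariant() }

Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        # Enumerating modules fails for protected processes or a 32/64-bit mismatch;
        # report that explicitly instead of silently treating the process as clean.
        $modules = $proc.Modules
    } catch {
        Write-Warning ("Cannot read modules of {0} (PID {1}): {2}" -f
            $proc.ProcessName, $proc.Id, $_.Exception.Message)
        return
    }

    foreach ($m in $modules) {
        if ($wanted -contains $m.ModuleName.ToLowerInvariant()) {
            # Check the file that is actually mapped, not just the name: an unsigned
            # copy under a look-alike name in another directory would stand out here.
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Module    = $m.ModuleName
                Path      = $m.FileName
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
} | Format-Table -AutoSize
```

Run it once with a skin active and once after "Unload WindowBlinds": processes flagged by CIS should appear in the first run with a `Valid` signature on a module under the WindowBlinds install directory, and disappear from the second. A module with the expected name but an `NotSigned` or `HashMismatch` status, or a path outside the install directory, is the case where the alert should not be dismissed as a false positive without further analysis.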

Hi T3STY,

This is to inform you that false-positive has been fixed.
You can update to AV database Version <17549> of Comodo Internet Security Version<6.3.302093.2976> and confirm it.

Best regards
Qiuhui.■■■■

I have just updated to the latest AV base available (17555) and I confirm it is now fixed.

Thank you very much!

I’m sorry but I have to change the sentence above: the issue is not fixed yet, the false positive alert does still appear.
After I restarted the PC it was just like nothing had changed. CIS still behaves as I described in previous posts. The only thing that seems to stop these alerts is disabling the real-time scan, but I cannot do this as it would leave me almost unprotected.

Let me know if I can make any tests and give any useful information to properly fix this.

Hello T3STY,

This issue should be fixed now, please check if everything is alright on your side.

Best regards,
FlorinG