Since December 25th, 2013, Comodo Internet Security has been showing infection alerts in random applications, about TrojWare.Win32.Magania.CLJ. The issue is caused by WindowBlinds. As soon as I turn off WindowBlinds the infection alerts go away. This issue is not new; I found two other threads about this in the Comodo forums. Here are the links:
https://forums.comodo.com/virusmalware-removal-assistance-b58.0/-t75932.0.html
https://forums.comodo.com/av-false-positivenegative-detection-reporting-b154.0/-t84056.0.html
Although the reported malware name is slightly different, the issue is the same. The threads above are old enough: one is from 2011 and the other from 2012. My issue instead is quite recent; I have been using WindowBlinds since October 24th, 2013, and until December 25th I never had any infection of the Win32.Magania malware. I’m pretty sure this is a CIS issue because WindowBlinds has remained at version 8.0.1 since October 10th, 2013, while CIS has been regularly updated on a daily basis.
To support the false positive claim, I have checked the PC's performance, memory usage, network traffic and other parameters, and it all seems to work normally - no sign of infection activity. Also, my WindowBlinds application is not cracked; I bought it legitimately and downloaded it from the official website, so you can totally exclude any possibility of cracked infected software (and, moreover, I have never used/installed a cracked version of WindowBlinds on my PC).
Next, here is some information on the programs.
Comodo Internet Security Premium 6.0
Antivirus and Firewall only have been installed
Program version: 6.3.302093.2976
Database version: 17533
WindowBlinds 8
Download: Stardock WindowBlinds: Skin and Theme your Windows Desktop
Program version: 8.0.1
Files used by WindowBlinds:
FILE (Last updated)
Wblind.dll (2013/10/08 19:32:ll) - most recent
Wblind64.dll (2013/10/08 19:32:43) - most recent
Wbsrv.dll (2013/06/18 15:44:40)
WB8Config.exe (2013/07/18 16:07:29)
Wbload.dll (2013/06/17 16:03:35)
Screen.exe (2013/06/06 15:52:23)
The false positive infections have been found in:
Minimalist GNU for Windows
http://sourceforge.net/projects/mingwbuilds/files/latest/download?source=files
Magic Partition Recovery 2.1
LinuxLive USB Creator 2.8.27
K-Lite Codec Pack 10.2
Winstep Nexus 12.2
http://www.winstep.net/products.asp
QtCreator 3.0.0
http://qt-project.org/downloads
…and more generally all executable files which get skinned by WindowBlinds; the above are only a few examples of trusted applications that I regularly use and that are reported as infected. Other examples include all the applications I compile with QtCreator; they get flagged as malware. As a programmer, having them flagged as infected makes me pretty angry (at every compile I get a new malware alert). If you want to try this one you may use any example application included with QtCreator, or even an empty console application.
Strangely, uTorrent, Notepad++, SumatraPDF, Paint.NET, SkinStudio (part of WindowBlinds) and probably other applications that I forgot, are not flagged as infected when launched. These applications are not in the WindowBlinds excluded files list, nor in the CIS exclusions list.
NOTE 1: The WindowBlinds files themselves are not reported as infected, not even the application EXEs (WB8Config.exe, Screen.exe).
NOTE 2: I will not attach these files to this post due to their very large size. Instead I’ll leave the download links. The file you download from the links will perfectly reproduce the issue (just tried a few right now). The infection is reported not only in the installer applications but also in executables installed by them.
NOTE 3 - IMPORTANT: Infections are ONLY detected when applications are RUN! Manually scanning an application without running it will not make CIS detect any infection. This is because WindowBlinds has to inject itself into the running executable.
My system runs Windows 7 Professional 64-bit, SP1 (the OS is original as well, no ■■■■■/activator/whatever used). I’m pretty sure the hardware specifications are not needed, so I’ll skip them. For any other information you might need just ask me. Also, let me know if I should report this issue to Stardock as well.