False positives check

  • I would like to see a feature that gives CAVS the possibility to check the quarantine folder after each update. In this way the quarantine folder gets scanned and compared with the updates and sig database to see if any legitimate files and programs have been quarantined.

  • Also I would like to see the ability to right-click found threats and send them to Comodo to let them examine the files and see if it is a false positive.

(V)

This is a goooooood idea. If your wish comes true, I wouldn’t have to restore my quarantine items, do a scan and see if it’s still a virus or not!

Yes, this is very helpful for dealing with FPs. ;D

Hope V4 will have this

+1 on both counts.

Me too.

The example pic below (made by a user) was posted in the usability forum

[attachment deleted by admin]

I sent in several FPs months ago, and they are still being detected as viruses. :frowning:

Oh well, you got my vote…

Maybe Comodo views them as suspicious? What are they classified as?

The first one:
Heur.Pck.tElock (.dll file)
https://www.virustotal.com/analisis/0a13e29b4c15854affde048bef5c0947ec7efc496b5e1c109114409015e4429d-1243574689

The second one is software to update the HOST file:
TroWare.Win32.TrojanDownloader.Small.ahhr@16465392
https://www.virustotal.com/analisis/0db06cfb83c1444ec7da50c5f1d3cc53e30625606b98089952b79ea586e34529-1243574445

I just add them to the exception list and forget about it. The first file is not detected by the VirusTotal v1211. I have the same definition and it’s detected (of course I have everything set to high though).

I would say the second one is a trojan, not a FP.

It’s a small file (13kbs). It simply connects to mvps.org and downloads/replaces the HOST file with the current version. I know a lot of the AV’s detect it as a Trojan, but I feel they are FP’s.

Comodo says it connects to TCP 209.68.48.119:80 (msvp’s site). No other connections to the outside world. It does indeed update the HOST file, and I have yet to see any additional processes execute when running it.

Can you PM a link to it so I can check it out?

+1 :-TU :-TU :-TU :-TU :-TU :-TU

Indeed a very useful option to have.

Also it should have “Automatic Rescan Quarantine” too, to determine whether some previously detected item in quarantine was a false positive.

Here is more research on the host file program:

http://camas.comodo.com/cgi-bin/submit?file=0db06cfb83c1444ec7da50c5f1d3cc53e30625606b98089952b79ea586e34529

http://anubis.iseclab.org/?action=result&task_id=193fb565382db7f44715fa7c4a6d121cb&format=html

http://www.filterbit.com/results.cgi?uid=rvkzp91idz593lya8c8i270li81v05kt

From what I can find it does what it says, so I would label it as a potentially unwanted program. The main problem is that it can be combined with other malware to really mess up your system.

Please don’t hijack this topic. Make sure to submit your FPs following “How to report False Positives/Suspicious Files & How to Submit them”; notice that using CIMA does not provide feedback and the mentioned topic does.

The FP guys are usually very prompt in their responses and they even have the “Post here your unfixed FP’s (only after 2 days)” topic.

+1 that will be beneficial. :a0