FAQ: Requests & Input

_cat · June 6, 2007, 8:49pm

I’m cleaning up the CBO/BOC FAQ and moving posts out of this area.
It will eventually be locked.
We will need to have a submissions process in place.
Any suggestions on items to include (sources appreciated) please IM me.
Thanks!

_cat · June 6, 2007, 9:53pm

So far I have this…

Comodo BOClean Knowledgebase

Download Link, Install/Uninstall Instructions, & User Guide

https://forums.comodo.com/index.php/topic,8442.0.html (temp link)

BOClean manual in het Nederlands

https://forums.comodo.com/nederlands_dutch/boclean_manual_in_het_nederlands-t8332.0.html;msg60428#msg60428

Download Link:
http://www.comodo.com/boclean/CBO_download.html

Installation Instructions:
https://forums.comodo.com/index.php/topic,7641.msg59096.html#msg59096

Kevin McAleavey:

For anyone replacing their earlier BOClean, some RULES which need to be followed as far as installing the new version, however since I have no idea of when the support center or the documentation pages are going to be there … this is all I can offer …

#1. If you already have a copy of any earlier BOClean on your machine, UNINSTALL it first! If you have BOClean running on the traybar, right click it, select “shut down BOClean” and that will make it go away. Should you forget to do this, the remover will complain and tell you to do so. There is no harm done if the old BOClean were to be left running, however you’ll have two BOCleans running and that will waste resources. The two will not interfere with one another, but you only require one. Smiley

#2. In order to properly install the COMODO BOClean 4.23 onto a Vista machine, you MUST right click on the downloaded setup programme and select “Run as administrator” to install it properly. For XP and earlier, being administrator/owner is sufficient. A reminder screen will appear when started to warn that it must be installed under the administrator/owner account but people don’t read what’s right in front of their face. It’s NECESSARY to ensure that the kernel driver is properly loaded that the installation be done by administrator and under VISTA, it must be done under “Run AS” …

#3. Once installed, BOClean will NOT reboot the machine - this is done in order to protect any “works in progress” on the user’s machine from accidental loss. However, the kernel driver once installed MUST start at bootup and without a bootup to kick it off, it will not be present until the machine has been rebooted “at your earliest convenience.” BOClean will also start automatically after a reboot, it is NOT started by the installer based upon the need for its kernel driver to be present. This is the reason for the reboot requirement rather than just starting BOClean straight away.

Uninstall:
Prior to uninstalling you must shut BOClean down in order to stop the service so it may uninstall correctly. You can do this using the “Shut down BOClean” button on the user interface located in your task tray (alt click on the icon).

User Guide:
http://www.comodo.com/boclean/supboc.html

Register for free licence

https://forums.comodo.com/index.php/topic,8247.0.html (temp link)

Q: Do I have to remove BOClean and reinstall to get the Free Licence or will it be sent to my email address instead?

A: It’s been advised that prior releases of BOC and CBO be uninstalled prior to installing new releases. (see "Uninstall"link?)
When installing Comodo BOClean (CBO), you are prompted to enter an email address which is where the license will be sent.

Which Version ?

https://forums.comodo.com/index.php/topic,9347.0.html

Q: How can I tell which version of BOClean I have?

A: If your systray icon looks like a little vacuum cleaner, you have BOClean version 4.22 or earlier.
If, however, the systray icon looks like a little computer screen with some kind of thingie on it, then it’s CBO 4.23 or later.
Right clicking on the BOClean icon in your task tray will bring the GUI up displaying the version or you may browse to the .exe in it’s install folder and view it’s properties/version there.
At this time the GUI of CBO does not display the version.

What the tray icon colours mean.

https://forums.comodo.com/index.php/topic,8151.0.html

Green=examining startups (goes fairly quickly)
Blue = examining processes, threads and dependencies
Black = quiescent (nothing going on)
Red = detection has occurred OR you’ve opened the menu and BOClean is on hold until you close it.

On starting the system, it will be blue for quite some time as BOClean actually starts green but that’s usually over by the time the traybar icon appears on bootup. Blue sits there for quite a while as BOClean examines every single process, thread and dependency at startup. Once all is done, it settle into black unless something is started or it does its every ten second “recalibration” … when this happens, you’ll see a fast green or blue flick - starts green, goes blue but it happens so quickly if nothing’s happened in the past ten seconds that you might see one color or the other or a combination of both (particularly on LCD screens) … if anything starts or changes, it doesn’t wait for that ten seconds so you’ll see that flick should ANYTHING move or start.

Where does BOClean “quarantine” files?

C:\Documents and Settings\All Users\Application Data\BOC425\evidence.boc

Suspected False Positives?

https://forums.comodo.com/comodo_boclean_antimalware/comodo_boclean_submission_address_april_2008-t22343.0.html;msg156013#msg156013 (temp link)

Q: Where do we send the files that are being alerted on that we suspect are FPs?

A: You can email them to: malwaresubmit [ at ] avlab.comodo.com .
You may want to specify in the subject line “False Positive?” for clarity’s sake.
As usual, zip and password protect with “infected” including that information in the body.

How To Zip & Password Protect a File For Submission

To zip and password a file do this:
Right click on the file in question and choose “Send To: Compressed Folder”.

Then double click on the newly created compressed folder to open it in Windows Explorer.
In the toolbar at the top left choose “File”, Add a Password".

You’ll now have a password prompt box to type in “infected”.

COMODO BOC thinks MIRC is a trojan?

Kevin McAleavey post:2:

Yep … that’s correct. MIRC is the most frequently used core for what we call “pseudo-rootkits” to control bot networks because it’s “legit” and therefore ignored by just about every anti-everything on the planet. Since you’re deliberately using it, open BOClean’s excluder and drag the icon for it to the excluder box (if you’re not using Vista, you can drag a shortcut) and once it appears in there, close the excluder, close BOClean and restart it so it will pick up the fact that you want MIRC ignored and BOClean will leave you alone. Should another copy show up somewhere that you don’t know about it, BOClean will let you know.

But that, and a few other “legit tools” were included because of their frequent use as the core of many exploits and malwares. Sorry, but absolutely necessary to do that …

BOC vs CBO? What’s Changed?

A:

Kevin McAleavey post:2:

I can tell ya … (grin)

COMODO BOClean 4.23 (note the extremely minor version number change) will be the SAME as BOClean 4.22 for now … the only major changes are some nice graphics on it that say COMODO of course, and the solution for VISTA compatibility that worked just fine in 4.22 until Vista was actually released. Microsoft made some changes in how kernel drivers are handled and even though ours wasn’t a HARDWARE driver in the traditional sense, they required not only “signed code” but also a special “CROSS-certificate” from Microsoft in addition to the “signed code.” While I was still with Privacy Software Corp, we requested this from them back in December of last year and never got it. Now that we’re in COMODO’s hands, the logjam was broken and the certificates JUST arrived this past week. THAT was the major part of the delay. Once the code has been signed, then we have to go back and retest all of the 4.23 release to ensure that everything works properly as there have been quite a few reports of strange things happening with signed kernel code. Since it’s always been our tradition to avoid tossing coded corpses out of speeding cars in the dead of night, need a few more days to beat up things in our own labs to ensure it will work as reliably as its predecessor yet be happy under Vista.

And no, not handing out “release candidates” at this point either … but the 4.23 release, aside from the above, will be the SAME as 4.22 was. Once that’s out the door, next step is to take the existing code which is written in Borland C and then port it to Microsoft C (Microsoft’s C isn’t completely ANSI compatible whereas Borland was) so that my teammates at COMODO can get under the hood along with me and start making some SERIOUS improvements to it which will hopefully lead us to either a 4.30 or better yet that fabled 5.0 release as soon as is practical. Over the past two years, I’ve started to do a number of amazing things that I never had the time to FINISH. I think those unfinished things excited Melih even more than BOClean or any of our other existing stuff. Hopefully now that I have analysts and no longer have to do the malware, this will all come together sooner rather than later. There’s a lot of work ahead to be done and it’s great to finally have the opportunity to DO some of it again!

What exactly is BOCore.exe?

https://forums.comodo.com/index.php/topic,8379.0.html (temp link)

Q: What is BOCore.exe?

A: Quoting Nancy McAleavey on the release of BOclean 4.21:

What's new in BOClean 4.21? Note the new BOCORE service, a kernel monitor designed to catch nasties before they can "root." And for those who managed to grab "root," BOClean 4.21 can see them when your antivirus, antispyware and firewall CANNOT as BOClean always has been able to. The latest nasties can live at "kernel level" and hide from "user level," but BOClean 4.21's BOCORE *lives* in the bunker of the kernel level, unlike any other antimalware can do. BOCORE is only the beginning. We've seen the newest of nasties that can even hide at ROOT level, and that's the reason for BOClean 4.21 and the rush to get it out. When rootkits can hide from the kernel, there's serious nastiness ahead and BOClean 4.21 is ready once again with its baseball bat to take them out.

Q: Does it have to be running all the time or can it be stopped without ruining Boclean’s effectiveness.

A: In order to be effective it must be running.

Where’s the scanner?

Q: Does Comodo BOClean have a Scanner that scans for malware?

A: CBO doesn’t have a scanner in the way you might be used to thinking of.
It scans your system for you at startup and then every 10 seconds it recalibrates (checking that nothing has changed) while at the same time running resident in memory as a shield waiting for malware to uncloak before it can be processed.
CBO’s standing guard in memory watching what code actually does, (not what it says it’s going to do or looks like it’s going to do) gives it a very good shot at catching what AV’s commonly call a “zero day” which are generally a simple repack of already known variants.
Any other scanning functions that may have been included were “hidden” and only for testers to avoid redundant submissions. It was never an all inclusive scanner that showed what BOC detected and shouldn’t be relied on in determining if a file is malware.

Can I use Comodo BOclean as my only dedicated antispyware application.

A: While some may run it in this mode it’s suggested that most use CBO as part of a layered defense along with their anti-virus.

Update Issues

There are several posts on update problems with helpful answers.
Please read these first.
If you need to post after going through these, please include OS and CBO client information.

Is IE in “Offline” mode?
https://forums.comodo.com/index.php/topic,8280.0.html

Did you try the Updater in the startup folder?
https://forums.comodo.com/index.php/topic,8294.0.html

Did you give “Modify” and “Write” rights to the Limited users?
https://forums.comodo.com/index.php/topic,8280.0.html

Did you install in admin mode?
Have you rebooted?

Administrator cannot update:
https://forums.comodo.com/comodo_boclean_antimalware/administrator_cannot_update_resolved-t9321.0.html;msg68630#msg68630

The issue was IE - not Outlook Express - see:

http://support.microsoft.com/kb/q180946/
and
http://support.microsoft.com/kb/q195730/

Both links describe the IE issue. Interesting to note that the first linked KB article was last reviewed yesterday. Even though they both refer to IE 4 and/or 5, evidently the issue continued in IE6.
Also worthwhile noting that the issue does not appear to be resolved by MS, the registry change may not stick and they admit to such in the KB article.
Resetting :
HKEY_USERS\SID\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline to 0 resolved the issue on all the boxes in question.

Here’s another solution to get Comodo BoClean to update.

https://forums.comodo.com/comodo_boclean_antimalware/boclean_wont_update-t8940.0.html;msg65625#msg65625

Shutdown BOClean from systray.
Go to C:\Program Files\Comodo\CBOClean
Right-click BOC423.exe then click Properties.
Click the “Compatibility” tab
Under Privilege level
Check the box “run this program as administrator”
Click OK then close the properties.

Launch BOClean, right-click then click check for updates.

BOClean Database Is Corrupted

Sometimes it is possible to get a bad download - usually the very last packet getting somehow dropped.
BOClean checks its database before starting it and it has to be good.

Whenever this situation arises, the solution is to go to the start menu, programs listing, look for the COMODO group, COMODO BOClean and in there, is an item marked “Updater.” If selected, the updater will go fetch another copy of the database.

Start BOClean again and it should work.

It’s also been reported that

they need to stop BOCore and BOC425 before this fix will work.

4.22 End of Support

https://forums.comodo.com/comodo_boclean_antimalware/98_problem-t9965.0.html;msg73092#msg73092