First-time CAV full scan FPs

First time using Comodo AV after switching from Symantec. A full scan was requested. The scan took 2 hours and reviewed around 920,000 files across 3 hard drives holding 412 GB of data, consisting of over 200 programs and around 30 games, using virus database 5232. Heuristics were set to Low. 8 files were flagged as infected, all of them false positives. The following files were falsely flagged by COMODO's AV upon scanning the system:

-a bunch of tmp.bat files in \appdata\local\temp which were left by a previous installer. They were flagged as Heur.Dual.Extension@-1 and contain very short instructions:
"ping -n 2 127.0.0.1
del C:\Users\Searinox\AppData\Local\Temp\UTT586~1.EXE"
The only difference between them was which temp exe they were deleting.

-the file w2k_lsa_auth.dll from C:\Program Files (x86)\Your Freedom\rt\bin, from an older version of Your Freedom (YF, a proxy client), located in System Restore. The current release's version of the DLL does not get flagged.

-the file HookLib.dll from the Worms game folder. HookLib is used by an addon called WormKit, which is developed by a person called CyberShadow, hired by Team17 to keep updating Worms Armageddon, and is posted on the official Team17 forums: http://forum.team17.com/showthread.php?t=37390
Name: UnclassifiedMalware@8423927

-AdBannerRemoverPlus, a messenger enhancer focused on ad removal (http://www.situsinformasiinternet.com/2009/09/adbannerremoverplus-v1040.html) that has no malware functionality.
CRC-32: 4d78fbfe
MD4: fdf6e15cc8f4bf4c0601d861ae7c1695
MD5: 275169ce4bb8110c39bb186c93bd7247
SHA-1: 5243c76344ec61b7c0724bfa944fa705d01ed60e
Name: UnclassifiedMalware@107861216

-IrfanView's plugins package, version 4.25. The latest version (4.27) does not get flagged.

-MakeSplash.exe, a splash animation creator for the Nintendo DS operating system called Moonshell, version 2.10. http://home.att.ne.jp/blue/moonlight/ The folder is 201002161705_moonshell210stable\misctools\MakeSplashAniForMS2

-a harmless jpg picture with the following specs:

CRC-32: fc57ae09
MD4: 3bb2fcf608d827ad1363c9ac131fcb07
MD5: 68fedfadedbf53d63a2092be87392dcf
SHA-1: 933de811e32b9e32a05e111a9ccf4da55d9850c7

Name: UnclassifiedMalware@16213474

-a harmless flash animation with the following specs:

CRC-32: b0d4e494
MD4: 0e93ef93c628d161c37aede5b195ee11
MD5: fe9b53202a9e1be336dc5796b9d73ff7
SHA-1: 9dcc6047edaef2f85267cdde4a681069b31343e1

I have a dozen FPs with CAV.
Maybe two of them had names with it, but the rest are labeled Heur. or Unknown Malware.
I consider everything with Heur or Unknown as an FP.
The heuristics setting is the default (Low); I can't imagine what it would be on High 88)

Hi Searinox,

Thanks for reporting.

Could you please submit the above detected files at Comodo Antivirus Database | Submit Files for Malware Analysis in order to verify them.

Regards,
Haja

Submitted all the files.

If you report them here:

they’ll be fixed quickly.

I added those files to exclusions and I’ll submit them ASAP.
Thanks for the link :-TU

So far they fixed everything in one go except the flash and the tmp.bat. I don't know what to do about the bat to get it across to them more clearly. As for the flash, if it doesn't get fixed, could you please have the checksums reported in person or re-reviewed? I hope that they're not avoiding it due to its, well, nature, and I don't feel comfortable bugging the AV team with it. Still, it's an FP and, like all FPs, must be indiscriminately fixed.

Hi Searinox,
Thanks for reporting.

Could you please submit the above detected files at Comodo Antivirus Database | Submit Files for Malware Analysis in order to verify them.

I have already submitted the files.

I received automated responses in my email today that FPs were confirmed on everything EXCEPT the flash and the bat files. This does not surprise me, as I have had similar experiences; I remember sending malware for analysis to Symantec before and their system STILL not confirming that it was.

The bat file is the most obvious of all. You can clearly tell something is wrong when you open a text document, type the following into it,

ping -n 2 127.0.0.1
del C:\Users\Searinox\AppData\Local\Temp\UTT586~1.EXE

save it and then give it the tmp.bat extension, and Comodo immediately pops up.

The flash file contains no links to the original artist and is just an animation that interacts with the user by letting them choose what to do. In other words, it is just images and vector graphics instructions, and doesn't do anything else.

For further info, I checked with VT. As a heads up, I did update my virus definitions just now.

BAT FILE
http://www.virustotal.com/analisis/c2e72e2e0b878f202f256b636078198fac515140963e51a4fb0960ad2ea37f36-1277712988
Reported that Comodo detects NOTHING. This is probably because either the file is not flagged unless it uses the .tmp.bat extension, which might not be preserved by VT, or the path is valid, since C:\Users\Searinox IS a valid path for me. The question then is, why is it not an FP on VT's Comodo, but is on my machine?

FLASH FILE
http://www.virustotal.com/analisis/e1884611e5b31133124a159ef9a3715317defc8990d682787c81a0423528fc1c-1277662318
The flash file confuses me, as a handful of AVs pick it up as a frame trojan. I guess I'll probably not get advanced details from the team; maybe it is indeed exploiting an old vulnerability, or part of its code appears like it is? I'm waiting for an answer from your team about what you think, since the file is indeed flagged, yet appears to do nothing harmful.

UPDATE: I just got a second email on the tmp.bat, this time telling me they fixed it. However, I found the way they gave me the SHA suspicious and wondered, are they just fixing an FP for THAT file? So I went ahead and made a tmp.bat with the same content

ping -n 2 127.0.0.1
del C:\Users\Searinox\AppData\Local\Temp\UTT586~1.EXE

Saved it and, as expected, it didn't get detected, BUT the moment I changed ONE digit in that file's name and turned "UTT586~1.EXE" into "UTT586~2.EXE" it got detected AGAIN. I do want to point out the top of my first post: "a bunch of tmp.bat files"; there are others that delete different .exes from the temp folder, and THOSE still get detected.

Have a talk with the team to fix the behavior at its core, not just add a checksum whitelist for ONE occurrence. Thank you.

Hi Searinox,

This file is not a false positive, and the detection name of this file will be updated. Please check our naming convention here: https://forums.comodo.com/av-false-positivenegative-detection-reporting/cis-malware-naming-rules-for-potentially-dangerous-applicationsriskware-t38506.0.html;msg277700#msg277700.

UPDATE: I just got a second email on the tmp.bat, this time telling me they fixed it. However, I found the way they gave me the SHA suspicious and wondered, are they just fixing an FP for THAT file? So I went ahead and made a tmp.bat with the same content

ping -n 2 127.0.0.1
del C:\Users\Searinox\AppData\Local\Temp\UTT586~1.EXE

Saved it and, as expected, it didn't get detected, BUT the moment I changed ONE digit in that file's name and turned "UTT586~1.EXE" into "UTT586~2.EXE" it got detected AGAIN. I do want to point out the top of my first post: "a bunch of tmp.bat files"; there are others that delete different .exes from the temp folder, and THOSE still get detected.

Dual extensions are usually used by malware to disguise itself as genuine files. There is a generic detection where, if a file has more than one extension, it will be given the verdict Heur.Dual.Extensions. There can be very few odd cases where genuine files also have double extensions. In such situations, if the user knows they are false positives, he can add them to the exclusion list.

Thanks and Regards,
Haja
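The two posts above describe the same mechanism from both sides: a generic "more than one extension" rule, and a per-file hash whitelist that stops working the moment one byte of the file changes. The following is an added example written for this thread, not Comodo's code or any part of CIS, that reproduces Searinox's experiment with a toy scanner. It assumes CRLF line endings for the batch files and constructed names for them (the thread only says "tmp.bat files in ...\Temp"); the executable and decoy extension sets are small hand-picked subsets, not a vendor list.

```python
import hashlib
import ntpath

# Constructed subsets, not Comodo's lists: extensions Windows runs when
# double-clicked, and "decoy" extensions a user expects to open as data.
EXECUTABLE_EXTS = {"exe", "bat", "cmd", "com", "scr", "pif", "vbs", "js"}
DECOY_EXTS = {"pdf", "doc", "docx", "jpg", "jpeg", "png", "gif", "txt", "mp3", "avi"}

# The two batch files from the thread (CRLF line endings assumed): the one
# whose hash was whitelisted and the "one digit changed" variant flagged again.
BAT_FIXED = (b"ping -n 2 127.0.0.1\r\n"
             b"del C:\\Users\\Searinox\\AppData\\Local\\Temp\\UTT586~1.EXE\r\n")
BAT_VARIANT = BAT_FIXED.replace(b"UTT586~1.EXE", b"UTT586~2.EXE")
# File names are constructed for the example; the thread does not give them.
NAME_FIXED = r"C:\Users\Searinox\AppData\Local\Temp\nsa1.tmp.bat"
NAME_VARIANT = r"C:\Users\Searinox\AppData\Local\Temp\nsa2.tmp.bat"


def extensions(path):
    """All dot-separated extensions of the file name, lowercased:
    'x.tmp.bat' -> ['tmp', 'bat'], 'x.bat' -> ['bat'], 'x' -> []."""
    parts = ntpath.basename(path).lower().split(".")
    return [p for p in parts[1:] if p]


def naive_dual_extension(path):
    """Generic rule as Haja describes it: more than one extension => flagged.
    Catches 'invoice.pdf.exe' but also every installer-left 'foo.tmp.bat'."""
    return len(extensions(path)) > 1


def disguise_dual_extension(path):
    """Narrower rule: flag only an executable extension that hides behind a
    decoy document/media extension. 'foo.tmp.bat' has no decoy part, so it
    passes; 'photo.jpg.scr' does not."""
    exts = extensions(path)
    if len(exts) < 2 or exts[-1] not in EXECUTABLE_EXTS:
        return False
    return any(e in DECOY_EXTS for e in exts[:-1])


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class Scanner:
    """Toy scanner: a per-file hash exclusion list checked before a name rule."""

    def __init__(self, rule, hash_exclusions=()):
        self.rule = rule
        self.hash_exclusions = set(hash_exclusions)

    def verdict(self, path, content):
        if sha256_hex(content) in self.hash_exclusions:
            return "excluded"
        return "Heur.Dual.Extension" if self.rule(path) else "clean"


def demo():
    """Reproduce the thread's experiment under both approaches."""
    # 1. Vendor whitelists the hash of the one submitted file (what happened).
    by_hash = Scanner(naive_dual_extension, hash_exclusions=[sha256_hex(BAT_FIXED)])
    # 2. The rule itself is narrowed to the disguise pattern (what was asked for).
    by_rule = Scanner(disguise_dual_extension)
    return {
        "hash_exclusion": (by_hash.verdict(NAME_FIXED, BAT_FIXED),
                           by_hash.verdict(NAME_VARIANT, BAT_VARIANT)),
        "narrow_rule": (by_rule.verdict(NAME_FIXED, BAT_FIXED),
                        by_rule.verdict(NAME_VARIANT, BAT_VARIANT)),
        "disguise_still_caught": by_rule.verdict(
            r"C:\Users\x\Downloads\invoice.pdf.exe", b""),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Under the hash exclusion the first file comes back "excluded" and the variant is flagged again, which is exactly the single-digit experiment in the thread; under the narrower rule both tmp.bat files pass while invoice.pdf.exe is still caught. The trade-off is that a genuinely malicious foo.tmp.bat dropped in Temp no longer trips the name rule either, so in a real engine this rule would sit next to content scanning rather than replace it.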

So there was indeed some form of weird code somewhere in the flash. Okay.

As for the temp… tmp.anything is a fairly widespread extension in the temp folder; I've seen many installers create such files. Handling them so rashly can create issues by hampering installation procedures and leading to incomplete installs that then become difficult to fix or remove. Please have more clauses added to prevent such incidents in the future. In the meantime, since this file was detected by heuristics, I am turning them off.