[FP]Heur.Dual.Extensions

Comodo Internet Security :: 3.10.102363.531
Virus Signature Database Version :: 1703
Heuristics :: High
No password
autoparch was detected as Heur.Dual.Extensions


Hi ComputerHelpCatalin ,

The reported FP will be fixed in next updates.

-Chandra Mohan

Hi ComputerHelpCatalin,

The reported FP has been fixed in DB 1712

-Chandra Mohan

After yesterday’s fiasco with daisy, I’m starting to lose confidence in Comodo. This morning, my overnight scan reported 4 hits on Heur.Dual.Extensions - is this really a problem, or is it another case of false reporting?

I’ve quarantined the items but how do I go about checking them out? When I submit them for analysis the results say already submitted. How do I find out what the results are?

The 4 hits are…
gtb6BDC.tmp.exe (part of Google toolbar)
mom.Test.CMD.exe (this is reported twice as it is in 2 different places, in C:\Windows\Assembly.…
and in C:\Program Files\ATI Technologies.… )
_SCHCT_Sprint.exe.exe (in C:\Windows\Installer.…)

Hi robsta ,

Please submit the detected files to our analysis.

-Chandra Mohan

Hi robsta,

Dual extensions are usually used by malware to disguise itself as genuine files. There is a generic detection: if a file has more than one extension, it is given the verdict Heur.Dual.Extensions.
There can be a very few odd cases where genuine files also have double extensions.
In such situations, if the user knows they are false positives, he can add them to the exclusion list and also inform us by submitting the files via:

CIS does not have an inbuilt interface for submitting false positives, so we request that you use the above-mentioned web interface to submit false positives to us; additionally, you can also report those files here.

Thanks
-umesh
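The generic rule umesh describes above ("more than one extension means Heur.Dual.Extensions") is easy to state but, as the thread shows, also easy to trip on legitimate installer and assembly names. The following is an added example, not Comodo's detection code (whose internals are not shown on this page): it implements that literal rule, runs it over the four filenames robsta reported plus some constructed controls, and places a narrower rule beside it so the false-positive trade-off is visible. The extension lists, the allow-list of conventional double suffixes, and the "decoy type followed by executable type" narrowing are all assumptions of this example.

```python
"""Added example: a generic "dual extension" filename heuristic of the kind
described in the reply, beside a narrower variant. Not Comodo's code; the
extension sets below are assumptions made for illustration."""
import re
from typing import List, NamedTuple, Tuple

# Assumed lists (not Comodo's). Extensions that execute when double-clicked on Windows:
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "msi", "dll"}
# Document/media types a user would trust as "just a file":
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "jpg", "jpeg", "png", "gif", "txt", "mp3", "zip"}
# Conventional, benign multi-part suffixes (assumed allow-list):
BENIGN_PAIRS = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz"), ("min", "js"), ("min", "css")}

# An "extension-like" part: short and alphanumeric. The generic rule in the
# reply is not more specific than this, so neither is the example.
_EXT_RE = re.compile(r"^[A-Za-z0-9]{1,5}$")


class Verdict(NamedTuple):
    name: str
    extensions: Tuple[str, ...]
    generic_hit: bool    # literal rule from the reply: more than one extension
    narrowed_hit: bool   # decoy type immediately followed by an executable type


def split_extensions(name: str) -> Tuple[str, ...]:
    """Trailing dot-separated parts of *name* that look like extensions, left to right.

    Walks from the right and stops at the first part that does not look like
    an extension, so 'My.Documents.exe' yields ('exe',) while
    'mom.Test.CMD.exe' yields ('test', 'cmd', 'exe').
    """
    parts = name.split(".")
    found: List[str] = []
    for part in reversed(parts[1:]):   # parts[0] is always the stem
        if not _EXT_RE.match(part):
            break
        found.append(part.lower())
    return tuple(reversed(found))


def generic_dual_extension(name: str) -> bool:
    """The rule as described in the thread: flag any name with more than one extension."""
    return len(split_extensions(name)) >= 2


def narrowed_dual_extension(name: str) -> bool:
    """Narrower rule: flag only a decoy type immediately followed by an executable type.

    Keeps 'invoice.pdf.exe' but passes 'gtb6BDC.tmp.exe', '_SCHCT_Sprint.exe.exe'
    and 'archive.tar.gz'. Whether that trade-off is acceptable depends on the
    deployment, which is why a generic rule is normally paired with an exclusion list.
    """
    exts = split_extensions(name)
    if len(exts) < 2 or exts[-2:] in BENIGN_PAIRS:
        return False
    inner, outer = exts[-2], exts[-1]
    return outer in EXECUTABLE_EXTS and inner in DECOY_EXTS


def scan(names) -> List[Verdict]:
    """Run both rules over a list of filenames and return one Verdict per name."""
    return [Verdict(n, split_extensions(n), generic_dual_extension(n), narrowed_dual_extension(n))
            for n in names]


# The three distinct names reported in this thread plus constructed controls.
SAMPLE_NAMES = [
    "gtb6BDC.tmp.exe",        # reported in the thread (Google toolbar)
    "mom.Test.CMD.exe",       # reported in the thread (found in two places)
    "_SCHCT_Sprint.exe.exe",  # reported in the thread (Windows Installer)
    "invoice.pdf.exe",        # constructed: classic decoy pattern
    "archive.tar.gz",         # constructed: conventional double extension
    "My.Documents.exe",       # constructed: dot in the stem, single extension
    "report.docx",            # constructed: single extension
]

if __name__ == "__main__":
    for v in scan(SAMPLE_NAMES):
        print(f"{v.name:24} exts={'.'.join(v.extensions):14} generic={v.generic_hit!s:5} narrowed={v.narrowed_hit}")
```

Run as a script it prints one line per name. Every one of the reported names is a hit under the literal rule, because each really does carry two extension-like parts; only the constructed `invoice.pdf.exe` is a hit under the narrowed rule. That gap is the false-positive surface the reply is describing, and it is also why a verdict like this should be treated as a prompt to check the file's origin and signature rather than as proof of malice.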

Thanks Umesh,

However, when I submit the files for analysis from quarantine I get a result of "already submitted". When I tried to open the Quarantine folder (to email the file) I was denied access. I was also denied access when I tried to use the URL you provided in your reply.

Please advise.
Thanks.

Hi robsta,

However, when I submit the files for analysis from quarantine I get a result of "already submitted".

Yes, in case we already have the file, you may get this message.

When I tried to open the Quarantine folder (to email the file) I was denied access.

Yes, this folder is protected by CIS.

I was also denied access when I tried to use the url you provided in your reply.

Not sure what you mean here. Can you please give more details?

In order to get the file to us, you can take the following steps:

  1. Disable real-time scanning.
  2. Restore the file from Quarantined Items.
  3. Upload it via http://internetsecurity.comodo.com/submit.php

Thanks
-umesh

Thanks Umesh,

I restored the files as you suggested but could only submit 2 of them because I couldn’t find the c:\windows\installer directory or the c:\windows\assembly\GAC_MSIL directories. I guess they must be hidden.

Not being able to look at the directories made it difficult to quarantine the files again. It would be a good idea (I think) if it were possible to quarantine an item from the ‘View Anti-Virus Events’ panel. This way one could quickly put an item back into quarantine.

On reflection, it would be useful (I think) to be able to run the virus scan against those files which have been quarantined. This way one could periodically check quarantined items and restore items which had previously been detected as false positives.

I also think that it would be useful to show the Virus Signature Database Version on all reports. If one runs a scan overnight, and the database is updated, one doesn’t necessarily know in the morning which version the items were reported under. When corrections are made to rectify false positives and a note to this effect is posted on the forum, one would then know whether or not one is dealing with false positives that have been corrected, and files could be restored accordingly.

Thanks.

Hi robsta,

It’s a good suggestion. We will see if we can have it included in next major CIS release.

Thanks
-umesh