FP - uTorrent 3.3.2.30303 Temp Files

I updated to uTorrent 3.3.2.30303 today. I’m getting an AV flag on a temp file while uTorrent launches. The flag is Heur.Packed.Unknown[at]4294967295. I have my Heuristics set on High. I can’t capture the .temp file, Windows won’t let me copy it. When “Cleaned”, it doesn’t show up in the CIS Quarantine folder. This has happened before:

https://forums.comodo.com/av-false-positivenegative-detection-reporting/fp-utorrent-33130017-temp-files-t97784.0.html;msg705251#msg705251

https://forums.comodo.com/av-false-positivenegative-detection-reporting/fp-utorrent-temp-files-t96780.0.html

I’ve attached my logs.

[attachment deleted by admin]

Hello L.A.R. Grizzly,

I have tried updating from uTorrent 3.3.2 Build 30260 to uTorrent 3.3.2 Build 30303 multiple times and did not get any file detected. In order to fix your False Positive we need the detected file.

Best regards,
FlorinG

I managed to trap them. It’s hard because Windows usually denies access. I’ve attached the files. Please note that the file names change every time uTorrent is launched. The files are created in the default Users Temp folder.

[attachment deleted by admin]
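The capture step described above, as an added example that is not part of the thread (a PowerShell watcher, not Comodo's or uTorrent's own code): it copies utt*.tmp files out of the user's Temp folder as they appear, retrying while uTorrent still holds them open, and records their SHA1 hashes so a sample can be attached to a false-positive report. The destination folder and the log file name are assumptions.

```powershell
# Added example: trap transient utt*.tmp / utt*.tmp.new files from $env:TEMP
# and hash them. Start this first, then launch uTorrent; stop with Ctrl+C.
$hold = Join-Path $env:USERPROFILE 'utt-capture'   # assumed holding folder
New-Item -ItemType Directory -Path $hold -Force | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $env:TEMP
$watcher.Filter = 'utt*.tmp*'          # matches both uttXXXX.tmp and uttXXXX.tmp.new
$watcher.EnableRaisingEvents = $true

$action = {
    $src = $Event.SourceEventArgs.FullPath
    $dst = Join-Path $Event.MessageData (Split-Path $src -Leaf)
    $log = Join-Path $Event.MessageData 'captured.tsv'   # assumed log name
    # uTorrent usually has the file open for writing, so the copy is denied
    # at first; retry briefly and only keep a copy that is non-empty.
    for ($i = 0; $i -lt 30; $i++) {
        try {
            Copy-Item -LiteralPath $src -Destination $dst -ErrorAction Stop
            if ((Get-Item -LiteralPath $dst).Length -eq 0) { throw 'empty' }
            $hash = (Get-FileHash -LiteralPath $dst -Algorithm SHA1).Hash
            "$(Get-Date -Format o)`t$(Split-Path $src -Leaf)`t$hash" |
                Add-Content -LiteralPath $log
            break
        } catch {
            Start-Sleep -Milliseconds 100
        }
    }
}

$sub = Register-ObjectEvent -InputObject $watcher -EventName Created `
                            -Action $action -MessageData $hold
Write-Host "Watching $env:TEMP for utt*.tmp files; copies and SHA1s go to $hold"
try   { while ($true) { Start-Sleep -Seconds 1 } }
finally { Unregister-Event -SourceIdentifier $sub.Name; $watcher.Dispose() }
```

A copy taken mid-write may differ from the final file, so compare the logged SHA1 with the hash of the quarantined copy before reporting it.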

Hello L.A.R. Grizzly,

I have tried updating from uTorrent 3.3.2 Build 30303 (SHA1: 647dbadbd515855a774af3f26761e258eff99074) and did not get any file detected. In order to fix your False Positive we need the detected file. (Files can be copied from the Temp folder to another folder.)

Best regards,
Qiuhui.■■■■

Did you test with the High Heuristics setting? The OP has mentioned detection with High Heur.

yeap, with High Heur. :slight_smile:

I attached the files in my last post above.

About file
SHA1: <5d2837c32c04f2dfc6671559eeddeea7a3786070> <uttD71C.tmp>
SHA1: <5b44683181d17dd0700c546593c3d5490b18ccf5> <uttD71C.tmp.new>

is not detected by Comodo Internet Security version <6.3.302093.2976> with database version <17352>.

The av alert and av event are my log files.

I just opened uTorrent again and got flagged. Two flags come up:

[attachment deleted by admin]

The files get flagged with Heuristics on High or Medium. Setting on Low gives no flags.

I scanned the file I sent you and it is immediately detected!

[attachment deleted by admin]

Hi L.A.R. Grizzly,

Okay, I know which file it is.
We’ll check it and get back to you soon.

Best regards
Qiuhui.■■■■

I also tested false.zip uploaded by you. And there were 4 files in the extracted folder as mentioned by Dev & no detection here with low, medium or high heur.

But when the zip is extracted it mentions file broken. I am extracting with 7zip latest stable.

CIS latest version.

Database 17352

Is your version latest & database same as above? If same then I am really confused with this CIS behavior as previously too we have seen something was detected on someone’s system & the same thing was not detected on others, why & what’s the reason for this strange detection?

Extract the files, right click on uttDC71C.tmp.new and select Scan with Comodo Antivirus. This action gives an immediate flag (as shown in the screenshot above). I’m currently using DB 17352.

Edit – I’ve attached the file directly from my CIS Quarantine folder. It’s still detected in the current state.

[attachment deleted by admin]

false2.zip

How do I change heur to high for a right-click scan?

I didn’t run the file. I set realtime heur to high & highlighted the file but it was not detected.

I created a profile & set heur high & scanned the file & it is detected.

Advanced Settings->Security Settings->Antivirus->Realtime Scan

Advanced Settings->Security Settings->Antivirus->Scans

I don’t think highlighting the file is enough. You would have to try to run the file or do a right click scan. You could even scan the folder that the file is in.

But you accomplished it another way. See, I’m not crazy. The file is detected! :wink:

I had set realtime heur setting to high heur & scanned the file with right-click scan but it was not detected.

That’s bizarre. I suppose that’s why the devs are having trouble with it.

Hi L.A.R. Grizzly,

This is to inform you that the false positive has been fixed.
You can update to AV database Version <17354> of Comodo Internet Security Version <6.3.302093.2976> and confirm it.

Best regards,
Srinivasan.G

Confirmed fixed! DB: 17356

Thanks, Srinivasan.G, FlorinG, and Qiuhui.■■■■ for looking into this for us!

Thank you L.A.R. Grizzly for managing to capture the detected files.