Help: Backdoor.Win32 in cfp.exe

Comodo CIS is showing 1 threat detected:

Backdoor.Win32.Wuca.A@28594141 in C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

I switched the laptop on and left it. When I came back, the popup must have timed out, as there was no popup on screen.

Log shows Detect Success 10:32:42 AM then next entry is Ask Success 10:32:48 AM

There is nothing in quarantine. cfp.exe is still in C:\Program Files\COMODO\COMODO Internet Security\ and when I scan it manually nothing shows up.

What do I do?

Hey and warm welcome to comodo forums!

With what did you ask it with? I ask because cfp.exe is not malware. Could you give us a screenshot?

Regards,
Valentin N

Here is a screenshot of the log. Hope this helps.

[attachment deleted by admin]

Wow, I'm surprised. Send it as a false positive (Ignore → Report as FP).

cfp.exe is the GUI for CIS.

Regards,
Valentin N

Ok will do.

I have just completed full scan and nothing found.

I must admit my confidence in CIS (or at least the AV part of it) goes down when I get results like this. I used to use Comodo Firewall along with Avast Free without any problems, but I recently reinstalled Windows on my laptop and decided to give CIS a try. Despite this today, I will continue to use CIS as long as I don’t get any more false positives like this :-\

FPs will pop up, but that’s better than having an infection, at least if you ask me.

It is not possible to get this kind of an FP. First of all, CIS excludes its own files. If this is modified, CIS verifies the signatures of detected files.

This is just not possible.

1 - Can you please attach a zipped version of cfp.exe here so that I can have a look?
2 - Have you modified the exclusions settings in CIS? If not, can you please tell me what entries you have in Antivirus->Scanner Settings->Exclusions?

Can you please verify the log “Tasks Launched” and find the AV DB version that was loaded during the time of detection? And then report the DB version here?

Hi again and thanks for your help.

Here is the requested info:

  1. Zip file containing cfp.exe
  2. Screenshot of Exclusions
  3. Screenshot of Tasks Launched (Virus DB 7701 appears to have been in use at the time)

Hope this will help find the cause of this issue.

Regards

[attachment deleted by admin]

[attachment deleted by admin]

The signature is OK and the SHA1 matches my version of cfp.exe so this must have been a FP.
Your cfp.exe is not patched.

Detection was done on DB 7701. As there is no . in the detection name, it’s not a cloud issue.

If it’s a false positive why has no one else had this issue?

The detection must be a bug as you still have the CIS path on your exclusions…

Not sure why there aren’t more reports though; maybe it just appeared on your system because of some special software or setup.

Do you run any other security software, no matter whether on-demand or real-time?

The only other security software is SuperAntiSpyware and Malwarebytes Antimalware. Both are the free on-demand versions (installed for safety in case CIS couldn’t clean something properly, so they shouldn’t interfere with CIS).