Heuristic reports false positives

BigMike · February 14, 2009, 9:47am

Hi I updated yesterday to version 3.8 and first thing I had to do was to disable the heuristic in real time scanner
I did a full scan with enabled heuristic and this are the reported programs, which are hopefully not dangerous:

AIMP ( AIMP )


Heur.Packed.Unknown ...\AIMP\AIMP2t.exe
Heur.Packed.Unknown ...\AIMP\bass.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bassmidi.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\aimp_library.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bass_alac.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bass_flac.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bass_ofr.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bass_tta.dll
Heur.Packed.Unknown ...\AIMP\System\aimp_shell.dll
Heur.Packed.Unknown ...\AIMP\System\bass_enc.dll

SUPER ( SUPER © Video Converter | Video Encoder | Free 3D Video Converter | Free 3D Video Encoder )



Heur.Suspicious.Attribs ...\SUPER Konverter\cygwin1.dll
Heur.Suspicious.Attribs ...\SUPER Konverter\cygz.dll
Heur.Pck.tElock ...\SUPER Konverter\ff2ogg.exe
Heur.Pck.tElock ...\SUPER Konverter\mencoder\mencoder.exe
Heur.Pck.tElock ...\SUPER Konverter\mencoder\mplayer.exe
Heur.Suspicious.Attribs ...\SUPER Konverter\Setup.exe
Heur.Suspicious.Attribs ...\SUPER Konverter\spk\Movawin.spk
Heur.Suspicious.Attribs ...\SUPER Konverter\spk\Rm7dmod.spk
Heur.Suspicious.Attribs ...\SUPER Konverter\spk\Smabwin.spk
Heur.Suspicious.Attribs ...\SUPER Konverter\spk\Rm8dmod.spk
Heur.Pck.tElock ...\SUPER Konverter\SUPER.exe
Heur.Pck.UPX-Scrambler ...\SUPER Konverter\x264.exe
Heur.Suspicious.Attribs ...\SUPER Konverter\_Setup.dll
Heur.Suspicious.Attribs C:\WIN\meta4.exe
Heur.Packed.Unknown C:\WIN\MOTA113.exe
Heur.Suspicious.Attribs C:\WIN\system32\aac_parser.ax
Heur.Suspicious.Attribs C:\WIN\system32\ac3DX.ax
Heur.Suspicious.Attribs C:\WIN\system32\AVCDX.ax
Heur.Suspicious.Attribs C:\WIN\system32\AVSredirect.dll
Heur.Suspicious.Attribs C:\WIN\system32\CoreAAC.ax
Heur.Suspicious.Attribs C:\WIN\system32\cygwin1.dll
Heur.Suspicious.Attribs C:\WIN\system32\cygz.dll
Heur.Suspicious.Attribs C:\WIN\system32\DiracSplitter.ax
Heur.Suspicious.Attribs C:\WIN\system32\flvDX.dll
Heur.Suspicious.Attribs C:\WIN\system32\i420vfw.dll
Heur.Suspicious.Attribs C:\WIN\system32\MatroskaDX.ax
Heur.Suspicious.Attribs C:\WIN\system32\msfDX.dll
Heur.Suspicious.Attribs C:\WIN\system32\RealMediaDX.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLAPEDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLMPCDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLOgg.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLSpeexDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLTheoraDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLVorbisDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\Smab0.dll
Unclassified Malware@4800749 C:\WIN\system32\VistaUltm.dll
Heur.Suspicious.Attribs C:\WIN\system32\x.264.exe
Heur.Suspicious.Attribs C:\WIN\system32\yv12vfw.dll
Heur.Pck.UPX-Scrambler C:\WIN\x2.64.exe

TuneUp 2009 ( AVG TuneUp | Clean & Speed Up Your PC | Free Download )


Heur.Packed.Unknown ...\TuneUp Utilities\AppInitialization.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\cmCommon.bpl
Heur.Pck.MEW ...\TuneUp Utilities\cmDisplay.bpl
Heur.Pck.MEW ...\TuneUp Utilities\cmNetwork.bpl
Heur.Pck.MEW ...\TuneUp Utilities\cmSystem.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\cmWizards.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\CommonForms.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\ehs_d6.bpl
Heur.Pck.MEW ...\TuneUp Utilities\GR32_D6.bpl
Heur.Pck.MEW ...\TuneUp Utilities\MainControls.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\Internet.bpl
Heur.Pck.MEW ...\TuneUp Utilities\MSI_D6.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\SmallUnits.bpl
Heur.Pck.MEW ...\TuneUp Utilities\SysInfo.bpl
Heur.Pck.MEW ...\TuneUp Utilities\Traces.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TuApplications.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUDiskCleanerClass.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUIcoEngineerDirTree.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUInstallHelper.exe
Heur.Packed.Unknown ...\TuneUp Utilities\TUOperaClass.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUShell.bpl
Heur.Pck.MEW ...\TuneUp Utilities\TUTMSComponents.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUShredder.bpl
Heur.Pck.MEW ...\TuneUp Utilities\VirtualTreesR.bpl
Heur.Pck.MEW ...\TuneUp Utilities\VisControls.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUOperaClass.bpl
Heur.Pck.MEW ...\TuneUp Utilities\TUTMSComponents.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUShredder.bpl
Heur.Pck.MEW ...\TuneUp Utilities\Traces.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\ehs_d6.bpl
Heur.Pck.MEW ...\TuneUp Utilities\MSI_D6.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUDiskCleanerClass.bpl
Heur.Pck.MEW ...\TuneUp Utilities\SysInfo.bpl
Heur.Pck.MEW ...\TuneUp Utilities\VirtualTreesR.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUShell.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUIcoEngineerDirTree.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\CommonForms.bpl
Heur.Pck.MEW ...\TuneUp Utilities\VisControls.bpl
Heur.Pck.MEW ...\TuneUp Utilities\MainControls.bpl
Heur.Pck.MEW ...\TuneUp Utilities\GR32_D6.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\SmallUnits.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\AppInitialization.bpl

DivX Author ( http://www.divx.com/en/products/software/windows/author )


Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\AudioPCM.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\EffcvBlend.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\EffcvLayerImageEffect.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\EffcvSlideShow.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\EffcvVideoFilter.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\ImageBitmap.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\ImagePSD.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\MovieDVD.vme

Finally I got a warning about:


Heur.Suspicious.Attribs C:\Documents and Settings\All Users\DRM\IndivBox.key

damilner · February 19, 2009, 7:54pm

I also just updated to 3.8 and started seeing false positives before shutting down the heuristic scan.

Tivo\Desktop\Vcl60.bpl Heur.Pck.MEW

windows=system32\drivers\SSHDRV76.sys Heur.Pck.PKLITE32

WD-retired · February 20, 2009, 12:12am

Me too…getting

Heur.Pck.MEW

all over the place.

Breen · February 20, 2009, 12:31am

Guys if You are certain that these detections are false (check on virustotal.com), please send samples to COMODO reaserch https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/reporting_false_positivessuspicious_files_submitting_them_to_the_lab-t27062.0.html;msg197464#msg197464

I think it’s better to send samples of FP to COMODO than only posting it on forum.

SA_Jack · February 20, 2009, 2:24am

Hi:
I Downloaded CIS 3.8.64739.471 this afternoon and it appears that a number of heuristic problems with respect to false positives and working with the “Exclusions” list have been resolved. Initially I had a a few false positives, and there was a direct correlation between the heuristic level (Low, Medium, High) and the number of virus hits I saw. However, on the current release, the anti virus module now properly handles “Exclusions” (Context Menu Scan, Manual, & Scheduled). I had initially placed my false positives as exclusions, however, with the prior version not properly dealing with exclusions (except in Context Menu Scan), these files were tagged in Scheduled and Manual scans. Now they are not. I then removed these false positives from the “Exclusions” list, and they were not tagged using Low and Medium heuristic settings with all three (3) scan types. (I haven’t tried High as yet).

From my point of view, this update addressed the only real issues I had with CIS 3.8.X. Great job. Can’t wait for inclusion of BOClean in the near future. -SA Jack

SWENG · February 21, 2009, 12:19am

I’ve been getting a lot of those too.
You might want to consider adding a few useful options to the results window:

An option to copy location of file to clipboard
An option to go to file location
An option to submit file to Comodo for further scanning
(I checked all the false positives in virustotal.com)

pelokee · February 22, 2009, 5:56pm

After several rounds of testing, I think the solution at this point is to turn the heuristics feature OFF. This feature was just introduced to the Comodo product in the 2/14/09 update, so we aren’t losing any functionality that we didn’t have before.

For my full writeup, feel free to visit - Comodo tech support has acknowledged the issue and claims to be working on it.

Surfinusa · February 25, 2009, 5:15pm

I also have got the same problems with FP with the latest 19th February 2009 CIS Release.

I was getting virus warnings everywhere, every few seconds a new one would be identified.

Sounds like you guys hit the mark when you figured out the Heuristic issue.

I didn’t know till now since I read your responses. I am still using the 14th February 2009 Release CIS.

I hope they get this fixed soon so I can upgrade it.

For now it doesn’t seem that the auto updater giving me any trouble before it wanted me to upgrade to the 19th February 2009 Version.

Ramanan · February 28, 2009, 6:21am

BigMike post:1:

Hi I updated yesterday to version 3.8 and first thing I had to do was to disable the heuristic in real time scanner
I did a full scan with enabled heuristic and this are the reported programs, which are hopefully not dangerous:

AIMP ( AIMP )


Heur.Packed.Unknown ...\AIMP\AIMP2t.exe
Heur.Packed.Unknown ...\AIMP\bass.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bassmidi.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\aimp_library.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bass_alac.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bass_flac.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bass_ofr.dll
Heur.Packed.Unknown ...\AIMP\PlugIns\bass_tta.dll
Heur.Packed.Unknown ...\AIMP\System\aimp_shell.dll
Heur.Packed.Unknown ...\AIMP\System\bass_enc.dll



Heur.Suspicious.Attribs ...\SUPER Konverter\cygwin1.dll
Heur.Suspicious.Attribs ...\SUPER Konverter\cygz.dll
Heur.Pck.tElock ...\SUPER Konverter\ff2ogg.exe
Heur.Pck.tElock ...\SUPER Konverter\mencoder\mencoder.exe
Heur.Pck.tElock ...\SUPER Konverter\mencoder\mplayer.exe
Heur.Suspicious.Attribs ...\SUPER Konverter\Setup.exe
Heur.Suspicious.Attribs ...\SUPER Konverter\spk\Movawin.spk
Heur.Suspicious.Attribs ...\SUPER Konverter\spk\Rm7dmod.spk
Heur.Suspicious.Attribs ...\SUPER Konverter\spk\Smabwin.spk
Heur.Suspicious.Attribs ...\SUPER Konverter\spk\Rm8dmod.spk
Heur.Pck.tElock ...\SUPER Konverter\SUPER.exe
Heur.Pck.UPX-Scrambler ...\SUPER Konverter\x264.exe
Heur.Suspicious.Attribs ...\SUPER Konverter\_Setup.dll
Heur.Suspicious.Attribs C:\WIN\meta4.exe
Heur.Packed.Unknown C:\WIN\MOTA113.exe
Heur.Suspicious.Attribs C:\WIN\system32\aac_parser.ax
Heur.Suspicious.Attribs C:\WIN\system32\ac3DX.ax
Heur.Suspicious.Attribs C:\WIN\system32\AVCDX.ax
Heur.Suspicious.Attribs C:\WIN\system32\AVSredirect.dll
Heur.Suspicious.Attribs C:\WIN\system32\CoreAAC.ax
Heur.Suspicious.Attribs C:\WIN\system32\cygwin1.dll
Heur.Suspicious.Attribs C:\WIN\system32\cygz.dll
Heur.Suspicious.Attribs C:\WIN\system32\DiracSplitter.ax
Heur.Suspicious.Attribs C:\WIN\system32\flvDX.dll
Heur.Suspicious.Attribs C:\WIN\system32\i420vfw.dll
Heur.Suspicious.Attribs C:\WIN\system32\MatroskaDX.ax
Heur.Suspicious.Attribs C:\WIN\system32\msfDX.dll
Heur.Suspicious.Attribs C:\WIN\system32\RealMediaDX.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLAPEDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLMPCDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLOgg.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLSpeexDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLTheoraDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\RLVorbisDec.ax
Heur.Suspicious.Attribs C:\WIN\system32\Smab0.dll
Unclassified Malware[at]4800749 C:\WIN\system32\VistaUltm.dll
Heur.Suspicious.Attribs C:\WIN\system32\x.264.exe
Heur.Suspicious.Attribs C:\WIN\system32\yv12vfw.dll
Heur.Pck.UPX-Scrambler C:\WIN\x2.64.exe

TuneUp 2009 ( AVG TuneUp | Clean & Speed Up Your PC | Free Download )


Heur.Packed.Unknown ...\TuneUp Utilities\AppInitialization.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\cmCommon.bpl
Heur.Pck.MEW ...\TuneUp Utilities\cmDisplay.bpl
Heur.Pck.MEW ...\TuneUp Utilities\cmNetwork.bpl
Heur.Pck.MEW ...\TuneUp Utilities\cmSystem.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\cmWizards.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\CommonForms.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\ehs_d6.bpl
Heur.Pck.MEW ...\TuneUp Utilities\GR32_D6.bpl
Heur.Pck.MEW ...\TuneUp Utilities\MainControls.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\Internet.bpl
Heur.Pck.MEW ...\TuneUp Utilities\MSI_D6.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\SmallUnits.bpl
Heur.Pck.MEW ...\TuneUp Utilities\SysInfo.bpl
Heur.Pck.MEW ...\TuneUp Utilities\Traces.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TuApplications.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUDiskCleanerClass.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUIcoEngineerDirTree.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUInstallHelper.exe
Heur.Packed.Unknown ...\TuneUp Utilities\TUOperaClass.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUShell.bpl
Heur.Pck.MEW ...\TuneUp Utilities\TUTMSComponents.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUShredder.bpl
Heur.Pck.MEW ...\TuneUp Utilities\VirtualTreesR.bpl
Heur.Pck.MEW ...\TuneUp Utilities\VisControls.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUOperaClass.bpl
Heur.Pck.MEW ...\TuneUp Utilities\TUTMSComponents.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUShredder.bpl
Heur.Pck.MEW ...\TuneUp Utilities\Traces.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\ehs_d6.bpl
Heur.Pck.MEW ...\TuneUp Utilities\MSI_D6.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUDiskCleanerClass.bpl
Heur.Pck.MEW ...\TuneUp Utilities\SysInfo.bpl
Heur.Pck.MEW ...\TuneUp Utilities\VirtualTreesR.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUShell.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\TUIcoEngineerDirTree.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\CommonForms.bpl
Heur.Pck.MEW ...\TuneUp Utilities\VisControls.bpl
Heur.Pck.MEW ...\TuneUp Utilities\MainControls.bpl
Heur.Pck.MEW ...\TuneUp Utilities\GR32_D6.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\SmallUnits.bpl
Heur.Packed.Unknown ...\TuneUp Utilities\AppInitialization.bpl

DivX Author ( http://www.divx.com/en/products/software/windows/author )


Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\AudioPCM.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\EffcvBlend.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\EffcvLayerImageEffect.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\EffcvSlideShow.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\EffcvVideoFilter.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\ImageBitmap.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\ImagePSD.vme
Heur.Packed.Unknown ...\DivX\DivX Author\DivX Author 1.5\MovieDVD.vme

Finally I got a warning about:


Heur.Suspicious.Attribs C:\Documents and Settings\All Users\DRM\IndivBox.key

Hi BigMike,

These FP’s are fixed, please update to latest CIS V477 and update virus signature database to latest.

Thanks
Ramanan

g13 · June 7, 2009, 7:38am

Yes Heuristic reports very false positives still :-TD

bequick · June 7, 2009, 7:45am

Yes,but comodo has the greatest community i’ve ever seen and i’m pretty sure that’s just temporary issue.If you’re scared of bears,don’t go to the forest.

dph987 · October 23, 2009, 12:18am

What would be really helpful is a short (or optionally detailed ) report detailing WHAT action was interccepted, or comodo virus scanner found, and WHY it thinks its a virus.

This would give more info to the user to make an executive decision regarding the message.