Malwarebytes false positive

Scanning with Malwarebytes identified an infected file, dll.dll, in my System32 as Trojan.downloader.

Having checked it out it is a Comodo file, so I reported it to them and they have now removed it from their definitions.

If anyone else has had this quarantined you can safely restore it. If you then scan again it will not be reported as malware.

dll.dll is a strange name for a file. Do you have any other Comodo products other than CIS/CFP?
Does the Dll.dll version info state which Comodo product bundles that file?

Hi gibran, :slight_smile:

Yes, I use most Comodo programs and it is not necessarily from CIS. I just thought this board might be the best place to post under, but move it if you think there is a better place.

You can see the Malwarebytes forum topic here:

http://www.malwarebytes.org/forums/index.php?showtopic=7869

If you scroll down to the bottom of the last link I posted you will see Comodo.

dll.dll is part of Comodo Leak Tests.

Yep as JoWa confirmed it looks like that dll is part of CLT.

Comodo Firewall Test Suite is available there.

I ran that leaktest suite myself many times and I wasn’t able to find any dll.dll in \system32.

You can safely delete that file.
Please check if there is a copy of clt.exe or drivers.sys in the system32 folder.

Yes, I have run the leaktest. It seems that file should have been in a temp folder, but it is definitely in system32. The ThreatExpert reports show that it is the same file, not just one named the same, so that is strange.

I have neither clt.exe nor drivers.sys in system32 or anywhere else now.

I confirmed that dll.dll is required for the Injection: CreateRemoteThread PoC of the CLT test suite version 1.1.0.3.
If that test fails, dll.dll is copied into the system32 folder; however, it will be deleted after the result is provided.

Please test the CLT version you got again to confirm this behaviour.

If dll.dll is still not deleted, please report your CLT version too.

I downloaded and ran the tests now, as I had not kept CLT before. When I allowed the tests, the dll.dll was removed from system32 as you said, and all of them failed. I see that file is in the clt folder also.

That ThreatExpert report led to the IE window showing Comodo, which the test opens.

I think I had the old version of the tests before, so maybe that left the file behind.

Thanks for confirming this. :-TU

I guess all aspects are sorted. :slight_smile:

Thanks Gibran, it has been interesting and I have informed Malwarebytes in case they had any doubts.

There has been a malware file of a similar name, DLL.dll, but it is obviously not the same one.

I posted here in case the file was important and someone else had had it quarantined and needed to restore it.

:-TU

You are welcome.

One of the ways to spot malware when troubleshooting a PC is the name.
A common occurrence is that the names are typos of legitimate executables or system services.
In some cases they have obscure or generic names.

Often the executable filename hints at the software or the task carried out by that component.

In this case I guess that file was named dll.dll because the PoC involved a mock DLL to carry out the leaktest.
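The two naming heuristics gibran describes above (filenames that are one-character typos of legitimate system binaries, and generic names like dll.dll that identify no component) as an added triage script; this is not code from the thread or from Comodo, and the allow-list, the generic-stem set and the sample directory listing are constructed assumptions, not real scan data.

```python
from typing import Dict, List, Tuple

# Constructed allow-list of legitimate Windows binary names (illustrative subset, an assumption).
KNOWN_GOOD = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe",
    "services.exe", "rundll32.exe", "kernel32.dll", "ntdll.dll", "user32.dll",
}

# Constructed set of stems too generic to say what a component does (e.g. dll.dll, update.exe).
GENERIC_STEMS = {"dll", "exe", "sys", "system", "update", "file", "temp", "svc"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so a single swapped, dropped or doubled character scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(filename: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one filename using the two naming heuristics."""
    name = filename.lower()
    if name in KNOWN_GOOD:
        return "known-good", "exact match to allow-list"
    stem, _, _ext = name.rpartition(".")
    if stem in GENERIC_STEMS:
        return "suspicious", f"generic stem '{stem}'"
    for good in sorted(KNOWN_GOOD):
        if edit_distance(name, good) == 1:
            return "suspicious", f"one edit away from '{good}'"
    return "unknown", "no heuristic matched"

def triage(filenames: List[str]) -> Dict[str, List[str]]:
    """Group a directory listing by verdict so the suspicious names can be checked by hand."""
    groups: Dict[str, List[str]] = {"known-good": [], "suspicious": [], "unknown": []}
    for f in filenames:
        verdict, _ = classify(f)
        groups[verdict].append(f)
    return groups

# Constructed sample listing standing in for a System32 scan (not real data).
SAMPLE_LISTING = ["svchost.exe", "svch0st.exe", "dll.dll", "lsasss.exe", "comodo_helper.dll", "ntdll.dll"]

if __name__ == "__main__":
    for f in SAMPLE_LISTING:
        print(f, *classify(f))
```

A "suspicious" verdict only means the name deserves a look at its version info and publisher, which is exactly the check the thread applied to dll.dll before restoring it.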