Post here your unfixed FP's (only after 2 days)

alaertsxan · March 10, 2009, 2:16pm

Please post here all unfixed FP’s . Please only post them when they’re not detected after 2 days.

Please include,

your original FP post
when you last tested CIS against it + what database

When the FP is fixed, please delete your post in this topic again !

Thanks,

Xan

umesh · March 10, 2009, 2:20pm

Thanks eXPerience,
This will help us to clean up whatever is left.

Thanks
-umesh

evil_religion · March 10, 2009, 9:23pm

https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/again_heurpebomb_in_browser_cache-t35714.0.html
First post.
Last tested with DB 1046.

umesh · March 11, 2009, 12:48pm

https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/again_heurpebomb_in_browser_cache-t35714.0.html First post. Last tested with DB 1046.

Hi, I have responded here: https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/again_heurpebomb_in_browser_cache-t35714.0.html;msg258622#msg258622

Thanks
-umesh

ganda · March 11, 2009, 2:33pm

yo!
what about the b2e.exe
i’ve posted it several times, but i can’t remember where my posts are 88)

but i remember it’s been removed from BOClean database :-La

MJ.nfl · March 11, 2009, 9:51pm

RAR Slayer v1.1.exe
Sent it via mail.

Virus total results

http://www.virustotal.com/analisis/e28c42883cc2ab0c8a1f6f60f1f1f626

CPU Athlon 64 X2 4600+
Windows XP pro, service pack 3, 32 bit
CIS 3.8.65951.477
Antivirus - default settings
Firewall - custom policy mode
Defense+ - clean PC mode
Administrator account

Last scan today. Virus database 1049

umesh · March 11, 2009, 10:04pm

Hi,
We will have a look at this today.

Thanks
-umesh

donnyd · March 11, 2009, 10:11pm

eXPerience:

Hey guys,

It seems you reported 1 or more FP’s to Comodo. Now it seems that some FP still haven’t been fixed. I would like to ask you guys to report them again in this special topic. Please include :

your original FP post

when you last tested CIS against it + what database

When the FP is finally fixed, I would also like to request that you delete your post there, it will be easier for the devs then.

When I first report the FP this is what I came up with, I then put what I felt was FP in the exclusion list and it continued to flag the files that were in the exclusion list including the files that were quarantined. Log below:
Table : Antivirus Logs
Date Created : 2/13/2009 10:24:43 AM
Log Scope : Last 7 Days
Records count : 58
Date/Time Action Location Malware Name Status
2/12/2009 4:43:49 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP151\A0018919.exe Unclassified Malware@4237958 Success
2/12/2009 4:44:49 PM Ignore C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP151\A0018919.exe Unclassified Malware@4237958 Success
2/12/2009 4:44:49 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP151\A0018919.exe Unclassified Malware@4237958 Success
2/12/2009 4:45:08 PM Ignore C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP151\A0018919.exe Unclassified Malware@4237958 Success
2/12/2009 4:45:08 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP151\A0018919.exe Unclassified Malware@4237958 Success
2/12/2009 4:45:29 PM Quarantine C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP151\A0018919.exe Unclassified Malware@4237958 Success
2/12/2009 4:56:23 PM Detect C:\Program Files\Auslogics\AusLogics Registry Defrag\axforms10.bpl Heur.Pck.MEW Success
2/12/2009 5:43:22 PM Detect C:\My Downloads\My Downloads\copytodvd4se.exe Application.Win32.FraudTool.MacroVirus.~A@2937430 Success
2/12/2009 5:44:02 PM Detect C:\Program Files\Auslogics\AusLogics Registry Defrag\axforms10.bpl Heur.Pck.MEW Success
2/12/2009 5:44:03 PM Detect C:\Program Files\CachemanXP\CachemanXPLauncher.exe Heur.Packed.Unknown Success
2/12/2009 5:44:44 PM Detect C:\Program Files\Comodo\COMODO Internet Security\Quarantine\A0018919.exe Unclassified Malware@4237958 Success
2/12/2009 5:47:12 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP103\A0014036.exe Heur.Packed.Unknown Success
2/12/2009 5:47:25 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP114\A0014488.exe Heur.Packed.Unknown Success
2/12/2009 5:47:25 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP114\A0014495.dll Heur.Packed.Unknown Success
2/12/2009 5:50:11 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP75\A0008025.dll Heur.Packed.Unknown Success
2/12/2009 5:50:11 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP75\A0008035.exe Heur.Packed.Unknown Success
2/12/2009 5:51:07 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP82\A0012050.dll Heur.Packed.Unknown Success
2/12/2009 5:51:34 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP99\A0013767.dll Heur.Packed.Unknown Success
2/12/2009 5:51:34 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP99\A0013776.exe Heur.Packed.Unknown Success
2/12/2009 5:59:50 PM Detect C:\WINDOWS\system32\mfc45.dll Heur.PEBomb Success
2/12/2009 6:07:30 PM Ignore C:\My Downloads\My Downloads\copytodvd4se.exe Application.Win32.FraudTool.MacroVirus.~A@2937430 Success
2/12/2009 6:07:30 PM Ignore C:\Program Files\Auslogics\AusLogics Registry Defrag\axforms10.bpl Heur.Pck.MEW Success
2/12/2009 6:07:31 PM Ignore C:\Program Files\CachemanXP\CachemanXPLauncher.exe Heur.Packed.Unknown Success
2/12/2009 6:07:31 PM Ignore C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP103\A0014036.exe Heur.Packed.Unknown Success
2/12/2009 6:07:32 PM Ignore C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP114\A0014488.exe Heur.Packed.Unknown Success
2/12/2009 6:07:32 PM Ignore C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP114\A0014495.dll Heur.Packed.Unknown Success
2/12/2009 6:07:32 PM Ignore C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP75\A0008025.dll Heur.Packed.Unknown Success
2/12/2009 6:07:33 PM Ignore C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP75\A0008035.exe Heur.Packed.Unknown Success
2/12/2009 6:07:33 PM Ignore C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP82\A0012050.dll Heur.Packed.Unknown Success
2/12/2009 6:07:34 PM Ignore C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP99\A0013767.dll Heur.Packed.Unknown Success
2/12/2009 6:07:34 PM Ignore C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP99\A0013776.exe Heur.Packed.Unknown Success
2/12/2009 6:22:04 PM Detect C:\WINDOWS\system32\mfc45.dll Heur.PEBomb Success
2/12/2009 6:23:06 PM Ignore C:\WINDOWS\system32\mfc45.dll Heur.PEBomb Success
2/12/2009 6:23:06 PM Detect C:\WINDOWS\system32\mfc45.dll Heur.PEBomb Success
2/12/2009 6:23:15 PM Ignore C:\WINDOWS\system32\mfc45.dll Heur.PEBomb Success
2/12/2009 6:23:15 PM Detect C:\WINDOWS\system32\mfc45.dll Heur.PEBomb Success
2/12/2009 6:23:20 PM Quarantine C:\WINDOWS\system32\mfc45.dll Heur.PEBomb Success
2/12/2009 6:24:28 PM Quarantine C:\Program Files\Comodo\COMODO Internet Security\Quarantine\A0018919.exe Unclassified Malware@4237958 Success
2/12/2009 6:24:28 PM Quarantine C:\WINDOWS\system32\mfc45.dll Heur.PEBomb Success
2/12/2009 6:39:41 PM Detect C:\Program Files\Auslogics\AusLogics Registry Defrag\axforms10.bpl Heur.Pck.MEW Success
2/12/2009 6:39:42 PM Detect C:\Program Files\CachemanXP\CachemanXPLauncher.exe Heur.Packed.Unknown Success
2/12/2009 6:40:34 PM Detect C:\Program Files\Comodo\COMODO Internet Security\Quarantine\A0018919.exe1 Unclassified Malware@4237958 Success
2/12/2009 6:40:34 PM Detect C:\Program Files\Comodo\COMODO Internet Security\Quarantine\mfc45.dll Heur.PEBomb Success
2/12/2009 6:47:41 PM Quarantine C:\Program Files\Comodo\COMODO Internet Security\Quarantine\A0018919.exe1 Unclassified Malware@4237958 Success
2/12/2009 6:47:41 PM Quarantine C:\Program Files\Comodo\COMODO Internet Security\Quarantine\mfc45.dll Heur.PEBomb Success
2/12/2009 11:40:13 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP151\A0019151.dll Heur.PEBomb Success
2/13/2009 2:39:51 AM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP151\A0019151.dll Heur.PEBomb Success
2/13/2009 6:39:51 AM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP151\A0019151.dll Heur.PEBomb Success
2/13/2009 9:18:52 AM Detect C:\Program Files\Auslogics\AusLogics Disk Defrag\is-UMABG.tmp Heur.Pck.MEW Success
2/13/2009 9:19:05 AM Ignore C:\Program Files\Auslogics\AusLogics Disk Defrag\is-UMABG.tmp Heur.Pck.MEW Success
2/13/2009 9:19:35 AM Detect C:\Program Files\Auslogics\AusLogics Disk Defrag\AxPackage10.bpl Heur.Pck.MEW Success
2/13/2009 9:19:42 AM Ignore C:\Program Files\Auslogics\AusLogics Disk Defrag\AxPackage10.bpl Heur.Pck.MEW Success
2/13/2009 9:25:15 AM Detect C:\Program Files\Auslogics\AusLogics Registry Defrag\is-TV8VC.tmp Heur.Pck.MEW Success
2/13/2009 9:25:19 AM Ignore C:\Program Files\Auslogics\AusLogics Registry Defrag\is-TV8VC.tmp Heur.Pck.MEW Success
2/13/2009 9:25:22 AM Detect C:\Program Files\Auslogics\AusLogics Registry Defrag\axpackage10.bpl Heur.Pck.MEW Success
2/13/2009 9:25:27 AM Ignore C:\Program Files\Auslogics\AusLogics Registry Defrag\axpackage10.bpl Heur.Pck.MEW Success
2/13/2009 9:28:52 AM Detect C:\Program Files\Auslogics\AusLogics Disk Defrag\is-V7N3F.tmp Heur.Pck.MEW Success
2/13/2009 9:28:56 AM Ignore C:\Program Files\Auslogics\AusLogics Disk Defrag\is-V7N3F.tmp Heur.Pck.MEW Success
End of The Report

Today I removed the files from the exclusion list with the exception of //Comodo.**** and ran the scan again with the lateset version and DB and this is what it flaged:
Table : Antivirus Logs
Date Created : 3/11/2009 12:15:51 PM
Log Scope : Today
Records count : 2
Date/Time Action Location Malware Name Status
3/11/2009 12:03:08 PM Detect C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP99\A0013776.exe Heur.Packed.Unknown Success
3/11/2009 12:11:20 PM Quarantine C:\System Volume Information_restore{6D3FBDEF-8C21-4647-9BF3-72176E328E86}\RP99\A0013776.exe Heur.Packed.Unknown Success

It seems the system volume info is always flaged as a threat and whats the story with this file?
C:\WINDOWS\system32\mfc45.dll

Thanks,
donnyd

Ramanan · March 12, 2009, 7:42am

Hi Lt.ganda,

CIS is not detecting the file b2e.exe with/without heuristics. Please verify it with the latest base update. If you still find the detection in CIS, please submit the sample to AVLab.

Thanks,
Ramanan

ganda · March 12, 2009, 8:32am

nope, still there with database #1049

[attachment deleted by admin]

alaertsxan · March 12, 2009, 11:35am

This is what I got over pm

Original post: https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/qfecheck_fp-t36252.0.html

Last test: today with DB 1049

Thanks
Hakan

Xan

Ramanan · March 13, 2009, 10:56am

Hi Lt.ganda,

Please check with the latest base update.

Thanks,
Ramanan

Ramanan · March 13, 2009, 11:01am

Hi MJ.nfl,

The file in question is detected by heuristics and is a cracking application. Although it is not a “maliclious software”, the purpose of the detection is to warn the user about potentially unwanted/dangerous applications. Moreover, such cracking applications are packed/protected by some non standard programs which are used almost only by malicious files. This detection is one such generic detection. If someone still wants to use the crack application, the user can just add the file to exclusion list.

Thanks,
Ramanan

monkeytails · March 14, 2009, 11:52am

False Positive in relation to BOClean files (evidence.boc) has reappeared although different threat this time.

See attached image file.

Should I upload to avlab again?

Edit: reappeared with Database version 1049 and still present with Database version 1056

[attachment deleted by admin]

sureshk · March 15, 2009, 7:02am

Hi monkeytails,

Thanks for reporting,
FYI : evidence.boc is a backup file ,which BOClean takes before removing the file on detection.

That might not be a FP.

Thanks and Regards,
Suresh.

monkeytails · March 15, 2009, 2:43pm

Checked BOClean logs and shows a detection of leaktest.exe.

If this a backup that BOClean creates (Am I understanding you correctly?), then the AV of CIS will always detect the backup file. Again correct me if im wrong.

So should I delete this file or permanently exclude it or the folder from scaning…???

regards

monkeytails

Edit: have answered my question by looking at the BOClean on line help…will delete from computer.

Thanks for your help.

wrapper · March 17, 2009, 10:22pm

HI,

I am posting this at the request of Experience. My initial False Positive report is below, along with the message from Suresh that the problem was fixed.

On the morning of 03/17/09 I had to restore a backup to my laptop, and took the opportunity to install the latest CIS (3.8.65951.477, data base 1062) and BOClean 4.27. Almost immediately, CIS showed 1 threat found, and it was the same ALCXSENS.SYS driver mentioned in my initial post, again as a Heur.Pck.tElock . What was very strange was that after an hour or so, the summary screen shows no threats found, (down from 1 earlier) yet the Antivirus events log still shows the detection.

I don’t know that it matters, but I am running XP Home SP3 on a Gateway laptop with an AMD Athlon 64 3400+ with 1 GB memory, and the CIS settings are all default.

Wrapper

wrapper post:1:

Hi,

I had a problem with an earlier version of CIS saying “the virus database is not updated” and/or “the AV engine is not started,” so I updated to the latest version 3.8.65951.477 db version 1039, heuristic scan set to “low,” and started to scan the main drive and the “restoral” drive setup by Gateway yesterday, 3/09/09. The Heur.Pck.tElock popped up several times, with different files, all of which had been on the PC for months to even years without incident. I submitted the files to Virustotal, and they were all OK. What was very strange to me was that on the analysis of the alcxsens.sys driver (a Sensaura WDM 3D Audio Driver) showed that Comodo had no problem with the file, yet my installation flags it as an error.

I’ll email this report as well.

Wrapper

Topic Summary
Posted on: March 10, 2009, 08:56:24 AMPosted by: sureshk
Insert Quote
Hi wrapper,

FP has fixed.Please confirm with our latest Updated base.

Thanks for Reporting.

Thanks and Regards,
Suresh.

sriramp · March 31, 2009, 9:35am

Hi oldCoCo3user,
Can you please send the suspected file to us. Please visit this link on https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/how_to_report_false_positivessuspicious_files_how_to_submit_them-t36051.0.html
to know more on submission of files.

Regards,
Sriram.P

sriramp · April 7, 2009, 1:02pm

Hi oldCoCo3user,

Thank you for submitting the file. The reported False Positive has been fixed.

Regards,
Sriram.P

rabrown · May 7, 2009, 4:24am

I reported archlp.dll as an FP during the weekend. It is part of Arcsoft’s Total Media Theater installation. Copy of the file was submitted through CIS RC 2. Not yet fixed in ver 1154. Identified as unclassified malware@14955904.

Richard