Probable conflict between Comodo Firewall 5.4 and Avast! 6.0.1125

Hello everybody!
I want to propose a problem I have detected a bit of time ago and that you’re still checking.
On my computer I have Avast! Free and Comodo with D+.
Since upgrading to Comodo 5.4 and 5.5 yesterday, with my deep scan with custom settings of Avast!, I noticed this:

-Process-816 [cmdagent.exe] 0x00000000047C0000 Memory Block, Block Size 2097152 - -Severity: High- -Threat: Win32: FakeVimes-B [Trj]-

Among the options of the scan I also activated the memory check and this is the result: the process “cmdagent.exe” is detected as a threat.
Can someone help me? Does someone know the cause? Can I stay quiet or do I have to worry?

Thanks to all!!! ;D

Don’t worry. Add the CIS installation folders to the Exclusions of Avast.

Already done but nothing changed. ???

I am not familiar with Avast. I hope somebody else can tell how to work around this false positive. Please inform Avast about it. The error is on their side.

You need to zip cmdagent.exe and send it to virus[at]avast.com. It is also possible to send a f/p by mail from the Avast user interface.

I have Avast on a test machine, so if you could tell me the exact settings for D+ and your Avast scan, I’ll try to recreate.

I insert the screenshot… My Avast and my COMODO are in Italian, I hope you understand the pics ;D
Thanks for the help!

[attachment deleted by admin]

I thought I had posted a reply to this issue but I guess not. Must be slipping in my old age …

This topic has been talked about extensively over on the Avast free forum.

First, these memory scan warnings are false positives if you want to call them that. The Avast experts have said that they show up in an Avast memory scan because they are unencrypted signatures. Of course, no one there elaborated on exactly what are “unencrypted signatures.”

Now I use Comodo firewall and Defense+ - no Comodo AV installed. However, I get the exact same alert you do when I run Avast’s memory scan. A more enlightened poster noted that Defense+ uses “virus” signatures for validation purposes.

My Avast memory scan also shows anywhere from 5 to 7 of these “false” alerts from MBAM Pro alone.

I think what would finally put this issue to bed is if a Comodo developer confirmed that Comodo does inject “Fake-Vimes” signatures into memory for validation purposes.

???

To validate what?

What is the meaning of your insinuation?

Lighten up guys!

I am not implying or insinuating anything. I am asking a simple question. The same question that is being asked over at the Avast forum by many others. The FakeVimes signatures are used primarily to detect the current scourge of rogue malware. Hell, it is entirely possible Avast is injecting those signatures and playing dumb about it.

Attached is a screenshot of what Avast memory scanner finds for both Comodo and MBAM Pro.

If I had to speculate a theory on what is happening, it goes like this. The only real time anti-malware software I have running besides Avast is Comodo and MBAM. Both processes are doing some type of non-malicious memory injection. Avast’s memory scanner sees this, doesn’t know what it is, and is mis-identifying it as malware.

Best Comodo and MBAM resolve this with Avast since the less technically inclined stop using Comodo and MBAM at the extreme or keep posting the same question on each manufacturer’s forum.

[attachment deleted by admin]

I was just asking what this “enlightened poster” feels D+ uses virus signatures to validate…

Yes, I’ve spoken about this problem on Avast forum and then? What is the problem??
On Avast forum someone has suggested me to ask something about on this forum because I could have some problem in FW configuration…
So if this is true, I want to solve it.

I stop to ask if you’re right about my problem. But, I must admit that after seeing your screenshot I believe in you and I can stay quiet.

CIS does inject guard32.dll for 32-bit systems and guard64.dll for 64-bit systems in each process. The guardxx.dll is injected to help reduce the number of D+ alerts.

It is my conviction that what Avast reports is a false positive.

For what it’s worth, I ran the scan with your settings and Avast made the same detection (image). I added the Comodo installation folders to Exclusions but it made no difference. The ‘threat’ is only detected when memory is part of the scan. Clearly this is a false positive that Avast needs to fix.

[attachment deleted by admin]

Ok guys!! Thanks to everybody that helped me!!! Now I can stay quiet about this!! ;D

Well, I don’t know if this is resolved or not? Below from a poster on the Avast forum. Now I also run Win Defender in real time but Avast is not detecting it on its memory scan.

BTW - Avast mods are adamant that the cmdagent.exe unencrypted signature detection is not a FP.

Max, Donz.

I also run Comodo, Firewall and D+, but I have never run Comodo AV. When I do a memory scan with Avast, I do not get any unencrypted virus signatures into memory from Comodo. I get Windows Defender though because it is running. I wonder, have you ever had Comodo AV running in your machines?

Regards.


Hernan.

Dim 9200/XPS 410. C2D E6600; 2.40 GHz. 2GB RAM
Xp Pro_86 Spk 3. IE 8 & FF 4.
Avast 6.0.1203. CIS 5.5 (Firewall/D+); Win Defender. SpywareBlaster. Win Patrol Plus. WOT. MBAM on demand.

I never installed the AV when I ran the test.

I think Avast should contact Comodo. Let them sign up here and contact egemen. That should get things straightened out quickly.

I just noticed something odd. Maybe this is normal. Don’t know.

On my screenshot of Defense+ rules, all the Comodo programs have a red Comodo icon associated with them. However cmdagent.exe does not? Is that normal?

I have checked out cmdagent.exe and it looks OK. It has a valid Comodo certificate assigned.

[attachment deleted by admin]

The valid certificate tells it all; this is the real deal.

Cmdagent.exe does not have an icon. You will also see that when you look up cmdagent.exe with Explorer. Nothing to worry about.
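
The “unencrypted signatures” explanation relayed in the thread, illustrated with an added example that is not part of any post: a toy pattern scanner flags a memory region that merely holds another product's pattern table in plain form, and stops flagging it once the table is stored encoded. The signature name, byte pattern, XOR key and region names are all constructed, and the code does not reproduce how Avast or Comodo actually work.

```python
# Toy model of a memory-scan false positive. All data here is constructed.
SIGNATURES = {"Constructed.Test-A": b"\x13\x37SAMPLE-PATTERN\xbe\xef"}
XOR_KEY = 0x5A  # stand-in for whatever encoding a product applies to its table


def scan(buffer: bytes) -> list[str]:
    """Return the names of all signatures whose byte pattern occurs in buffer."""
    return [name for name, pattern in SIGNATURES.items() if pattern in buffer]


def encode(blob: bytes) -> bytes:
    """Single-byte XOR; enough to stop a raw byte pattern from matching."""
    return bytes(b ^ XOR_KEY for b in blob)


def build_definition_table() -> bytes:
    """Length-prefixed pattern table, as a second scanner might keep in memory."""
    return b"".join(
        len(p).to_bytes(2, "little") + p for p in SIGNATURES.values()
    )


def simulate() -> dict[str, list[str]]:
    """Scan three constructed memory regions and report the hits per region."""
    padding = b"\x00" * 64
    table = build_definition_table()
    regions = {
        # Agent process holding its pattern table in plain form.
        "agent_plain_table": padding + table + padding,
        # Same table, kept encoded while resident in memory.
        "agent_encoded_table": padding + encode(table) + padding,
        # Process with no pattern table at all.
        "unrelated_process": padding * 4,
    }
    return {name: scan(data) for name, data in regions.items()}


if __name__ == "__main__":
    for region, hits in simulate().items():
        print(f"{region:22} -> {hits or 'clean'}")
```

A hit of this kind says only that the bytes are present in the region; it says nothing about whether the process that owns the region is malicious, which is why the on-disk signature check mentioned in the thread is a useful second data point.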