Probable conflict between Comodo Firewall 5.4 and Avast! 6.0.1125

Hello everybody!
I want to propose a problem I have detected a bit of time ago and that you’re still checking.
On my computer I have Avast! Free and Comodo with D +.
Since I upgrading to Comodo 5.4 and 5.5 yesterday, with my deep scan with custom settings of Avast!, I noticed this:

-Process-816 [cmdagent.exe] 0x00000000047C0000 Memory Block, Block Size 2097152 - -Severity: High- -Threat: Win32: FakeVimes-B [Trj]-

Among the options of the scan I also activated the memory check and this is the result, the process “cmdagent.exe” is detected as a threat .
Can someone help me? Does someone know the cause? Can I stay quiet or I have to worry?

Thanks to all!!! ;D

Don’t worry. Add the CIS installation folders to the Exclusions of Avast.

Already done but nothing change. ???

I am not familiar with Avast. I hope somebody else can tell how to work around this false positive. Please inform Avast about it. The error is on their side.

You need to zip cmdagent.exe and send it to virus[at] . It is also possible to send a f/p by mail from the Avast user interface.

I have Avast on a test machine, so if you could tell me the exact settings for D+ and your Avast scan, I’ll try to recreate.

I insert the screenshot…My Avast and my COMODO are in italian, I hope you understand the pics ;D
Thanks for the help!

[attachment deleted by admin]

I thought I had posted a reply to this issue but I guess not. Must be slipping in my old age …

This topic has been talked about extensively over on the Avast free forum.

First, these memory scan warnings are false positives if you want to call them that. The Avast experts have said that they show up in an Avast memory scan because they are unencrypted signatures. Of course, no one there elaborated on exactly what are “unencrypted signatures.”

Now I use Comodo firewall and Defense+ - no Comodo AV installed. However, I get the exact same alert you do when I run Avast’s memory scan. A more enlighted poster noted that Defense+ uses “virus” signatures" for validation purposes.

My Avast memory scan also shows anywhere from 5 to 7 of these “false” alerts from MBAM Pro alone.

I think what would finally put this issue to bed is if a Comodo developer confirmed that Comodo does inject “Fake-Vimes” signatures into memory for validation purposes.


To validate what?

What is the meaning of your insinuation?

Lighten up guys!

I am not implying or insinuating anything. I am asking a simple question. The same question that is being asked over at the Avast forum by many others. The FakeVimes signatures are used primarily to detect the current scouge of rouge malware. Hell, it is entirely possible Avast is injecting those signatures and playing dumb about it.

Attached is a screenshot of what Avast memory scanner finds for both Comodo and MBAM Pro.

If I had to speculate a theory on what is happening, it goes like this. The only real time anti-malware software I have running besides Avast is Comodo and MBAM. Both processes are doing some type of non-malicous memory injection. Avast’s memory scanner see this, doesn’t know what it is, and is mis-identifying it as malware.

Best Comodo and MBAM resolve this with Avast since the less technically inclined stop using Comodo and MBAM at the extreme or keep posting the same question on each manufacturers forum.

[attachment deleted by admin]

I was just asking what this “enlightened poster” feels D+ uses virus signatures to validate…

Yes, I’ve spoke about this problem on Avast forum and then? What is the problem??
On Avast forum someone has suggested me to ask something about on this forum because I could have some problem in FW configuration…
So if this is true, I want to solve it.

I stop to ask if you’re right about my problem.But, I must admit that after seeing your screenshot I believe in you and I can stay quiet

CIS does inject guard32.dll for 32 bits systems and guard64.dll for 64 bits systems in each process. The guardxx.dll is injected to help reduce the number of D+ alerts.

It is my conviction that what Avast reports is a false positive.

For what it’s worth, I ran the scan with your settings and Avast made the same detection (image) I added The Comodo installation folders to Exclusions but it made no difference. The ‘threat’ is only detected when memory is part of the scan. Clearly this is false positive that Avast needs to fix.

[attachment deleted by admin]

Ok guys!! Thanks to everybody that helped me!!! Now I can stay quiet about this!! ;D

Well, I don’t know if this is resolved or not? Below from a poster on the Avast forum. Now I also run Win Defender in real time but Avast is not detecting it on it’s memory scan.

BTW - Avast mods are adament that the cmdagent.exe unencryted signature detection is not a FP.

Max, Donz.

I also run Comodo, Firewall and D+, but I have never ran Comodo AV. When I do a memory scan with Avast, I do not get any unencrypted virus signatures into memory from Comodo. I get Windows Defender though because it is running. I wonder, have you ever had Comodo AV running in your machines?




Dim 9200/XPS 410. C2D E6600; 2.40 GHz. 2GB RAM
Xp Pro_86 Spk 3. IE 8 & FF 4.
Avast 6.0.1203. CIS 5.5 (Firewall/D+); Win Defender. SpywareBlaster. Win Patrol Plus. WOT. MBAM on demand.

I never installed the AV when I ran the test.

I think Avast should contact Comodo. Let them sign up here and contact egemen. That should get things straightened out quickly.

I just noticed something odd. Maybe this is normal. Don’t know.

On my screenshot of Defense+ rules, all the Comodo programs have a red Comodo icon associated with them. However cmdagent.exe does not? Is that normal?

I have checked out cmdagent.exe and looks OK. It has a valid Comodo certificate assigned.

[attachment deleted by admin]

The valid certificate tells it all; this is the real deal.

Cmdagent.exe does not have an icon. You will also see that when you look up cmdagent.exe with Explorer. Nothing to worry about.