Probable conflict between Comodo Firewall 5.4 and Avast! 6.0.1125

Small update:

  1. Install CIS firewall only. Run a scan in Avast. No threat detected.
  2. Activate D+ (move slider to safe mode, uncheck deactivate box and reboot). Threat detected.
  3. Deactivate D+ (move slider to disabled, place a check in the deactivate box and reboot). Threat detected.

No other changes were made.

Seems like Avast has a memory, even if nothing was detected the first time around…

> Seems like Avast has a memory, even if nothing was detected the first time around…

This may very well be true. Or, it could be that Comodo has a “memory” and is still performing the memory injection even when Defense+ is turned off!

Here’s an interesting link about Panda’s Cloud AV that also performs unencrypted virus signature injection:
http://forums.cnet.com/7723-7813_102-277583.html.

At this point, I am more concerned about MBAM Pro, which is injecting multiple unencrypted signatures into memory. BTW - when this issue is brought up in their forum, the same type of ambiguous responses are given.

In my opinion, the real question is: is injecting unencrypted virus signatures into memory a desirable thing to do? I am still researching that.

Win 7 resource manager shows cmdagent.exe is running a copy of itself - don’t know what that is about.

Now this is very interesting. Cmdagent.exe is also calling out snxhk64.dll, an Avast .dll! Is this evidence of code injection into cmdagent.exe by Avast?

Another way to think about things, initially, even though cmdagent is loaded in memory, if D+ is off, Avast doesn’t detect a threat. Once D+ has been activated, Avast sees cmdagent as a threat, regardless if it’s later disabled. So, whatever happens once D+ is enabled, either it’s not undone once it’s disabled, or Avast is seeing something that’s no longer there.

> Now this is very interesting. Cmdagent.exe is also calling out snxhk64.dll, an Avast .dll! Is this evidence of code injection into cmdagent.exe by Avast?

I just remembered I excluded the Avast folders in Defense+ Execution Control Settings. I still would assume that cmdagent.exe would have prevented a non-Comodo .dll from attaching itself?

Hello,

I just ran a memory scan with Avast. No cmdagent threat identified, but 16 related to Windows Defender. FW and Def+ were active during scan.

Sensitivity needs to be set to high.

OK. Sensitivity was at normal level. Doing another at high level. Coming back.

Results of scan with sensitivity high exactly the same as the one I posted previously. Nothing found suspect for cmdagent, but for win defender that’s another story.

Very interesting indeed.

BTW - I turned off Win Defender real time and got the same results as before, except MBAM Pro is showing a few new unencrypted signatures that were not there before. Yeeks!

As I run Windows Defender in real time, I’m not at all surprised to find these “alerts” in a memory scan. I would have been surprised by the contrary. It is normal that Avast, looking for virus signatures, flags the unencrypted signatures loaded by Windows Defender in memory. If by any chance they were loaded in the cache, it doesn’t bother me as I clean pagefile.sys at shutdown.

For me the surprise is the alert that some of you are having with cmdagent, as I thought only CAV would load virus signatures in memory. But there must be a simple and rational explanation.

There was someone on the Avast forum who also didn’t see this result in a scan, perhaps it’s just a settings thing. When I tested, it was a clean PC with a default install of CIS, no settings changed, likewise Avast, apart from the scan settings. I can reproduce this result every time.

More interesting to me is the mixed scan results between D+ disabled, enabled and then disabled again.

I made the scan just after booting the computer and was disconnected from the net. Comodo’s files were of course not in the exception for this scan. I’ll do the scan with the connection on and see if I get the alert. If yes, chances are that the cloud scanner is the explanation.

The problem is caused by the Comodo Cloud: the virus signatures are loaded into “cmdagent.exe”. The problem isn’t caused by Avast and it is not an FP; Avast is simply saying the virus signatures shouldn’t be loaded into memory, which is triggered in “cmdagent.exe” by the Comodo Cloud. All I’m saying is, if you just turn off the cloud feature, the virus signatures don’t get loaded into “cmdagent.exe” when Avast scans the memory and detects what is caused in “cmdagent.exe” by the Comodo Cloud. I did this Avast scan test long ago, before v5.4 came out, because the virus signatures are loaded into “cmdagent.exe” when Avast picked it up.

If you turn off the cloud feature it doesn’t show up in the Avast scan, and besides, you don’t need Comodo cloud and sandbox when Avast free does almost the same job. Avast has 8 shields, including Autosandbox; otherwise this is complete overkill, having too many features running together with Comodo FW and Avast. I’m not wasting your time and I’m not lying; all you need is only Comodo FW/D+, nothing else.

It actually makes no difference if the cloud options are enabled or disabled in CIS. Remember the cloud options are enabled on a default install, they’re also active, regardless if D+ is enabled or not.

Well, just made a new scan with connection on. Avast still doesn’t flag cmdagent.exe.

Cloud scanning is enabled, Def+ in parano mode, proactive config, all execution control and monitoring settings active, sandbox enabled.

> The problem is caused by the Comodo Cloud: the virus signatures are loaded into “cmdagent.exe”. The problem isn’t caused by Avast and it is not an FP; Avast is simply saying the virus signatures shouldn’t be loaded into memory, which is triggered in “cmdagent.exe” by the Comodo Cloud. All I’m saying is, if you just turn off the cloud feature, the virus signatures don’t get loaded into “cmdagent.exe” when Avast scans the memory and detects what is caused in “cmdagent.exe” by the Comodo Cloud. I did this Avast scan test long ago, before v5.4 came out, because the virus signatures are loaded into “cmdagent.exe” when Avast picked it up.

I don’t buy this either. MBAM Pro doesn’t do cloud scanning and it shows many more encrypted signatures from an Avast memory scan.

I still believe that both Comodo and MBAM Pro are scanning at boot time using these signatures and they are left in memory as a result of that process. The question is if this is desirable or not. However, this does not explain why some people do not see these residual signatures as a result of an Avast memory scan. Best theory in that area: these individuals have some type of memory wipe process running - known or unknown?

As Radaghast proved, the signatures can remain in memory even after a boot. However, this might occur because of that memory drain down issue where memory takes a certain period of time to fully discharge after power has been removed.

Boris, if you haven’t got a spare PC to play with, if you get a chance, would you mind performing the same test in a VM. Just load CIS with defaults, but no AV or Geekbuddy, and just Avast with a custom memory scan.

No worries if you haven’t got the time, I’m only curious…

Radaghast,

Just done what you asked. Fresh install of only FW with default settings (downloader 32bits) and last version of avast free. cmdagent.exe is still not caught by memory scan. (this time win defender was not installed nor another real time scanner).

Here’s another idea.

Maybe something to do with the amount of memory you have? I have 8 GB. Win 7 only uses a portion of that and allocates the excess to my video card extended memory for some reason, although my card has 1 GB DDR3 memory. Is it possible those unencrypted signatures are resident in video card memory and that is what Avast memory scanner is detecting?

BTW - I use other anti-malware that scans memory. None has reported anything found.
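
The explanation offered in the thread, that a signature-based memory scan flags another security product when that product keeps its own signature data unencrypted in memory, can be modelled in a few lines. This is an added illustration, not part of the original posts and not code from Avast, Comodo or any other product named here; the process names, pattern bytes and the single-byte XOR mask are constructed assumptions, and it assumes the two products share some patterns.

```python
from dataclasses import dataclass

# Constructed placeholder patterns standing in for a scanner's detection
# signatures. They are not real malware signatures.
SCANNER_PATTERNS = {
    "Test.Sig.A": b"--constructed-pattern-A--",
    "Test.Sig.B": b"--constructed-pattern-B--",
}

@dataclass
class Region:
    owner: str   # hypothetical process that owns the buffer
    data: bytes  # bytes as they sit in that process's memory

def xor_mask(blob: bytes, key: int = 0x5A) -> bytes:
    """Single-byte XOR: only models 'not stored verbatim', it is not encryption."""
    return bytes(b ^ key for b in blob)

def load_signature_db(patterns: dict, masked: bool) -> bytes:
    """Model another product loading an overlapping signature set into its memory."""
    blob = b"\x00".join(patterns.values())
    return xor_mask(blob) if masked else blob

def memory_scan(regions, patterns):
    """Naive scanner: report (owner, signature) when a pattern occurs verbatim."""
    hits = []
    for region in regions:
        for name, pattern in patterns.items():
            if pattern in region.data:
                hits.append((region.owner, name))
    return hits

def demo():
    """Scan the same hypothetical process with plaintext and with masked signature data."""
    clean = Region("editor.exe", b"ordinary application data")
    plain = Region("product_a.exe",
                   b"heap:" + load_signature_db(SCANNER_PATTERNS, masked=False))
    masked = Region("product_a.exe",
                    b"heap:" + load_signature_db(SCANNER_PATTERNS, masked=True))
    return (memory_scan([plain, clean], SCANNER_PATTERNS),
            memory_scan([masked, clean], SCANNER_PATTERNS))

if __name__ == "__main__":
    plain_hits, masked_hits = demo()
    print("plaintext signature data:", plain_hits)
    print("masked signature data:   ", masked_hits)
```

In this model the alert names the process that holds the pattern bytes, which is why a hit of this kind says nothing by itself about whether that process is malicious.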