Today, I’ve been repeatedly getting the attached rinti.exe sandboxed warning, which I’ve blocked every time except a couple, when I didn’t get to it in time. I thought blocking would be the end of it, but obviously not. Why is it repeating? I haven’t seen it before and a search doesn’t turn up any solid info about it. Thanks,

When you didn’t catch it in time it will be blocked; it is the default deny principle of CIS.

To see the Properties of the file click on the name of the file, rinti.exe in your case, in the D+ alert. That may help to further determine what the file is.

It is possibly adware: Malware scan of rinti.exe 2873eba99aa10aeae2f68aaf89d920f24d393eab - herdProtect. Try uploading it to Virus Total and see what the scanners there tell us and leave the url to the report.

I also saw the link you posted, but it seemed questionable because there are no other sites so definite about rinti.exe and the result of following the link is a security program install - and apparently not a very good one from the reviews.

Not sure what you mean by clicking on it in the D+ alert. Just clicking on the popup shows it’s not signed. Here are the results in VirusTotal: VirusTotal. It seems the vast majority of programs consider it ok. Under the file detail tab… “The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.” The file itself sets up in \Users…\Roaming\ with a folder name like f0qJ381CFQ.

The two files on Herd Protect and Virus Total have different file hashes so they are different files. The file at Herd Protect was submitted on March 18, whereas yours was submitted one day ago.

It is suspicious that it is executed from a Roaming folder. Maybe the file changes and will then get sandboxed again. See if resubmitting it today brings the scanners at VT to a different opinion.

Thanks. I reanalyzed it but nothing changed yet: VirusTotal.

Do you know what this program is? In case of doubt I would try to uninstall it, assuming it has an installer. I am always wary of unknown programs installed in the AppData folders. It’s a popular hangout for malware as it allows it to duck under the radar.

I have no idea what program it’s associated with and a Google search doesn’t help. It’s unsigned and no known vendor.

Make a copy of it and then delete it. If a program malfunctions, that’s probably the one that it’s associated with. You can always put it back from your copy if needed.

I already deleted it earlier today. No Comodo warnings since.

You know, seeing how that is a sandbox elevation alert, you could view the file properties in the CIS file list, especially if you have file source tracking enabled for the sandbox, as the file list info will tell you where the executable came from and what application created it. I would also run Autoruns from Sysinternals to find any references to the file that caused the repeated execution alerts, as it probably was being invoked by a scheduled task.
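The scheduled-task check suggested above can also be done with the built-in ScheduledTasks cmdlets. This is an added example, not part of the original thread and not a Comodo or Sysinternals tool; the `*\AppData\Roaming\*` filter is an assumption taken from the path reported in this thread.

```powershell
# Added example: list scheduled tasks whose action launches a program from a
# user's AppData\Roaming folder, and show whether the target still exists
# and whether it carries a valid Authenticode signature.
$pattern = '*\AppData\Roaming\*'   # assumption: location reported in this thread

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only "start a program" actions have an Execute property;
        # COM handler actions return nothing here and are skipped.
        if (-not $action.Execute) { continue }

        # Task actions may store quoted paths or %APPDATA%-style variables.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if ($exe -notlike $pattern) { continue }

        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $sig = if ($exists) {
            (Get-AuthenticodeSignature -LiteralPath $exe).Status
        } else {
            'n/a'   # file already deleted; the task entry is left behind
        }

        [pscustomobject]@{
            TaskPath   = $task.TaskPath
            TaskName   = $task.TaskName
            State      = $task.State
            Execute    = $exe
            Arguments  = $action.Arguments
            FileExists = $exists
            Signature  = $sig
        }
    }
} | Format-List
```

Run it from an elevated PowerShell prompt so tasks belonging to other accounts are included. A row with `FileExists : False` is the same kind of leftover entry that Autoruns reports as "File not found"; after review it can be removed with `Unregister-ScheduledTask`.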

From autoruns:
\Hubsy File not found: C:\Users\Gene\AppData\Roaming\f0qJ381CFQ\rinti.exe

A search didn’t find anything about hubsy. In Sandbox, the Sources screen is empty, if that’s where to look.

Under File rating settings choose File list and find the file in question, then right click on the file entry and select file details, a window will pop up that displays some details about the file. Look for Origin and Created by, see here for more info: https://help.comodo.com/topic-72-1-623-8441-File-List.html#file_list_details

It’s not there.