Safe File MRT.exe Treated as Unrecognized

Microsoft Malicious Removal Tool (MRT.exe) is treated as “Unrecognized” despite being rated as “Trusted” in local host File Rating database.

C:\Windows\System32\MRT.exe 122905848KB 2/26/2015 21:14:44 MD5 000A77BDB94C42A90137E8368D3A47AA

Cannot submit larger %windir% files due to file size limit when submitting files to Comodo.

Limit should be removed\excepted for any Microsoft digitally signed files from System32 and SysWOW64 paths.

Can you reproduce the problem & if so how reliably?:

Yes. Reproducible every time - at will.

If you can, exact steps to reproduce. If not, exactly what you did & what happened:

1: Configure CIS for anti-executable\default-deny using the following settings:

A. Security Settings > File Rating > File Rating Settings > De-select “Trust applications signed by Trusted Vendors.”
B. Security Settings > File Rating > File Rating Settings > De-select “Trust files installed by Trusted installers.”
C. Security Settings > Defense+ > Auto-sandbox > Create rule as follows: Block - All Applications - Unrecognized

When MRT.exe attempts to write to C:\Windows\debug\mrt.log or create a new folder C:\Windows\Temp\MPGEAR.DLL it will generate an “Unrecognized” HIPS alert. Also, when MRT.exe attempts to connect to the network it will generate an “Unrecognized” firewall alert.

This can easily be verified by the following steps:

1: Open cmd.exe
2: Type MRT.exe
3: Enter

One or two sentences explaining what actually happened:

Microsoft Malicious Removal Tool (MRT.exe) is a “Safe” application. When it performs its legitimate duties on the system, CIS treats it as “Unrecognized.” This results in erroneous HIPS and firewall alerts.

One or two sentences explaining what you expected to happen:

I did not expect any CIS alerts for Microsoft Malicious Removal Tool (MRT.exe) as it is a “Safe” system application.

If a software compatibility problem have you tried the advice to make programs work with CIS?:

Not Applicable.

Any software except CIS/OS involved? If so - name, & exact version:

None.

Any other information, eg your guess at the cause, how you tried to fix it etc:

I fixed the issue by creating both HIPS and firewall “Windows System Application” rules for MRT.exe.

B. YOUR SETUP
Exact CIS version & configuration:

CIS 8.0.2.4058 - Proactive Protection

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:

D+\HIPS, Autosandbox\BBlocker, Firewall & AV; All

Have you made any other changes to the default config? (egs here.):

Yes. CIS configuration attached.

NOTE: Issue not configuration related; I tried different configuration\settings - it did not correct issue.

THE ISSUE IS NOT SYSTEM DEPENDENT; I have tried on different machines - Intel, AMD, i3, i5, A8, A10, desktop, laptop.

Have you updated (without uninstall) from CIS 5, 6 or 7?:

No.

If so, have you tried a clean reinstall - if not please do?:

Not Applicable.

Have you imported a config from a previous version of CIS:

No.

If so, have you tried a standard config - if not please do:

Yes. Issue is independent of configuration\settings.

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:

Windows 8.1 x86-64 OEM (Toshiba\AMD), “Always notify,” Administrator, No VM used.

NOTE: CLEAN INSTALL Windows 8.1, < 1 week. No “bloat\crapware” installed.

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:

a=None b=None

C. ATTACH REQUIRED FILES
A. CIS configuration.
B. Screenshots.
C. Logs.

[attachment deleted by admin]

This reported issue with MRT.exe appears to be fixed after recent updates.

Please move report to “Outdated\Resolved.”

Thank You,

HJLBX

Moved back on request.

Thanks.

The default-deny settings required to reliably reproduce the issue have been appended to the initial report.

Best Regards,

HJLBX

On my Intel system the identical issue occurs with Windows Defender commandline utility: MdCmdRun.exe

System32\dllhost.exe
SysWOW64\dllhost.exe

Other Windows system files after Windows updates.

Best Regards,

HJLBX

Hi,
This is a normal phenomenon. When you de-select "Trust applications signed by Trusted Vendors" and "Trust files installed by Trusted installers", CIS will believe that all software is unrecognized, so the exe will be blocked.

If that were the case then my system would be unbootable… since CIS would block all Trusted software - including all OS files required to run the system.

I think those settings are not supposed to be applied to any file rated as “Trusted” and included on CIS’ local File List.

Best Regards,

HJLBX

Hi,
If you remove all files from the file list, click OK, and then run some apps, this time when you view the file list you will find these apps are recognized as unrecognized.
Regards
Flykite

Hi Guys,
I kind of think with this scenario a lot of other factors may take place behind the scenes.
MRT.exe requires high privileges with great ability to manipulate files and other actions.
Due to its capabilities and actions, I imagine it could be regarded as malware type behaviour by heuristics which could be overriding the trusted status.
I do not use MRT so I am not sure of its actions; when it runs it may even be creating another temporary MRT.exe for all I know.
Just my thoughts.

Kind regards.

Hello All,

If you configure CIS as I have explained in my original post, you will find that CIS will block only a few files that are digitally signed by vendors on the TVL. Also, the behavior is system specific.

I do not use MRT.exe, but it still updates in the background. CIS blocks these actions until allow rules are created.

The core problem is this…

CIS should never block any file:

  • digitally signed by a TVL vendor; and
  • rated as Trusted on the local system File List

If a file is rated as Trusted by Admin, User or Cloud - and is in local database - then changing global settings should not cause CIS to block it.

MRT.exe is rated as a Trusted file… both locally and in the cloud… but CIS keeps detecting it as Unrecognized.

I have tested this over and over and over…

The settings I outlined cause CIS to detect only a few digitally signed TVL files as Unrecognized… and it is the same ones repeatedly and consistently within AMD\Intel platforms. However, different digitally signed TVL files are blocked on AMD versus Intel systems.

IF the settings were designed to treat all digitally signed TVL files as Unrecognized then it should be the same across both AMD and Intel platforms - which it is not.

It is nothing but a quirk that can cause confusion.

Best Regards,

HJLBX

You did not disable the cloud look up. You will get “leak” from the cloud. This leak may also explain the system specific differences.

If I disable or enable Cloud query the result is the same… MRT.exe is blocked; CIS is treating MRT.exe as Unrecognized.

MRT.exe is published by Microsoft and digitally signed - so CIS should not block it regardless of the settings.

Best Regards,

HJLBX

Looks like another instance of this bug https://forums.comodo.com/format-verified-issue-reports-cis/large-applications-request-unlimited-access-regardless-of-rating-m1467-t110725.0.html: as MRT.exe is 120MB big, it is still treated as unknown/installer even when it is defined as trusted in the local file list. So this has nothing to do with changing the setting "Trust applications signed by Trusted Vendors".
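As an added check (not part of the thread or of Comodo's software), this PowerShell snippet gathers the facts the original report and the linked large-file bug turn on for a single file: its Authenticode signer, its MD5 compared with the value quoted in the report, and whether it falls into the large-file class. The 100 MB threshold is an assumption for illustration; the thread gives no exact limit.

```powershell
# Added example: verify the trust facts behind the report for one executable.
# Assumptions: the file exists locally; the 100 MB cut-off is illustrative only.
param(
    [string]$Path = "$env:windir\System32\MRT.exe",
    [string]$ExpectedMd5 = '000A77BDB94C42A90137E8368D3A47AA',  # MD5 quoted in the report
    [long]$LargeFileBytes = 100MB                                # assumed large-file threshold
)

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

# Authenticode signature: Status is 'Valid' only if the signature chain checks out.
$sig  = Get-AuthenticodeSignature -FilePath $Path
# MD5 is used here solely to compare against the hash the reporter posted.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
$size = (Get-Item -LiteralPath $Path).Length

$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

[pscustomobject]@{
    Path              = $Path
    SizeBytes         = $size
    IsLargeFile       = $size -ge $LargeFileBytes
    SignatureStatus   = $sig.Status
    Signer            = $signer
    SignedByMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
    Md5               = $hash
    Md5MatchesReport  = $hash -eq $ExpectedMd5.ToUpperInvariant()
} | Format-List
```

A file that shows SignedByMicrosoft = True and IsLargeFile = True reproduces the combination the thread describes (signed and trusted, yet handled by the size-dependent code path); a mismatched MD5 simply means a newer MRT build than the one in the 2015 report.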

Probably a duplicate of Bug 1467.
I think it’s better to move this one to “Resolved” section for now. @hjlbx, do you agree?

Thanks.

Hello qmarius,

I agree - even if it is not precisely the identical issue - as I think all the File Rating system issues are closely related.

Best we can do is make Comodo aware of it…

Best Regards,

HJLBX

I will link your report.

Moving this one to “Resolved” section.
Thank you.