Security Tool Virus

Just wanted to say have been using Comodo for a while now and I have recommended it to my family but my mother-in-law had her computer infected by Security Tool Virus which seems to be pretty old by virus standards. Came out sometime in october of 2009. Was wondering why it wasn’t caught by Comodo? Is there a setting that I missed or something that I can change to prevent this from happening again. Not sure if this is the right forum to post.

Hello littledog,

Can you please tell us the following information about the “infected” computer:

[ol]- What version of CIS werre you using?

  • What are the firewall, defense plus, and antivirus settings of CIS?
  • Was the antivirus signature database up-to-date (if you happen to know which virus signature database number at the time of detection, please provide it)?
  • Did you have any other real-time protection running on the computer?
  • Which antimalware/antivirus scanner or scanners did you use to detect the “Security Tools Virus”. Was the virus detected by mulitple scanners? Did you scan the virus file using or, and if so, what were the results? [/ol]

There are a two possibilities why the CIS did not detect the “virus”:

The first possibility is that the is a virus, and Comodo did not detect it. If you still have the file (e.g. it is in quarantine), then you can submit the file to Comodo (they will analyze it, and if it is a virus, they will add it to the detections).

The second possibility is that the scanner that detected the file actually reported a false positive (i.e. the file is not malicious, but the scanner incorrectly reported it as malicious). If this was the case, then Comodo was correct and the other scanner was wrong.

Scanning the file with or can often help distinguish between the two scenarios described above. Anyhow, if you still have the file, submit it to Comodo using this webpage.


As said elsewhere in this forum this same day, Security Tool is not strictly speaking a virus, but a rogue.

It is downloaded from the user himself clicking a faked security link, and Comodo or other security softwares can’t help voluntary behavior from the user; moreover, and concerning comodo, the initial infection is downloaded to Temp Files, not monitored for content changes by defense+, and that is why the infection occurs.

Of course, Comodo shall detect it on the next scan, as can be checked at virustotal or similar, but the disinfection is a somewhat long procedure, involving manual disinfection or using Malware antibytes in safe mode.

I might make a mistake, but the only antivirus in these conditions is yourself: do not click on unsollicited links or popups; avoiding them when they hack a normal site (e.g. google) is more difficult, as one must be aware, before clicking, of the fake nature of the link: in the most common situation, these links have a php extension and random keywords making no sense, like “trojan” and soforth.