Silently quarantining items when AV disabled?

Product Version: 4.0.141842.828

I was converting some archives that I had by decompressing them to a folder then recompressing them as a different archive. At the end of the compression process, my archive program would give a warning that one of the files it tried to compress was missing. Indeed when I looked at the path, the file was missing. I decompressed the original archive and obtained the missing file again. Once again, I tried creating a new archive and had the same problem.

I had to use ProcMon to find out that it was cmdagent that was moving the file to a quarantine location. Looking at the Quarantined Items page, I saw three instances of my missing file described as “UnclassifiedMalware” with no number.

That’s not the issue here. My Virus Scanner Settings show Real Time Scanning to be “Disabled”, Automatically quarantine threats found during scanning is “unchecked”, and Show alerts/notification messages is “checked”. So why is it that COMODO is scanning my files, quarantining my files automatically and not asking me if it should do so with an alert? I’m absolutely baffled as to how this is logically happening. Any of those three settings should have made this scenario impossible.

That doesn’t sound right to me. Is this a clean installation of CIS?

OS: Windows 7, 64-bit

It previously had a copy of COMODO 3.x which had to be uninstalled since you can’t upgrade to 4.x. I did not import a configuration export from the 3.x version.

Under the Antivirus Events, it shows as Malware Name: UnclassifiedMalware; Action: Quarantine; Status: Success.
Under the Defense+ Events, it shows as Flags: Sandboxed As, Scanned Online and Found Safe, Scanned Online and Found Malicious, Safe; Target: (Blank)

Despite the Defense+ logs (very oddly) having multiple flags, it shows that perhaps it was Defense+ that triggered something. Defense+ isn’t really in the business of randomly scanning files however.

The only half-logical explanation I could come up with was that SuperFetch was somehow causing it. SuperFetch probably noticed that the archiver had touched the file or noticed that the archiver was iterating through the files of a particular folder and decided to cache them all to RAM. AV still shouldn’t have done anything because active scanning is off. However SuperFetch also has a habit of pseudo executing files that it can, looking for references to other files to cache. This suspect file was a DLL, which is something SuperFetch would indeed try to “execute”. I remember getting a ton of alerts from COMODO 3.x during idle times when SuperFetch would try to execute a dozen random files on my system.

Would SuperFetch trying to execute these files, thus Defense+ checking the file against its local database cause AV to also scan the file… and because of the indirect method of AV being passed the file (not being from the Real Time Scanner), ignore the Real Time Scanner options and do everything silently?