Software mistakenly identified as Malware

The installers available through the following URLs are being falsely labeled by CIS as Malware@#1jm0mzwgei74s

http://www.buzzdock.com/download/BuzzdockSetup-o.exe

download.pagerage.com/PageRageFFSetup.exe
www.overapps.com/downloadsites/overappssetup.exe
download.bestvideodownloader.com\BestVideoDownloaderSetup.exe

I began contacting cisquestions back in early December 2011, but have not received correspondence in almost three weeks. The reason I received for the block was that YontooSetup-Silent.exe was installing in the background and was not mentioned in the product’s EULAs. Yontoo is the platform from which these products run and the picture below shows how much it is mentioned in the EULA.

Although the issue is still open through PBJ-434675, I have gotten very jealous of the turnaround time I am reading about in these forums. Would you mind looking into this for me?

http://content.screencast.com/users/brandonmccormick/folders/Jing/media/06b9f994-6293-493a-a903-b3633d89c947/2011-12-20_1013.png

Hello brandon.mccormick,

Thank you for your submission. We’ll check it and get back to you soon.

Best regards,
FlorinG

Hi brandon.mccormick,

This is to inform you that the false-positive has been fixed.
You can update to AV database Version <11200> of Comodo Internet Security Version <5.9.219863.2196> and confirm it.

Regards,
Ponmalar.S

You guys are awesome for getting back to me so quickly! Unfortunately, after my update to that definition number, all of the installers available through the URLs in my first post are still being labeled as malware during install. Below is a picture of one of the blocks if that helps:

http://content.screencast.com/users/ninjaboonbab/folders/Jing/media/01933d96-5190-4661-a847-468878879c1b/2012-01-06_0825.png

Thanks again!

Hello brandon.mccormick,

We’ll check this one also and get back to you.

Best regards,
FlorinG

Hi brandon.mccormick,

This is to inform you that the false-positive has been fixed.
You can update to AV database Version <11205> of Comodo Internet Security Version <5.9.219863.2196> and confirm it.

Regards,
Ponmalar.S

After I confirmed that I was upgraded to the virus definition you mentioned, I am still seeing the block across the installers available through all of the URLs mentioned in my first post. From my understanding, the file causing the problem is a silent installer from Yontoo, the platform, that runs in the background. Here is a picture of the persisting block:

http://content.screencast.com/users/brandonmccormick/folders/Jing/media/b888d096-8654-4d7a-9ac3-2c6f58d73b00/2012-01-07_0904.png

If there is any more information I could provide you to resolve the blocks, I would be more than happy!

Hi brandon.mccormick,

Sorry for the inconvenience. That false-positive has been fixed.
You can update to AV database Version <11233> of Comodo Internet Security Version <5.9.219863.2196> and confirm it.

Regards,
Ponmalar.S

You guys are kicking ■■■■ with all of this. I am very sorry that the blocks seem to be so complicated. I updated to the newest definition number and verified that it is what you listed. I am getting a very strange error now, which still brings up the block screen labeling the installer as malware, but the product install only fails in Internet Explorer. Here is a screenshot:

http://content.screencast.com/users/brandonmccormick/folders/Jing/media/f118de30-7945-4e61-b72f-dc782873cda5/2012-01-10_0945.png

The file now being blocked seems to be YontooIEClient.dll, which would explain why the install is failing in IE.
Would you guys mind looking into this?

Comodo ROCKS!

Hello brandon.mccormick,

We’ll check this one also and get back to you soon.

Best regards,
FlorinG

Hello,

This False Positive has been fixed. You can check with virus signature database version 11244 and confirm.

Best regards,
FlorinG

I have already verified this morning that the suite of products is completely unblocked ;D! I will now take a trip over to the whitelist board and see if I can’t get cracking on that. It has been a pleasure working with you guys on the forums, and I hope I get the chance to talk to you guys again!

GRRRRRRRR.
More in-depth investigation showed a couple of blocks on files that were un-blocked for the other installers.
For the installers available through
http://download.yontoo.com/YontooSetup.exe
and
download.pagerage.com/PageRageIESetup.exe
the YontooIEClient.dll is blocked as malware

http://content.screencast.com/users/brandonmccormick/folders/Jing/media/aec4b34d-f2e7-4730-ada4-9769f13d33b6/2012-01-11_1253.png

And the installer available through
http://www.buzzdock.com/Pages/Download_Firefox.aspx
has YontooSetup-Silent.exe blocked as Heur.Suspicious

http://content.screencast.com/users/brandonmccormick/folders/Jing/media/63fb6b39-d715-469e-a303-ba66bb609a36/2012-01-11_1247.png

Hopefully this fixes it for good!

I have submitted these installers to be whitelisted on the appropriate forum. Until they get back to me, I am curious why just 2 days after nearly all of them were unblocked, they are blocked again?

Pagerage: http://screencast.com/t/X3a0c1C9ySI
DropDownDeals: http://screencast.com/t/WEDlSmFa83
Buzzdock: http://screencast.com/t/URbWlskkw9
Overapps: http://screencast.com/t/cqNDj4BpJ
BestVideoDownloader: http://screencast.com/t/1CVFBOkJN7i
Freetwittube: http://screencast.com/t/IWxJZWT2DDWS
Ezlooker: http://screencast.com/t/j98swtvxW

The file being detected in each case is YontooIEClient.dll. Nobody from the whitelist crew has gotten back to me yet, and I would like to ensure that as many users as possible can access these installers in the meantime. I have two questions for you:

    1. Would you please unblock YontooIEClient.dll?
    2. More for my curiosity, why did this file get re-detected and reblocked?

Thanks COMODO!

If the YontooIEClient.dll changes on a regular basis then it may get detected each time it gets updated.

I have had a difficult time communicating with anyone in the Whitelist forum. So, I would appreciate it if we could continue addressing the issues here.

The installers available through the following URLs have the file “YontooSetup-Silent.exe” blocked as malware. Yontoo is the platform from which these programs run.

Mod Edit: Please note, these are direct download links.

Buzzdock
Overapps
BestVideoDownloader
EZlooker
Contenko

Thank you very much for your help!

Mod Edit: Section 8, item 10 of the Forum Policy states that direct download links must be labeled as such. In the future, please make this distinction. Thanks!