Yesterday I was surfing the web when the Microsoft yellow shield appeared on my desktop telling me I had an update. Trusting Microsoft, I accepted the update. Minutes later many software windows appeared on my screen telling me that I was full of viruses and trojans and offering me a way (US$) to clean up all this malware. I thought it was odd because CIS never gave me any alert.
I started to examine these windows and couldn't find any Microsoft logo, and tried to close them, but they kept appearing, so I concluded it was a Fake AV. Then I tried the usual stuff: stop new processes and delete files, but I couldn't do anything from Windows. Then I opened COMODO CIS Defense+ and took a look at the active processes list, finding two new ones that weren't signed and had weird names, so I decided to stop and block these processes, gaining control of my laptop again; all the windows telling me I was infected stopped. Then in the CIS Defense+ unrecognized files menu I searched for and deleted all the weird files and ran a scan, finding my laptop as it should be: Clean.
Thanks guys and keep up the good work. I know some people who couldn't get rid of this Fake AV, so they ended up formatting the PC and installing everything again.
You mentioned CIS showed an alert that the application was signed by Microsoft; had it been signed by Microsoft, CIS might not have raised an alert, as it considers Microsoft-signed apps safe.
It would be great if you could get the files for us for further investigation.
It was probably unsigned but using the 'Microsoft' name to pose as a real MS file.
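The check the original poster did by hand in the Defense+ active process list (which running images are unsigned, and which ones wear a Microsoft name without carrying a Microsoft signature) can be scripted. The following is an added example, not code from the thread or from Comodo; it assumes Windows PowerShell 5.1 or later, uses only the standard Get-Process, Get-Item and Get-AuthenticodeSignature cmdlets, and should be run from an elevated prompt so the executable path of every process is readable. The function name Get-SuspiciousProcessImages and the "claims Microsoft" heuristic are this example's own choices.

```powershell
# Added example (not from the thread): enumerate the executable images of running
# processes and flag those that are unsigned, have a broken signature, or claim
# "Microsoft" in their version info while the Authenticode signer is not Microsoft.
# A flagged image is a lead to investigate, not proof of infection.
function Get-SuspiciousProcessImages {
    # One entry per distinct image; processes without a readable Path (protected
    # or inaccessible when not elevated) are skipped rather than guessed at.
    $images = Get-Process |
        Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique

    foreach ($path in $images) {
        try {
            # Get-AuthenticodeSignature also honours catalog signatures on Windows 8
            # and later; on older Windows, catalog-signed system files may show as
            # NotSigned and produce false positives here.
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $info = (Get-Item -LiteralPath $path).VersionInfo
        } catch {
            continue   # file vanished or access denied; nothing to assess
        }

        $signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $claimsMS   = ($info.CompanyName -match 'Microsoft')
        $signedByMS = ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')

        $reasons = @()
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        }
        if ($claimsMS -and -not $signedByMS) {
            $reasons += 'version info claims Microsoft but image is not Microsoft-signed'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path    = $path
                Status  = $sig.Status
                Signer  = $signer
                Company = $info.CompanyName
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousProcessImages | Format-Table -AutoSize -Wrap
```

The subject check matches on the organisation field of the signing certificate rather than on the common name, because Microsoft signs under several CNs ("Microsoft Windows", "Microsoft Corporation", and so on) but the O= field is stable; a fake AV that merely puts "Microsoft" in its CompanyName resource will show up in the second reason while a genuinely unsigned dropper shows up in the first.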
Can you please check the CIS logging for 'Alerts Displayed'? This should contain the full text shown in the alert, which could also provide details about the names used, etc.
You can get to the logging by going to Defense+, View Defense+ Events, pressing the More button and then on the left menu selecting 'Alerts Displayed'. Please try to find the elevated privileges alert and paste the results for 'description and advice' here.
This is nasty: shell32.dll was abused to load the malware. And the alert shows it's signed but not whitelisted by Comodo.
What makes me wonder: you said you did allow the alert to run unlimited?
The log file shows its action was 'Time-out', which would not have allowed it to run unlimited.
Unanswered alerts are always ‘deny’.
Can you please check whether there are more alerts if you press the 'Entire period' button on the top menu?
This makes me think whether it is better to untick the option 'run installer outside the sandbox' for average users. Looking at the alert description, I too would have allowed it 100%, as it says it's signed by Microsoft.
Here is where an advanced user of CIS differentiates himself. Myself, I know that anything from Microsoft is already in the TVL or cloud whitelist, so I would think: why is this process asking for unlimited rights, and why is CIS even telling me it wants them, when I know everything by MS is already signed?
This is a main reason why I set CIS to block using the sandbox and suppress alerts for novice users.
It would be nice to add it into "view active processes"; obviously, as mentioned, it's already got the kill and block feature and 'add process to trusted files', so adding KillSwitch functionality into it would be a bonus.