Thanks to CIS I won a battle with Fake AV

Yesterday I was surfing the web when the Microsoft yellow shield appeared on my desktop telling me I had an update. Trusting Microsoft, I accepted the update. Minutes later many software windows appeared on my screen telling me that I was full of viruses and trojans and offering me a way (US$) to clean up all this malware. I thought it was odd because CIS never gave me any alert.

I started to examine these windows and couldn’t find any Microsoft logo, and tried to close them but they kept appearing, so I concluded it was a Fake AV. Then I tried the usual stuff: stop new processes and delete files, but couldn’t do anything from Windows. Then I opened COMODO CIS Defense+ and took a look at the active processes list, finding two new ones that weren’t signed and had weird names, so I decided to stop and block these processes, gaining control of my laptop again; all the windows telling me I was infected stopped. Then in the CIS Defense+ unrecognized files menu I searched for and deleted all the weird files and ran a scan, finding my laptop as it should be: Clean.

Thanks guys and keep up the good work. I know some people that couldn’t get rid of this Fake AV, so they ended up formatting the PC and installing everything again.

Did CIS prompt you with “unknown program that has no digital signature wants unlimited access to your computer”?
Did you select Allow or Sandbox?

Note that if you had restarted your PC the fake AV would have been gone.
It’s because of autosandboxing. It wouldn’t add itself to the autostart entries.

@up
Or as GakunGak said.
It depends on whether this was an installer or not.

Yes CIS asked me if I wanted to grant full access to a program signed by Microsoft and I clicked yes.

Yesterday afternoon I received an email from Sophos talking about Fake AV installing on machines as Windows Updates.

Wow, that’s strange :stuck_out_tongue:

It’s better to click “Sandbox” if you are unsure.

Hi jigauno,

In case you quarantined the files, it is possible to send them to the lab via Comodo Antivirus Database | Submit Files for Malware Analysis.

You mentioned CIS showed an alert that the application was signed by Microsoft. Had it been signed by Microsoft, CIS might not have raised an alert, as it considers Microsoft-signed apps safe.

It would be great if you could get the files for us for further investigation.

Thanks
-umesh

It was probably unsigned but using the ‘Microsoft’ name to pose as a real MS file.

Can you please verify the CIS logging for ‘Alerts Displayed’? This should contain the full text shown in the alert, and could also provide details about the names used etc.

You can get to the logging by going to Defense+, View Defense+ Events, pressing the More button and then on the left menu selecting ‘Alerts Displayed’. Please try to find the elevated privileges alert and paste the results for ‘description and advice’ here.

It was probably something like “Although this application was signed by Microsoft, it is not being whitelisted by Comodo yet”…, something like that :wink:

Dear Ronny and umesh:

Sadly I erased all the files so I can’t submit them, but looking at Defense+ Events I can tell you their names:

uxlhsb.exe
ex-08.exe
ex-68.exe
test.exe
exec.exe

Hope this list helps.

regards,

jiga.

No worries, files are autosubmitted anyway, so they probably got it somewhere on Comodo servers being analyzed by CIMA and other stuff :-TU :wink:

Can you please try to find these?
Names are a problem because 9 out of 10 times they are ‘random’.

Please find attached the alert to this post.

[attachment deleted by admin]

This is nasty: shell32.dll was abused to load the malware. And the alert shows it’s signed but not whitelisted by Comodo.

What makes me wonder: you said you did allow the alert to run unlimited?
The log file shows its action was ‘Time-out’, which would not have allowed it to run unlimited.
Unanswered alerts are always ‘deny’.

Can you please verify if there are more alerts if you press the ‘Entire period’ button on the top menu?

Defense+ view processes kill & block is an awesome feature. :slight_smile: You send ’em straight to prison!

Josh

Microsoft Windows Component Publisher is in the TVL…
I must admit, I would have been fooled too…

Indeed! Any chance of “hide safe processes” like in killswitch? :wink: :-TU

This makes me think: is it better to untick the option ‘run installer outside the sandbox’ for average users? Looking at the alert description, I too would have allowed it 100% as it says it’s signed by Microsoft.

Thanxx
Naren

Yes, we are thinking about putting our KillSwitch into CIS…

Don’t think too much!
Just put it in… ;D

Here is where an advanced user of CIS differentiates himself. Myself, I know that anything from Microsoft is already in the TVL or cloud white list, so I would think: why is this process asking for unlimited rights, and why is CIS even telling me it wants them, when I know everything by MS is already signed?

This is a main reason why I set CIS to block using the sandbox and suppress alerts for novice users.

It would be nice to add it into “view active processes”; obviously, as mentioned, it’s already got the kill and block feature and add process to trusted files. So adding KillSwitch functionality into it would be a bonus.

Josh
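The point raised above (a process claiming to be from Microsoft should be judged by its actual certificate, not by its displayed name) can be checked from an elevated PowerShell prompt. This is an added example, not code from the thread or from Comodo; the allow-list of signer subjects is an assumption you should adjust to your own environment.

```powershell
# Added example: list running processes whose image is not validly
# Authenticode-signed, or whose signer is not on a small allow-list, so a
# "Microsoft update" can be checked against its real certificate chain.
# Assumption: signer subjects containing this string are trusted.
$trustedSigners = @('O=Microsoft Corporation')

Get-Process |
    Where-Object { $_.Path } |                  # skip processes whose image path is not readable
    Sort-Object -Property Path -Unique |        # one row per executable, not per instance
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
        $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Trusted only if the signature chain validates AND the signer is allow-listed.
        # A name like "Microsoft" in the file's own metadata is deliberately ignored.
        $signerOk  = [bool]($trustedSigners | Where-Object { $subject -like "*$_*" })
        $isTrusted = ($sig -and $sig.Status -eq 'Valid') -and $signerOk

        # Files running from user-writable locations deserve a closer look.
        $userWritable = $_.Path -like "$env:TEMP*" -or $_.Path -like "$env:APPDATA*"

        [pscustomobject]@{
            Name         = $_.ProcessName
            Path         = $_.Path
            SigStatus    = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer       = $subject
            UserWritable = $userWritable
            Suspect      = -not $isTrusted
        }
    } |
    Where-Object { $_.Suspect } |
    Sort-Object -Property UserWritable -Descending |
    Format-Table -AutoSize
```

Unsigned third-party software will also appear in the output, so treat the list as a starting point for review rather than a verdict; the combination of an invalid or missing signature and a user-writable path is the row to examine first.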