Trojan bypassed Firewall adding many Allow rules

Hi, an unknown program (mostly a trojan/virus) bypassed the firewall and automatically added many “Allow rules” to the firewall. I only realised this when my antivirus detected and quarantined the trojan.

  • I use Custom Policy for Comodo Firewall, & it is not password protected.

If there is any way to help improve Comodo Firewall by supplying more information, I’m waiting for your response. Thx.

Can you provide a little more detail, such as the name of the malware and which rules it created? Also, do you still have the log files for the firewall and D+, if you use it?

In Firewall:

App Path: AppData\Local\Temp\is-AD555.tmp\OCSetupHlp.dll

It copied itself to 4 different paths where only the is-AD555.tmp part changes.

These 2 rules were created:
Allow Tcp Out to 204.232.180.209 Destination Port 80
Allow Tcp Out to 72.21.211.171 Destination Port 80

I use both Firewall & D+, but I don’t think either Firewall or D+ detected the trojan.

  • What’s the location where I can find the last log file for the Firewall or D+?

I use MSE 2.0 as AV.

It says the trojan is quarantined & named: Trojan:Win32/Orsam!rts
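The rules the poster lists are outbound Allow entries granted to a DLL running out of an installer temp directory, which is exactly the kind of entry worth auditing after an incident like this. Below is an added example (not from the thread or from Comodo) that parses rule lines in the format quoted above and flags outbound Allow rules whose application path sits under a `Temp\is-XXXXX.tmp\` directory; the sample rule list is constructed, with only the two quoted rules and the Temp path taken from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of per-application firewall rules (application path,
# rule text). The two Temp-path rules mirror the ones quoted in the thread;
# the other entries are made up for contrast.
SAMPLE_RULES: List[Tuple[str, str]] = [
    (r"C:\Users\me\AppData\Local\Temp\is-AD555.tmp\OCSetupHlp.dll",
     "Allow Tcp Out to 204.232.180.209 Destination Port 80"),
    (r"C:\Users\me\AppData\Local\Temp\is-AD555.tmp\OCSetupHlp.dll",
     "Allow Tcp Out to 72.21.211.171 Destination Port 80"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Allow Tcp Out to Any Destination Port 443"),
    (r"C:\Users\me\AppData\Local\Temp\is-1B2C3.tmp\OCSetupHlp.dll",
     "Block Tcp Out to 72.21.211.171 Destination Port 80"),
]

# One rule line in the form "Allow Tcp Out to <dst> Destination Port <port>".
RULE_RE = re.compile(
    r"^(?P<action>Allow|Block)\s+(?P<proto>\w+)\s+(?P<dir>In|Out)\s+to\s+"
    r"(?P<dst>\S+)\s+Destination Port\s+(?P<port>\d+|Any)$", re.IGNORECASE)

# Installer extraction directories: %TEMP%\is-XXXXX.tmp\ (the naming used by
# Inno Setup based installers, matching the paths in the thread).
TEMP_DIR_RE = re.compile(r"\\Temp\\is-[0-9A-Z]+\.tmp\\", re.IGNORECASE)


def parse_rule(text: str) -> Optional[Dict[str, str]]:
    """Split one rule line into its fields; None if it is not in the expected form."""
    m = RULE_RE.match(text.strip())
    return dict(m.groupdict()) if m else None


def is_suspicious(app_path: str, rule: Dict[str, str]) -> bool:
    """Outbound Allow granted to a binary living in an installer temp directory."""
    return (rule["action"].lower() == "allow"
            and rule["dir"].lower() == "out"
            and TEMP_DIR_RE.search(app_path) is not None)


def audit(rules: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (app_path, destination, port) for every rule that should be reviewed."""
    findings = []
    for app_path, text in rules:
        rule = parse_rule(text)
        if rule and is_suspicious(app_path, rule):
            findings.append((app_path, rule["dst"], rule["port"]))
    return findings


if __name__ == "__main__":
    for path, dst, port in audit(SAMPLE_RULES):
        print(f"review: {path} -> {dst}:{port}")
```

Pointing `SAMPLE_RULES` at an export of your own rule list turns this into a quick post-incident check for allow entries that an installer or its payload left behind.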

Logs ==> FW > view FW events
Def+ > view Def+ events

is-AD555 seems to be a channel on YouTube
204.232.180.209 ==> Rackspace Hosting
72.21.211.171 ==> Amazon.com

Do you use any software from OpenCandy Inc.?

ok sry for the bother, I figured it out. I actually ran a setup for a program, not from the original site, and it happened to contain a trojan.

If the trojan was in the installer of a program then your only chance is the AV picking it up. D+ won’t alert as you allowed the installer.

thx for the info.

Given the incident that happened, who wouldn’t feel better if an IDS module were added to Comodo Firewall? Why was the IDS removed from Comodo Firewall!? ???
An IDS can help improve network security. However, on its own it is incomplete.
I think it is better to have the module inside the firewall. Comodo Firewall with IDS & IPS would make it perfect. :110: