Virus missed during scan

Dear friends

I have started using Comodo AV during version 2 Beta and now I am using CAV 3.8.65951.477.
Now things are really good, and I am optimistic that CAV will top eventually. In fact I was eagerly looking around av-comparative and av-test for reviews every quarter. I read in one of the threads that Melih is intending to participate somewhere in September 2009, which is really awesome.

Now there is a slight issue with a virus missed during scan. I did the following test.

[Step 1] I installed CCleaner, removed all temp files and fixed the registry.
[Step 2] I installed Avira 9 Personal and did a Full Scan, and it detected 5 malwares (1 in C:\Program Files, 4 in registry).
[Step 3] I left the virus intact, uninstalled Avira 9 and re-ran step 1.
[Step 4] I installed & updated CAV and did a Full Scan, and it detected 4 malwares (1 in C:\Program Files, 3 in registry).
[Step 5] While CAV was still there, I downloaded and installed Ad-Aware Anniversary Edition 8. I rebooted my laptop. Then I did an Ad-Aware update.
[Step 6] I did a manual update & reran CAV with a Full Scan, and it still detected only 4 malwares in the same location. I chose to remove the 4 infections this time.
[Step 7] Then I ran an Ad-Aware Full Scan, and to my surprise, CAV popped up an alert stating that it had detected an infection (the one in the registry that it had missed in Step 4 and Step 6).

Hmm what could have happened?

I have attached a screenshot of the popup in Step 7. My apology to the CAV team that I had submitted this as a suspicious file to you. I couldn’t find a way to stop the upload. Please forgive me on this.

[attachment deleted by admin]

Evening “bestfreeav”

My name is Jacob Kilgore,
I’m one of the Moderators here at Comodo Forums
I would like to try to solve your Issue as Quick as Possible

I Thank you for all your good comments :slight_smile:

Can you please post the information/steps & Screen shot in this topic

For the issue that it missed one,
I could only say or guess
It was because when scanning with Ad-Aware it scans whatever Ad-Aware scans, and it must have been when Ad-Aware scanned the “System Restore” or when the OS was creating a Restore Point, and that was when CAVS detected it

I couldn’t answer your question with fact because I really don’t know

Sorry :slight_smile:

- Jacob Kilgore
C-O-M-O-D-O Forum Moderator

Thank you Mr Jacob for your kindest quick response.

I would really want to make CAV a good AV by providing more accurate feedback.
(I hope CAV is forever free)

So I had turned off all my System Restore for my disks. Uninstalled Ad-Aware, and CAV. And I reinstalled Avira 9 Personal to do a full scan. After which I will post the result in the thread here. Then I will uninstall Avira & reinstall CAV to do a similar scan and post the result for your referral.

Dear Jacob and members

I did the following.

  1. Uninstall Ad-Aware Anniversary Edition

  2. Ensure that there are no other on-demand scanner onboard

  3. Uninstall CAV, Avira 9 Personal.

  4. Use CCleaner to remove all temp files & clean up the registry

  5. Disconnect from internet.

  6. Install Avira 9 Personal (updated already) and do a Full Scan. The result is in the attachment below. Avira detected several malwares in the email archives. I did not remove/repair/quarantine any of them.

  7. Uninstall Avira, and reboot.

  8. Redo Step 4.

  9. Install CAV 3.8.65951.477 (Virus Signature Database Version: 1084), and do a Full Scan. Result is also as attached. CAV did not detect the virus as Avira had. I have also attached the screenshot of my manual scanning settings for your referral.

I will uninstall CAV and install Avast 4.8 Home edition and do a Full Scan tomorrow. I will post the result back here again. I hope this aids Comodo in improving the system.

(Edit: File Removed; Please Follow Forum Policy; No Malware Uploaded On Public Boards)

Answer is very simple and easy.

In the default setting on Windows, you can’t access ‘System Volume Information’ for security reasons.
So you should change the folder access authority.
After that, you and the antivirus software can access that folder.
Then remove the infected file by yourself or let the antivirus delete it.
Also delete system restore files (if they still exist).

Have a nice day.

Hi Creasy

Thank you very much for attempting to answer my question, but you missed the point.

You said “you can’t access ‘System Volume Information’ for security reason”.
If you re-read my 1st post again, you will notice that CAV has detected 3 out of 4 malwares inside of the System Volume Information. So there is no reason why it can’t. The question is the 4th missed virus, where Avira managed to pick up but CAV missed.

As I have recommended my company to switch from Sophos to Avira, I would very much want to re-propose them a new antivirus - Comodo Anti-Virus. That is why I am very keen to improve CAV on my part as a home user.

Now referring back to my last post (the one before Creasy reply), I have attached a zip file but was removed. It’s alright - I will re-post it as picture & text in quote.

Avira AntiVir Personal Report file date: Wednesday, March 25, 2009 16:24

Scanning for 1315646 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CHRIS

Configuration settings for the scan:
Jobname…: Complete system scan
Configuration file…: c:\program files\avira\antivir desktop\sysscan.avp
Logging…: low
Primary action…: interactive
Secondary action…: ignore
Scan master boot sector…: on
Scan boot sector…: on
Boot sectors…: C:, D:, F:,
Process scan…: on
Scan registry…: on
Search for rootkits…: on
Integrity checking of system files…: off
Scan all files…: All files
Scan archives…: on
Recursion depth…: 20
Smart extensions…: on
Macro heuristic…: on
File heuristic…: medium

Start of the scan: Wednesday, March 25, 2009 16:24

Starting search for hidden objects.
‘38569’ objects were checked, ‘0’ hidden objects were found.

The scan of running processes will be started
25 processes with 25 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( ‘52’ files ).

Starting the file scan:

Begin scan in 'C:'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\hMailServer\Data\live.email.bak\tma34\01{0181A070-F101-48AB-A744-75415827BBAF}.eml
[0] Archive type: MIME
→ IPLOGS.zip
[1] Archive type: ZIP
→ IPLOGS.exe
[DETECTION] Is the TR/FraudPack.81408 Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\0A{0ACCA1E5-1DD6-4DE0-BCE6-E213A3C383C8}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\1B{1B0AAB3D-9142-40B0-B195-816D395EBAA9}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\24{24F79B7D-96DC-4D0E-836C-7DD5CCC2EB94}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\27{27374B15-E4E2-499F-AE40-CE0563D3C7F7}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\34{34258933-2880-494A-9599-7CBE1BCCE344}.eml
[0] Archive type: MIME
→ eTicket_K2.zip
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Worm.Gen)
→ eTicket_K2.doc.exe
[DETECTION] Contains recognition pattern of the WORM/Autorun.muu worm
C:\Program Files\hMailServer\Data\live.email.bak\tma34\49{49E4F6E1-5B04-4076-8A14-6E2071DE16C7}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\4C{4CA1FC32-3477-44A3-98D1-171272A08A2D}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\53{5354F5AA-2BBF-4292-8049-2FF8840D56F0}.eml
[0] Archive type: MIME
→ IPLOGS.zip
[1] Archive type: ZIP
→ IPLOGS.exe
[DETECTION] Is the TR/FraudPack.81408 Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\5C{5CAC09D1-2030-4482-9C19-8626B9E848E3}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\72{722FEADC-5478-41BE-AF24-B0554916272D}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\82{82AECFCE-67CD-49C7-BC72-9EBB0A4612B0}.eml
[0] Archive type: MIME
→ Contract_I2_9.2008.zip
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Worm.Gen)
→ Contract_I2_9.2008.doc.exe
[DETECTION] Contains recognition pattern of the WORM/Autorun.mwj worm
C:\Program Files\hMailServer\Data\live.email.bak\tma34\83{839585BE-4B7C-4BAD-B5EA-5C6B820A5080}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\83{83B21A18-8425-496C-9387-8D7D21BA8A97}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\86{860D1DF7-327C-4496-A598-8996919CD559}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\91{9171C4A1-C24A-440E-AE44-D9EE55E932FD}.eml
[0] Archive type: MIME
→ Fees_2008-2009.zip
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Worm.Gen)
→ Fees_2008-2009.doc.exe
[DETECTION] Contains recognition pattern of the WORM/Autorun.eqm worm
C:\Program Files\hMailServer\Data\live.email.bak\tma34\96{964A89B1-0214-4513-974D-21CE6FCDBC55}.eml
[0] Archive type: MIME
→ IPLOGS.zip
[1] Archive type: ZIP
→ IPLOGS.exe
[DETECTION] Is the TR/FraudPack.81408 Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\99{99F7D64D-993F-4BF9-9492-39E9B4FF8B69}.eml
[0] Archive type: MIME
→ IPLOGS.zip
[1] Archive type: ZIP
→ IPLOGS.exe
[DETECTION] Is the TR/FraudPack.81408 Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\9B{9B76836C-F150-410C-9A29-923A8FA4B415}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\9F{9F5A010F-5167-46FE-8EE6-D1DB52BAD2F9}.eml
[0] Archive type: MIME
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
→ file0.html
[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus
C:\Program Files\hMailServer\Data\live.email.bak\tma34\A5{A52E9326-5F0A-4886-A13D-99A4CF3647FD}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\AC{AC36C6B0-3B52-4E97-AC1C-55545192EA02}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\BB{BB05357D-8879-4BC5-B760-E8C1BD099D53}.eml
[0] Archive type: MIME
→ IPLOGS.zip
[1] Archive type: ZIP
→ IPLOGS.exe
[DETECTION] Is the TR/FraudPack.81408 Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\BC{BCC0FD23-BD72-49D0-91A4-B1A85B037D82}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\C1{C1B53144-8489-4B26-89E5-6681053CD2D4}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\DD{DD60B7A8-2B07-4899-A773-8CF8278E7EB7}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\E6{E6F840BD-769F-4C18-858B-C5FB84F58D5F}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\Program Files\hMailServer\Data\live.email.bak\tma34\F2{F22956FB-8C66-4393-912E-B66A9A5E5327}.eml
[0] Archive type: MIME
→ user-EA49943X-activities.zip
[1] Archive type: ZIP
→ user-EA49943X-activities.exe
[DETECTION] Is the TR/Spy.Goldun.axt Trojan
C:\TEMP\autorun.exe
[DETECTION] Is the TR/Agent.AIXL.152 Trojan
Begin scan in 'D:'
Begin scan in 'F:'

End of the scan: Wednesday, March 25, 2009 17:57
Used time: 1:03:45 Hour(s)

The scan has been done completely.

9031 Scanned directories
591387 Files were scanned
27 Viruses and/or unwanted programs were found
6 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
591353 Files not concerned
17630 Archives were scanned
30 Warnings
1 Notes
38569 Objects were scanned with rootkit scan
0 Hidden objects were found

The screenshot picture attachment showed 2 things. [1] A CAV scan that took place after the Avira scan (I did not remove the virus with Avira). [2] The manual setting that I used for CAV scan.

[attachment deleted by admin]

Some virus on system volume information cannot be deleted even if it’s detected.
(but it has right authority for the volume, can be deleted
You should exactly know about ‘system volume information’ rules. There are many rules you can give or remove)
Sometimes, you can see system volume information files but can’t modify or delete followed by authority.
(windows default setting is ‘access denied’, if it’s not? your system is not safe for hacking and virus)
Also not all viruses can be detected by all kinds of antivirus. These were what I wanted to tell you.
If you turn off all your System Restore for your disks, Windows deletes old system restore files by itself
not by antivirus software.
CAV still needs to be improved a lot.
Test your system with NOD32 and Kaspersky.
Recommend NOD32 or Kaspersky if you want safe and maximum security against virus.

You can check latest main comparative report.
http://www.av-comparatives.org

Thank you Creasy for your kind response. Yes I am aware of the latest av-comparative reports. Avira is strong also. So in my last posting (with the Avira scan result in quotes), I had tested it on yet another WinXP SP3 notebook with System Restore turned off on all drives - in order to eliminate the possibility of security permission issue.

And the result was that CAV missed all of them (those 26 viruses are found in the email attachment), which Avira picked up. I will uninstall CAV and retest with NOD32, and will post the result back here again.

I am trying my best to feedback to CAV so that Melih can produce a truly strong AV for the September release.

CIS doesn’t check incoming e-mail and if I understand correctly it doesn’t scan inside mail archives. CIS will only detect a virus when it is accessing the hard drive or memory.

For general reference you can open the system restore folder: System Volume Information Folders (System Restore).

I really do appreciate it. Thank you!

Melih

Dear EricJH

Thank you for clarifying CIS does not check incoming email which is kinda pity. I am not trying to compare, but you might know that paid AV, such as AVG, Norton do check incoming email. Even Avast Home Edition checks incoming email too. If this can be improved, it will benefit greatly. As an end user, I can only provide feedback to Melih that most of my peers feel safer when they see that the AV scans the incoming emails.

Now on your next part, you said “if you understand correctly it doesn’t scan inside mail archives”. If this is the truth, then it makes sense that it would have missed all 26 of them because those are indeed mail archives. I have installed NOD32 version 4 trial on that pc, and did a scan. Like Avira 9, it detected all 26 infections.

I did not try kaspersky because it had some installation problem if the PC has been installed with AVG before.

Thank you Melih, also for taking time in your busy schedule, in reading this posting. I hope that this will become a truly great free AV. I will also promote this on my website.
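An added example, not part of any post in this thread and not code from Comodo, Avira or ESET: a minimal sketch of what "scanning inside mail archives" involves for the nesting shown in the Avira report above (.eml as MIME, then ZIP, then an .exe behind a decoy extension). It only inspects file names and container structure, it is not signature detection; the extension sets, the size cap and the sample message are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed extension sets for this sketch; a real scanner matches content, not names.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".doc", ".xls", ".pdf", ".txt", ".jpg", ".htm", ".html"}
MAX_DEPTH = 20                       # same value as "Recursion depth" in the Avira report
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap so a decompression bomb is skipped


def classify_name(name):
    """Return 'hidden-ext' (e.g. x.doc.exe), 'executable' (x.exe) or None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "hidden-ext"
    return "executable"


def scan_blob(data, name, trail, depth, findings):
    """Check one object by name, then descend into it if it is a ZIP archive."""
    here = trail + [name]
    label = " -> ".join(here)
    kind = classify_name(name)
    if kind:
        findings.append((label, kind))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    if depth >= MAX_DEPTH:
        # Report what was NOT inspected instead of silently passing it.
        findings.append((label, "not-scanned:depth-limit"))
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = label + " -> " + info.filename
                if info.flag_bits & 0x1:          # bit 0 set: member is encrypted
                    findings.append((member, "not-scanned:encrypted"))
                elif info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member, "not-scanned:too-large"))
                else:
                    scan_blob(zf.read(info), info.filename, here, depth + 1, findings)
    except zipfile.BadZipFile:
        findings.append((label, "not-scanned:corrupt"))


def scan_eml(raw, eml_name="message.eml"):
    """Walk every MIME part of a stored message and scan named attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        payload = part.get_payload(decode=True) or b""   # undo base64 / quoted-printable
        scan_blob(payload, filename, [eml_name], 1, findings)
    return findings


def build_sample_eml():
    """Constructed sample: a harmless message whose ZIP holds a double-extension name."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("statement.doc.exe", b"harmless placeholder bytes")
        zf.writestr("readme.txt", b"plain text")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(inner.getvalue(), maintype="application",
                       subtype="zip", filename="statement.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, verdict in scan_eml(build_sample_eml()):
        print(verdict, path)
```

A scanner that treats the .eml as one opaque file never reaches the inner members, which is the gap discussed in this thread; the "not-scanned" verdicts make that kind of blind spot visible in the results.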

when it comes to email scanning etc…

I have put some posts in the past explaining this (don’t have it handy to paste it here so anyone who has it pls do paste the relevant posts… thanks)…

There are 2 places where Malware can exist (in general)

1)Hard disk
2)RAM

As long as you are checking both, then there is no point in checking anything else. No matter what happens the malware code will hit RAM and (most likely) Hard disk. So checking both will cover you.

Melih

here is a relevant post by Ronny

  • Jacob Kilgore
    C-O-M-O-D-O Forum Moderator

I think that comodo is doing a great job without an email scanner

"Why You Don’t Need Your Anti-Virus Program to Scan Your E-Mail
We will explain why we stand by this and why many experts stand by this as well.

First, email is just a file. A file like any other file. Email, whether you read it or not, is stored on your hard drive. Malicious files attached to an email are located on your hard drive. To an anti-virus scanner it does not matter whether the offending file arrived by email, arrived by file-sharing, or arrived by download. It is all the same to it. Any good up-to-date anti-virus will prevent you from opening a malicious worm or virus no matter how it arrived. Until and unless you click the attachment the virus or worm will not execute. And if you’re using Outlook Express, and you have kept it updated with the latest patches from http://windowsupdate.microsoft.com/ it will not execute merely by looking at your email.

Our advice is sound. Email scanning might have been useful years ago, but not anymore. We’re not sure it ever was. Six or seven years ago one could wander the Internet and open emails rather freely. Viruses were rare and the number of people using anti-virus programs was small. With the Internet Boom of 1999 came an influx of millions of new people using the Internet and millions of new potential targets for those who have nothing better to do than to ruin other people’s fun. So worms, Trojans, and viruses became numerous, but still few used good anti-virus protection.

Email Scanning by any anti-virus is not recommended because the harm and delay that scanning can cause don’t justify the minimal (if any) benefits to be derived. One of the biggest problems caused by email virus scanners is corrupted Outlook Express DBX (data) files. If these files become corrupted, whatever mail you have stored in them will be unreadable. Email virus scanning is the number one cause of corrupted DBX files; and hence the biggest cause of unrecoverable email. Other problems are minor but they’re a nuisance: Aggravating delays in sending or receiving email being among the top nuisances.

Many others do agree with us on shutting off email scanning in your anti-virus program. The following article by Tom Koch, a Microsoft MVP explains it best. Mr. Koch details not only why you should turn off your email scanner but how Outlook Express works, as well as other interesting and little known Outlook Express facts. Here is an excerpt from his excellent article by Tom Koch:

"…When encountering the symptoms of DBX corruption, many people immediately fear that their computer is infected with a virus. As surprising and ironic as it may seem though, the most common cause of DBX corruption is not a virus, but rather anti-virus programs that are configured to scan incoming or outgoing e-mail. Even the most well-known anti-virus programs have exhibited this problem from time to time. To lessen the risk of such corruption you should disable the e-mail scanning module in your anti-virus program. This is usually easy to do by looking at the user-configurable options in the anti-virus program. It is not at all necessary to scan e-mail for viruses to protect your computer.

Now before you dismiss me as mad, let me explain why e-mail scanning is unnecessary. Almost every anti-virus program for Windows installs by default a system scan that runs in the background every time Windows starts. This scan is necessary to protect your computer. If you receive a virus in an e-mail attachment, the virus cannot do anything at all until you actually open the attachment. …"

See http://www.microsoft.com/windows/IE/community/columns/filecorruption.mspx to read the rest of this article.

The most important thing, and we cannot emphasize this strongly enough, is to use a good, reputable anti-virus program (AVAST and AVG are two good free ones) and keep it updated daily! An anti-virus program which is not updated is worse than none at all. It will return false-positives and ignore real threats. So, above all, keep your anti-virus program up-to-date. And NEVER open an attachment directly from your email. ALWAYS save it to your desktop (or another easily accessible folder) and scan it with your anti-virus program before opening it. Another thing we cannot emphasize enough: Keep your Microsoft Windows current. Either turn on automatic updates or visit http://windowsupdate.microsoft.com/ at least once a week. Finally, we recommend that you visit http://housecall.trendmicro.com/ weekly, just to be sure that no virus or worm has made its way around your anti-virus program. A second opinion never hurts and it’s a good insurance policy that provides you with the peace of mind that comes with knowing that your anti-virus has indeed been doing its job."

Excellent comments Mr ronnycopeh.

Then it is kinda weird that top antivirus today, such as NOD32, AVG, Norton do incoming mail scans. Aren’t they aware of it too? Or was it that they wanted to pacify end-user ~ you know, peace of mind.

And yah, before I use CIS, I do have both on-demand scanner (bitdefender 8) and on-access scanner (avira 8) running together. Also have a-squared & spyware terminator too, and Kerio firewall. Pretty good combination :slight_smile: i think.

And especially for marketing reasons. :wink:

Mr. ronnycopeh

You wrote a long sentence.
But you Totally don’t understand why antivirus companies put e-mail scanning function on it.
Also you Totally don’t understand e-mail system.
Your thinking makes people in dangerous situation.
You think only about attachments.
Do you think antivirus companies are stupid?
Is there only harmful thing with attachment?
Do you really think that?
It’s really…horrible…
When you send e-mail with E-mail client Outlook or other clients, you can attach file.
But hackers can inject HARMFUL code right into the plain text, RTF, HTML, Java script, PHP etc.
You can easily generate e-mails with HTML.
If antivirus doesn’t scan those stuffs, your pc will be infected even if you are using antivirus software.
This is a different technique from infected attachment.
The code can be executed before antivirus catches it, and it can pass antivirus.
It’s related with WEB Hacking.
There is an another example.
In case of HOTMAIL when you read an e-mail not listed in your contact list,
it doesn’t show all of contents even image files(gif,jpg,png etc).
They don’t directly show them because there will be harmful code with the e-mail.

The Real world is completely different from your thinking.

Real world?
Read following article.

I’m gonna show you how NOD32 does.

Melih must put e-mail scanning function on CIS.

[attachment deleted by admin]

Dear Melih, Creasy, Ronnycopeh, razor74 & Jacob (for all those who have aided me in my posting)

So was it purely a marketing strategy or a necessity?

As I have put forth, an end-user as I am, this does give a peace of mind.
Of course, I am also aware, for a Virus to be “activated”, it must access the RAM and Disk first.

If I remembered correctly, Avira does not show any notification box that tells the end-user it is scanning incoming mail. This notification box is available in both AVG and Norton while Avast shows a tray icon (on mouse hover, you will see that it is scanning incoming mail).

To Melih,

I am a normal home PC user, I mean no offense, and I am definitely in no position to even share these thoughts with you -
“It is good to have a truly strong & reliable AV, but if the customers do not choose it, it is still a failed product.”

Novell Suse Linux has a base in Singapore for many years, but they are so less heard of. In fact, among my church mates, only 1 out of a 100 heard of it. But a handful of them heard of Red Hat, and so naturally Red Hat is more widely spread than any other Linux here. Please take note that I am neither comparing their product quality, nor user-friendliness, nor support here. I am just putting forth a history that ought to be avoided.

I put up the above short history to reinstate my point here - a peace of mind.
When I try to promote this to anybody, their common responses are “Does this AV have this and this and that?”, “Unless this AV offers me the same level of protection & ease of use, I wouldn’t want to switch?”. Yes their response is disheartening, but hey it tells you the expectation too! 88)

bestfreeav
you are right that users must choose it for it to have a good brand.
But we rely on good people spreading the word rather than marketing gimmicks.

Melih

Melih.
I understand what are you talking about.
I’ve been spreading Comodo products to everyone I know for many years.
(even comodo SSL)
But lots of people tell me about CAV problem every time,
not Firewall.
Comodo Firewall is The Top Firewall in the world. Right, I know and accept it.
But CAV is not. (Also they know CIS works great but hard to use for new users)
I teach them how to use CIS.
I use PC a lot, so I see tons of malwares everyday. I surf all around the world
on internet even p2p. I see hackings and crackings a lot too.
There are lots of malwares as you know on websites, p2p, softwares etc.
But CAV does not catch many of them.
And even slow. Please do not think about users
who are using free tools for AV softwares they do not always
use free tools. Some people pay if the AV tool is good enough
and worth to pay. This kind of tendency is getting high recently.
We are living in Year 2009 not 1999.
Actually, I just visited Comodo website only purpose for download softwares for
many years.
And I just moved around forums for only watching it
even if there were wrong informations from many users.
Experts can recognize it that informations are true or not.
But the problem is beginners.
Most of a beginners believe in any informations they don’t think it’s true or not.
That is the one of reason I started to participate in CIS translating project and
starting replies.
Also some experts who are believing in themselves as experts
their knowledges are always right.
(never hear other’s talking)
Think if someone says ‘hey my PC got a virus something. How can I do?’
Many people show how to do that but don’t explain why.
It’s repeated. Uneducated people for malwares and pc are going to visit
again if they have a virus again someday. And say again and again
‘hey please help me I got a virus again’.
It’s really repeated. What are we going to do?
We need Educations not just providing temporary answers.
‘Go to here, go to there, download something, do just follow that order,
that AV tool is good, that AV tool is not good, that AV tool is the best, that is not the best’
What is that?
Also there are too many forums here in the comodo website.
Some people are confusing if they have a questions.
It’s just like a labyrinth.
Beginners are not Bots.
Don’t you think sometimes we need an emphasis than any good words?

What do you think Melih?

Also, I apologize my offensive activity.