Why does Comodo keep asking to restart when it cleans something like a virus?

I downloaded malware in a zipped file, I unzipped it and it was detected after I did a right-click scan, then Comodo asked me to restart the computer, it hasn’t done that before.

Was anything run inside the container? Have you tried “Reset Container” under Tasks>>Containment? Is it in Quarantine? Have you tried manually deleting the .zip file if it hasn’t been removed by CIS? I’d try resetting the container and deleting the file from Quarantine to see if that works.

Nothing was in the container I downloaded the zip file, unzipped it, ran a right click scan, took a bit longer than usual, AV is set to quarantine for that and then when it finished it asked for a restart.

Assuming the file has a specific signature the removal instructions that come with the signature may require the reboot. If the virus would be allowed to run and it would install a kernel mode driver, to facilitate some form of cloaking, then a reboot is needed to remove that driver as with all kernel mode drivers.

I never run them, I just scan.

We can’t assume when a virus gets seen either by a scan or upon execution it may already be running before CIS got installed with a rootkit component blocking CIS from seeing it; we cannot assume the system is clean. You may know it to be clean but the program cannot assume.

The reboot indicates the malware may be self protecting and/or having a driver running. The former may need a reboot the latter requires a reboot.

Some cleaning routines require reboot while others don’t and it more than likely has to do with what was detected, so certain signature detection have reboot action as part of its cleaning routine.

Seems to be a good feature in the long run, but I wonder if whoever added the signature left some instructions out of what memory processes to check for, or if including those instructions isn’t practice, and CIS just always ‘plays it safe’.

I guess CIS always plays it safe. It is better to err on the side of cautious than to run the risk of leaving a trace behind. Some malware are capable of resuscitating its self when a running executable gets left behind.