Win32/AdInstaller

I’ve been using Comodo since V2 on my old XP machine and I was using V3 on my newer Vista machine. The version I was using was 3.0.13.xxx and every couple of days I run the ‘check for updates’ function, and for a few months it seemed like there were no updates. I decided to visit the site and check for newer versions and have found now that it’s at version 3.0.25.378, which I decided to download.

I went to run the installer and of course was greeted by a message saying that Comodo Firewall Pro was already on my system, and did I want to uninstall it first. I uninstalled and restarted my machine and then ran the installer for the new version and was immediately alerted by NOD32 that the firewall installer had attempted to install a variant of Win32/AdInstaller.

Here’s the actual report from NOD32…

"Time Module Object Name Threat Action User Information
19/07/2008 16:24:09 AMON file C:\Users\DRUIDS~1\AppData\Local\Temp\s1.tmp a variant of Win32/AdInstaller application quarantined - deleted DruidsSleep-PC\Druids Sleep Event occurred on a new file created by the application: C:\Users\Druids Sleep\Desktop\CFP_Setup_3.0.25.378_XP_Vista_x32.exe. The file was moved to quarantine. You may close this window. "

I deleted the installer and tried downloading it again, this time using the ‘DownThemAll’ extension in Firefox, which has the ability to check the MD5/SHA1 checksums, and the file I was downloading is totally genuine, but still NOD32 throws up this warning each time I try installing the newer version of the firewall.

I ran full AV and Anti-spyware scans on my machine (with NOD32 and Spyware Doctor) and my machine is clean.

Is this why Comodo is free?? the software attempts to install adware without a user’s knowledge or consent??

As I said the checksums match so the file hasn’t been compromised, so what’s going on?? I’m now forced to use windows firewall for the moment until I can find a decent, malware free, firewall for Vista

It’s a false positive about the new toolbar included in Comodo. Ignore it.

Problem is I can’t ignore it, NOD32 will NOT let me run the installer, it terminates the process as soon as the ‘false’ positive is thrown up.

Does comodo have an archive of older versions? I’d like the version I just removed back if possible, one without a toolbar.

thanks anyway

Disable NOD when installing Comodo ;D And when installing make sure you won’t install the toolbar :slight_smile: Otherwise NOD will cry again ;D

Disable NOD? (:SAD) not a chance!!

While installing ! Untick the install toolbar in Comodo and then NOD32 will be happy. Turn it on again after the installation :wink:

Right-click the NOD32 in system tray, choose Advanced Setup → Real-time file system protection → click the Setup button next to ThreatSense engine parameter setup → go to Options → uncheck Potentially unwanted applications → OK → OK.

Please read Comodo Forum policy before continuing further.

As for CFP installation read Analysis of COMODO toolbar by BOClean standards

I would like to suggest changing your forum display name as well.

As for Nod32 results like Vettetech said it can be considered a false positive.

Anyway please scan other toolbar installers (google, yahoo, ms live search, alexa) and please report back Nod32 results.

You are only disabling so you can install Comodo. Nothing is going to happen. As a matter of fact, when you install things such as games they tell you to shut off any virus scanner. You do not have to install the toolbar. I also use NOD32.

Odd thing is I have NOD32 3.0.669.0 and it doesn’t find Comodo toolbar to be an infection unless you have ThreatSense set to find Potentially unsafe applications, which can also lead to false positives. Uncheck that option if you have it checked off.

And I say leave the Potentially Unsafe apps ticked. I can save your ■■■■. Just disable NOD while installing Comodo and do not choose to install Comodo Toolbar. After the install - turn NOD back on. :slight_smile:

You can get previous versions HERE if you wish.

Can you check if this happens with other toolbars as well, if this does not happen I guess eset will have to fix this.

It actually detects the Ask.com toolbar and will wipe it… Already been discussed months ago. You can only re-enable it once you’ve uninstalled the toolbar via Add/Remove programs after you are finished w/ CFP install, so that only actually useful components will be left…

You’ll get the same “trouble” with ZA Free, Spy Sweeper or whatever else that bundles this thing (even Nero 8.0) - and no, it’s not a false positive, the Ask.com thing IS a potentially unwanted app.

Lessons learnt:

  • Ask.com has been a horrible choice of an engine
  • make a separate checkbox for the toolbar if you really insist on having it there, instead of pretending the functionality can’t exist without it.

Not true, cause it’s unticked by default. With it ticked it leads to more false positives. You still have plenty of great protection with it unticked. I have come across many false positives with it checked off. That’s why it’s unchecked by default. I should know, cause I have NOD32 on 2 PCs. Others aren’t using it. I know first hand.

Too bad you are not an AV developer. If you were I was going to ask you a thoughtful description about the facts behind that classification in a separate topic.
But I guess that your post contains no more than your viewpoint.

So what you’re saying is this is spyware and wrong. Email the company. It’s right here.

http://sp.ask.com/docs/about/site_features.shtml#searchtoolbar

WinPatrol developer thoughts on this toolbar…

Nowhere did I say it’s spyware. It’s a potentially unwanted application detected by multiple antivirus/antimalware vendors. Why’s it so? Well, because of the history behind Ask Jeeves/Ask.com stuff bundled and installed without users’ notification/consent, often aided by false/misleading advertising. These years of history are something that simply can’t be erased, and better consideration on Comodo’s side would be nice in future. Essentially boils down to the same issue of trust I’ve mentioned on the MBAM thread today. :wink:

I already knew of that. I read it again though just to not overlook anything. Bill Pytlovany is against any additional software installed with a product, especially when the user is not asked about that. This is not the case with CFP.

In other words FUD.

As previously reported by Vettetech, NOD32 default settings don’t report about it. As those search toolbars are widely available, ESET could have just added its signature to NOD.
I wonder why this didn’t happen.

A more unbiased approach would have been to scan other toolbars with NOD with the additional “Potentially unsafe applications” setting turned on in order to gather additional facts.
It may be that NOD heuristic is just too sensible to toolbar installations. Even in the case NOD doesn’t warn about Google, Yahoo, MS Live, Alexa toolbars, I guess some NOD user should get in touch with ESET developers to get an official reply about this false positive.

You are stating your personal opinions as facts. I wonder if your viewpoint should be trusted more than Sophos’ Ask toolbar analysis.

What’s FUD? The tons of cruft installing Ask toolbars without user knowledge? No, that’s not FUD, that’s a statement of fact, documented on multiple places.

What kind of signature do you want to add? The signature is already there, and since this widely bundled cruft with nasty history is something the user might not want installed, it gets detected as appropriate when the setting is enabled by the user - live with it. If you can’t, pick a different engine with a nicer history. And frankly said, everyone’s plain tired of all those useless toolbars that clutter browser windows without providing any useful functionality, think about it again a bit.