Windows Software Distribution FP - realtime only & odd

Hi guys, got another weird false-positive from CAV.

The file is:

C:\WINDOWS\SoftwareDistribution\Download(long hex string)\SP2QFE\t2embed.dll

Description: “Microsoft T2Embed Font Embedding”
File Version: “5.1.2600.3634”
Modified: Thursday, October 15, 2009, 11:56:31 AM
Created: Yesterday, January 12, 2010, 5:27:19 PM
File size: 117 KB (119,808 bytes)

This file is -not- digitally signed by Microsoft.

It appears ONLY the on-access part of CAV detects it as FP. It was detected when I happened to access the file as part of something that touches all files on the entire drive (running a scheduled Windows Defender complete scan).

When I right-click the file and select “Comodo Antivirus” for an on-demand scan, it finds nothing wrong with the file. Scheduled and manual whole-computer scans find nothing wrong, either. Curiously, though, realtime CAV doesn’t complain when I right-click and do “properties” on the file… but it did when Windows Defender scanned it as part of a scheduled scan. In other words, the realtime detection happened once (during the Defender scan), but future accesses do not cause it to happen again.

Also odd is how the detection looked. I didn’t get the usual CAV alert (bottom-right of screen, the usual look). This was on the bottom-right as usual, but it was a minimalistic appearance that resembled one of CIS’s “balloon messages”. No buttons were offered to tell it what to do, and it disappeared after a few seconds. This time I was able to do a screen print, and I’ll try to include it in another post below this one (if I can). This weird-looking alert WAS logged in “Antivirus Events”, but the file was NOT quarantined even though I have “automatically quarantine” set ON (the files were left in-place, and my quarantine is empty).

According to CAV Events log, “Malware Name” is: “UnclassifiedMalware[at]91904046”

This looks like a false positive. Can you fix it, guys? Thanks. Also, can you explain what these weird, unconventional, minimalistic-looking, no-choices-given alerts are, and why we don’t get the standard alert, and why auto-quarantining doesn’t happen? And why can’t I cause the realtime alert to happen again by, say, pulling up the properties on the file? It only happened once, and I can’t recreate it. And why does CAV detect things realtime (and only once), but not in other scan modes like on-demand and scheduled? Shouldn’t ALL forms of CAV scanning detect the same things?

More info:

CIS 3.13.126709.581
Virus DB: 3572
Windows XP Media Center Edition SP3
The FP occurred while using an administrator account

Image of the weird-looking alert is attached to this message, below.

Hope that helps. Thanks.

[attachment deleted by admin]
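An added check that is not part of this thread or of Comodo's product: the "not digitally signed" observation above is worth qualifying, because files delivered by Windows Update (the SP2QFE payload here) are normally catalog-signed, with the file's hash listed in a signed .cat file rather than an Authenticode blob embedded in the DLL, so Explorer's Properties dialog shows no Digital Signatures tab even when the file is genuine. The script below, a hypothetical helper written for this page, walks the PE headers to the security data directory (index 4) and reports whether an embedded WIN_CERTIFICATE blob exists, plus the SHA-256 you would attach to a false-positive report. It does not validate the PKCS#7 contents and does not consult catalogs; on Windows, `signtool verify /a /v <file>` does both. The sample PE images it builds are constructed in memory for the demonstration and are not real binaries.

```python
"""Report whether a PE file carries an embedded Authenticode signature.

Hypothetical helper written for this page; not from the thread or from Comodo.
"none" here does NOT mean "not Microsoft": Windows Update payloads are usually
catalog-signed (hash in a .cat file), so no embedded blob is expected.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot for Authenticode
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # wCertificateType for PKCS#7 SignedData


def security_directory(data: bytes):
    """Return (file_offset, size) of the Authenticode blob, or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20                                  # skip IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                         # PE32
        dirs_off = opt_off + 96
    elif magic == 0x20B:                                       # PE32+
        dirs_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    va, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if size == 0:
        return None
    return va, size   # for this directory the "VA" is a raw file offset, not an RVA


def describe(data: bytes) -> dict:
    """SHA-256 plus embedded-signature status; does NOT validate the PKCS#7."""
    info = {"sha256": hashlib.sha256(data).hexdigest(), "embedded_signature": False}
    sec = security_directory(data)
    if sec is None:
        return info
    off, size = sec
    if size < 8 or off + size > len(data):
        info["error"] = "security directory points outside the file"
        return info
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)  # WIN_CERTIFICATE
    info.update(embedded_signature=True, win_cert_length=length,
                win_cert_revision=revision,
                pkcs7=(cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA))
    return info


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 image for the demo; not a real, loadable binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96 + 16 * 8, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    header = dos + b"PE\0\0" + coff + bytes(opt)
    dirs = bytearray(16 * 8)
    blob = b""
    if signed:
        fake_pkcs7 = b"\x30\x82\x00\x00"   # placeholder DER bytes, not a real signature
        blob = struct.pack("<IHH", 8 + len(fake_pkcs7), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_pkcs7
        start = len(header) + len(dirs)    # blob is appended right after the headers
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, start, len(blob))
    return header + bytes(dirs) + blob


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(False)
    print(describe(data))
```

Run it with the path of the DLL as the only argument; with no argument it analyses the constructed unsigned sample. A result of `embedded_signature: False` on a Windows Update payload is the normal case and says nothing about whether the file is malicious; the SHA-256 is what to send with the false-positive report.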

I am not able to install

“Security Update for Windows XP (KB972270)”

without seeing a Comodo Antivirus Alert pop-up window citing

“Name: UnclassifiedMalware@91904046 … Location: C:\WINDOWS\SoftwareDistribution Downl…\t2embed.dll”

I always quarantine it rather than ignore it, so checking the items in quarantine, I see the full path matches the one above.

I only first saw the notice for the Windows update today, but quarantine records show there were prior appearances of this CIS notice, all on Jan 10th, between midday and 4pm PST. More info:

Windows XP Home SP3
CIS v 3.13.126709.581 / virus sig 3573
Also running Spybot S&D, Spyware Doctor (not a peep about this from either, having last run them after the 10th)

Please advise as to how to proceed for updating the OS as well (“Some updates were not installed:” …).

-thanks.

I was able to install Windows update KB972270 just fine, yesterday. I didn’t get the CAV FP until a Windows Defender scan today caused that file to be accessed.

Perhaps a CAV definitions change between yesterday and today caused this FP.

Perhaps it has to do with AV 3572-3573 rev differences as you say. I guess I will configure CIS to ignore the warning and install the update. Known bad things are possible if I don’t, and as I don’t see many others concerned about it, it seems indeed only to be an FP. I’ll watch this space for any further developments on the issue.

-thanks

This last time I tried the update, I didn’t get the CIS window. Checking my AV, it is now rev 3574.

Hi puddingpants,

This FP has been fixed. Please check in virus signature database 3574.

Thanks and Regards,
hailong.■■■■