XMPlay ERROR! This file has been tampered with and MAY BE INFECTED BY A VIRUS!

Thanks Jay! I’ve submitted the file as a false positive. Hopefully this will be taken care of soon as this is one of my most used programs!

Same here. Just installed CIS 4.0.135239.742 on Win7 x64 Pro.

XMPlay version

This file has been tampered with and may be infected by a virus!

Wtf? AV was not installed with CIS (using Avast!), sandbox is disabled.

In further work with this problem, I’ve found the only way to solve the problem at the moment is to disable the Defense+ feature of CIS 4. Hopefully this will be resolved in a future version of CIS.

is it xmplay.dll file???

did it just come out with a new version???

AV was not installed with CIS (using Avast!)
Are you saying Avast, is detecting this???? Avast virus[at]avast.com <---this is the email to send it to (Send the sample in .zip or .rar file and password protect it (called "infected") Tell them it's a false positive ==========================================

If it’s comodo detecting it then read below

Some people like “mntech” are having that problem. <----He’s right about the only solution is to disable “defence +”

*****( I just came up with this idea) The idea is to put “defence +” in training mode. Reinstall the program, and run the program leaving “Defence +” in training mode for a day or two, then take it out of training mode. Maybe that should solve it

Other that that, the best I can recommend is this
You can upload the file in question here (False Positive)

they will get back to you by email and let you know if they’re malicious or not.


{since you have version 4}----do this
you can click on the comodo icon

  1. click on the anti-virus icon
  2. click on “submit file to comodo”
  3. A new screen pops=up
  4. find the file in question
  5. send (it’ll ask “suspicious” or “false positive”) <----choose one
  6. your done Smiley it will take some time to Analise it depend how busy they are

Nope! Avast doesn’t find any problem with xmplay files. Comodo AV is not installed.
I don’t know, which part of CIS is alerting me. Why mess with D+? Is the virus inside xmplay? I hope there is not. I’m using XMPlay for a three years and CIS is the first program, which find something “suspicious” in it.

Can you post a screenshot of the alert? Sometimes a picture tells more than a 1000 words.

How to post a screenshot?

To copy a screenshot of the active window push alt+print screen to copy the active window to the clipboard (pushing print screen will copy the complete window to the clipboard not just the active window). The window is now copied to the clipboard. Paste the image in any image editing program, Paint, Paint.net, the Gimp etc. Use the “crop” function to resize the canvas to size of the image. Now save the file as 32 bits png image.

At the forum push the reply button. Or when using the Quick reply type some text and push the preview button.

Underneath the text box click on Additional options. Push the Choose button and navigate to the file and select it. When you want to post more images click on the more attachments link.

When done typing push the Post or Preview button.

Okay, here is the screenshot. Is my english so bad? :-[

[attachment deleted by admin]

Only now i think about… This is not an a Comodo alert! It’s a XMPlay alert.
And seems this alert means that the XMPlay doesn’t like his changed status.
I’m not sure…

Further discussion of this problem is on the XMPlay forum HERE.

The message comes from the packed xmplay.exe executable when it tries to unpack in the Defense+ environment. The executable is packed using the “petite” packer, another product of the XMPlay developers.

After an upgrade to Comodo version 4.0.138377.779, XMPlay is now running on my system with Defense+ active and in safe mode. Yay!

Hmm. No luck here. Clean install of 4.0.138377.779.
Even with disabled D+, latest XMPlay won’t start with the same error 8( WTF!?

Is XMPlay getting auto-sandboxed? That might have an effect.

Sandbox is disabled too.

From the mentioned topic at Un4seen forums:

Ive Got a solution :slight_smile: maybe not the best, but it works :slight_smile:

if you dont can fight your enemy, just fight with him

Disable the sandbox, and then press the “Run Program in Sandbox” button ann run Xmplay.exe as unrestricted… :slight_smile: then itll work

That doesn’t work.

Any other solutions?

Is Comodo working on this aggravating problem?

I’m running CIS 4.0.141842.828 as Firewall ONLY without AV and Defense+ enabled and have the same problem with XMPlay 3.5.1 on a Windows 7 32 Bit Enterprise system.

For me the solution was to set the compatibility mode for XMPlay.exe to “Windows Vista SP2”. The alert is gone now.

For testing purposes I renamed C:\Windows\System32\guard32.dll (A file that comes with CIS and is used to implement various hooks in usermode on certain API calls) to _guard32.dll - the alert was gone, too…

I’d really like to know what CIS does here in the background even though I disabled all HIPS/Sandbox functionality.

Btw, the alert message box comes from the very old executable compressor “Petite” that has been used to compress the xmplay.exe file. See: Petite - Win32 Executable Compressor

Btw, the alert message box comes from the very old executable compressor "Petite" that has been used to compress the xmplay.exe file. See: http://www.un4seen.com/petite/
It's not being flagged by comodo anti-virus, so I'm going to assume your refering to "Defence +"
Is Comodo working on this aggravating problem?
Have you asked in the XMPlay forum ?. I thought there was a solution ??? or you could just disable "defence +"
It's not being flagged by comodo anti-virus, so I'm going to assume your refering to "Defence +"
Why shoud the .exe be flagged just because it has been compressed by its author? Compressing an .exe file does not turn it into something evil. I'm refering to nothing, I just explained what actually displays the error dialog. If you're talking about guard32.dll - yes, this is used by Defense+.
Have you asked in the XMPlay forum ?. I thought there was a solution ??? or you could just disable "defence +"
No need to ask in their forum. When you read my posting you can see that I [b]1)[/b] have Defense+ disabled and that I [b]2)[/b] already have a "solution" (set compatibility mode to "Vista SP2"). However this is not more than just a workaround. The problem/issue(s) with guard32.dll is already known by the CIS developers and they're currently working on a solution.

Please check this: https://forums.comodo.com/bug-report-cis/cis4-causes-errors-with-xmplay-and-winlicense-guard32dll-issue-t56418.0.html;msg396631#msg396631

Thanks so much for the workaround Frankenstein! It came down to a choice between XMPlay and CIS 4 beta, and XMPlay edged it out. Now I can have both. :slight_smile:

Petite is not the only UPX compression causing annoyances. A large percentage of the false positive I get are due to innocent UPX’d EXE’s. It’s a legitimate tool to keep file sizes down and protect files, and Comodo needs to recognize their legitimacy.

Thanks again!