Topic: Avast5 Free Edition detect comodo and window defender process as virus/threat?

Offline rafale2000

Just installed the Avast5 free edition, did a scan and it detected viruses/threats in my running processes. The 2 processes are cmdagent.exe (belongs to Comodo CIS) and msmpeng.exe (belongs to Windows Defender). cmdagent.exe has 2 threats and msmpeng.exe has 13 threats. Below are the virus names for the processes.

The 2 threat list for cmdagent.exe
Win32:Adloader-AC
Win32:Delf-DNW

The 13 threat list for msmpeng.exe
Win32:Adloader-AC
Win32:Fraudload-P
Win32:Agent-SG
Win32:PC Client-OD
Win32:Baidubar-B
Win32:Small-HZH
Win32:Banker-CDW
Win32:Agent-CWD
Win32:Small-HUF
Win32:Small-gen2
Win32:Zbot-AVH
BV:Autorun-E
JS:Agent-AU

Is my system really infected or is it just false positive? Help needed urgently, Thanks

Offline sp@rky13

I would install this program and see what it brings up. The program is ClamWin and is the portable edition, so you can easily uninstall it by just deleting the folder.

Online Vladimyr

I have neither Comodo nor Windows Defender on PCs with avast! 5 so I can't compare with your result.

With respect to both sp@rky13 and ClamWin, I think Dr Web might do a better job. http://www.freedrweb.com/cureit/
“There is a way that seems right to a man, but in the end it leads to death.” - Proverbs 16:25

Online DavidR

@ rafale2000.
Well, you do know that CIS comes with an anti-virus, and having two resident AVs is a big no, no.

So this could well be avast detecting comodo signatures if they aren't encrypted, unfortunately I don't know if that is correct, but you should ensure that you uninstall the antivirus element in CIS.

The same may be true of windows defender as I believe it also stores its signatures in memory.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Mikos

I have Comodo Firewall with D+ installed ONLY with Avast. But I never have that error with Avast 5. In fact, just to make sure the PC is clean, I usually run a scan with on demand scanners, then with Avast. Either your PC is really infected, or the problem is stemming from what DavidR pointed out.
Windows 7 Ultimate 64 bit, Avast Free Antivirus 5.0.377, Comodo Internet Security (Firewall Only with D+ set to Optimum)
On demand scanners: Malwarebytes Anti Malware, ESET Online Scan

PC Specs: Intel Core 2 Duo E7300 2.66Ghz, Intel DG31PR, 4Gb RAM, 160Gb HDD, Nvidia GeForce 7300 LE

Offline Cahya

I don't use Comodo, but I use Windows Defender (as default setting), found no problem with avast v5.
Just avast! free - is already enough. Using avast on Windows, Linux and Android.

Offline rafale2000

Sorry for not providing more info on my setup. I'm using Windows XP SP3, Comodo CIS (only using the Firewall & Defense+). I had done an avast5 scan on the Comodo folder and Windows Defender folder where the mentioned exe files are located, and no threats were reported, but whenever I use full system scan or custom scan with features to scan memory processes & rootkits, I get the threat warning. I am also using mbam and had done a scan, which if I'm not wrong also scans memory processes, and nothing was detected. I'm really confused; maybe I will try to scan with another antivirus software and see the result. By the way, I just realized that this is not the correct place to post for virus problems, I think I will post my problem in the virus.worm section. Thanks for your help.
« Last Edit: January 21, 2010, 07:38:34 AM by rafale2000 »

Offline carlcc

Really?
My roommate uses both Comodo and avast, but he hasn't encountered such a situation.
However, he told me that Comodo often blocks some non-virus software.
I have a dream that hasn't come true.
I want to be a Ph.D. or Ed.D. someday.

Offline rafale2000

Sorry, made a mistake earlier: only when using custom scan with memory scan, auto-start program scan & rootkit scan do I get the threat warning, and it can't be deleted or moved to the chest; it shows the error "access is denied(5)". When using the default boot-time scan and the default full system scan it shows no infection. I'm getting more and more confused. ???

Offline janeygee

Rafale 2000,

Do not use more than 1 antivirus/security prog at a time!!!
Comodo and Windows Defender will autostart no doubt. Turn them off, disable them.
If you are having no problem with your setup... not slow, no popups, redirected web pages etc... then what you are seeing are false positives.

Each security program has definitions of virus/worm/trojan etc. within its own system to check each scan against.
If you have those programs running when you scan with Avast, then Avast is 'Detecting' the reference files.

The .exe files that you are detecting are legitimate files associated with their correct programs.

The main point is:        One Firewall, one antivirus prog running in real time.
No problem in keeping others as standalone scanner like AntiMalware, Spybot, Adaware etc.

Offline Giraffe

Also running Avast 5 with CIS Firewall and Defence+, AV Disabled, with no FPs shown, so they do work together.
XP Pro SP3
AMD Athlon 64 X2 3600+; 1GB RAM
Avast!: latest; PrivateFirewall

Offline rafale2000

For my setup, only Comodo CIS (without AV), Avast5 and Windows Defender are realtime; the rest (Spybot, SpywareBlaster, mbam & SUPERAntiSpyware) are all on-demand and do not auto-start with Windows. My system seems to be functioning properly, no slowdown, redirected webpages or popups; in short I did not notice any abnormal behavior from my system. I had been using avast4 before this and it had never detected the threats that avast5 did.

I had just installed Avast5 (before this it was using Avast4) on my brother's PC, which is also running Comodo CIS (no AV) and Windows Defender; when using custom scan it also shows the exact same infection threats. Below is the log taken from the custom scan log.


Process 1120 [cmdagent.exe], memory block 0x0000000000F80000, block size 90112 [L] Win32:Agent-KXV [Drp] (0)
Process 1120 [cmdagent.exe], memory block 0x0000000008C10000, block size 843776 [L] Win32:Delf-DNW [Trj] (0)

Process 1176 [msmpeng.exe], memory block 0x0000000003D80000, block size 262144 [L] Win32:Adloader-AC [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x0000000003ED0000, block size 262144 [L] Win32:FraudLoad-P [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x0000000004050000, block size 262144 [L] Win32:Agent-SG [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x00000000040A0000, block size 262144 [L] Win32:PcClient-OD [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x0000000004130000, block size 262144 [L] Win32:Baidubar-B [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x00000000041E0000, block size 262144 [L] Win32:Small-HZH [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x00000000042C0000, block size 262144 [L] Win32:Banker-CDW [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x0000000004320000, block size 262144 [L] Win32:Agent-CWD [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x0000000004390000, block size 262144 [L] BV:AutoRun-E [Wrm] (0)
Process 1176 [msmpeng.exe], memory block 0x0000000004490000, block size 262144 [L] JS:Agent-AU [Expl] (0)
Process 1176 [msmpeng.exe], memory block 0x0000000004560000, block size 397312 [L] Win32:Small-HUF [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x00000000045E0000, block size 262144 [L] Win32:Small-gen2 [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x00000000046A0000, block size 262144 [L] Win32:Zbot-AVH [Trj] (0)
« Last Edit: January 21, 2010, 01:30:14 PM by rafale2000 »

Offline Robert_M

Programs: avast + Comodo firewall (with D+)

When I scan memory all is OK.
Now I turn on SETTINGS->SENSITIVITY->IGNORE VIRUS TARGETING

Result:

Process 1384 [cmdagent.exe], memory block 0x0000000000F70000, block size 90112 [L] Win32:Agent-KXV [Drp] (0)
Process 1384 [cmdagent.exe], memory block 0x0000000008C00000, block size 843776 [L] Win32:Delf-DNW [Trj] (0)


Offline rafale2000

Thanks for your info. When I turned Ignore Virus Targeting off, cmdagent was no longer listed as an infected threat; msmpeng initially was 15 threats, now reduced to 5 threats. For the remaining 5 threats, I think I will wait for a few more definition updates and then test again; hopefully it's a false positive instead of a real infection.

Online DavidR

Well, as you know, the msmpeng.exe is Windows Defender related, so it looks like it is unpacking its signatures into memory (to speed scanning) but doesn't encrypt them, hence being detected (if you have the 'ignore virus targeting' option enabled).
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
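
The triage reasoning reached in this thread (memory-only detections reported inside another resident scanner's process are probably that scanner's unpacked signatures), as an added example that is not part of any poster's message or of avast's tooling. The `SECURITY_ENGINES` set and the verdict labels are assumptions, and the notepad.exe sample line is constructed; the other sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict

# Line layout of the memory-scan log as posted in this thread.
LINE_RE = re.compile(
    r"Process (?P<pid>\d+) \[(?P<image>[^\]]+)\], memory block (?P<base>0x[0-9A-Fa-f]+), "
    r"block size (?P<size>\d+) \[L\] (?P<name>.+?) \[(?P<kind>\w+)\] \(\d+\)")

# Assumption: image names of resident security engines (the two from the thread).
SECURITY_ENGINES = {"cmdagent.exe", "msmpeng.exe"}

# First five lines are from the thread; the notepad.exe line is constructed.
SAMPLE = """\
Process 1120 [cmdagent.exe], memory block 0x0000000000F80000, block size 90112 [L] Win32:Agent-KXV [Drp] (0)
Process 1120 [cmdagent.exe], memory block 0x0000000008C10000, block size 843776 [L] Win32:Delf-DNW [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x0000000003D80000, block size 262144 [L] Win32:Adloader-AC [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x0000000003ED0000, block size 262144 [L] Win32:FraudLoad-P [Trj] (0)
Process 1176 [msmpeng.exe], memory block 0x0000000004050000, block size 262144 [L] Win32:Agent-SG [Trj] (0)
Process 2044 [notepad.exe], memory block 0x0000000000A10000, block size 65536 [L] Win32:Example-X [Trj] (0)
"""

def parse(log_text):
    """Group detections by (pid, image) -> list of (base, size, name, kind)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[(int(m["pid"]), m["image"].lower())].append(
                (int(m["base"], 16), int(m["size"]), m["name"], m["kind"]))
    return dict(hits)

def triage(log_text):
    """Return {(pid, image): (verdict, distinct_detection_names)}."""
    verdicts = {}
    for key, dets in parse(log_text).items():
        names = len({d[2] for d in dets})
        if key[1] in SECURITY_ENGINES:
            # Memory-only hits inside another scanner: consistent with its
            # signature database sitting unpacked and unencrypted in memory.
            verdict = "likely-signature-data"
        else:
            verdict = "investigate"
        verdicts[key] = (verdict, names)
    return verdicts

if __name__ == "__main__":
    for (pid, image), (verdict, n) in triage(SAMPLE).items():
        print(f"{pid:>5} {image:<14} {n:>2} detection name(s): {verdict}")
```

An image name alone can be imitated, so confirm the flagged process's file path and digital signature, and that an on-disk scan of its folder is clean, before accepting the "likely-signature-data" verdict.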