Avast WEBforum

Other => Viruses and worms => Topic started by: MostlyHarmless on October 14, 2010, 03:55:15 AM

Title: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: MostlyHarmless on October 14, 2010, 03:55:15 AM
I'm not sure what's going on. Out of the blue, a boot-time scan tells me I've caught an INF:AutoRun-W [Wrm] infection from a Gizmo/WindowsSecrets.com newsletter email. This I find very odd, because a) I trust this source, and b) wouldn't avast! and/or Spy Sweeper have flagged it when I originally opened the mail?

Straight after that, my custom scan tells me that a Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj]. Ditto my next 4 custom scans (see attached image).
I've had this Comodo firewall 'cmdagent.exe process' problem before, so I know (through this forum) that I shouldn't worry too much about this:
"In general, any security application can load some signatures (fragments of malicious code used to detect the real threats) into memory - they are located in data segments (instead of executable code)." "...scan results are not the files, but the virus is detected in memory allocated to cmdagent.exe process..."
After a few days avast! updates the engine and/or relevant virus definitions and the problem disappears.
...It's been four days now. I can't be the *only* user who has noticed this?

P.S. My custom scan has EVERYTHING turned on and scan sensitivity set to 11.

EDIT:
Coincidence? I've just discovered from http://www.avast.com/virus-update-history that:
Win32:FakeVimes-B [Trj] was part of the 8.10.2010 - 101008-0 virus definition updates and
INF:AutoRun-W [Wrm] was introduced in the 8.10.2010 - 101008-1 virus definition updates.
My avast! started flagging these on the first scans I did *after* this date.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: DavidR on October 14, 2010, 04:30:06 AM
You appear to have the comodo AV also installed and not just the firewall as I can't see why the firewall needs to download virus signatures and load them into memory (?)

That is where the signatures being detected in memory are coming from. So it isn't about there is nothing to worry about, but why they are there in the first place.

Having two resident scanners installed is one too many and not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: MostlyHarmless on October 14, 2010, 09:28:58 PM
Quote
You appear to have the comodo AV also installed and not just the firewall as I can't see why the firewall needs to download virus signatures and load them into memory (?)
Nope.

I have the same Comodo Firewall Pro and avast! anti-virus setup that I've had for years - both are the free versions.
I run the same avast! whistles-and-bells custom scan which I've run since v5.0 was released.
What I do have is the *exact* same problem that crops up every 9 months or so, where I suddenly start getting warnings about Comodo's cmdagent.exe (see my post from Feb this year:  Avast5 Free Edition detect comodo and window defender process as virus/threat? (http://forum.avast.com/index.php?topic=53888.msg465806#msg465806))

I carried out a boot-time and custom scan on the 6th with no problems found.
On the 8th avast! added Win32:FakeVimes-B [Trj] and INF:AutoRun-W [Wrm] to the virus definition list.
On the 10th I carried out a boot-time scan and INF:AutoRun-W [Wrm] was found in a newsletter email from a site I trust, and  during my subsequent custom scan, I get a warning that Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj], with the same results in the 5 custom scans I've completed since then.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: DavidR on October 14, 2010, 09:36:58 PM
Well why is comodo firewall cmdagent.exe loading virus signatures into memory if it doesn't have an AV installed, it doesn't have any use for them.

That question I guess you would have to ask at the comodo forum as we are unlikely to know why.

A boot-time scan wouldn't find anything: Windows and Comodo aren't running at that point, so cmdagent.exe wouldn't have loaded the signatures into memory.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: MostlyHarmless on October 14, 2010, 10:43:02 PM
Quote
Well why is comodo firewall cmdagent.exe loading virus signatures into memory if it doesn't have an AV installed, it doesn't have any use for them.
oh...Now you say it out loud, that's a blooming good question.

But like I said, this only happens once in a while. Usually after a few virus definition updates, and without any intervention from me, my avast! custom scans stop flagging cmdagent.exe as a threat.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: DavidR on October 14, 2010, 11:00:31 PM
It isn't flagging cmdagent.exe as a threat, it is telling you what process loaded the unencrypted signature/s into memory which are being detected. So it entirely depends on why and when cmdagent.exe loads them and if after that you happen to do a memory scan.

So you have to get the why and when cmdagent.exe loads these unencrypted signatures into memory from the source as we can't answer that.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: CharleyO on October 15, 2010, 06:46:25 AM
***

Hi MostlyHarmless -

Do you have or did you have Comodo Internet Security on your computer?
See the links below.

Quote
cmdagent.exe - Comodo Personal Firewall executable. The firewall has been incorporated into COMODO Internet Security.
http://www.pcpitstop.com/libraries/process/i/cmdagent.exe.html

Quote
Cmdagent.exe with description COMODO Internet Security is a process file from company COMODO belonging to product COMODO Internet Security.
http://www.runscanner.net/lib/cmdagent.exe.html


***
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Lisandro on October 15, 2010, 01:56:10 PM
I've asked for help on Comodo forum
https://forums.comodo.com/firewall-help-cis/firewall-loading-virus-signatures-into-memory-and-detected-by-avast-t63746.0.html;new#new
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: DavidR on October 15, 2010, 04:40:24 PM
I checked your post, no response as yet, though I wouldn't have offered the 'is this an avast FP' as it is a get out of jail card.

What we want to know is what is cmdagent.exe loading into memory ?
If as is suspected these are unencrypted signatures, why if this is a stand alone comodo firewall installation, anything else is irrelevant ?

Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Lisandro on October 15, 2010, 09:57:31 PM
Quote
I wouldn't have offered the 'is this an avast FP' as it is a get out of jail card.
I don't understand what you mean...
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: DavidR on October 15, 2010, 10:14:51 PM
If they say yes it is an avast FP they don't have to answer the main question, what is being loaded into memory by cmdagent.exe and why.

So they don't have to answer the real issue/question, they have effectively been let off the hook, got out of jail.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Lisandro on October 15, 2010, 10:21:15 PM
Quote
If they say yes it is an avast FP they don't have to answer the main question
Let them say that... Let's see what we get there technically.
I'm not sure the detection is due to cmdagent loading things into memory. It could be a false positive of avast detecting "other things" in that memory block.

MostlyHarmless, does the detection disappear after avast is updated?
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Left123 on October 15, 2010, 10:33:34 PM
Question: is comodo a good firewall? I am thinking of installing it
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: DavidR on October 15, 2010, 10:37:42 PM
<snip>
I'm not sure the detection is due to cmdagent loading things into memory. It could be a false positive of avast detecting "other things" in that memory block.
<snip>

The only thing in that memory block is what was loaded by cmdagent, that is how memory blocks are allocated, they aren't shared.

If something tries to use a memory block already allocated, I would guess that would cause some sort of access violation or clash or memory error.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Jahn on October 16, 2010, 01:40:59 AM
I have received no alerts or detections from Avast 5.0.677 regarding cmdagent.exe with CIS 5.0.x.1135 (FW and HIPS). I notice that the OP is using CIS 5.0.x.1142, an upgraded version from CIS 4.x. Possibly, that's a clue.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: MostlyHarmless on October 16, 2010, 04:50:12 AM
Quote
Do you have or did you have Comodo Internet Security on your computer?

No. Version 2.4(?) had an on-demand virus scanning option, but since CFP v3.0, I have only ever installed the firewall component.

Quote
I have received no alerts or detections from Avast 5.0.677 regarding cmdagent.exe with CIS 5.0.x.1135 (FW and HIPS). I notice that the OP is using CIS 5.0.x.1142, an upgraded version from CIS 4.x. Possibly, that's a clue.

Until a few days ago I had CFP v4.1.x installed. I started getting the cmdagent.exe alert on the 10th. I updated to CFP v5.0.1 on the 14th, but was still being alerted to process [cmdagent.exe]. On the 15th I uninstalled CFP and downloaded a fresh copy of v5.0.163652.1142 from personalfirewall.comodo.com. (Though oddly, the profile of this installer thinks it is v5.0.32580.1142... )
Installed, but still getting the warning
File name: Process 11xx [cmdagent.exe], memory block 0x00000000023C0000, block size 4xxxxx
Severity: High
Status: Threat: Win32:FakeVimes-B [Trj]

Quote
I've asked for help on Comodo forum
https://forums.comodo.com/firewall-help-cis/firewall-loading-virus-signatures-into-memory-and-detected-by-avast-t63746.0.html;new#new

Thanks for that, Tech. I was just about to do that very thing.



I have to reiterate: This is NOT the first time that avast! has had problems with cmdagent.exe on my PC. Usually after a few virus definition updates or an engine revision, avast! stops flagging process, cmdagent.exe.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Lisandro on October 16, 2010, 04:53:02 AM
Quote
Thanks for that, Tech. I was just about to do that very thing.
It will be better if you post there yourself, giving details of the problem.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: MostlyHarmless on October 16, 2010, 05:32:58 AM
Quote
Thanks for that, Tech. I was just about to do that very thing.
It will be better if you post there yourself, giving details of the problem.

Done  ;D
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Lisandro on October 16, 2010, 09:25:41 PM
It's the Defense+ cloud and behavior shield.
Now, Comodo must encrypt the signatures loaded into memory or we will see this over and over again.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: MostlyHarmless on October 17, 2010, 02:31:18 AM
Quote
It's the Defense+ cloud and behavior shield.
Now, Comodo must encrypt the signatures loaded into memory or we will see this over and over again.

ok... But why is avast! only warning me about:
Process 11xx [cmdagent.exe], memory block 0x00000000023C0000, block size 4xxxxx  > Threat: Win32:FakeVimes-B [Trj] ?
Nothing else, just this one signature.

Win32:FakeVimes-B [Trj] was added to the avast! virus blacklist on  8-Oct-2010 (101008-0), and the very next scan I do after that date flags it as a memory process. Doesn't anyone think this is a little bit of a coincidence?

When this problem arose, I was using CFP v4.1. I've had this since I last reinstalled XP on my PC back in June.
CFP rarely changes; avast! changes daily through virus updates; something in the 8-Oct-2010 (101008-0) update has triggered this cmdagent.exe alert.

Because of my surfing habits, if I catch one actual virus in a year, it's odd. (Honestly, one a year, tops).
However, I get a cmdagent.exe process flagged about once every nine months.




I can't be the only person who has reported this, can I?  ???
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: DavidR on October 17, 2010, 02:45:00 AM
Because it is stopping at the first detection in the memory block, not continuing to scan it. What is the point in reporting each and every signature it finds in that memory block loaded by the same process.

For the umpteenth time, it isn't an alert on cmdagent.exe, but the signatures it loads into memory. You are now aware that is what it is doing, so you have two choices: a) don't do a memory scan or b) ignore results for the memory block detections loaded by cmdagent.exe.

You are probably one of very few doing a custom scan (with memory), which is almost a paranoid scan as it scans everything, most of which is either dormant or inert and can safely be left to the resident on-access scanners. All of which I'm sure you already know from reporting it before and the topics you have read, I just can't see why you need to run a custom scan including memory and probably archives as well.

The Quick and Full System scans are designed to a) only scan files that are at risk of infection or b) if infected present an immediate risk, e.g. executables, etc.

Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: MostlyHarmless on October 17, 2010, 06:36:07 AM
Quote
Because it is stopping at the first detection in the memory block, not continuing to scan it. What is the point in reporting each and every signature it finds in that memory block loaded by the same process.

See the attached picture in the opening post of this query from February, 2010: Scan Results: Select the required action for each result and click "Apply" (http://forum.avast.com/index.php?topic=55354.0)

Quote
For the umpteenth time, it isn't an alert on cmdagent.exe, but the signatures it loads into memory.

I know.
cmdagent.exe is carrying out a process which loads virus signatures/fragments into memory. These signatures/fragments are then detected by avast!, which in turn throws up an alert over the apparent viruses it thinks cmdagent.exe has planted.


Quote
You are now aware that is what it is doing, so you have two choices: a) don't do a memory scan or b) ignore results for the memory block detections loaded by cmdagent.exe.

a) Turn off a legitimate threat-detection tool.
b) Just don't question scan results in future.


Quote
You are probably one of very few doing a custom scan (with memory), which is almost a paranoid scan as it scans everything, most of which is either dormant or inert and can safely be left to the resident on-access scanners. All of which I'm sure you already know from reporting it before and the topics you have read, I just can't see why you need to run a custom scan including memory and probably archives as well.

"+130 million registrations and growing" (http://www.avast.com/en-gb/free-antivirus-download) ...I always run a memory (and archive) scan as part of my 'custom scan' configuration. Why would I want to limit ways of detecting malicious code?


Quote
The Quick and Full System scans are designed to a) only scan files that are at risk of infection or b) if infected present an immediate risk, e.g. executables, etc.

You and I once had an argument over the virus targeting option. I'd still use it if it were available.





Look, I know that cmdagent.exe hasn't loaded full-blown viruses into my memory. I just wish that avast! wouldn't randomly start telling me I have infected files. This is the third (or fourth?) time this issue has occurred with me. It's every nine months or so, and it usually lasts until avast! issues a: "This VPS update contains only fixes to existing definitions or removal of false alarms."
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: DavidR on October 17, 2010, 02:59:20 PM
I give up, do what you like.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: essexboy on October 17, 2010, 03:58:58 PM
Quote
Look, I know that cmdagent.exe hasn't loaded full-blown viruses into my memory. I just wish that avast! wouldn't randomly start telling me I have infected files. This is the third (or fourth?) time this issue has occurred with me. It's every nine months or so, and it usually lasts until avast! issues a: "This VPS update contains only fixes to existing definitions or removal of false alarms."
This is a comodo problem and not Avast's: if comodo uses unencrypted virus data then they will get caught. Avast can do nothing about this - it is a Comodo problem. If Comodo encrypted the data then Avast would not see it; Avast cannot differentiate between the virus signatures that Comodo is loading and the real thing.
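
Added example (not part of the original thread, and not Avast or Comodo code): a toy Python model of the mechanism argued over in the posts above, where a scanner that stops at the first match in a memory block flags another product's plaintext signature data, while the file on disk and a masked signature store scan clean. Only the detection names come from the thread; the byte patterns, the two store classes, the key and the XOR masking (standing in for real encryption) are constructed assumptions.

```python
"""Toy model: scanner B scans a memory block that product A filled with signatures."""
import os
from typing import Dict, Iterable, Optional, Tuple

# Detection names are from the thread; the byte patterns are constructed and harmless.
DEFINITIONS: Dict[str, bytes] = {
    "Win32:FakeVimes-B [Trj]": b"\x90CONSTRUCTED-PATTERN-FAKEVIMES\x00\x17",
    "INF:AutoRun-W [Wrm]": b"[autorun]\r\nCONSTRUCTED-PATTERN-AUTORUN",
}


def scan_block(block: bytes, definitions: Dict[str, bytes]) -> Optional[Tuple[str, int]]:
    """Scanner B: report only the earliest match in the block, then stop."""
    hits = [(block.find(pattern), name) for name, pattern in definitions.items()]
    hits = [(offset, name) for offset, name in hits if offset >= 0]
    if not hits:
        return None
    offset, name = min(hits)
    return name, offset


class PlainStore:
    """Product A keeping its patterns in memory exactly as distributed."""

    def __init__(self, patterns: Iterable[bytes]):
        self.patterns = list(patterns)

    def memory_image(self) -> bytes:
        # What a memory scan of the owning process would read.
        return b"SIGDB\x00" + b"\x00".join(self.patterns)

    def matches(self, data: bytes) -> bool:
        return any(p in data for p in self.patterns)


class MaskedStore:
    """Product A keeping patterns XOR-masked at rest in memory (stand-in for encryption)."""

    def __init__(self, patterns: Iterable[bytes], key: Optional[bytes] = None):
        self.key = key or os.urandom(16)
        self.masked = [self._xor(p) for p in patterns]

    def _xor(self, data: bytes) -> bytes:
        return bytes(b ^ self.key[i % len(self.key)] for i, b in enumerate(data))

    def memory_image(self) -> bytes:
        # The key lives in the same process; only the patterns are unreadable as-is.
        return b"SIGDB\x01" + self.key + b"\x00".join(self.masked)

    def matches(self, data: bytes) -> bool:
        # Unmask one pattern at a time into a short-lived buffer.
        return any(self._xor(m) in data for m in self.masked)


def demo(key: bytes = b"constructed-key!") -> dict:
    # Assumption: both vendors carry the same byte pattern for a malware family.
    own_patterns = list(DEFINITIONS.values())
    exe_on_disk = b"MZ" + b"\x00" * 64 + b"constructed agent code, no signature data"
    plain = PlainStore(own_patterns)
    masked = MaskedStore(own_patterns, key)
    sample = b"...." + DEFINITIONS["Win32:FakeVimes-B [Trj]"] + b"...."
    return {
        "file_scan": scan_block(exe_on_disk, DEFINITIONS),
        "memory_scan_plain": scan_block(plain.memory_image(), DEFINITIONS),
        "memory_scan_masked": scan_block(masked.memory_image(), DEFINITIONS),
        "plain_detects_sample": plain.matches(sample),
        "masked_detects_sample": masked.matches(sample),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The plaintext block holds both patterns but the scan names only the first one, and the masked store still matches the sample even though its memory image scans clean.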
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: MostlyHarmless on October 17, 2010, 10:26:15 PM
Quote
Look, I know that cmdagent.exe hasn't loaded full-blown viruses into my memory. I just wish that avast! wouldn't randomly start telling me I have infected files. This is the third (or fourth?) time this issue has occurred with me. It's every nine months or so, and it usually lasts until avast! issues a: "This VPS update contains only fixes to existing definitions or removal of false alarms."
This is a comodo problem and not Avast's: if comodo uses unencrypted virus data then they will get caught. Avast can do nothing about this - it is a Comodo problem. If Comodo encrypted the data then Avast would not see it; Avast cannot differentiate between the virus signatures that Comodo is loading and the real thing.

I'm not sure how it's a Comodo problem. I don't know why cmdagent.exe puts virus signatures into memory, but it does, and (apparently) always has. My firewall hasn't changed since I installed it in June, and avast! was quite happily ignoring those cmdagent.exe processes until the virus definition updates of  8-Oct-2010 - (101008-0). Then avast! started reporting Process 11xx [cmdagent.exe], memory block 0x00000000023C0000, block size 4xxxxx  > Threat: Win32:FakeVimes-B [Trj]. This is a problem which avast! has created by reporting things which it had previously ignored.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Lisandro on October 17, 2010, 10:37:50 PM
Quote
This is a comodo problem and not Avast's: if comodo uses unencrypted virus data then they will get caught. Avast can do nothing about this - it is a Comodo problem. If Comodo encrypted the data then Avast would not see it; Avast cannot differentiate between the virus signatures that Comodo is loading and the real thing.
+1

Quote
I don't know why cmdagent.exe puts virus signatures into memory, but it does, and (apparently) always has.
The Defense+ and Cloud features of it load them into memory.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: MostlyHarmless on October 17, 2010, 10:51:07 PM

Quote
I don't know why cmdagent.exe puts virus signatures into memory, but it does, and (apparently) always has.
The Defense+ and Cloud features of it load them into memory.

So why isn't avast! ignoring them, like it usually does?
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Lisandro on October 17, 2010, 11:26:47 PM
Quote
So why isn't avast! ignoring them, like it usually does?
Maybe something changed in Defense+... For sure, avast does not change the detection of memory unencrypted signatures.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: kissbaby on September 21, 2011, 01:49:42 AM
Quote
So why isn't avast! ignoring them, like it usually does?
Maybe something changed in Defense+... For sure, avast does not change the detection of memory unencrypted signatures.
---------------------------------------
9-20-11

No need for me to start a new topic. I have avast 6.0, the newest version, and I did a definitions update before I did a full scan of everything, and it detected my cmdagent.exe (comodo firewall) as infected with Win32:FakeVimes-B [Trj]. And ya, I told comodo forums about it.

I just did a virus total scan too and it said it was clean. I even did a scan of just that file with avast and it said it was clean, lol, but when I scan the whole computer, then it said it was infected.

Hope you fix this in the next definitions update.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: DavidR on September 21, 2011, 02:21:08 AM
Read the topic: it isn't detecting the file but the signatures the process loaded into memory, so a VT scan on the file will show nothing.

This is because you are doing a custom scan and electing to scan memory.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: MostlyHarmless on September 21, 2011, 01:55:38 PM
Kissbaby, I still receive the process [cmdagent.exe], memory block, Win32:FakeVimes-B [Trj], 'high severity' threat notification whenever I complete any scan which includes a high-sensitivity memory check.
I'm satisfied that Win32:FakeVimes-B [Trj] is merely a fragment of the actual virus which Comodo loads into memory as part of a legitimate process. It's irritating to see it flagged with every Avast! scan, but I can live with it.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Pondus on September 21, 2011, 02:10:05 PM
Quote
It's irritating to see it flagged with every Avast! scan, but I can live with it.
So why don't you remove the "scan memory" from your custom scan setting?

or use the default quick / full scan with default setting....
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: MostlyHarmless on September 21, 2011, 04:16:58 PM
Quote
It's irritating to see it flagged with every Avast! scan, but I can live with it.
So why don't you remove the "scan memory" from your custom scan setting?

or use the default quick / full scan with default setting....

Why would I want to lessen the chance of detecting other possible threats?
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Pondus on September 21, 2011, 04:19:50 PM
Quote
Why would I want to lessen the chance of detecting other possible threats?
You won't..... The avast guys have been playing with malware since 1988.... They know how this works.

So trust the default settings
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Seany007 on February 14, 2012, 12:11:20 PM
Quote
Kissbaby, I still receive the process [cmdagent.exe], memory block, Win32:FakeVimes-B [Trj], 'high severity' threat notification whenever I complete any scan which includes a high-sensitivity memory check.
I'm satisfied that Win32:FakeVimes-B [Trj] is merely a fragment of the actual virus which Comodo loads into memory as part of a legitimate process. It's irritating to see it flagged with every Avast! scan, but I can live with it.

I have same thing here... Time to time... Strange...
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: CraigB on February 14, 2012, 12:22:28 PM
Quote
Kissbaby, I still receive the process [cmdagent.exe], memory block, Win32:FakeVimes-B [Trj], 'high severity' threat notification whenever I complete any scan which includes a high-sensitivity memory check.
I'm satisfied that Win32:FakeVimes-B [Trj] is merely a fragment of the actual virus which Comodo loads into memory as part of a legitimate process. It's irritating to see it flagged with every Avast! scan, but I can live with it.

I have same thing here... Time to time... Strange...
Best to do as Pondus has suggested and remove the scan memory from your custom scan or use the default quick and full scans.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: true indian on February 14, 2012, 12:42:08 PM
You are having outdated comodo...

update comodo...the latest version is 5.9 see my signature.

that should fix that 8)
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: DavidR on February 14, 2012, 06:59:08 PM
Quote
Kissbaby, I still receive the process [cmdagent.exe], memory block, Win32:FakeVimes-B [Trj], 'high severity' threat notification whenever I complete any scan which includes a high-sensitivity memory check.
I'm satisfied that Win32:FakeVimes-B [Trj] is merely a fragment of the actual virus which Comodo loads into memory as part of a legitimate process. It's irritating to see it flagged with every Avast! scan, but I can live with it.

I have same thing here... Time to time... Strange...

Please don't post in multiple topics about the same thing, it just duplicates the efforts of those trying to help. I have replied in your other topic also.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: giogio on February 14, 2012, 07:17:55 PM
Simply add an exclusion.
You can set the exclusion (e.g. for the particular scan you created) as follows:
*PROCESS\*\cmdagent.exe
- then the Comodo process won't be scanned at all.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Saulius on March 04, 2012, 01:47:57 PM
Hey that's a good idea Giogio, set exclusions to memory scans from always detecting things that are harmless but that it regularly flags.

I just 'caught' one of those Win32:FakeVimes-B [Trj] heavy alerts in AVG, I figured it was harmless but since it's been a while since I discovered anything I could delete I did so and later checked that AVG is OK, which I keep for backup manual AV scanning, mkay.
Title: Re: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].
Post by: Pondus on March 04, 2012, 02:00:27 PM
Quote
Hey that's a good idea Giogio, set exclusions to memory scans from always detecting things that are harmless but that it regularly flags.
Would it not be smarter to not use the memory scan... but default scan settings?


Quote
which I keep for backup manual AV scanning, mkay.
Running multiple AVs can/will create all kinds of Windows errors and false positive detections.

Read reply from quietman7
http://www.bleepingcomputer.com/forums/topic186533.html