Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: MaxReed on July 04, 2011, 09:52:21 PM

Title: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: MaxReed on July 04, 2011, 09:52:21 PM
I performed a couple of deep scans with custom settings with Avast! and in the results it reports COMODO's process cmdagent.exe as a virus. This only happens on the laptop.
On the "home PC" it doesn't detect anything unusual.
Can someone tell me something about this behavior?
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: DavidR on July 04, 2011, 10:37:57 PM
Full details of the detection or a screenshot of the scan results window would help determine what it is.

Did you do a Memory scan as a part of that custom scan?
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: MaxReed on July 04, 2011, 11:06:26 PM
I'm sorry for the error in the previous post... the process isn't "cfp.exe", but "cmdagent.exe".
At the moment I can't post a screenshot or full details of the scan on my laptop. For now I can tell you that the deep scan that I have created is a custom scan with all possible scan areas that you can find in the custom scan parameters.
On my "home pc" I have just now found the same problem. These are the results:
-Process 816[cmdagent.exe],block memory 0x00000000047C0000,block dimension 2097152- -Severity:High- -Threat:Win32:FakeVimes-B [Trj]-
I tried to translate the results because my AV is in Italian ;D
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: DonZ63 on July 04, 2011, 11:14:18 PM
I get the same error when I run an Avast memory scan. Avast forum people told me not to worry; the alert is from Comodo loading unencrypted signatures into memory.

My theory is cmdagent.exe at boot time does tons of hook injections to minimize Defense+ alerts. What is left in memory is the leftover from that process.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: MaxReed on July 04, 2011, 11:45:53 PM
Ok Thanks!! Now I can stay quiet!!!  ;D
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: DavidR on July 05, 2011, 12:21:57 AM
Detections in memory, as this one is, come from doing a Custom scan in which you have elected to scan Memory, and all these detections are in memory. Since they aren't physical files they can't be moved to the chest, deleted, etc., so there is no action that can be taken, hence the Apply button being greyed out.

The detections in memory are frequently other security applications loading unencrypted virus signatures into memory. Having set off a scan of memory by an antivirus application looking for virus signatures, don't be too surprised if it finds some in memory.

So either don't scan memory in the custom scan or understand that you can get detections like this on other security applications loading unencrypted signatures into memory.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: iroc9555 on July 05, 2011, 02:10:00 AM
Max, Donz.

I also run Comodo, Firewall and D+, but I have never run Comodo AV. When I do a memory scan with Avast, I do not get any unencrypted virus signatures in memory from Comodo. I get Windows Defender though because it is running. I wonder, have you ever had Comodo AV running on your machines?

Regards.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: DavidR on July 05, 2011, 02:20:04 AM
Defence+ also uses signatures as far as I'm aware (it was my belief it was only the AV, but I was corrected), so it would be cmdagent.exe which would load them into memory as and when used.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: iroc9555 on July 05, 2011, 02:45:50 AM
DavidR.

Quote from: DavidR
Defence+ also uses signatures as far as I'm aware (it was my belief it was only the AV, but I was corrected), so it would be cmdagent.exe which would load them into memory as and when used.

Thank you for the info, but still Avast is not detecting cmdagent.exe unencrypted virus signatures on my PC, just Win Def sigs.  ???
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: DavidR on July 05, 2011, 03:01:20 AM
I don't know why that is as I have never used any comodo product, been very happy with my firewall for many, many years.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: MaxReed on July 05, 2011, 10:03:26 AM
For iroc9555:
I have never installed Comodo AV on my PCs.

For DavidR and iroc9555:
So, what should be the problem? Is what DonZ63 wrote right? Or is the cause the unencrypted virus signatures in memory?
However, can I stay quiet or do I have to worry?

Thanks for the help!!!
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: SpeedyPC on July 05, 2011, 11:59:34 AM
Quote from: MaxReed
For iroc9555:
I have never installed Comodo AV on my PCs.

For DavidR and iroc9555:
So, what should be the problem? Is what DonZ63 wrote right? Or is the cause the unencrypted virus signatures in memory?
However, can I stay quiet or do I have to worry?

Thanks for the help!!!

MaxReed, go to the Comodo forum and ask whether anyone has come across the same problem as you, and you might get an answer. I don't think it is related to Avast; it might be Comodo FW, unless your settings are not set up correctly. If you're not a member, please register and join; it's free ;)

https://forums.comodo.com/help-cis-b127.0/
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: MaxReed on July 08, 2011, 10:00:18 PM
Ok, I've asked about this problem on the Comodo forum and they said that it is a false positive from Avast. I hope that the Avast Team solves the problem.

Thanks to all!!!
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: DavidR on July 08, 2011, 10:21:49 PM
Sorry, but I honestly don't see how this can be considered a false positive, you ask avast to scan in memory for virus signatures and it has done as you asked.

Avast as I have said isn't alerting on cmdagent.exe but the unencrypted signatures that it has loaded into memory.

I have no idea what question you asked in the comodo forums, but if it didn't ask 'Does cmdagent.exe (for defense+) load virus signatures into memory?' then you won't get an accurate answer, as I feel they are simply saying there is nothing wrong with cmdagent.exe. Avast isn't saying it is infected, just that it is responsible for loading those signatures into memory.

As I said before:
Quote from: DavidR
So either don't scan memory in the custom scan or understand that you can get detections like this on other security applications loading unencrypted signatures into memory.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: SpeedyPC on July 09, 2011, 07:47:01 AM
@MaxReed if I'm not mistaken, if I understood correctly what DavidR is saying, I hope ??? virus signatures should not be loaded into memory by cmdagent.exe (for defense+). Sometimes this can cause problems for the PC; having too many virus signatures loaded into memory can slow down your PC, so it shouldn't in most cases.

@MaxReed, please check your Comodo FW settings for me. Please trust me: I have been using Comodo FW for nearly 6 years, from v3.0 to v5.4. I'm not using Comodo FW any more; I'm currently using Outpost. So go to Comodo FW in the defense+ settings:

1. Go to Firewall Behavior Settings and tick Create rules for safe applications

2. Go to Defense+ in general settings have you picked Create rules for safe applications

3. In Execution Control settings un-tick the following settings:

4. In Sandbox settings, disable Comodo Sandbox; it is not required while you have Avast sandbox running ;)

5. In Sandbox settings un-tick the Automatically trust the files from the trusted installers

6. In Monitoring Settings make sure you pick everything.

And reboot your PC. After that, go back to Comodo FW and go to the More Options section right at the end

7. Run the Comodo Diagnostics just to make sure everything is okay

8. After Diagnostics, go to Manage My Configurations and back up your Comodo settings under a different name and keep it in a safe place, just in case a new Comodo FW version comes out; in most cases you could lose all your settings, and it is easy to restore them back into Comodo FW.

And do another Avast custom scan of the memory, and I'm pretty sure everything should be cleaned out by cmdagent.exe (for defense+) ;)

Please let me know.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: MaxReed on July 09, 2011, 12:08:58 PM
But with these changes, however, is my PC well protected?  :-\
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: SpeedyPC on July 09, 2011, 02:15:35 PM
Quote from: MaxReed
But with these changes, however, is my PC well protected?  :-\

Yes, your PC is protected ;) Keep in mind you don't need two sandboxes running at the same time, Comodo and Avast; the only sandbox you need is Avast, not Comodo, because this is overkill.

Your Comodo Defense+ is still enabled; this is how it works without using Comodo Sandbox.

The Defense+ component of Comodo Internet Security (hereafter known simply as Defense+) is a host intrusion prevention system that constantly monitors the activities of all executable files on your PC. With Defense+ activated, the user is warned EVERY time an unknown application executable (.exe, .dll, .sys, .bat etc) attempts to run. The only executables that are allowed to run are the ones you give permission to.

Defense+ also protects against data theft, computer crashes and system damage by preventing most types of buffer overflow attacks. This type of attack occurs when a malicious program or script deliberately sends more data to its memory buffer than that the buffer can handle. It is at this point that a successful attack can create a back door to the system through which a hacker can gain access. The goal of most attacks is to install malware onto the compromised PC whereby the hacker can reformat the hard drive, steal sensitive user information, or even install programs that transform the machine into a Zombie PC.

Defense+ boasts a highly configurable security rules interface and prevents possible attacks from root-kits, inter-process memory injections, key-loggers and more. It blocks Viruses, Trojans and Spyware before they can ever get installed on your system and prevents unauthorized modification of critical operating system files and registry entries.


Sorry, I forgot to tell you: set your Firewall Security Level to Custom Policy and set your Defense+ Security Level to Paranoid Mode, and finally look for Stealth Ports Wizard and pick Block all incoming connections, that's all ;)
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: DavidR on July 09, 2011, 03:23:00 PM
Well this is becoming more prevalent by a number of security applications as it speeds up any scan/check as accessing this data is much quicker if the signature data is loaded in memory rather than on the hard drive.

So the rights and wrongs of it: should those signatures, when loaded in memory, be encrypted or not, as they must know there is a possibility that the user's resident anti-virus may well detect these signatures. Or is it just the case that, since comodo now only offer the suite version with an AV, they feel there shouldn't be anyone who doesn't want their AV (or care).

If the signatures were encrypted in memory they wouldn't/shouldn't be detected, but then there is the overhead of having to decrypt the signatures first, losing some of the benefit of having them in memory.

So in essence it is up to the user to do as I suggested: don't run the memory scan in the custom scan, or ignore the expected results if virus signatures loaded by security software are detected.
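An added illustration, not part of any post in this thread and not Avast or Comodo code: a toy model of the trade-off described in the post above, where a memory scan matches another product's signature database when it is resident in plaintext but not when it is masked, at the cost of unmasking on every lookup. The pattern bytes, detection names, XOR masking, fixed record size and all function names are constructed assumptions.

```python
# Toy model: one scanner's memory scan hitting another product's signature DB.
# Every name and byte pattern here is constructed; none is a real signature.

PATTERNS = {
    "Toy:SampleA [Trj]": bytes.fromhex("deadbeef41424344f00dfeed"),
    "Toy:SampleB [Trj]": bytes.fromhex("0badc0de5a5a5a5a13371337"),
}
RECORD = 12                           # fixed record size of the toy database
MASK_KEY = bytes.fromhex("a73c915e")  # hypothetical in-memory masking key


def xor_mask(data: bytes, key: bytes = MASK_KEY) -> bytes:
    """Reversible byte masking, standing in for 'encrypted in memory'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def load_signature_db(masked: bool) -> bytes:
    """What the other security product keeps resident: patterns back to back."""
    blob = b"".join(PATTERNS.values())
    return xor_mask(blob) if masked else blob


def memory_block(payload: bytes, pad: int = 4096) -> bytes:
    """Simulated process memory block: the loaded database between zeroed pages."""
    return bytes(pad) + payload + bytes(pad)


def scan_memory(block: bytes) -> list[tuple[str, int]]:
    """Resident AV memory scan: (detection name, offset) per pattern found."""
    hits = []
    for name, pattern in PATTERNS.items():
        offset = block.find(pattern)
        if offset != -1:
            hits.append((name, offset))
    return hits


def owner_lookup(sample: bytes, resident_db: bytes, masked: bool) -> tuple[bool, int]:
    """The owning product checks a sample against its own resident database.

    Returns (matched, bytes_unmasked); the second value is the extra work a
    masked database costs on every lookup.
    """
    unmasked = 0
    if masked:
        resident_db = xor_mask(resident_db)  # must be undone before matching
        unmasked = len(resident_db)
    records = [resident_db[i:i + RECORD] for i in range(0, len(resident_db), RECORD)]
    return any(rec in sample for rec in records), unmasked


if __name__ == "__main__":
    sample = b"xx" + PATTERNS["Toy:SampleB [Trj]"]  # constructed test sample
    for masked in (False, True):
        db = load_signature_db(masked)
        print("masked DB:" if masked else "plain DB: ",
              scan_memory(memory_block(db)), owner_lookup(sample, db, masked))
```

In this model the plaintext database yields one memory hit per pattern inside the owning process's block, while the masked one yields none but unmasks the whole database on each lookup.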
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: Asyn on July 09, 2011, 06:25:12 PM
A bit OT, but if you just need a quite slick FW (and eventually a HIPS) use an older version of Comodo. (See my sig.!) This version doesn't load any signatures into memory and does everything you can expect from a FW (and a HIPS). ;)
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: Para-Noid on July 09, 2011, 06:33:40 PM
Quote from: Asyn
A bit OT, but if you just need a quite slick FW (and eventually a HIPS) use an older version of Comodo. (See my sig.!) This version doesn't load any signatures into memory and does everything you can expect from a FW (and a HIPS). ;)

I noticed you mentioned HIPS. I have been using Online Armor Free, which has HIPS and does not slow down my machine. I was wondering if Comodo does likewise? I am asking for my knowledge because I have never used anything from Comodo. I am constantly trying to learn.  :)

I found this link so anyone could download an earlier version.
http://filehippo.com/download_comodo/
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: Asyn on July 09, 2011, 06:38:18 PM
Quote from: Para-Noid
I noticed you mentioned HIPS. I have been using Online Armor Free, which has HIPS and does not slow down my machine. I was wondering if Comodo does likewise?

You mean, if Comodo's HIPS (D+) slows your system..?
No, it doesn't.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: Para-Noid on July 09, 2011, 07:41:54 PM


Quote from: Asyn
You mean, if Comodo's HIPS (D+) slows your system..?
No, it doesn't.

That's what I wanted to know. Thanks.  :)
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: Asyn on July 09, 2011, 08:33:49 PM
Quote from: Para-Noid
That's what I wanted to know. Thanks.  :)

You're welcome..!
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: DBone on July 10, 2011, 01:03:10 AM
I know an easy fix...............Uninstall Comodo, and use Windows FW.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: Asyn on July 10, 2011, 01:07:35 AM
Quote from: DBone
I know an easy fix...............Uninstall Comodo, and use Windows FW.

Whom do you address..?
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: DBone on July 10, 2011, 01:45:16 AM
Nobody specific, just what I would do. :)
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: DonZ63 on July 10, 2011, 02:04:00 AM
SpeedyPC, have any suggestions for MBAM Pro that is loading 6-7 unencrypted signatures into memory? At least that is what Avast's memory scanner is saying.

It is a bit odd that Avast's memory scanner is not only flagging Comodo's cmdagent.exe but also MBAM's mbamservice.exe.

I am also curious as to why you are recommending that all Defense+ cloud settings be turned off. Know something amiss in that area?

BTW - cmdagent.exe is loading snxhk64.dll which is an Avast .dll. I was floored when I saw that. More so since Comodo really protects the hell out of cmdagent.exe.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: SpeedyPC on July 10, 2011, 07:07:29 AM
Quote from: Asyn
A bit OT, but if you just need a quite slick FW (and eventually a HIPS) use an older version of Comodo. (See my sig.!) This version doesn't load any signatures into memory and does everything you can expect from a FW (and a HIPS). ;)

The old Comodo FW v3.14 doesn't work on Win7, just keep this in mind ;)
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: SpeedyPC on July 10, 2011, 07:28:11 AM
@DonZ63 I cannot answer your question about MBAM Pro; I only used the free version. I'm also aware that it has extra features in the Pro version, so I cannot fully answer your question alongside Comodo FW.

The Comodo FW cloud feature is a bit overkill when Avast free has so many extra features protecting your PC; Comodo cloud can cause too many FPs if you're not very careful with it. I also have other software for on-demand on my PC and I also have CCE ;) All I'm saying is that all the extra security features in Comodo FW are overkill while Avast free is almost doing the same job, so why add more when overkill on the PC can create a lot of problems. The only way to balance this out is to either remove Avast to have all the CIS features, or, if you want to use Avast, then cut down the features running inside Comodo FW; you can't have it both ways.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: CraigB on July 10, 2011, 08:00:16 AM
DonZ63, if you are getting memory detections about Malwarebytes then you must be running a custom scan with memory scan included, as this scan tends to delve deeper into memory than the normal scans, which is why you're picking up MBAM signatures. There is no way round it but to either untick the memory scan section or to stick to the normal scans, or simply just ignore the detections of MBAM as they're harmless anyway.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: Asyn on July 10, 2011, 09:39:19 AM
Quote from: SpeedyPC
The old Comodo FW v3.14 doesn't work on Win7, just keep this in mind ;)

It also works on W7.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: SpeedyPC on July 10, 2011, 09:49:45 AM
Quote from: SpeedyPC
The old Comodo FW v3.14 doesn't work on Win7, just keep this in mind ;)

Quote from: Asyn
It also works on W7.

Are you 100% sure ??? I'm not trying to be a wise guy :-\
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: Asyn on July 10, 2011, 09:59:13 AM
Quote from: SpeedyPC
Are you 100% sure ??? I'm not trying to be a wise guy :-\

Yes. 100% ;)
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: DonZ63 on July 10, 2011, 03:09:57 PM
Quote from: CraigB
DonZ63, if you are getting memory detections about Malwarebytes then you must be running a custom scan with memory scan included, as this scan tends to delve deeper into memory than the normal scans, which is why you're picking up MBAM signatures. There is no way round it but to either untick the memory scan section or to stick to the normal scans, or simply just ignore the detections of MBAM as they're harmless anyway.

We are having a debate over in the Comodo firewall forum on this issue.

Individuals with identical security setups (Comodo ver 5.x firewall and Defense+ with Avast 6.x with web shield active) are getting different results when the Avast memory scanner is run. Most get the FakeVimes signature found result. However, others do not. This has more than a few people concerned. Note that none of these individuals ever had Comodo's AV installed, including yours truly.

Comodo has admitted that Defense+ does do process hook injection to minimize Defense+ alerts. This however does not explain why Avast memory scanner is finding unencrypted signatures.

Then there is the MBAM Pro issue in the same area. As far as I know MBAM Pro does not do any process hook injection.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: CraigB on July 10, 2011, 04:22:29 PM
I don't know that much about comodo as I don't use it, but I do know that defence + is not needed when running avast.
The issue with MBAM Pro signatures being discovered in memory by avast has been mentioned on this forum several times in the past, and the only thing you can do is to not include the memory scan when running custom scans or ignore it, as I have already mentioned they're harmless.
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: Asyn on July 10, 2011, 04:31:31 PM
Quote from: CraigB
I don't know that much about comodo as I don't use it, but I do know that defence + is not needed when running avast.

Well... :-X ;)
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: CraigB on July 10, 2011, 04:49:46 PM
You are running quite an old version of comodo, Asyn, so maybe it is different to the newer version. All I see lately is conflict between avast and the new version of comodo. Like I said, I don't use it, but there is something going on and defence + seems to be the cause with a few people.
I still don't think D+ is needed though  ??? :-\
Title: Re: Probable Conflict between Avast! 6.0.1125 and Comodo Firewall 5.4
Post by: Asyn on July 10, 2011, 11:26:55 PM
Quote from: CraigB
I still don't think D+ is needed though  ??? :-\

No problem with your opinion craig. :)