Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: hrthrtht on August 10, 2011, 10:25:36 AM

Title: why avast detects the process of comodo firewall as virus?
Post by: hrthrtht on August 10, 2011, 10:25:36 AM
I found that avast has detected (cmdagent.exe), the process of comodo firewall, as a virus (win32:fakevimes-b[trj]) for a few months. What's wrong with avast? Why has this false positive still not been fixed? Does anybody have a reply for that?
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: igor on August 10, 2011, 10:36:10 AM
Because avast! is detecting unencrypted virus signatures in Comodo's memory. So it's not really a false positive, but more a conflict of two antiviruses.
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: hrthrtht on August 10, 2011, 10:51:25 AM
But how should we solve this problem?
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: igor on August 10, 2011, 10:56:16 AM
I'd say either ignore the results from the mentioned process, or don't use the memory scan... that's about it, I'm afraid.
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: Hellion on August 10, 2011, 11:01:20 AM

Hi,

I use avast free in conjunction with Comodo firewall (without Antivirus) and it picks up cmdagent.exe.

Why would it install signatures if they will never be updated because the corresponding component is not installed?

Just a thought (sorry for busting in on the conversation).

I too have been baffled by this for quite some time.

Regards,
Hellion
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: CraigB on August 10, 2011, 11:23:24 AM
You will have to ask comodo that question. As igor said, you can untick the scan memory box from your custom scans or simply use the default full and quick scans.
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: Hellion on August 10, 2011, 11:34:29 AM
Hi CraigB,

I have opened a thread in "Bug reports" over at Comodo,

Here is the link:

https://forums.comodo.com/bug-reports-cis/avast-comodo-and-cmdagentexe-t75271.0.html


Thanks for the help,
Hellion
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: CraigB on August 10, 2011, 11:40:34 AM
You're welcome, I didn't say anything different really from what igor said, just in different words :)
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: igor on August 10, 2011, 11:43:44 AM
Well, I have to admit that I didn't check the particular signature or process (not having Comodo installed), so I'm not 100% sure about it - but I find it quite likely; if the memory scan detects something in another AV's memory, it's usually the case.
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: Hellion on August 10, 2011, 11:50:50 AM
Hi Igor,

I understand.

I will wait and see Comodo's response.

Regards,
Hellion
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: igor on August 10, 2011, 11:53:58 AM
Btw, I don't think the memory scan is very useful; the existing signatures are mostly aimed at files, not memory - so I believe you won't really lose anything by replacing the memory scan by something else (such as auto-start programs).
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: Hellion on August 10, 2011, 12:04:22 PM
Hi Igor,

I have 4 terabytes of data, so doing a full scan takes about a day for me. What I do is create a custom scan with Memory + Auto Start + Rootkit (full) and let that run on a schedule.

It doesn't really bother me that bad, but I know it shouldn't be happening.

Regards,
Hellion
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: igor on August 10, 2011, 12:15:37 PM
I'm not saying you should make a full scan - just that for a quick scan, Auto-Start should be quite enough.
The memory scan, even if the necessary signatures were in the virus database, is unreliable by default - virus signatures may be found in memory of a browser if it downloaded some, possibly even blocked, malware in the past, file managers may have some signatures in their memory if you moved some strange files in the past, etc.
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: coiotus on August 10, 2011, 11:01:03 PM
I've had them installed, but did not detect virus in Comodo ...
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: Corsair on August 11, 2011, 04:00:33 AM
Have you made sure to exclude Comodo in Avast in both the program Settings and in the File System Shield settings?
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: Hellion on August 11, 2011, 07:30:50 AM
Hi Corsair,

It's not really a problem as this is only an issue encountered with memory scans and even after detection there is nothing you can do. (there is no option of deleting/Quarantining the detection)

I did try your suggestion now. I added the exclusions for both manual/auto scans and File System Shield, but this had no effect.

Regards,
Hellion
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: Corsair on August 11, 2011, 07:51:04 AM
Just a query:

Do your avast! settings and file system shield exclusions look like the attachments below?
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: Hellion on August 11, 2011, 12:47:45 PM
Hi Corsair,

Yes, they look EXACTLY like that.

It's very hard to screw something like that up :)


Regards,
Hellion
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: DavidR on August 11, 2011, 02:10:24 PM
Excluding comodo in avast won't make a difference in this case as:
a) this isn't an alert on any comodo file
b) is in memory, not a file or comodo location
c) whilst you can exclude a file from being scanned, you can't exclude its actions, e.g. in this case the insertion of unencrypted signatures into memory.
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: igor on August 11, 2011, 02:28:18 PM
Well, I believe you probably could exclude the memory detection, but you'd need an advanced magic for that ;)
Let me know what exactly the detection says in the first column, I'll try to make the exclusion mask.
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: DavidR on August 11, 2011, 02:37:23 PM
I think the simpler option would be not to do the memory scan as you have on numerous occasions, if it gets into memory it is a bit late ;D
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: Corsair on August 11, 2011, 05:56:35 PM
Ah. I see now.  :P

Just an FYI - it sounds similar to this: http://forum.avast.com/index.php?topic=78142.0
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: Hellion on August 12, 2011, 07:51:06 AM
Hi Igor,

This detection only occurs when you do a memory scan with the "test whole files" option.

The detection reads...

File Name:
Process 884 [cmdagent.exe], memory block 0x0000000004b00000, block size 2097152

Severity:
High

Status threat: win32:fakevimes-b trojan

Hi Corsair,

Yes that thread has pretty much the same discussion going.


Regards,
Hellion
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: igor on August 12, 2011, 02:19:36 PM
You can set the exclusion (e.g. for the particular scan you created) as follows:
*PROCESS\*\cmdagent.exe
- then the Comodo process won't be scanned at all.
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: Hellion on August 13, 2011, 09:07:37 AM
Hi Igor,

What about people that are not computer savvy? I think this is what the OP was getting at.

This never bothered me since I know that the Comodo process is not a threat, but some other people might be confused by it.

BTW, Thanks for everyone's input,

Regards,
Hellion
Title: Re: why avast detects the process of comodo firewall as virus?
Post by: DonZ63 on August 13, 2011, 06:10:28 PM
A thousand kudos to Igor!

The *PROCESS tip works like a champ. I have added cmdagent.exe and mbamservice.exe to any scan that uses the memory scan option. No more signature alerts from Comodo and MBAM Pro.

Please post this tip as a FAQ at the top of this forum for others.
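
As an added illustration (not part of the forum thread, and not avast! or Comodo code), the toy scanner below shows the mechanism igor and DavidR describe: a byte-pattern memory scan flags any process that holds matching bytes, including another scanner's unencrypted signature table or a browser's cached download, and skipping a process by name removes the alert. All process names, detection names and patterns are constructed, and the name-based exclusion is a simplification, not avast!'s mask syntax.

```python
# Added illustration: toy byte-pattern memory scanner. All names and
# byte patterns are constructed; this is not avast! or Comodo code.

# Constructed signature database: detection name -> byte pattern.
SIGNATURES = {
    "Toy:SampleA": b"\x4d\x5a\x90\x13\x37\xc0\xde",
    "Toy:SampleB": b"EVIL-MARKER-0001",
}

def xor_encode(data: bytes, key: int = 0x5A) -> bytes:
    """Trivial reversible encoding, standing in for an encrypted table."""
    return bytes(b ^ key for b in data)

def build_table(signatures, encode=False) -> bytes:
    """Serialise the patterns the way a scanner might hold them in memory."""
    blob = b"\x00".join(signatures.values())
    return xor_encode(blob) if encode else blob

def scan_memory(processes, signatures, excluded=()):
    """Return (process, detection, offset) for every pattern found."""
    hits = []
    for name, memory in processes.items():
        if name.lower() in excluded:  # excluded process is not scanned at all
            continue
        for detection, pattern in signatures.items():
            offset = memory.find(pattern)
            if offset != -1:
                hits.append((name, detection, offset))
    return hits

# Constructed "memory" of four processes.
PROCESSES = {
    # Second scanner holding its signature table unencrypted.
    "other_av_plain.exe": b"HEAP" + build_table(SIGNATURES),
    # Same table, but kept encoded while resident in memory.
    "other_av_encoded.exe": b"HEAP" + build_table(SIGNATURES, encode=True),
    # Browser that still has bytes of a blocked download cached.
    "browser.exe": b"cache:" + SIGNATURES["Toy:SampleB"] + b":blocked",
    "notepad.exe": b"just some text",
}

if __name__ == "__main__":
    for hit in scan_memory(PROCESSES, SIGNATURES):
        print(hit)
    print(scan_memory(PROCESSES, SIGNATURES, excluded={"other_av_plain.exe"}))
```

None of the flagged processes executes the matched bytes; the scanner only reports that the pattern is present in the process's address space, which is why such hits need triage by process identity rather than cleanup.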