Author Topic: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].


MostlyHarmless

  • Guest
Quote
Do you have or did you have Comodo Internet Security on your computer?

No. Version 2.4(?) had an on-demand virus scanning option, but since CFP v3.0, I have only ever installed the firewall component.

Quote
I have received no alerts or detections from Avast 5.0.677 regarding cmdagent.exe with CIS 5.0.x.1135 (FW and HIPS). I notice that the OP is using CIS 5.0.x.1142, an upgraded version from CIS 4.x. Possibly, that's a clue.

Until a few days ago I had CFP v4.1.x installed. I started getting the cmdagent.exe alert on the 10th. I updated to CFP v5.0.1 on the 14th, but was still being alerted to process [cmdagent.exe]. On the 15th I uninstalled CFP and downloaded a fresh copy of v5.0.163652.1142 from personalfirewall.comodo.com. (Though oddly, the profile of this installer thinks it is v5.0.32580.1142... )
Installed, but still getting the warning
File name: Process 11xx [cmdagent.exe], memory block 0x00000000023C0000, block size 4xxxxx
Severity: High
Status: Threat: Win32:FakeVimes-B [Trj]

Quote
I've asked for help on Comodo forum
https://forums.comodo.com/firewall-help-cis/firewall-loading-virus-signatures-into-memory-and-detected-by-avast-t63746.0.html;new#new

Thanks for that, Tech. I was just about to do that very thing.

I have to reiterate: This is NOT the first time that avast! has had problems with cmdagent.exe on my PC. Usually after a few virus definition updates or an engine revision, avast! stops flagging process, cmdagent.exe

Offline Lisandro

  • Avast team
Quote
Thanks for that, Tech. I was just about to do that very thing.
It will be better if you post there yourself, giving details of the problem.
The best things in life are free.

MostlyHarmless

  • Guest
Quote
Thanks for that, Tech. I was just about to do that very thing.
It will be better if you post there yourself, giving details of the problem.

Done ;D

Offline Lisandro

  • Avast team
It's the Defense+ cloud and behavior shield.
Now, Comodo must encrypt the signatures loaded into memory or we will see this over and over again.

MostlyHarmless

  • Guest
Quote
It's the Defense+ cloud and behavior shield.
Now, Comodo must encrypt the signatures loaded into memory or we will see this over and over again.

ok... But why is avast! only warning me about:
Process 11xx [cmdagent.exe], memory block 0x00000000023C0000, block size 4xxxxx  > Threat: Win32:FakeVimes-B [Trj] ?
Nothing else, just this one signature.

Win32:FakeVimes-B [Trj] was added to the avast! virus blacklist on 8-Oct-2010 (101008-0), and the very next scan I do after that date flags it as a memory process. Doesn't anyone think this is a little bit of a coincidence?

When this problem arose, I was using CFP v4.1. I've had this since I last reinstalled XP on my PC back in June.
CFP rarely changes; avast! changes daily through virus updates; something in the 8-Oct-2010 (101008-0) update has triggered this cmdagent.exe alert.

Because of my surfing habits, if I catch one actual virus in a year, it's odd. (Honestly, one a year, tops).
However, I get a cmdagent.exe process flagged about once every nine months.

I can't be the only person who has reported this, can I? ???

Offline DavidR

  • Avast Überevangelist
Because it is stopping at the first detection in the memory block, not continuing to scan it. What is the point in reporting each and every signature it finds in that memory block loaded by the same process?

For the umpteenth time, it isn't an alert on cmdagent.exe, but the signatures it loads into memory. You are now aware that is what it is doing, so you have two choices: a) don't do a memory scan, or b) ignore results for the memory block detections loaded by cmdagent.exe.

You are probably one of very few doing a custom scan (with memory), which is almost a paranoid scan as it scans everything, most of which is either dormant or inert and can safely be left to the resident on-access scanners. All of which I'm sure you already know from reporting it before and the topics you have read, I just can't see why you need to run a custom scan including memory and probably archives as well.

The Quick and Full System scans are designed to a) only scan files that are at risk of infection or b) if infected present an immediate risk, e.g. executables, etc.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

MostlyHarmless

  • Guest
Quote
Because it is stopping at the first detection in the memory block, not continuing to scan it. What is the point in reporting each and every signature it finds in that memory block loaded by the same process?

See the attached picture in the opening post of this query from February, 2010:
Scan Results: Select the required action for each result and click "Apply"


Quote
For the umpteenth time, it isn't an alert on cmdagent.exe, but the signatures it loads into memory.

I know.
cmdagent.exe is carrying out a process which loads virus signatures/fragments into memory. These signatures/fragments are then detected by avast!, which in turn throws up an alert over the apparent viruses it thinks cmdagent.exe has planted.


Quote
You are now aware that is what it is doing, so you have two choices: a) don't do a memory scan, or b) ignore results for the memory block detections loaded by cmdagent.exe.

a) Turn off a legitimate threat-detection tool.
b) Just don't question scan results in future.


Quote
You are probably one of very few doing a custom scan (with memory), which is almost a paranoid scan as it scans everything, most of which is either dormant or inert and can safely be left to the resident on-access scanners. All of which I'm sure you already know from reporting it before and the topics you have read, I just can't see why you need to run a custom scan including memory and probably archives as well.

"+130 million registrations and growing" ...I always run a memory (and archive) scan as part of my 'custom scan' configuration. Why would I want to limit ways of detecting malicious code?


Quote
The Quick and Full System scans are designed to a) only scan files that are at risk of infection or b) if infected present an immediate risk, e.g. executables, etc.

You and I once had an argument over the virus targeting option. I'd still use it if it were available.

Look, I know that cmdagent.exe hasn't loaded full-blown viruses into my memory. I just wish that avast! wouldn't randomly start telling me I have infected files. This is the third (or fourth?) time this issue has occurred with me. It's every nine months or so, and it usually lasts until avast! issues a: "This VPS update contains only fixes to existing definitions or removal of false alarms."

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
I give up do what you like.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Quote
Look, I know that cmdagent.exe hasn't loaded full-blown viruses into my memory. I just wish that avast! wouldn't randomly start telling me I have infected files. This is the third (or fourth?) time this issue has occurred with me. It's every nine months or so, and it usually lasts until avast! issues a: "This VPS update contains only fixes to existing definitions or removal of false alarms."
This is a Comodo problem and not Avast's: if Comodo uses unencrypted virus data then they will get caught. Avast can do nothing about this - it is a Comodo problem. If Comodo encrypted the data then Avast would not see it; Avast cannot differentiate between the virus signatures that Comodo is loading and the real thing.
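An added illustration of the two points made in this thread (it is a constructed example, not code from the thread or from either product): a byte-pattern memory scan stops at the first match in a block and reports that block once, and a signature table held in plaintext matches while the same table held encoded does not. The pattern names, bytes, PID and address are made up; the XOR stands in for whatever real encryption a vendor would use.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed toy signature table (name -> byte pattern). These are not real
# AV signatures, just stand-ins for what a product keeps in memory.
SIGNATURES: Dict[str, bytes] = {
    "Demo:PatternA": b"DEMO-SIG-ALPHA-0001",
    "Demo:PatternB": b"DEMO-SIG-BRAVO-0002",
}


@dataclass
class Hit:
    """One report line, shaped like the thread's 'memory block ..., block size ...'."""
    base: int
    size: int
    name: str

    def report(self, pid: int, proc: str) -> str:
        return (f"Process {pid} [{proc}], memory block 0x{self.base:016X}, "
                f"block size {self.size} > Threat: {self.name}")


def scan_block(base: int, block: bytes) -> Optional[Hit]:
    """Scan one block and stop at the first match: one report per block,
    which is why only a single signature name shows up for the process."""
    for name, pattern in SIGNATURES.items():
        if pattern in block:
            return Hit(base, len(block), name)
    return None


def xor_encode(data: bytes, key: int) -> bytes:
    """Simplest possible stand-in for an encrypted/encoded signature store."""
    return bytes(b ^ key for b in data)


def signature_store(encoded: bool, key: int = 0x5A) -> bytes:
    """Simulate another AV product's signature table resident in its process.
    Plaintext patterns match a byte scanner; the encoded table does not."""
    raw = b"".join(p + b"\x00" for p in SIGNATURES.values())
    return xor_encode(raw, key) if encoded else raw


def demo():
    base = 0x023C0000  # constructed base address, echoing the thread's report
    plain = scan_block(base, signature_store(encoded=False))
    encoded = scan_block(base, signature_store(encoded=True))
    return plain, encoded


if __name__ == "__main__":
    plain_hit, enc_hit = demo()
    print(plain_hit.report(1100, "cmdagent.exe"))
    print("encoded store:", enc_hit)
```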

MostlyHarmless

  • Guest
Quote
Look, I know that cmdagent.exe hasn't loaded full-blown viruses into my memory. I just wish that avast! wouldn't randomly start telling me I have infected files. This is the third (or fourth?) time this issue has occurred with me. It's every nine months or so, and it usually lasts until avast! issues a: "This VPS update contains only fixes to existing definitions or removal of false alarms."
This is a Comodo problem and not Avast's: if Comodo uses unencrypted virus data then they will get caught. Avast can do nothing about this - it is a Comodo problem. If Comodo encrypted the data then Avast would not see it; Avast cannot differentiate between the virus signatures that Comodo is loading and the real thing.

I'm not sure how it's a Comodo problem. I don't know why cmdagent.exe puts virus signatures into memory, but it does, and (apparently) always has. My firewall hasn't changed since I installed it in June, and avast! was quite happily ignoring those cmdagent.exe processes until the virus definition updates of 8-Oct-2010 - (101008-0). Then avast! started reporting Process 11xx [cmdagent.exe], memory block 0x00000000023C0000, block size 4xxxxx > Threat: Win32:FakeVimes-B [Trj]. This is a problem which avast! has created by reporting things which it had previously ignored.

Offline Lisandro

  • Avast team
Quote
This is a Comodo problem and not Avast's: if Comodo uses unencrypted virus data then they will get caught. Avast can do nothing about this - it is a Comodo problem. If Comodo encrypted the data then Avast would not see it; Avast cannot differentiate between the virus signatures that Comodo is loading and the real thing.
+1

Quote
I don't know why cmdagent.exe puts virus signatures into memory, but it does, and (apparently) always has.
The Defense+ and Cloud features of it load them into memory.

MostlyHarmless

  • Guest

Quote
I don't know why cmdagent.exe puts virus signatures into memory, but it does, and (apparently) always has.
The Defense+ and Cloud features of it load them into memory.

So why isn't avast! ignoring them, like it usually does?

Offline Lisandro

  • Avast team
Quote
So why isn't avast! ignoring them, like it usually does?
Maybe something changed in Defense+... For sure, avast does not change the detection of memory unencrypted signatures.

kissbaby

  • Guest
Quote
So why isn't avast! ignoring them, like it usually does?
Maybe something changed in Defense+... For sure, avast does not change the detection of memory unencrypted signatures.
---------------------------------------
9-20-11

No need for me to start a new topic. I have avast 6.0, the newest version, and I did a definitions update before I did a full scan of everything, and it detected my cmdagent.exe (Comodo firewall) as infected with Win32:FakeVimes-B [Trj]. And ya, I told Comodo forums about it.

I just did a VirusTotal scan too and it said it was clean. I even did a scan of just that file with avast and it said it was clean, lol, but when I scan the whole computer, then it said it was infected.

Hope you fix this in the next definitions update.

Offline DavidR

  • Avast Überevangelist
Read the topic: it isn't detecting the file but the signatures the process loaded into memory, so a VT scan on the file will show nothing.

This is because you are doing a custom scan and electing to scan memory.