Topic: Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj].


MostlyHarmless

  • Guest
I'm not sure what's going on. Out of the blue, a boot-time scan tells me I've caught an INF:AutoRun-W [Wrm] infection from a Gizmo/WindowsSecrets.com newsletter email. This I find very odd, because a) I trust this source, and b) wouldn't avast! and/or Spy Sweeper have flagged it when I originally opened the mail?

Straight after that, my custom scan tells me that a Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj]. Ditto my next 4 custom scans (see attached image).
I've had this Comodo firewall 'cmdagent.exe process' problem before, so I know (through this forum) that I shouldn't worry too much about this:
"In general, any security application can load some signatures (fragments of malicious code used to detect the real threats) into memory - they are located in data segments (instead of executable code)." "...scan results are not the files, but the virus is detected in memory allocated to cmdagent.exe process..."
After a few days avast! updates the engine and/or relevant virus definitions and the problem disappears.
...It's been four days now. I can't be the *only* user who has noticed this?

P.S. My custom scan has EVERYTHING turned on and scan sensitivity set to 11.

EDIT:
Coincidence? I've just discovered from http://www.avast.com/virus-update-history that:
Win32:FakeVimes-B [Trj] was part of the 8.10.2010 - 101008-0 virus definition updates and
INF:AutoRun-W [Wrm] was introduced in the 8.10.2010 - 101008-1 virus definition updates.
My avast! started flagging these on the first scans I did *after* this date.
« Last Edit: October 14, 2010, 04:16:37 AM by MostlyHarmless »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
You appear to have the comodo AV also installed and not just the firewall as I can't see why the firewall needs to download virus signatures and load them into memory (?)

That is where the signatures being detected in memory are coming from. So it isn't that there is nothing to worry about, but why they are there in the first place.

Having two resident scanners installed is one too many and not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

MostlyHarmless

  • Guest
Quote
You appear to have the comodo AV also installed and not just the firewall as I can't see why the firewall needs to download virus signatures and load them into memory (?)
Nope.

I have the same Comodo Firewall Pro and avast! anti-virus setup that I've had for years - both are the free versions.
I run the same avast! whistles-and-bells custom scan which I've run since v5.0 was released.
What I do have is the *exact* same problem that crops up every 9 months or so, where I suddenly start getting warnings about Comodo's cmdagent.exe (see my post from Feb this year: Avast5 Free Edition detect comodo and window defender process as virus/threat?)

I carried out a boot-time and custom scan on the 6th with no problems found.
On the 8th avast! added Win32:FakeVimes-B [Trj] and INF:AutoRun-W [Wrm] to the virus definition list.
On the 10th I carried out a boot-time scan and INF:AutoRun-W [Wrm] was found in a newsletter email from a site I trust, and during my subsequent custom scan, I get a warning that Process [cmdagent.exe], memory block, is infected with Win32:FakeVimes-B [Trj], with the same results in the 5 custom scans I've completed since then.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Well, why is comodo firewall cmdagent.exe loading virus signatures into memory if it doesn't have an AV installed? It doesn't have any use for them.

That question I guess you would have to ask at the comodo forum as we are unlikely to know why.

A boot-time scan wouldn't find anything; Windows and comodo aren't running at that point, so cmdagent.exe wouldn't have loaded the signatures into memory.

MostlyHarmless

  • Guest
Quote
Well why is comodo firewall cmdagent.exe loading virus signatures into memory if it doesn't have an AV installed, it doesn't have any use for them.
Oh... now you say it out loud, that's a blooming good question.

But like I said, this only happens once in a while. Usually after a few virus definition updates, and without any intervention from me, my avast! custom scans stop flagging cmdagent.exe as a threat.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
It isn't flagging cmdagent.exe as a threat, it is telling you what process loaded the unencrypted signature/s into memory which are being detected. So it entirely depends on why and when cmdagent.exe loads them and if after that you happen to do a memory scan.

So you have to get the why and when cmdagent.exe loads these unencrypted signatures into memory from the source as we can't answer that.

CharleyO

  • Guest
***

Hi MostlyHarmless -

Do you have or did you have Comodo Internet Security on your computer?
See the links below.

Quote
cmdagent.exe - Comodo Personal Firewall executable. The firewall has been incorporated into COMODO Internet Security.
http://www.pcpitstop.com/libraries/process/i/cmdagent.exe.html

Quote
Cmdagent.exe with description COMODO Internet Security is a process file from company COMODO belonging to product COMODO Internet Security.
http://www.runscanner.net/lib/cmdagent.exe.html


***

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
I checked your post, no response as yet, though I wouldn't have offered the 'is this an avast FP' as it is a get out of jail card.

What we want to know is what cmdagent.exe is loading into memory?
If, as is suspected, these are unencrypted signatures, why, if this is a stand-alone comodo firewall installation? Anything else is irrelevant.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Quote
I wouldn't have offered the 'is this an avast FP' as it is a get out of jail card.
I don't understand what you mean...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
If they say yes it is an avast FP they don't have to answer the main question, what is being loaded into memory by cmdagent.exe and why.

So they don't have to answer the real issue/question; they have effectively been let off the hook, got out of jail.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Quote
If they say yes it is an avast FP they don't have to answer the main question
Let them say that... Let's see what we get there technically.
I'm not sure the detection is due to cmdagent loading things into memory. It could be a false positive of avast detecting "other things" in that memory block.

MostlyHarmless, does the detection disappear after avast is updated?

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Question: is comodo a good firewall? I am thinking of installing it.
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
<snip>
I'm not sure the detection is due to cmdagent being loading things on memory. It could be a false positive of avast detecting "other things" in that memory block.
<snip>

The only thing in that memory block is what was loaded by cmdagent; that is how memory blocks are allocated: they aren't shared.

If something tries to use a memory block already allocated, I would guess that would cause some sort of access violation or clash or memory error.
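The two points made above, that a memory hit is attributed to whichever process owns the region (so the report names cmdagent.exe without calling its binary malicious), and that a security product which keeps plaintext signatures in its data segment will trip another product's memory scan, can be shown with a small simulation. This is an added example, not code from this thread, from avast or from Comodo. Everything in it is constructed: the process names and pids, the base addresses, the `MALWARE_PATTERN` bytes (not a real signature), and the digest-only signature table, which stands in for whatever encrypted or encoded storage a real product would use to keep raw patterns out of memory.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a detection pattern. It is not a real avast or Comodo
# signature; it exists only so the simulation has something to match on.
MALWARE_PATTERN = b"FAKE-VIMES-MARKER-0001"


@dataclass
class Region:
    """One private memory region, owned by exactly one process (regions are not shared)."""
    pid: int
    process: str   # owner, as a memory scanner would report it
    kind: str      # "code" or "data": where in the owner the bytes live
    base: int      # constructed base address
    data: bytes


# Constructed snapshot. cmdagent.exe (hypothetical pid 1234) keeps its signature
# list as plaintext in a data region; suspect.exe (hypothetical) actually carries
# the pattern; notepad.exe is a clean bystander.
SNAPSHOT = [
    Region(1234, "cmdagent.exe", "code", 0x00400000, b"\x55\x8b\xec" * 16),
    Region(1234, "cmdagent.exe", "data", 0x00600000,
           b"sig-table:" + MALWARE_PATTERN + b";next"),
    Region(4321, "notepad.exe", "data", 0x00700000, b"hello world" * 4),
    Region(5555, "suspect.exe", "data", 0x00800000, b"\x90" * 8 + MALWARE_PATTERN),
]


def scan_plaintext(regions, pattern):
    """Naive memory scan: look for the raw pattern bytes and attribute each hit
    to the region's owner. A plaintext signature table is indistinguishable from
    the thing it describes, so cmdagent.exe's data region is reported too."""
    hits = []
    for r in regions:
        off = r.data.find(pattern)
        if off != -1:
            hits.append({"pid": r.pid, "process": r.process,
                         "kind": r.kind, "addr": r.base + off})
    return hits


def hardened_sig_table(patterns):
    """What a product can keep in memory instead of raw patterns: (length, digest)
    pairs, so the raw bytes never sit in its data segment. This is a simplified
    stand-in for the encrypted signature storage the thread refers to."""
    return [(len(p), hashlib.sha256(p).hexdigest()) for p in patterns]


def scan_hashed(regions, table):
    """Scan against a digest table: hash every window of the signature's length
    and compare. The digest text itself never matches, so a product that stores
    digests is not flagged, while a region holding the real bytes still is."""
    hits = []
    for r in regions:
        for length, digest in table:
            for off in range(len(r.data) - length + 1):
                if hashlib.sha256(r.data[off:off + length]).hexdigest() == digest:
                    hits.append({"pid": r.pid, "process": r.process,
                                 "kind": r.kind, "addr": r.base + off})
                    break  # one hit per region per signature is enough for a report
    return hits


def hardened_snapshot():
    """Same snapshot, but cmdagent.exe now stores digests, not plaintext patterns."""
    table = hardened_sig_table([MALWARE_PATTERN])
    blob = b"sig-table:" + b";".join(d.encode() for _, d in table)
    return [SNAPSHOT[0],
            Region(1234, "cmdagent.exe", "data", 0x00600000, blob),
            SNAPSHOT[2], SNAPSHOT[3]]


def report(hits):
    """Format hits the way the thread's scan result reads: owner first, then where."""
    return [f"Process [{h['process']}], {h['kind']} block at {h['addr']:#010x}"
            for h in hits]


if __name__ == "__main__":
    print("plaintext signature table:")
    for line in report(scan_plaintext(SNAPSHOT, MALWARE_PATTERN)):
        print("  " + line)
    print("digest-only signature table:")
    hardened_hits = scan_hashed(hardened_snapshot(),
                                hardened_sig_table([MALWARE_PATTERN]))
    for line in report(hardened_hits):
        print("  " + line)
```

Run as a script, the first scan reports two data blocks, one owned by cmdagent.exe (the false positive the thread is about, caused purely by what that process chose to keep in memory) and one owned by suspect.exe; the second scan, against a snapshot where the signature list is stored as digests, reports only suspect.exe. The owner attribution is the same in both cases, which is the point DavidR makes: the scanner is reporting whose memory the bytes are in, not judging the owner's executable.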

Jahn

  • Guest
I have received no alerts or detections from Avast 5.0.677 regarding cmdagent.exe with CIS 5.0.x.1135 (FW and HIPS). I notice that the OP is using CIS 5.0.x.1142, an upgraded version from CIS 4.x. Possibly, that's a clue.