
After running an MBAM scan, my Comodo Firewall Pro was routinely listing over 100 new files (all non-valid) that were generated by the scan in its Pending Files module. Since these files no longer existed, I was able to purge them from the list. This is no longer true. MBAM is once again generating numerous 0 byte files, which do exist, and which I must remove one-by-one manually. If I don't, a subsequent scan by MBAM flags them as "infections". When I delete/quarantine these FPs, the number of files listed in CFP's Pending Files skyrockets.

I don't know if this represents a conflict between MBAM and CFP, or which is responsible. Until it is resolved, I'm going to have to shut down MBAM. These 0 byte files are driving me crazy!

Malwarebytes' Anti-Malware 1.03

Database version: 345

Scan type: Quick Scan

Objects scanned: 23131

Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 14

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\agl23.exe (Worm.Rbot) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\_svchost.exe (Reserved.Word.Exploit) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\SERVICEMGR.EXE (Worm.Passma) -> Quarantined and deleted successfully.

C:\lich.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DEBUG.DLL (Rootkit.Haxdor) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\C3.SYS (Rootkit.Haxdor) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\kdmqk.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\ctl_w32.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\fak32.sys (Trojan.Rootkit) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\DefLib.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\Lor46.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\cdralw.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Local Settings\Temp\dnlsvc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


As I see it, Comodo was detecting those files MBAM had created (and deleted) and was listing them in its "Pending Files", even though they no longer existed.

The "Purge" function in Pending Files would recognize these files no longer existed, and would remove them all from the list - until recently. Now, after running MBAM, Purging does not remove them all. Those that are left actually do exist, and I have to hunt them down and delete them manually.

I don't know if this is Comodo's fault. All I know is these 0 byte files have re-appeared.

Edit: I have also reported this in Comodo's forum (see Reply #9) with screenshots:

http://forums.comodo.com/help_for_v3/scann...33855#msg133855


Hello,

Thank you joe53 for posting at Comodo also. First they changed my post topic (I guess they did not like me calling it a bug), then they moved it from Bug Reports to Help for V3, and now it's back in Bug Reports. Boy, I'm getting dizzy. Have you tried Train with Safe Mode in Comodo? I did that yesterday and it seems to help.

Thanks again :)


Lurking, I think that is a possible workaround.

I switched CFP's Defense+ (HIPS) settings from Clean PC Mode to Train with Safe Mode, and ran 3 successive MBAM scans (Quick>Full>Quick); Comodo's Pending Files listed no new entries (no invalid files, and no 0 byte files) after any scan. And no false positive detections by MBAM.

In Clean PC Mode, "New executable files introduced to the PC are not assumed safe". It would seem that D+ in this mode lists all these temporary files in Pending Files, and somehow prevents MBAM from deleting at least some of them.

Thanks!


Hello,

I don't understand this, but gibran, a moderator at Comodo, is asking this of gaslad (joe53):

After I read Marcin Kleczynski's explanation, it's possible to say that the pending list works as designed.

Anyway, in order to address the CFP side, I have four tests for gaslad.

If MBAM is run in Clean PC mode, as long as it is trusted (meaning it is not listed in Pending Files) it should have no issue deleting those files.

File deletion falls under MBAM's file protection privileges.

So if those files cannot be deleted by MBAM, it should mean that those MBAM entries are actually not false positives.

In order to confirm that there is no CFP glitch or alike, I guess it would be useful to know:

1. if those 0-byte files are still on the HD

2. if those files can be deleted manually using Explorer

3. if MBAM consistently creates those two filenames on each scan

4. if changing all executables in the MBAM folder to trusted yields different results

Once this info is gathered it would be possible to move this topic to the help board or keep it here.

Thanks :)
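The moderator's first two tests (are the logged 0-byte files still on disk, and can they be deleted manually?) can be answered in one pass over the MBAM scan log. The script below is an added example written for this thread; it is not code from Malwarebytes or Comodo. It parses the "Files Infected" lines of a log in the format posted above, classifies each path as absent, zero-byte or non-empty, and optionally attempts a plain file deletion so the result can be compared with what MBAM reports. The sample log text is constructed from two lines of the scan output in the first post, and the demo directory is a temporary folder created by the script itself so it runs anywhere.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample: two detection lines in the format of the MBAM log posted above.
SAMPLE_LOG = r"""
Files Infected:
C:\WINDOWS\SYSTEM32\agl23.exe (Worm.Rbot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\fak32.sys (Trojan.Rootkit) -> Quarantined and deleted successfully.
"""

# One MBAM detection line: "<drive path> (<detection name>) -> <action>."
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")


def parse_log(text):
    """Return a list of (path, detection_name, action) tuples from an MBAM log."""
    hits = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            hits.append((match["path"], match["name"], match["action"]))
    return hits


def classify(path):
    """Report what is actually on disk at `path`: 'absent', 'zero-byte' or 'non-empty'."""
    p = Path(path)
    if not p.exists():
        return "absent"
    if p.is_file() and p.stat().st_size == 0:
        return "zero-byte"
    return "non-empty"


def audit(paths):
    """Map every logged path to its on-disk state (moderator's test 1)."""
    return {path: classify(path) for path in paths}


def try_delete(path):
    """Attempt a plain deletion as Explorer would (moderator's test 2).

    Returns 'deleted', 'absent', or 'denied' (in use, protected or locked by a HIPS).
    """
    try:
        os.remove(path)
        return "deleted"
    except FileNotFoundError:
        return "absent"
    except PermissionError:
        return "denied"


def make_demo_dir():
    """Create a constructed temp folder with one 0-byte file and one non-empty file.

    Returns (zero_byte_path, non_empty_path, missing_path) for demonstration only.
    """
    root = tempfile.mkdtemp(prefix="mbam_demo_")
    zero = os.path.join(root, "zero.exe")
    full = os.path.join(root, "full.exe")
    open(zero, "wb").close()                 # 0-byte leftover, like the ones in the thread
    with open(full, "wb") as fh:
        fh.write(b"MZ")                      # non-empty stand-in, not a real executable
    return zero, full, os.path.join(root, "gone.exe")


if __name__ == "__main__":
    for path, name, action in parse_log(SAMPLE_LOG):
        print(f"{name:<18} {action:<40} {path}")
    zero, full, gone = make_demo_dir()
    for path, state in audit([zero, full, gone]).items():
        print(f"{state:<10} {path}")
    print("delete:", try_delete(zero))
```

To use it on a real machine, paste the full scan log into SAMPLE_LOG (or read it from the file MBAM saves) and run `audit` over the parsed paths before and after a Comodo purge; a path that stays "zero-byte" while `try_delete` returns "denied" points at something holding the file, whereas "absent" after the scan means only a stale Pending Files entry remains.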

