Mysterious Files Sandboxed By Comodo


Drum

Howdy! Magnificent Comodo Firewall wanted to "Sandbox" these files:

unsecappe.ex

wmprvse.exe

Was what could be described as "being good" (Ha Ha Ha) and doing what the MBAM Techs like Samuel said to do for XP3, and let the Update thing happen (have done another OS reinstall and this time have let it update, except for I.E 7 whose "Privacy Statement" was in French!!!! Go and suck yer nose William Gates!!!). So what are the above-mentioned files that Awesome Comodo slammed into "Jail"? Even more worrying is that in the Download folder is a big Icon whose "Properties" say: wmprvse.exe

I do not know what the hell it is, and never downloaded it, so what on earth is it???

As stated in a previous post (and to paraphrase Mark Twain): Reports of my Tediousness are only all too accurate.


Hmmm, sounds fishy to me.

The spelling of the file names is indeed exactly "unsecappe.exe" and "wmprvse.exe"? Sounds to me like malware names that imitate the names of legit files with a tiny difference of 1 letter...

And they are both in your Download folder? How did they get there? Did you download such files? The automatic updates feature of Windows doesn't place updates into your Download folder.


Hello Drum:

Was it COMODO's Firewall component or its Defense+ component that sandboxed the files in question?

Have you considered sending the two files in question to Virus Total for evaluation?

Thank you. :)


Hi Mystery and 1PW, thank you for your replies. Have been trying to find out about these files on the Web and this website says that WMIPrvSe.exe (that is how they write it, but it is not how the file that is on my system is written) is safe and not a bug:

http://searchtasks.answersthatwork.com/tasklist.php?File=WMIPrvSe

Yes, Mystery, the file on my system is exactly written: C:\WINDOWS\system32\wbem\wmiprvse.exe

And the other file: C:\WINDOWS\system32\wbem\unsecapp.exe

Have checked and re-checked them, the above details are exactly correct. Have not been able to find out anything about C:\WINDOWS\system32\wbem\unsecapp.exe

Both of these files are Sandboxed by Comodo following this path: Defense(Interface) > Defense + Events.

1PW, am gonna google that "Virus Total" that you speak of.

Thanks you guys, it is very nice of you to help, and you have made very useful observations. Cheers!


Hmmm, sounds fishy to me.

The spelling of the file names is indeed exactly "unsecappe.exe" and "wmprvse.exe"? Sounds to me like malware names that imitate the names of legit files with a tiny difference of 1 letter...

And they are both in your Download folder? How did they get there? Did you download such files? The automatic updates feature of Windows doesn't place updates into your Download folder.

Mystery, these files appeared right at the end of several days of Updating XP3 (that I had just reinstalled) - they just turned up all by themselves!!! Thank you for your comments and advice, Mystery.


There are a lot of website debates about: http://www.neuber.com/taskmanager/process/unsecapp.exe.html, and nobody seems to be all that sure about whether it is a bug or else something that is okay. This kind of indecision and vagueness drives beginners to I.T. up the proverbial wall!!! Who the heck wants to spend hours (on Dial-Up) having to wade through screeds of writing on websites just to try and find out about a couple of files!!! Am still as completely in the dark as ever!!!


Hello Drum:

Send suspicious files to VT. If others have sent the same files, and they come back with zero reports, then the probability is high that the file(s) are benign.

Remember that sandboxing is not a bad thing.

Remember too, if you're running MBAM PRO, COMODO's Defense+ is quite redundant and IMHO inferior.

This is my opinion and I don't speak for Malwarebytes.

HTH :)


Thank you for your answers 1PW and embam1972: Comodo has not offered these files for analysis, but just "grabbed" and Sandboxed them!!! They have been made "Partially Limited" by Comodo (I emphatically trust Comodo, and never question the decisions of this awesome Firewall; every time I have disobeyed Comodo, it has always been the wrong decision and has led to bad consequences). 1PW, have been to that VT Website, but it is very Geeky and crammed with so much information of an arcanely technical kind that to an I.T. beginner a lot of the stuff on that Website might as well be written in Klingon!!! Ended up downloading from them a program called:

VTUploder2.0Setup

From what I can gather, it seems to be a program that enables people to upload to the VT Website suspicious files (???).

This VT Website also offers to scan your computer (many websites make this offer, and in fact can be quite aggressive about wanting to scan you!!!) and that kind of thing gets my alarm-bells ringing. 1PW, do you really trust websites like this, and what makes you believe they are safe? Many thanks again you guys for your help.


From what I can gather, it seems to be a program that enables people to upload to the VT Website suspicious files (???).

Simply describing VT as a program is like describing the Mona Lisa as a drawing of some woman. However, the VT service currently harnesses the collective intelligence of 43 scanning engines (with recent databases) and renders an industry-recognized, value-added evaluation.

This VT Website also offers to scan your computer (many websites make this offer, and in fact can be quite aggressive about wanting to scan you!!!) and that kind of thing gets my alarm-bells ringing. 1PW, do you really trust websites like this, and what makes you believe they are safe? Many thanks again you guys for your help.

This is a gross mischaracterization of VT's service that would sadden/anger many and is quite simply untrue. I most strongly urge you to re-evaluate your findings.

When serious malware hunters submit toxic files to the Malwarebytes malware threat sub-forum, they are compelled to include a Virus Total evaluation link (or MD5 hash) with their malware sample(s).


Hi 1PW. I wasn't knocking VT, and the program that was being talked about was a thing that they have available on their website which is:

VTUploder2.0Setup

I just call it a program? It is apparently to be used to upload suspicious files to VT, but it is not digitally signed, and all I wanted to know is why isn't it digitally signed???

Cheers.


Drum,

If you go to the Virus Total website: http://www.virustotal.com/ you should see the following screen (see below). Then click the "Browse" button, navigate to the files in question (only one at a time), then click the "Submit" button.

There is no need to download any program.

If you see another screen, or are asked to download something, there might be some kind of browser redirection and you don't "land" on the website you're supposed to go to. (I'm confused by your post.)

[Attached screenshot of the VirusTotal upload page]


2 weeks later...

Hi Mystery. Have not been to the MalwareBytes Website for a while (been making home-brew and getting pretty trashed on it: am gonna do everything possible to make a whole lot more!!! There is no better hobby, although unfortunately it does not seem to mix very well with high-tech scenarios such as computers and the Web. More suited to bashed-up rusty pickup trucks with disease-ridden mongrels tied onto the tray!!!) You are a nice dude Mystery, so am writing this to say thank you for all your very kind and thoughtful replies to what must seem, to you guys with massive IQs and equally massive I.T. know-how, like often unutterably imbecilic questions. Mystery, will tell you the truth about myself, and really am like those "Pickup Truck" dudes in your country. Look like them, live like them. But only one difference: somehow when young was able to learn to read early (was a maniacal fanatic of the book "Little Toot" and Pommie comic-books) and have ever since been (until a computer was able to be obtained and connection to the Web) a fanatical non-fiction reader of "physical/paper/books". Although have to say, Mystery, that "1984" by George Orwell is the greatest literary creation of all time, and it is classified as being so-called "Fiction!!!".


Simply describing VT as a program is like describing the Mona Lisa as a drawing of some woman. However, the VT service currently harnesses the collective intelligence of 43 scanning engines (with recent databases) and renders an industry-recognized, value-added evaluation.

This is a gross mischaracterization of VT's service that would sadden/anger many and is quite simply untrue. I most strongly urge you to re-evaluate your findings.

When serious malware hunters submit toxic files to the Malwarebytes malware threat sub-forum, they are compelled to include a Virus Total evaluation link (or MD5 hash) with their malware sample(s).

Am what in your country would be called a "Hillbilly" and have all of their traditional characteristics except for only one thing: Am literate.


Howdy embam1972, apologies for taking so long to respond to your very kind and generously provided suggestions. There are Good Dudes everywhere on this absolutely fabulous Website (Thank You MBam Geeks!!!) and it is very good to see you in the Posts.


Drum, sorry I must ask here. What are now the results from VT for this "fishy" file???

MAM

Hi MAM: was unable to answer your question as have never had any response from VT by posting questions on their website (there never is an answer) or by using what appears to be an "UpLoading" program they (appear) to have here:

http://www.virustotal.com/advanced.html#uploader

Also, have tried to post a message to them here:

http://www.virustotal.com/support/contact.html

In this message were included the filenames:

wmiprvse.exe

unsecapp.exe

MAM, those are the names of the files that my (properly configured, and configured "Hard") Comodo Firewall has "Sandboxed".

As well as this, have tried to research the names of these files on the Web pretty extensively but there is only debate about whether "wmiprvse.exe" is "good" or "bad" (some claim it is a legitimate Windows file, but others say it is not. Why has Comodo instantly been suspicious of it, if it is legitimate?) and as for unsecapp.exe, this one is definitely very bad!!! Nobody on the Web appears to have the faintest idea of what the heck it is!

But, one thing is for sure: no other Geeks (and am presuming you are a Geek) on the Web seem to know what these files are.

Am writing this to provide a response to your very generous Post before too much time has gone by, but unfortunately have not been able to find any more information.

Thank you very much for your Post.


Hmmm, sounds fishy to me.

The spelling of the file names is indeed exactly "unsecappe.exe" and "wmprvse.exe"? Sounds to me like malware names that imitate the names of legit files with a tiny difference of 1 letter...

And they are both in your Download folder? How did they get there? Did you download such files? The automatic updates feature of Windows doesn't place updates into your Download folder.

Mystery, yes there is one mis-spelling: here are again the exactly correct names of these files:

wmiprvse.exe

unsecapp.exe

No one on the Web seems to know what these things are!

Thank you for your reply Mystery.


Hi Drum,

As I said before, you don't need to download that Uploader to which you have posted the link.

You can just go to http://www.virustotal.com/ and there you have an interface to upload the files one by one. Click Browse, navigate to the first file in question, then click Submit. The results of scans with multiple antivirus programs will be displayed if you wait patiently. Then do the same with the second file :)

The results would really be helpful to decide whether the two files are legit or not.
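A check in the spirit of the advice in this thread, written here as an added example (it is not code from the thread, from Malwarebytes or from VirusTotal): it flags a name that differs from wmiprvse.exe or unsecapp.exe by a letter or two, as Mystery suspected of "unsecappe.exe" and "wmprvse.exe", checks whether the reported path is the system32\wbem location Drum posted, and computes the MD5 and SHA-256 that a practitioner would search VirusTotal for instead of uploading the file. The expected names and directory are assumptions taken from the paths quoted above.

```python
import hashlib
import ntpath
import tempfile
# Baseline taken from the paths reported in this thread (assumed genuine locations)
EXPECTED_DIR = r"c:\windows\system32\wbem"
EXPECTED_NAMES = ("wmiprvse.exe", "unsecapp.exe")

def edit_distance(a, b):
    # Levenshtein distance, used to catch one-letter lookalike names
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(reported_path):
    # Judge a reported path by its name and directory alone; no file access needed
    directory, name = ntpath.split(reported_path)
    name_l, dir_l = name.lower(), directory.lower()
    closest = min(EXPECTED_NAMES, key=lambda legit: edit_distance(name_l, legit))
    distance = edit_distance(name_l, closest)
    result = {"name": name, "exact_name": distance == 0,
              "expected_dir": dir_l == EXPECTED_DIR,
              "lookalike_of": closest if 0 < distance <= 2 else None}
    if result["exact_name"] and result["expected_dir"]:
        result["verdict"] = "name and location match; confirm with a hash lookup"
    elif result["lookalike_of"]:
        result["verdict"] = "near-miss of " + closest + "; treat as suspicious"
    elif result["exact_name"]:
        result["verdict"] = "right name, wrong directory; treat as suspicious"
    else:
        result["verdict"] = "unknown name; submit the file for evaluation"
    return result

def file_hashes(path):
    # MD5 and SHA-256 of a file: enough to search VirusTotal by hash without uploading
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def hash_constructed_sample(data):
    # Stand-in for a real file: write constructed bytes to a temp file and hash it
    with tempfile.NamedTemporaryFile() as tmp:
        tmp.write(data)
        tmp.flush()
        return file_hashes(tmp.name)
```

Run `assess` on each path exactly as the sandbox reported it, then `file_hashes` on the real file to get the value to search for on VirusTotal.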

