Mysterious Files Sandboxed By Comodo


Drum

Thank you very much indeed MAM and Mystery for your Posts: I actually managed to properly put the filenames on the VT Website using your Link, Mystery, and a VT dude named Julio wrote a very nice email as follows:

(QUOTE): "Th(ose) filenames are associated with WMI stuff on Windows: http://msdn.microsoft.com/en-us/library/aa389286(v=vs.85).aspx. The problem is that a filename is not trustworthy information, as the exes may not be the real ones from MS. I guess you should check if the paths and hashes of the files are the legit ones."

After receiving this email from Julio, had a look at Comodo to see if there was a way to get Comodo to "say" more about these files, and Comodo revealed this:

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

Am gonna have to investigate further on the Web, but in the meantime have instructed Comodo to "Block" these files (instead of letting Comodo "Partially Limit" them as the Firewall until now has been doing every Bootup).

Thanks again MAM and Mystery.


Sent those "extended files" that Comodo revealed to Julio at VT, and Julio very kindly wrote back again with this message (Quote):

"Well, the paths seem to be legit, but one can't discard that the files are infected. One possible way to see if those files are infected is checking those files' 'hashes'. Hashes are 'identifiers' of the file content, some kind of 'dna' so to say. If you scan those files with virustotal, one of the things you'll see in the report are different types of hashes. MD5 is the most common. Probably, with that MD5 calculated, you can see if it is coherent with the MD5 of the files that Microsoft includes in the operating system :) Anyway, did you try asking in the Comodo forums about it? If it is a 'glitch' with the firewall, it is quite probable that somebody else also spoke about it. In fact, given that they are quite important files (WMI is a service that permits 'monitoring' certain things of the operating system), it is very probable that others had problems with it."

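The two checks Julio recommends in the posts above (is the file in the directory the real binary lives in, and does its hash match a known-good value?) can be scripted so they are repeatable. The following is an added example and not code from the thread, Comodo or VirusTotal. It assumes a hypothetical allowlist mapping a filename to the SHA-256 hashes accepted for it; the sample files and their hashes are constructed inside a temporary directory for the demo, so no real Microsoft hashes are claimed here. On a real machine the reference hashes would come from a trusted source such as a clean install of the same Windows build.

```python
"""Verify that a binary sits in its expected directory and that its hash
matches a known-good value (the path + hash checks suggested in the thread)."""
import hashlib
import os
import tempfile
from pathlib import Path


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, streamed in 64 KiB chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def check_file(path, expected_dir, known_sha256):
    """Classify a file as 'ok', 'wrong-path', 'unknown-hash' or 'missing'.

    known_sha256 is a hypothetical allowlist: {filename (lower-case): {sha256, ...}}.
    """
    p = Path(path)
    if not p.is_file():
        return "missing"
    # Path check: the parent directory must be exactly the expected one
    # (compared case-insensitively, as Windows paths are). A same-named file
    # sitting somewhere else is flagged even if its bytes are identical.
    actual_dir = os.path.normcase(str(p.parent.resolve()))
    wanted_dir = os.path.normcase(str(Path(expected_dir).resolve()))
    if actual_dir != wanted_dir:
        return "wrong-path"
    # Hash check: the content must match one of the accepted reference hashes.
    _, sha = file_hashes(p)
    if sha not in known_sha256.get(p.name.lower(), set()):
        return "unknown-hash"
    return "ok"


def demo():
    """Build a throw-away 'wbem' layout with constructed files and run the check."""
    with tempfile.TemporaryDirectory() as root:
        wbem = Path(root) / "wbem"
        wbem.mkdir()
        legit = wbem / "wmiprvse.exe"
        legit.write_bytes(b"constructed stand-in for the reference binary\n")
        # Constructed allowlist: the hash of the file we just wrote plays the
        # role of the vendor's reference hash for wmiprvse.exe.
        known = {"wmiprvse.exe": {file_hashes(legit)[1]}}
        unlisted = wbem / "unsecapp.exe"          # right directory, no reference hash
        unlisted.write_bytes(b"some other content\n")
        elsewhere = Path(root) / "wmiprvse.exe"   # same bytes, wrong directory
        elsewhere.write_bytes(legit.read_bytes())
        return {
            "legit": check_file(legit, wbem, known),
            "unlisted": check_file(unlisted, wbem, known),
            "elsewhere": check_file(elsewhere, wbem, known),
            "absent": check_file(wbem / "nothere.exe", wbem, known),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The verdict order matters: a wrong path is reported before the hash is even computed, because a correct hash in the wrong directory is still not the system's copy of the file. Both MD5 and SHA-256 are returned since the thread mentions MD5 as the common one on VirusTotal reports, but SHA-256 is what the allowlist is keyed on.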

Hi.

Were the files sent to Comodo for analysis?

Usually sandboxed files are kept in the sandbox until Comodo determines if they're safe or not.

Just a note embam1972: did not know how to send files to Comodo Analysis using the Firewall, but was messing around in the Firewall today trying to find out precisely what the Firewall was now doing with those files, and right-clicking on them revealed the option down in the Context Menu to submit files to Comodo. Did this, and the answer "SAFE" was quickly returned for each file. They are not listed anywhere in the Firewall as being Sandboxed or "Blocked", but two entries for them do have "Partially Limited" [these now seem to have been removed: am writing this as an inserted Edit several hours later] written in the description line. Other entries for them have "Trusted File" in their description line. Cheers embam1972, many thanks for your Posts.
