C-ICAP Web Proxy Detection While Downloading CCS Updates to Recognizers

Products Endpoint Protection
1

The Recognizers are not downloading. Checking my IDS/IPS I found the C-ICAP virus scanner tripping on the .7z file as a crypto virus. Is this a false positive?

Sun Oct 20 13:09:38 2019, 83131/211920384, VIRUS DETECTED: Win.Ransomware.Generic-6545091-0 , http client ip: -, http user: -, http url: http://cdn.download.comodo.com/cis/download/updates/release/ces/inis_6485cesesm/recognizers/proto_v10/x64/recognizer/recognizerCryptolocker.dll
Sun Oct 20 13:09:36 2019, 83131/211920384, VIRUS DETECTED: Win.Ransomware.Generic-6545091-0 , http client ip: -, http user: -, http url: http://cdn.download.comodo.com/cis/download/updates/release/ces/inis_6485cesesm/recognizers/proto_v10/x64/recognizer/recognizerCryptolocker.dll.7z
Sun Oct 20 13:07:08 2019, 83131/211912704, VIRUS DETECTED: Win.Ransomware.Generic-6545091-0 , http client ip: -, http user: -, http url: http://cdn.download.comodo.com/cis/download/updates/release/ces/inis_6485cesesm/recognizers/proto_v10/x64/recognizer/recognizerCryptolocker.dll
Sun Oct 20 13:07:07 2019, 83131/211912704, VIRUS DETECTED: Win.Ransomware.Generic-6545091-0 , http client ip: -, http user: -, http url: http://cdn.download.comodo.com/cis/download/updates/release/ces/inis_6485cesesm/recognizers/proto_v10/x64/recognizer/recognizerCryptolocker.dll.7z
Sun Oct 20 12:48:51 2019, 83131/211915264, VIRUS DETECTED: Win.Ransomware.Generic-6545091-0 , http client ip: -, http user: -, http url: http://cdn.download.comodo.com/cis/download/updates/release/ces/inis_6475cesesm/recognizers/proto_v10/x64/recognizer/recognizerCryptolocker.dll
Sun Oct 20 12:48:50 2019, 83131/211915264, VIRUS DETECTED: Win.Ransomware.Generic-6545091-0 , http client ip: -, http user: -, http url: http://cdn.download.comodo.com/cis/download/updates/release/ces/inis_6475cesesm/recognizers/proto_v10/x64/recognizer/recognizerCryptolocker.dll.7z
Sun Oct 20 12:44:07 2019, 83131/211915264, VIRUS DETECTED: Win.Ransomware.Generic-6545091-0 , http client ip: -, http user: -, http url: http://cdn.download.comodo.com/cis/download/updates/release/ces/inis_6475cesesm/recognizers/proto_v10/x64/recognizer/recognizerCryptolocker.dll
Sun Oct 20 12:44:06 2019, 83131/211915264, VIRUS DETECTED: Win.Ransomware.Generic-6545091-0 , http client ip: -, http user: -, http url: http://cdn.download.comodo.com/cis/download/updates/release/ces/inis_6475cesesm/recognizers/proto_v10/x64/recognizer/recognizerCryptolocker.dll.7z
Sun Oct 20 12:41:31 2019, 83131/211915264, VIRUS DETECTED: Win.Ransomware.Generic-6545091-0 , http client ip: -, http user: -, http url: http://cdn.download.comodo.com/cis/download/updates/release/ces/inis_6475cesesm/recognizers/proto_v10/x64/recognizer/recognizerCryptolocker.dll
Sun Oct 20 12:41:30 2019, 83131/211915264, VIRUS DETECTED: Win.Ransomware.Generic-6545091-0 , http client ip: -, http user: -, http url: http://cdn.download.comodo.com/cis/download/updates/release/ces/inis_6475cesesm/recognizers/proto_v10/x64/recognizer/recognizerCryptolocker.dll.7z
Sun Oct 20 12:30:36 2019, 83131/211915264, VIRUS DETECTED: Win.Ransomware.Generic-6545091-0 , http client ip: -, http user: -, http url: http://cdn.download.comodo.com/cis/download/updates/release/ces/inis_6485cesesm/recognizers/proto_v10/x64/recognizer/recognizerCryptolocker.dll
Sun Oct 20 12:30:34 2019, 83131/211915264, VIRUS DETECTED: Win.Ransomware.Generic-6545091-0 , http client ip: -, http user: -, http url: http://cdn.download.comodo.com/cis/download/updates/release/ces/inis_6485cesesm/recognizers/proto_v10/x64/recognizer/recognizerCryptolocker.dll.7z

1.PNG
1.PNG721×655 36.5 KB

2

@MCS ,

Our AV Lab Team confirms these false positives. Please redo the update and inform us if the update still fails.

3

This was being detected on my OPNSense IDS/IPS proxy AV. I switched the Comodo download server settings to use HTTPS so the traffic was not scanned. The only drawback is the updates are not cached on the squid proxy and will have to download for each system from the internet rather than the proxy cache which is only about 10 systems.