Current Malware-Help

Hi all,

Quick question:

Got an email about malware being detected on an endpoint. Following the link actually takes me to the wrong login page. Trying to login I get:

“To Login to Portal with Comodo ONE credentials, please Login from Comodo ONE Portal.” It is, what looks like, an attempt to login to my MSP portal,
(https://MYTMSP-msp.cmdm.comodo.com/user/site/login) WHY???

Should it not point to this one:?? https://one.comodo.com/app/ YES???

So this emailed LINK needs to be fixed. How is this accomplished??

Finally logged into ITSM, go to Sec Sub Sys, AV, and Current Malware List.

Comodo has found “tightvnc 1.3.10 setup.exe”, which is NOT malware. I use it all over my networks.

How can I turn this into a TRUSTED Application that is neither Malware nor a Virus…in a few mouse clicks or less?

Also…on a Win7 endpoint, I HAVE to turn OFF the Firewall or I cannot do my job. Trying to find out what is being blocked, I have enabled the firewall to Allow popup warnings of any blocked app etc…and to do so for 180 sec, set Alert level to Very High…Create Rules for safe applications…on and on…

Nothing happens …I try to connect to a network resource…nada…it never connects. Just times out…zero information…zero.

Turn off Firewall, I can connect without issue. Re-enable FW. Locked out. No warnings…no alerts, no message, no popup, no email. NOTHING…NADA.

Please oh please…there has to be a SUPER FAST way to tell and then allow this stuff through, all in 30 sec or less. Otherwise I cannot roll this out to Customers for fear of them being blocked from LOB programs.

This is counterproductive at this point and not intuitive at all.

TIA

Howie

Hi @howie, take a look at this article to help you with TightVNC: https://wiki.comodo.com/frontend/web/topic/how-to-restore-quarantined-files-as-trusted-quickly

Once restored, you should submit the false positive to Comodo’s labs: https://www.comodo.com/home/internet-security/submit.php

You may also want to consider updating to the latest release of TightVNC via the Windows Application Store; please see https://wiki.comodo.com/frontend/web/topic/how-to-push-applications-from-windows-application-store-available-in-the-comodo-one-portal

Also, are you using the firewall module on your LAN machines or laptops used on public networks? For machines on the LAN, I don’t use the firewall module.

Hello @howie
There is an upcoming update to the Comodo Client Security (CCS) this May 10. More information about it can be found in the following forum post: Comodo Client Security Release (10/05/2018)

With that said, we suggest that you wait for its release and test it afterwards. We also suggest that you re-check the CCS-related settings in the associated profile of your test endpoint(s). Make sure the profile is not one of the premade ones so that you can edit it. A properly set up Profile goes a long way in managing endpoints in the ITSM. Feel free to review the ITSM Profile help guide.

If you want to learn more, we strongly suggest signing up for a personalized demo of the Comodo ONE (C1) platform.

As a valued MSP partner, we will provide you your own dedicated Product Engineer who will give you a personalized demo of the C1 platform so that you can become familiar with all of its capabilities and get started quickly. Our mission is to make you a Comodo One Guru and educate you on all of its functionalities.

Please request your free demo via the link below and you will be contacted by your dedicated Product Engineer within 24 hours. Thank you and looking forward to hearing from you.

https://one.comodo.com/webinar/?af=7913

“To Login to Portal with Comodo ONE credentials, please Login from Comodo ONE Portal.” It is, what looks like, an attempt to login to my MSP portal,
(https://MYTMSP-msp.cmdm.comodo.com/user/site/login) WHY???

Should it not point to this one:?? https://one.comodo.com/app/ YES???

You received an ADMIN password when you signed up; it is this password you need, not the @domain user and password you access one.comodo.com with.

Dear xxxx:
Congratulations, creating your ITSM account was completed. Please see below the link and credential to your ITSM portal:
URL: https://xxxxx.cmdm.comodo.com Login: admin Password: xxxxxxxxxxxxxxxx

Well…updated to the newest version. Sadly, at this point…I am having second thoughts.

EDIT: I am using a Custom Profile which can be edited.

Firewall
I cannot run the firewall because it does not let me do my job; popups DO NOT tell me what is blocked when trying to access internal network resources.
I have tried this in Training Mode and Safe Mode, no perceived difference.

Even a simple RDP to servers doesn’t work…seriously?? Cannot get to HPE iLO either…on HTTPS…Once I turn off the FW…I can now get to internal sites and RDP works again.

It is mentioned that in a LAN the FW should be off?? What is the point of that?? So now my users will have to keep looking at Comodo “AT RISK” error messages…that seems counterproductive.

If the FW is to be turned off in a LAN Environment…then any FW message MUST be suppressed from the Console and any Endpoint… How is this accomplished?

Of the popups I do get…one is driving me nuts: svchost. I can’t tell you how many times this has popped up. Yes…each popup shows it uses a different UDP port, but come on…I cannot sit here all day and try and catch each and every popup?? Nor can my end user. How can these be suppressed and just allowed?? Just create another port range, UDP 50000-70000.

The mention about TIGHTVNC with a link to “allow” it. Nope…not quite. As I mentioned, it is NOT in Quarantine. Comodo marked it MALWARE.
In ITSM, I highlight all files…but I am UNABLE to DELETE MALWARE or QUARANTINE MALWARE, so it remains sitting in this Malware state. IGNORE MALWARE is NOT available as a choice (greyed out).
Comodo has now found two more files and decided to mark them as Malware too…: blat.exe and blat.dll. I don’t really care at this point what Comodo thinks…I use this software…so how do I score it correctly in under 30 seconds??
Along with this…are the constant emails that I am Infected when I am NOT. Getting an email every 1 1/2 hours. Ready to pull my hair out.

I realize I may have to work through some specific environment quirks, but I need a way to quickly identify and allow or stop something instantly…not in two hours, not in two days…30 seconds or less.

At this point…I am unable to sell this product.

Also…on Sign up. I went through every single email; I never got any email about my account being completed along with user: admin and a password.

When I try and recover password, it tells me to do this in my portal.
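Since the firewall gives no alert when RDP or the iLO HTTPS page stops working, one way to pin down which internal resources the firewall is actually blocking is to probe each one with a short timeout, once with the CCS firewall enabled and once with it disabled, and compare the two runs. This PowerShell script is an added example, not code from the thread or from Comodo; it uses .NET TcpClient instead of Test-NetConnection so it also runs on the Windows 7 endpoint mentioned above, and the hostnames are placeholders you must replace.

```powershell
# Added example (not from the thread or from Comodo). Probes the kinds of internal
# resources Howie reports as unreachable (RDP on 3389, HPE iLO over HTTPS on 443,
# VNC on 5900). Run it once with the CCS firewall on and once with it off; a target
# that is TIMEOUT with the firewall on and OPEN with it off is a rule that needs
# adding to the ITSM profile. TIMEOUT (silent drop) vs REFUSED (service answered
# with a reset) is what separates a firewall block from a down service.
# Hostnames are placeholders; replace with your own.
$targets = @(
    @{ Name = 'RDP to server';       HostName = 'server01.example.local'; Port = 3389 },
    @{ Name = 'HPE iLO (HTTPS)';     HostName = 'ilo01.example.local';    Port = 443  },
    @{ Name = 'TightVNC to desktop'; HostName = 'pc042.example.local';    Port = 5900 }
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        # No answer within the timeout usually means packets are being dropped silently.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'TIMEOUT' }
        $client.EndConnect($async)
        return 'OPEN'
    } catch {
        return 'REFUSED/ERROR: ' + $_.Exception.Message
    } finally {
        $client.Close()
    }
}

$label = Read-Host 'Label this run (e.g. FW-ON or FW-OFF)'
$results = foreach ($t in $targets) {
    New-Object PSObject -Property @{
        Run      = $label
        Resource = $t.Name
        Target   = "$($t.HostName):$($t.Port)"
        Result   = Test-TcpPort -HostName $t.HostName -Port $t.Port
    }
}
$results | Format-Table Run, Resource, Target, Result -AutoSize
# One CSV per run so the FW-ON and FW-OFF results can be compared side by side.
$results | Export-Csv -Path "$env:TEMP\fw-probe-$label.csv" -NoTypeInformation
```

Compare the two CSV files (for example with Compare-Object on the Target and Result columns); only the rows that differ between runs need firewall rules.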

What profile did you clone? I haven’t had the FW problems. I have had to allow things in but never out?? I also don’t agree with turning the FW off on the LAN. I have it running on all my endpoints and it’s never interfered with day to day activities.

CCS is VERY restrictive. This is a good thing. Sure it can be frustrating to get things set up, but stick with it. You need to add TightVNC into the whitelists, then add this into all parts of the profile: AV, CONTAINMENT, FW, etc.

James.
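Before a flagged binary is added to the AV, containment and firewall whitelists as James describes, it is worth recording why it is being trusted: its SHA-256 against the hash the vendor publishes, and whether it carries a valid Authenticode signature. This PowerShell script is an added example, not code from the thread or from Comodo; the file paths and the expected hashes are placeholders to fill in from your own endpoint and the vendor’s download page, and the output can be attached to the false-positive submission.

```powershell
# Added example (not from the thread or from Comodo). For each file CCS flagged,
# record SHA-256 and Authenticode signature state before marking it trusted.
# Paths and expected hashes are placeholders; take the hashes from the vendor.
$flagged = @(
    @{ Path = 'C:\Installers\tightvnc-1.3.10-setup.exe'; ExpectedSha256 = '<vendor-published-sha256>' },
    @{ Path = 'C:\Tools\blat\blat.exe';                   ExpectedSha256 = '<vendor-published-sha256>' },
    @{ Path = 'C:\Tools\blat\blat.dll';                   ExpectedSha256 = '<vendor-published-sha256>' }
)

function Get-FileSha256 {
    # Uses .NET directly so it also works on Windows 7, where Get-FileHash (PS 4.0+) may be missing.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

$report = foreach ($f in $flagged) {
    if (-not (Test-Path $f.Path)) { Write-Warning "Missing: $($f.Path)"; continue }
    $hash = Get-FileSha256 -Path $f.Path
    $sig  = Get-AuthenticodeSignature -FilePath $f.Path   # Status: Valid, NotSigned, HashMismatch, ...
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $verdict = if ($f.ExpectedSha256 -like '<*>') { 'no reference hash supplied' }
               elseif ($hash -ieq $f.ExpectedSha256) { 'hash matches vendor' }
               else { 'HASH MISMATCH - do not whitelist' }
    New-Object PSObject -Property @{
        File      = Split-Path $f.Path -Leaf
        Signature = $sig.Status
        Signer    = $signer
        Verdict   = $verdict
        Sha256    = $hash
    }
}
$report | Format-Table File, Signature, Signer, Verdict, Sha256 -AutoSize
# Keep the table with the false-positive submission; an unsigned installer with a
# mismatching hash is exactly the case that should stay in the malware list.
$report | Export-Csv -Path "$env:TEMP\flagged-files-trust.csv" -NoTypeInformation
```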

We really do suggest that you sign up for a webinar demo, @howie, so that these questions you have can be addressed by the Product Engineer with an appropriate solution within the same session.

If you are trying to “wing it” then you are going to struggle. Get a full demo with a product engineer; also look at the Comodo Academy.
https://www.comodoacademy.com/#/login