False Positive on Office dll?

Hi,

A user's Office stopped working; Comodo detected “TrojWare.Win32.Monder.GEN@88653584” in the following file: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso20win32client.dll, and the hash is DEEC4FF4031E1E972305ACB06EE76817697C2303

I have uploaded it to virustotal.com and ran a reanalysis, and everything came back clean, even Comodo.

https://www.virustotal.com/#/file/5882a286e431fe800c51026bedfaa82bdbaf095ad2b43bb6e46718655914d6bb/detection

@Noiden

We thank you for bringing this issue to our attention. Is it just one endpoint that exhibits this behavior? Can you please submit a copy of the file at https://www.comodo.com/home/internet-security/submit.php . We would like to analyze it for you. Once we are able to process it, Comodo can recognize that the file is indeed safe.

@Noiden I think you are not alone. There are a few reports of these types of files getting blocked. Haven't seen a Comodo reply, as it seems to be handled on a case-by-case basis.

I am also having this issue.

Is it possible to get the file from the ITSM somehow? I can see it in the quarantine in ITSM, but can't download the file to upload it to your submit page.

Hello @Noiden,

Getting the file from the ITSM is not possible. As a workaround, you may access the device remotely and then upload the file on the website. Thank you

I rated them as trusted, restored them, then they quarantined them again??

@BOSS ,

We are going to dig deeper on this issue. We do not have a conclusion yet as to why MSOffice files had been flagged with false positives. We will have our product developers analyze and resolve this concern. We will notify you via support ticket for the outcome.

I had the same thing as @BOSS: I rated it trusted but it came back as not trusted; seemed like Valkyrie was down yesterday… As a workaround for the moment I created a new Profile where I excluded the folder where the file was located, and added the affected computers to that profile.

I have now uploaded the file to the link you gave me and also to Valkyrie.

@Noiden,

Thank you for sharing this insight. Our product development team is already engaged in discussion with this report.

Just to clarify the case: the file is already signed by Microsoft, and the certificate is valid. So, it should have been trusted in the first place by the endpoint agent. There is no need to query or upload it to Valkyrie.

And Valkyrie was up yesterday.
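Added example (not from the thread or from Comodo): a PowerShell check an admin can run on an affected endpoint to confirm the points made above before submitting the file, namely that the DLL carries a valid Microsoft Authenticode signature and that its SHA1 matches the hash quoted in the first post. The path and hash are the ones from the original post; `Test-OfficeDllTrust` is a hypothetical helper name.

```powershell
# Added example: verify signature and hash of the DLL flagged by Comodo.
# Path and expected SHA1 are the values quoted in the original post.
$Path         = 'C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso20win32client.dll'
$ExpectedSha1 = 'DEEC4FF4031E1E972305ACB06EE76817697C2303'

function Test-OfficeDllTrust {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$Sha1
    )
    # If the file is still in quarantine the path will not exist; report that
    # instead of failing, since the file must be restored before it can be checked.
    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ Path = $FilePath; Exists = $false }
    }

    # Authenticode check: Status 'Valid' means the chain builds and the file
    # digest matches the signed digest (i.e. the binary has not been altered).
    $sig    = Get-AuthenticodeSignature -LiteralPath $FilePath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Hash check against the value posted to the forum / VirusTotal.
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA1).Hash

    [pscustomobject]@{
        Path            = $FilePath
        Exists          = $true
        SignatureStatus = $sig.Status
        Signer          = $signer
        MicrosoftSigned = ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')
        Sha1            = $hash
        HashMatches     = ($hash -eq $Sha1.ToUpper())
    }
}

Test-OfficeDllTrust -FilePath $Path -Sha1 $ExpectedSha1 | Format-List
```

If `SignatureStatus` is `Valid`, `MicrosoftSigned` is `True` and `HashMatches` is `True`, the endpoint holds the same signed Microsoft binary that VirusTotal reported clean, which supports treating the detection as a false positive.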

I also excluded the folder, but on the main profile. Thanks for the feedback.

Hi @Noiden, @dittoit, @BOSS, and @fatih,

We have been advised that the issue with Mso20win32client.dll being tagged as malware has been resolved with the October 21st release.
Please ensure that you have the latest version of Comodo (v3.16.0).

@Raymond_Co It's specifically the version of Comodo Client Security that needs to be running the latest release of 10.0.2.6397. You've referred to the C1 console version, which is actually 3.17.0, not as you have stated above.

@nct, it is specifically the Comodo Client Security that needs to be running on its latest version. I appreciate the correction.

I have had a similar issue this morning where a user has opened a document that has been shared on OneDrive for Business.

Upon opening the link to the file, and logging into Office 365 when prompted, Comodo has jumped up and said WinWord is a network trojan and quarantined it. I have then restored the WinWord.exe from quarantine and scanned the EXE manually for it to return clean. I have also downloaded and scanned the word document manually too, which has also returned clean.

Hi @curatrix_pl ,

Thank you for reporting this case. Can you check if you have the latest version of Comodo (v3.17.0)?

@Jordan_C

Yes, version 3.16.0, and given that we are using Comodo One, it would be very concerning if we were not using the ‘current’ version.

Paul

Hello @curatrix_pl ,

Support team will get in touch with you shortly via email to further investigate the root cause of your issue.

Regards,
Jay

@Jordan_C @Jay 3.17.0 is the beta (demo) version of C1, whereas the current release (production) version is 3.16.0. I believe the version number was being incorrectly displayed on C1 when I posted the comment in October and then reverted to 3.16.0.