Hello @curatrix_pl,
@nct is correct. Current version of C1 is 3.16.0 (production).
Yep, this is what I did too – but it trashed a number of computers and required manual office repairs. Another set of work delegated to me by Comodo.
Had another one of these this morning. In this case, the file was removed from quarantine before realising that it was in there and we had to do a full repair of Office to resolve.
TrojWare.Win32.Monder.GEN@88653584 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | 00000000-0000-0000-0000-000000000000 | 2017/11/22 07:30:58 AM
This happened on boot up, and not upon opening any files.
Hi @curatrix_pl
Did you happen to set a scheduled scan at that time of the day on the affected device’s assigned Profile? Also, is the CCS installed on the affected device already updated to the latest version (10.0.3.6439)?
Surely the Comodo signatures are tested on Windows OSes before they are released to detect issues like this?
For most of my customers, Office 2016 is updating on an almost continuous basis from Microsoft; however, I still see it as Comodo’s responsibility to test out these pattern files better.
We understand your concerns regarding signature testing prior to release and the false positives for legitimate Office applications. We constantly update our signature and malware database to ensure that these issues are prevented.
There are certain cases wherein these issues fall through the cracks no matter how thorough the team is on providing protection.
We appreciate your thoughts on this. Rest assured we are taking this feedback seriously and we always aim to improve our overall service to all our valued partners.
Thank you.
In most cases, yes, they are around that version (10.0.3.x).
For me, the biggest issue is the number of false positives that appear to be getting picked up. It also seems to be a fruitless effort to submit them to Valkyrie, as I have not yet found a way to check the result of the Valkyrie scan and by the time we have submitted it for checking, in most cases, the file has been deleted.
@curatrix_pl I’d suggest you discuss with L2 support via the phone and post an update here, rather than using the forum.
As a post-sitrep, one of the reported incidents was flagged by CCS (through heuristic analysis) due to a likely ‘suspicious network activity/traffic’ when a file created through (Office 365) Word Online was accessed/opened by a local copy of MS Word. It only happened once and the next similar actions on the file did not cause any false positive detection anymore.