Heur.Pck.MEW – Comodo False Positive!
UPDATE: 2/26/09 – Comodo released an update today that has fixed the issue that I was experiencing. Details here!
————————————————————
UPDATE: I have heard back from Comodo tech support and they are aware of the issue and are investigating it:
Hi,
Thanks for sending us the report. Our developers are investigating this issue. Soon it will get resolved. Please bear with us until the time.
We regret the inconvenience caused.
I have resolved the issue by turning OFF the new heuristics scanning engine. For instructions on how to do this, please scroll to the bottom of this post.
—————————————————————————————–
This morning I woke up to an alarming number of Trojan alerts coming from the Comodo AV app installed on my desktop PC running Vista. The infections were mostly all coming from some Glary Utilities files, which struck me as odd.
After a panic-filled morning, I am pretty sure the false positive is coming from an updated version of Comodo Internet Security (CIS). I scanned a second Vista machine and it came up clean. Then I noticed that CIS was alerting me of a program update that is now available.
Thinking back, I recall allowing CIS to update itself on my Vista desktop yesterday, so I allowed the second Vista machine to update. After updating CIS and allowing the installer to reboot the machine, I performed a scan – WHAMMO, Glary files are now flagged as infected.
The new CIS includes heuristic scanning, which is more like looking for bad behavior than comparing against actual known bad code. Think of it as alerting you that someone is using a shim to open your car door – normally this is a bad thing, but if you lock your keys in your car, using a shim is perfectly acceptable behavior.
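To make the distinction concrete, here is an added example (not from the original post and not Comodo's engine): a signature check by SHA-256 hash next to a toy heuristic that flags high byte entropy, a trait of compressed or packed data. The entropy rule, the 7.2 threshold and the sample byte strings are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0); compressed data sits near 8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed samples: plain byte strings, not real malware or real program files.
KNOWN_BAD = b"constructed sample standing in for a catalogued trojan\n" * 50
CLEAN_PLAIN = b"This utility removes temporary files and broken shortcuts.\n" * 50
# Stand-in for a clean installer with a compressed payload: hash output has the
# same near-uniform byte distribution that compressed data has.
CLEAN_COMPRESSED = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256)
)

SIGNATURE_DB = {sha256_hex(KNOWN_BAD)}  # signature engine: exact known-bad hashes
ENTROPY_THRESHOLD = 7.2                 # assumed cut-off for "looks packed"

def signature_scan(data: bytes) -> bool:
    """Flags only files whose hash is already in the known-bad set."""
    return sha256_hex(data) in SIGNATURE_DB

def heuristic_scan(data: bytes) -> bool:
    """Flags a trait (high entropy), whether or not the file is malicious."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD

def verdict(data: bytes) -> str:
    if signature_scan(data):
        return "signature match"
    if heuristic_scan(data):
        return "heuristic only"
    return "clean"

def scan_all() -> dict:
    samples = {"known_bad": KNOWN_BAD, "clean_plain": CLEAN_PLAIN,
               "clean_compressed": CLEAN_COMPRESSED}
    return {name: verdict(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:17} {result}")
```

The clean compressed sample comes back as "heuristic only": the scanner matched a trait, not known bad code, which is the kind of alert that calls for review before anything is deleted.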
Because I have been using Glary for as long as I have, and because the only report of malware is after I updated CIS to the new version which is 3.8.64739.471, I feel pretty confident that this is a false positive.
After figuring this out, I went to the updater within the CIS interface and it found another update. I installed that, rebooted, and the problem still exists.
I have submitted the Glary installer to Comodo for review (I can consistently get the alert to appear when I try to install the Glary update) so I will post the results when I hear back.
In conclusion, it *appears* as though this is a false positive – meaning, the antivirus software incorrectly identifies clean files as infected with malware (a virus or spyware).
Of the many posts I’ve read, here is one of the shortest threads that will help comfort you -
http://forums.comodo.com/empty-t34475.0.html
UPDATE: Still no word or any information on Comodo’s website, but the number of affected applications seems to be growing. It still seems as though the new heuristics scanning engine is the culprit. I have not installed anything new and applications that I have been using only seem to have a problem with Comodo running. It is starting to be a problem because critical application files are being quarantined, preventing the application from running and in some cases requiring a reinstall.
My solution is this:
- In the Comodo user interface, go to the Antivirus tab
- Click on the Scanner Settings menu item
- Turn OFF the Heuristics Scanning/Level

Again, since the heuristics engine is a new feature to Comodo, I don’t think you are causing yourself any problems at this stage, I just think there is a major problem with this new functionality and we probably don’t want to use it until it is fixed.
Comments
I’ve had a few more items reported as Heur.Pck.MEW. So, as you’ve done, I’ve switched off Heuristics scanning now.
One of the reasons I dumped Avast is due to the manual scanning. Rather than complete scanning and then reporting the dodgy files it stops and waits for me to tell it what to do. When I used the screen saver scanner (which was a great idea) I knew I couldn’t leave my PC alone to scan as it would never complete!!
I disliked AVG from the moment it told me that ZoneAlarm was malware. I don’t like Norton’s dumbing down and resource hogging, plus it blocked Outlook. As for McAfee, I have tried a few iterations and have always found it would crash after half an hour of use.
I’ll stick with Comodo for now, but keep Heuristics off.
Thank you very much for the information.
I turned it off as you showed.
I had trouble finding out anything from Comodo and I have been using it a long time. The programs (Glary, Auslogics), I believe, are fine.
I don’t understand why Comodo doesn’t address the problem faster, fix it or at least tell people what is going on.
Thanks to your blog I have stopped deleting important files due to Comodo's false report… Of course I am quite angry with this as I have already deleted good program installers….. I JUST FELT A DOUBT WHEN I SAW SO MANY Heur.Pck.MEW REPORTED AND SOME ADOBE PLUGINS AS VIRUSES
I used avast before, but it is too heavy, my machine gets too slow…
THANK YOU


Getting the same thing with TuneUp Utilities 2007. I’ve been using Avast for the past 3 years and have never had any problems with it. Then I finally decide to take the plunge with CIS and it decides that TU2007 (which is similar to Glary) is a virus and proceeds to lock up my PC.
I’m beginning to regret uninstalling Avast now