Winstep

Software Technologies


 Winstep Forums


 Post subject: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 6:22 am 

Joined: Tue Jan 31, 2012 6:07 am
Posts: 3
Hi guys, I downloaded Nexus Dock from CNET recently. Only been using this app a few times till I got a Comodo Firewall Alert. Couldn't find anything on the web about it. Not sure what to think, but this has me worried. :? Can anyone enlighten me here? Here's the link for the flags bolded: http://cima.security.comodo.com/report/ ... 983604.htm

and the details:
• File Info
Name Value
Size 13599872
MD5 49cda2500790d2e8ac3edfa1b24e79b6
SHA1 4a093bca51f211595dae3ee71e6c527c19983604
SHA256 66bf99229f4072f78beb0864e7585838a2186651c3afa612de60c4d380383448
Process Exited
• Keys Created
Name Last Write Time
CU\Software\Microsoft\Visual Basic 2010.08.24 19:23:29.781
CU\Software\Microsoft\Visual Basic\5.0 2010.08.24 19:23:29.781
• Keys Changed
• Keys Deleted
• Values Created
Name Type Size Value
CU\Software\Microsoft\Windows\CurrentVersion\Run\NeXuS REG_SZ 58 "C:\TEST\sample.exe autostart"

• Values Changed
• Values Deleted
• Directories Created
Name Last Write Time Creation Time Last Access Time Attr
C:\Documents and Settings\All Users\Documents\WinStep 2010.08.24 19:23:28.406 2010.08.24 19:23:28.406 2010.08.24 19:23:28.406 0x10
C:\Documents and Settings\All Users\Documents\WinStep\AutoInstall 2010.08.24 19:23:28.406 2010.08.24 19:23:28.406 2010.08.24 19:23:28.406 0x10
C:\Documents and Settings\All Users\Documents\WinStep\Backup 2010.08.24 19:23:28.406 2010.08.24 19:23:28.406 2010.08.24 19:23:28.406 0x10
C:\Documents and Settings\All Users\Documents\WinStep\Export 2010.08.24 19:23:28.406 2010.08.24 19:23:28.406 2010.08.24 19:23:28.406 0x10
C:\Documents and Settings\All Users\Documents\WinStep\NeXus 2010.08.24 19:23:28.421 2010.08.24 19:23:28.406 2010.08.24 19:23:28.421 0x10
C:\Documents and Settings\All Users\Documents\WinStep\NeXus\Backgrounds 2010.08.24 19:23:28.421 2010.08.24 19:23:28.421 2010.08.24 19:23:28.421 0x10
C:\Documents and Settings\All Users\Documents\WinStep\NeXus\Tiles 2010.08.24 19:23:28.421 2010.08.24 19:23:28.421 2010.08.24 19:23:28.421 0x10
C:\Documents and Settings\All Users\Documents\WinStep\Themes 2010.08.24 19:23:28.406 2010.08.24 19:23:28.406 2010.08.24 19:23:28.406 0x10
C:\Documents and Settings\All Users\Documents\WinStep\Versions 2010.08.24 19:23:28.406 2010.08.24 19:23:28.406 2010.08.24 19:23:28.406 0x10
• Directories Changed
• Directories Deleted
• Files Created
• Files Changed
Name Size Last Write Time Creation Time Last Access Time Attr
C:\Documents and Settings\User\NTUSER.DAT 786432/786432 2010.08.24 19:17:48.625/2010.08.24 19:23:29.578 2008.08.01 09:32:39.687/2008.08.01 09:32:39.687 2010.08.24 19:17:48.625/2010.08.24 19:17:48.625 0x22/0x22
• Files Deleted
• Directories Hidden
• Files Hidden
• Drivers Loaded
• Drivers Unloaded
• Processes Created
• Processes Terminated
• Threads Created
PId Process Name TId Start Start Mem Win32 Start Win32 Start Mem
0x3d8 svchost.exe 0x380 0x7c810856 MEM_IMAGE 0x77e76bf0 MEM_IMAGE
• Modules Loaded
• Windows Api Calls
• DNS Queries
• HTTP Queries
• Verdict
Auto Analysis Verdict
Suspicious+
• Description
Suspicious Actions Detected
Creates autorun records

• Mutexes Created or Opened
PId Image Name Address Mutex Name
0x338 C:\TEST\sample.exe 0x5ed0c5 WinstepInitMutex
0x338 C:\TEST\sample.exe 0x7c81a838 ShimCacheMutex
0x338 C:\TEST\sample.exe 0x891018 WorkshelfMutex
0x338 C:\TEST\sample.exe 0x891052 WinstepMutex
• Events Created or Opened
PId Image Name Address Event Name
0x338 C:\TEST\sample.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 8:51 am 
Site Admin

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 12285
I have *just* written a very strong letter to the Comodo white list department regarding this.

Are you the one who wrote THIS post at the Comodo forums?

If you look at the report you linked to, the reason given for flagging Nexus as suspicious is that it adds itself to the list of software to be run when Windows starts!

Now, since this is something the user wants, and given that thousands of different legit applications that also need to run when Windows starts do exactly the same, it's a very strange reason to flag an application as suspicious, don't you think?

Unfortunately Winstep has had nothing but trouble with Comodo software, and this despite numerous complaints and uploading *every single new release* to their white list servers, as requested by them (something *no other* AV solution provider requires, and a total pain in the bottom, pardon my French).

This is ridiculous and probably won't stop until AV solution providers start being legally held accountable for false positives and lost sales resulting from those!

Sincerely at this point my advice to you would be to dump Comodo and use something else, like the ESET Smart Security suite.

Whenever someone has a problem with a particular application, my suggestion is for them to upload the file to VirusTotal.

VirusTotal scans a file using 40+ different AV engines - if you only get one or two of them reporting a file as 'suspicious', you can be pretty much confident that what you have is a false positive.

_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
http://www.winstep.net - Winstep Software Technologies


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 8:58 am 
Site Admin

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 12285
And *after* writing the above (I didn't pay close attention to the actual file because you said you had downloaded Nexus from Cnet) I noticed that the RUN entry says:

"C:\TEST\sample.exe autostart"

Two things regarding that:

1. Did you install Nexus into 'C:\TEST\' instead of the normal folder at 'C:\Program Files (x86)\Winstep\' (assuming a 64 bit system, otherwise 'C:\Program Files\Winstep\')?

2. Did you rename 'Nexus.exe' to 'sample.exe'?

That entry should say

"C:\Program Files (x86)\Winstep\nexus.exe autostart" or "C:\Program Files\Winstep\nexus.exe autostart"

NOT

"C:\TEST\sample.exe autostart"

_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
http://www.winstep.net - Winstep Software Technologies


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 9:16 am 

Joined: Tue Jan 31, 2012 6:07 am
Posts: 3
Hi there, thank you for the quick response! No, I didn't post on Comodo about this or any other matter. I don't usually have a lot of false positives, but yes it does seem strange based on the flags given?

In regards to your questions it is odd because:

1. Nexus is installed at: C:\Program Files (x86)\Winstep\
2. I didn't rename anything.

I searched long and hard for a good firewall and Comodo is it for me despite this. I will go ahead and whitelist your app. Thanks again for the reply, any further insight would be greatly appreciated.


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 9:31 am 
Site Admin

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 12285
Why does the report mention a C:\TEST folder and a sample.exe file then? Neither has anything to do with Nexus.

Have you checked your hard drive for the existence of such a folder and file? I would look into that - and please let me know.

_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
http://www.winstep.net - Winstep Software Technologies


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 9:42 am 

Joined: Tue Jan 31, 2012 6:07 am
Posts: 3
I have no idea why it shows those folders?
I don't have them showing in my c: drive *see attached.

Any ideas?


Attachments:
Folders.JPG
 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 10:35 am 
Site Admin

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 12285
Err... You already know my opinion regarding Comodo... now I know it even reports problems with non-existing files. :wink:

Seriously now, I really don't know. Perhaps it's a bug with Comodo, perhaps that folder and file are temporarily created on purpose when making that report... You will have to ask them, sorry.

_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
http://www.winstep.net - Winstep Software Technologies


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 11:07 am 
Site Admin

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 12285
Actually I just got a reply from their White listing manager, so I asked them myself. I'll let you know if they answer this question.

_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
http://www.winstep.net - Winstep Software Technologies


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 12:58 pm 
Site Admin

Joined: Thu Feb 26, 2004 8:30 pm
Posts: 12285
Well, they didn't say anything regarding the TEMP folder, but they said the following regarding the flag being flagged as suspicious in the CIMA scanner:

"Cima scanner will always make detections only as per heuristic behavior. It is not our whole antivirus solution as the one the user has, it is just a heuristic scanner which triggers alerts only based on rules related file's behavior. The CIS product itself includes heuristic scanner but this also contains Virus database, cloud database, firewall, virus scanner, defense+ sandbox, whitelisting, CIS settings etc. All these linked modules are part of a product in which Comodo has defined priorities and levels between them."

_________________
Jorge Coelho
Winstep Xtreme - Xtreme Power!
http://www.winstep.net - Winstep Software Technologies


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 9:01 pm 

Joined: Sat Feb 12, 2011 1:22 pm
Posts: 66
Comodo is crapware :mrgreen:

_________________
Waterworld


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 9:54 pm 

Joined: Mon Sep 08, 2008 8:33 pm
Posts: 1212
Location: Portland, Oregon U.S.A.
Yeah, do yourself a favor and replace Comodo with either ESET, Kaspersky, or ZoneAlarm security.

_________________
AKA THE UNKNOWN PERVERT


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 10:17 pm 

Joined: Sat Jan 08, 2011 5:57 pm
Posts: 898
Location: Athens, Greece
I'll have to back that up too. In fact, I was ready to post right after the original post. Comodo is shite.
Personally, with most people being behind an A/VDSL or cable router's hardware firewall and NAT, I really don't see any reason to have a software firewall on every PC at home too. I just got a decent router and don't bother with firewalls anymore. Just a good AV, which is NOD32 for me...

_________________
Live long and prosper...


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 10:35 pm 

Joined: Mon Sep 08, 2008 8:33 pm
Posts: 1212
Location: Portland, Oregon U.S.A.
skagon wrote:
I'll have to back that up too. In fact, I was ready to post right after the original post. Comodo is shite.
Personally, with most people being behind an A/VDSL or cable router's hardware firewall and NAT, I really don't see any reason to have a software firewall on every PC at home too. I just got a decent router and don't bother with firewalls anymore. Just a good AV, which is NOD32 for me...


Skagon, I have ZoneAlarm set to notify me of items that want to access the net on the item's first attempt to connect. Most router firewalls will not do that. There are way too many items that are allowed by both hardware and software firewalls if you do not manually block them. In my opinion it is best to have both hardware and software firewalls. Basically a safety net.

_________________
AKA THE UNKNOWN PERVERT


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 11:13 pm 

Joined: Sat Jan 08, 2011 5:57 pm
Posts: 898
Location: Athens, Greece
Mate... I was like that in the past. Wanting control over anything. Like, hey, why does this programme want access? Hey, why does that want access? Block block block, rules rules rules... Then, it just hit me. Who cares? I'm spending more time *configuring* programmes, than actually *using* them. Not to mention that there were more programmes *not* working properly by being blocked by default than not, and then I had to spend even more time, trying to find what port and what protocol to unblock. So, what if they want access? Let them have it. They want statistics from my usage of their programme? Sure. Take it.
If I ever need to run anything "suspicious", I do it on a virtual machine set to read-only anyway, because if there's a virus or trojan in there, and you wanting to run it, press "allow", it will wreck your system no matter how many firewalls or antivirii you have.
And again... I use mainstream well-known software anyway. Why block, say, Visual Studio or PaintShop Pro or LibreOffice or... I don't know... from accessing the internet? If they want to, sure, go ahead. I can't be arsed. Contact the mothership all you want.

I'm too old for this shit... :D

_________________
Live long and prosper...


 Post subject: Re: Serious Comodo Firewall Alert for Nexus Dock!
PostPosted: Tue Jan 31, 2012 11:33 pm 

Joined: Mon Sep 08, 2008 8:33 pm
Posts: 1212
Location: Portland, Oregon U.S.A.
Actually it's never taken long for me to grant or not grant access. Install Windows, do the drivers, install the security software, do the Windows updates, install a program, run it once and either allow or not allow it. Then on to the next program. Adds maybe an extra 1/2 hour to the entire setup process.

_________________
AKA THE UNKNOWN PERVERT

