I've downloaded a few installation files this evening, and ran into an unexpected issue.

When attempting to install Unepic from setup_unepic_2.2.0.7.exe (just downloaded - file size 200,881,752 bytes, size on disk 200,884,224 bytes, certificate signing date Friday, November 15, 2013 7:39:30 AM) Comodo Antivirus reports

TrojWare.Win32.Injector.sbp@281376821 for file C:\Users\[..]\setup_unepic_2.2.0.7.tmp

The AV is part of "Comodo Internet Security Premium"

Product version 6.3.302093.2976
Database version 17872

I checked other files downloaded during the same session:

setup_dungeon_keeper_gold_2.0.0.4.exe (file size 258,148,408 bytes)
setup_dungeon_keeper2_2.0.0.32.exe (file size 441,410,424 bytes)
setup_darklands_2.0.0.6.exe (file size 85,795,904 bytes)
setup_master_of_magic_2.0.0.20.exe (file size 25,454,840 bytes)
setup_patrician3_2.0.0.5.exe (file size 463,984,520 bytes)
setup_syndicate_plus_2.0.0.12.exe (file size 28,243,368 bytes)
setup_thief_gold_2.0.0.46.exe (file size 752,199,848 bytes)
patch_thief_gold_2.0.3.49.exe (file size 1,740,208 bytes)
setup_thief2_2.0.0.18.exe (file size 801,836,368 bytes)
patch_thief2_2.0.1.19.exe (file size 2,357,352 bytes)

All of them report the same trojan injection attempt when the installation .tmp file is created.

I checked older GOG installation files, none of them results in this message, indicating that this is not a system infection issue.

I downloaded Dwarf Fortress as a sample from another source - no infection. So it's not the connection on my end being hacked, either.

What's going on?

I have the files archived in case you want to analyze them.
Post edited March 02, 2014 by Lukaszmik
It is a false positive. My guess is that Comodo is flagging some part of the newer GOG installers.

Edit: Dungeon Keeper Gold didn't end up flagged under MSE. Don't have the others to test.
Post edited March 02, 2014 by zaine-h
zaine-h: It is likely a false positive. My guess is that Comodo is flagging some part of the newer GOG installers.
Possibly. I'm not entirely comfortable with allowing a file resulting in such a warning to execute, though.
Edit: Try what DeMignon suggested first, then:

You can report the false positive to Comodo and they should be able to take a sample file and run tests to exclude the file as a source of any problem.
Post edited March 02, 2014 by zaine-h
I checked the Master of Magic installer on www.virustotal.com and got 0 detection.
Even the Comodo engine detected no virus in the installer. Of course that could change the moment the installer becomes active, but so far so good. It's pretty likely that it's a false-positive from Comodo, but check your Master of Magic installer as well on virustotal.com. Maybe your installers became infected after you downloaded them from GOG.
The SHA256 hash key of your Master of Magic installer should be exactly the same as mine:

SHA256: 6e885dae7130a1e8772e46a466da7c58390ba88ee2c406d9e5738a804a0a8e28
File name: setup_master_of_magic_2.0.0.20.exe
Detection ratio: 0 / 50
Analysis date: 2014-03-03 04:30:02 UTC
Someone at virus database HQ probably copy-pasted a spreadsheet with a bunch of variables. More than likely a false positive and/or over-sensitive antivirus software - you've got nothing to worry about. I would advise you to add them to the exceptions list so they don't bother you. Why would GOG infect its user base with trojans anyway? ;P
Question - did you guys check the .exe file, or the .tmp file that is created when you run the installer (.exe)?

Because I get the warnings from the .tmp file. The .exe files are clean as far as Comodo is concerned.

Which is why I included file sizes for the installers, because if it's a sophisticated injection attempt there's a chance they would differ from the "clean" GOG versions.

If it's a really sophisticated attack... well, short of full-blown investigation by qualified professionals I'm SOL as far as making a determination.

Zaine, could you please do me a favor and check the files size of setup_dungeon_keeper_gold_2.0.0.4.tmp?

Mine's at: Size: 1,242,944 bytes; Size on Disk: 1,245,184 bytes

It's from the first "Properties" tab when you right-click on the .tmp file.

Thanks in advance!

Edit: Got the same SHA256 sequence as DeMignon so I guess it's either really, really advanced local infection or indeed a false positive.

Nadenitza, in the hypothetical case were it a real trojan injection, it would likely not be GOG at all (unless some hypothetical employee got paid off to do it). There's a long string of unknowns between the GOG server and my computer ;)
Post edited March 03, 2014 by Lukaszmik
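Added example, not code from the thread or from GOG: a small Python script that performs the check DeMignon and Lukaszmik describe in the two posts above, hashing a downloaded installer (or the extracted .tmp) in chunks and comparing both the byte count and the SHA-256 against a known-good value. The real Master of Magic size and hash quoted in the thread cannot be reproduced offline, so the demo builds constructed stand-in files: one pristine, one with a byte appended, and one patched in place so the size still matches. The file names and payload are invented for the demo.

```python
"""Verify a downloaded installer against a published size and SHA-256.

Added example for this thread; the vendor hash quoted in the thread is real,
but the files below are constructed stand-ins, not GOG installers.
"""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class VerifyResult:
    path: str
    actual_size: int
    actual_sha256: str
    size_ok: bool
    hash_ok: bool

    @property
    def ok(self) -> bool:
        return self.size_ok and self.hash_ok


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so an 800 MB installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path: str, expected_sha256: str,
                     expected_size: Optional[int] = None,
                     chunk_size: int = 1 << 20) -> VerifyResult:
    """Compare size (cheap, catches appended payloads) and SHA-256 (catches everything)."""
    actual_size = os.path.getsize(path)
    actual_sha256 = sha256_of_file(path, chunk_size)
    # compare_digest does a constant-time comparison; normalise case first,
    # since VirusTotal and Windows tools print the digest differently.
    hash_ok = hmac.compare_digest(actual_sha256, expected_sha256.strip().lower())
    size_ok = expected_size is None or actual_size == expected_size
    return VerifyResult(path, actual_size, actual_sha256, size_ok, hash_ok)


def demo() -> Dict[str, VerifyResult]:
    """Build three constructed files and verify each against the pristine hash."""
    payload = bytes(range(256)) * 40          # 10,240 bytes of constructed "installer"
    expected = hashlib.sha256(payload).hexdigest()   # the value a vendor would publish

    patched = bytearray(payload)
    patched[5000] ^= 0x01                      # one bit flipped, size unchanged

    samples = {
        "good": payload,
        "appended": payload + b"\x90",         # trailing byte added, size changes
        "patched": bytes(patched),
    }
    results: Dict[str, VerifyResult] = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            path = os.path.join(d, f"setup_example_{name}.exe")   # hypothetical name
            with open(path, "wb") as f:
                f.write(data)
            # chunk_size below the file size so the streaming path is exercised
            results[name] = verify_installer(path, expected, len(payload), chunk_size=4096)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:9s} size_ok={r.size_ok!s:5s} hash_ok={r.hash_ok!s:5s} sha256={r.actual_sha256}")
```

The "patched" case is why the thread's size comparison alone is not enough: a payload swapped in place leaves the byte count identical and only the hash changes. To check the .tmp that Comodo flags, run verify_installer against it while the installer is paused on its first dialog, and compare the digest with what another user or VirusTotal reports for the same installer version.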
Comodo itself is a virus.
Strijkbout: Comodo itself is a virus.
I got that beat. Norton saw Norton as a virus and deleted itself from my dad's PC.
wow, another one of those threads.
I am no business expert but I doubt we'd be in business very long if we sold virus-laden files :)
Lukaszmik: ... Edit: Got the same SHA256 sequence as DeMignon so I guess it's either really, really advanced local infection or indeed a false positive.
So the file is definitely the unaltered GOG version of the installer. I think an injection during creation of the tmp file is very unlikely, whereas false positives happen regularly. An injection during the installation process would also imply that your system is already compromised. Get Kaspersky's Rescue Disk, it's free. Burn it and boot your PC from this CD to run a deep scan while your system is dormant. (If you have no CD drive, it's also possible to boot and run it from a thumb drive.)
Lukaszmik: I've downloaded a few installation files this evening, and ran into an unexpected issue.

snip

The AV is part of "Comodo Internet Security Premium"

Product version 6.3.302093.2976
Database version 17872

snip
I don't use your Security application, but the best way to deal with potential false positives is to submit the files that are marked as infected to the security application developers, so that they can look into them and modify their database accordingly.

Does Comodo Internet Security Premium offer you such an option? If it does, I'd use it. If they're serious about their app, then most likely you won't get such warnings when the database updates.
JudasIscariot: I am no business expert but I doubt we'd be in business very long if we sold virus-laden files :)
The only thing virus-laden at GOG is the forum members. :P
JudasIscariot: I am no business expert but I doubt we'd be in business very long if we sold virus-laden files :)
I have a business degree and it makes sense to sell virus-laden files.

It should be one of your key selling points

DRM-Free, 30 days money back and virus-laden files