360 TS Scan Reports Files Tampering

Status: Not open for further replies.

AtlBo

:) Merry Christmas everyone! Just installed 360 Total Security and ran a quick scan. Result says for 2 files "File Tampered". The files are:

ReAgent.dll - Microsoft Windows Recovery Agent file. This has links to ReAgentC, which has some frightening-looking command switches attached:

REAgentC Command-Line Options

Rtm.dll - routing table manager

What should I do about this? 360 wants to repair the files.

Comodo Programs Manager uses dismhost for some reason, so could CPM or Comodo Firewall have caused this, or maybe VoodooShield? Apparently, the file was changed/altered/different from what 360 expected. 360 is pretty good about these usually, in that I want to get a prompt if something tries this. However, I sometimes have a hard time knowing what to do when a scan result reports this type of thing.

Guess I should have installed 360 first when I reinstalled Windows, then I think I would know what caused this :)

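A check the thread itself never runs, added here as an example (this is not code from 360 TS or from any poster): from an elevated PowerShell prompt it reports whether the two flagged DLLs still carry a valid Microsoft signature and asks SFC whether the on-disk copy matches the protected copy in the component store. Paths assume a default Windows install under `C:\Windows`.

```powershell
# Added example, not from the thread. Verifies the two files 360 TS reported as
# "File Tampered". Run elevated; SFC needs administrator rights.
$flagged = @(
    "$env:SystemRoot\System32\ReAgent.dll",
    "$env:SystemRoot\System32\rtm.dll"
)

foreach ($path in $flagged) {
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$path not found"
        continue
    }

    # Authenticode/catalog signature check. On Windows 8 and later this also
    # resolves catalog-signed OS files; 'Valid' plus IsOSBinary = $true is what an
    # untouched Windows binary should show. On Windows 7, catalog-signed files can
    # report 'NotSigned' here, so rely on the SFC result below in that case.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $item = Get-Item -Path $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

    [pscustomobject]@{
        File       = $path
        SizeBytes  = $item.Length
        LastWrite  = $item.LastWriteTimeUtc
        SigStatus  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        IsOSBinary = $sig.IsOSBinary
        SHA256     = $hash   # keep for comparison with a known-good image
    } | Format-List

    # SFC compares the file with the component store copy. "did not find any
    # integrity violations" means the on-disk file is the one Windows expects;
    # "found integrity violations" means something really did change it.
    & sfc.exe "/verifyfile=$path"
}
```

If both files come back signed, IsOSBinary and clean under SFC, the 360 result is a false positive against the current file contents and the repair would replace a good file; if SFC reports a violation, `sfc /scannow` restores the store copy without relying on the scanner's own repair.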
Wave

There's a very simple solution in these scenarios, even if you have no idea what the repairing is for... Make sure you have a system backup prior to the repair, so you can then freely let the software repair the "damages" but revert with a snapshot if it shouldn't have been touched for any repair/causes issues afterwards. :)

(and this usually works well 9/10 for a lot of scenarios)

As for the general questions, I would leave it alone if I were you, unless you have a real reason to suspect a malicious/suspicious modification from an untrusted program caused Qihoo to pick up these identifications. Your guess is just as good as mine, and without knowing the specific internals of components within the other software you listed you won't be sure whether Comodo/VDS triggered the detection (without dynamic testing, of course, in that case); however, my rule is to not fix it unless it's broken. :)

However, I am going to follow this thread in case someone else knows the solution (without backup usage), because I am generally interested in this but do not actually know myself. :)

AtlBo

Hey Wave. Thanks. I guess I'll go with your rec here. I think I went too long before installing 360. Waited about 2 days to try to assess everything and just went with VoodooShield and then added Comodo Firewall yesterday.

I suppose this is likely a FP. I do think, though, that it's more like a HIPS-type FP than anything else... as you say, static detection. 360 logs are good enough that I can go back and undo the choice if I want to. I think it would repair the files if I do.

Then again :cool::rolleyes: I could roll back to a couple of days ago and start with 360 TS first...:confused:o_O

I hate these decisions...

Wave

@AtlBo If you are certain you have only downloaded from trusted sources and installed trusted software, then there should be no worry regarding the security of your system; it should be fine to ignore the detections. For all you know it could just be a bug in Qihoo; however, I do not know enough of the internals regarding what the detections are about to provide you detailed information (as I usually do), which is sad... You can try contacting them via customer support to request more information on the detections, though; they will most likely respond quickly.

I don't think it's worth the trouble for you to revert back as long as you know that you only downloaded essentials/trusted software. If you recall making some shady decisions, then revert back and start again. :)

Edit: changed @AltBo to @AtlBo (always make this mistake haha)
Edit 2: mixed up on the Edit as well haha
Edit 3: just found out I can link tags to other peoples profiles! E.g. @AtlBo (click that tag = it shouldn't be correct = should show you @Jack's profile!) ;)

AtlBo

This setup I run limits my choices of software. I have to look around to find things in some cases. I keep some installers that I know I can trust in storage too.

Example: I had to find a browser that VoodooShield free wouldn't recognize, so that some scripts I have placed on the system would run without pop-ups from VS when the browser is open. I get around this by sandboxing the browser for now with CF. So I downloaded Vivaldi (former Opera dev) and, before that, RealPlayer, but an older version from FileHippo (the one I'm used to, v15). Don't think that's a problem. Otherwise I think it's straight.

360 usually flags sketchy actions, and I am leaning toward CF being what may have changed these files. Not that it would be sketchy for CF to do this if it did, but for something else maybe it could actually be. I mean, CF flagging itself for some things it requires doesn't seem a rare occurrence in my past experience, now that I think about it.

I have the images, and this system won't change much, so I think I will ride it out and see if I can learn more about what this might be later.

jamescv7

I think it's better placed in the exception list if you believe that the file came from a trusted source; sometimes that detection is more likely linked to false positives.

So it's definitely something to do with the altered configuration of your other security product.