Comodo & mchlnjDrv.sys

Hi,
Couple of times I am now being alerted by SystemSafety Monitor that my Comodo Firewall is trying to load the driver "mchlnjDrv.sys". I have searched the forum and there is a question asking if it was mchlnjDrv or mchinjDrv (as mchinjDrv is OK to accept as it uses a hooking technique and as long as it is from an approved software).

But on searching Google, the file in question is being referred to a Trojan, but my TH scan does not confirm this. I refer to the post:
http://www.doctus.net/showthread.php?p=80680

Anyway my screenshot is attached. Can anyone throw some light on this.... I will also try posting this on Comodo's forum.

 

Hi all,

I got a good and timely response from the folks at Comodo. Please see below link:

http://forums.comodo.com/index.php/topic,3286.msg24466.html#msg24466


Egemen (the coder of Comodo Firewall) has said that it is a safe file and recommends that it be enabled. His quotes:

"mchlnjDrv.sys is the part of the api hooking SDK CPF uses to inject its DLL appguard.dll to other applications.

It is loaded and extracted on demand by cmdagent.exe. So it is a safe driver.

It is used by many other security software which perform user space api hooking too. So you may also see it reported with other programs."

 

It's MadCodeHook which is written by Madshi - see the MchInjDrv thread for more details. While it is used by some security software, malware writers have also used it in rootkits.

However user-mode hooking is less secure than kernel-mode since it is easier to bypass. The only benefit it offers is that it works with Win9x/ME systems while kernel mode requires Win2K/XP or later.