Comodo & mchlnjDrv.sys

Discussion in 'other firewalls' started by m8tobe, Oct 14, 2006.

Thread Status:
Not open for further replies.
  1. m8tobe

    m8tobe Registered Member

    Joined:
    Jul 29, 2006
    Posts:
    5
    Hi,
    A couple of times now I have been alerted by SystemSafety Monitor that my Comodo Firewall is trying to load the driver "mchlnjDrv.sys". I have searched the forum and there is a question asking whether it was mchlnjDrv or mchinjDrv (mchinjDrv is OK to accept, as it uses a hooking technique, as long as it is from approved software).

    But on searching Google, the file in question is being referred to as a Trojan, though my TH scan does not confirm this. I refer to the post:
    http://www.doctus.net/showthread.php?p=80680

    Anyway my screenshot is attached. Can anyone throw some light on this.... I will also try posting this on Comodo's forum.

    Attached Files:

  2. m8tobe

    m8tobe Registered Member

    Joined:
    Jul 29, 2006
    Posts:
    5
    Hi all,

    I got a good and timely response from the folks at Comodo. Please see below link:

    http://forums.comodo.com/index.php/topic,3286.msg24466.html#msg24466


    Egemen (the coder of Comodo Firewall) has said that it is a safe file and recommends that it be enabled. His quotes:

    "mchlnjDrv.sys is the part of the api hooking SDK CPF uses to inject its DLL appguard.dll to other applications.

    It is loaded and extracted on demand by cmdagent.exe. So it is a safe driver.

    It is used by many other security software which perform user space api hooking too. So you may also see it reported with other programs."
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It's MadCodeHook, which is written by Madshi - see the MchInjDrv thread for more details. While it is used by some security software, malware writers have also used it in rootkits.

    However, user-mode hooking is less secure than kernel-mode since it is easier to bypass. The only benefit it offers is that it works with Win9x/ME systems, while kernel mode requires Win2K/XP or later.
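    The triage check the first post was after, added here as an example and not code from the thread or from Comodo: it warns when the reported driver name differs from the known madCodeHook name only by the i/l lookalike, then lists any file with that name on disk with its SHA-256 and Authenticode signer, and checks whether a driver module of that name is currently loaded. It assumes Windows with PowerShell 5.1 or later; the search roots and the known-name list are assumptions, and the per-file fields are whatever the cmdlets return.

```powershell
# Added example, not from the thread. Triage a driver name reported by a HIPS alert.
param(
    [string]$ReportedName = 'mchlnjDrv.sys'   # name exactly as it appeared in the alert
)

# The thread identifies mchinjDrv.sys as the madCodeHook driver; other entries are assumptions.
$KnownNames = @('mchinjDrv.sys')

# Lookalike names differ only by 'i' vs lowercase 'l'; compare after folding both to 'i'.
function Get-FoldedName([string]$Name) {
    return $Name.ToLowerInvariant().Replace('l', 'i')
}
$lookalike = $KnownNames | Where-Object {
    (Get-FoldedName $_) -eq (Get-FoldedName $ReportedName) -and $_ -ne $ReportedName
}
if ($lookalike) {
    Write-Warning "'$ReportedName' differs from '$lookalike' only by i/l; re-read the alert carefully."
}

# Where to look. The Comodo reply says the driver is extracted on demand by cmdagent.exe,
# so it may only exist transiently; an empty result here is not by itself suspicious.
$searchRoots = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32", $env:TEMP)
$files = Get-ChildItem -Path $searchRoots -Filter $ReportedName -File -Recurse -ErrorAction SilentlyContinue

foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $f.FullName
        SizeBytes = $f.Length
        Modified  = $f.LastWriteTime
        SHA256    = $hash
        SigStatus = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject # empty when unsigned
    }
}

# Is a driver module with that name loaded right now? driverquery is built into Windows.
$moduleName = $ReportedName -replace '\.sys$', ''
$loaded = driverquery /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Module Name' -eq $moduleName }
if ($loaded) {
    $loaded | Select-Object 'Module Name', 'Driver Type', 'State', 'Path'
} else {
    "No loaded driver module named '$moduleName'."
}
```

    Compare the reported SHA-256 and signer with the values published by the vendor you obtained the software from; a matching file name alone, as Paranoid2000 notes, says nothing about which product shipped it.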