Avira AntiVir a virus itself?

Discussion in 'other anti-virus software' started by Doctor Watson, Jan 9, 2008.

Thread Status:
Not open for further replies.
  1. Doctor Watson

    Doctor Watson Registered Member

    Joined:
    Jan 9, 2008
    Posts:
    7
    First, let me say that I have been using AntiVir for a long time now and that I have always been satisfied with it, but what I have found now gives me the creeps.
    I have just installed ProcessGuard 3 to monitor what actions programs execute on my computer. PG now reveals that Avira AntiVir update.exe modifies or tries to modify a large number of programs. I have sent a direct email to Avira, asking them to explain what exactly is going on before making this public, but they do not answer.
    Perhaps update.exe has been infected itself, but if not, does somebody know why AntiVir has been tampering with almost every exe file on my computer? Needless to say, I have shut off update.exe for the time being.
    The attached screenshot speaks for itself, or not?
     
    Last edited: Jan 9, 2008
  2. smustaca

    smustaca AV Expert

    Joined:
    Sep 5, 2006
    Posts:
    21
    Hi,

    Update.exe is the application which updates the entire AntiVir product.
    It doesn't touch anything else except Antivir's own files.
    If the file is modified, the product will recognize this and will not even try to execute it.

    However, if you manually execute the program when it is infected and the malware is unknown to Guard, you're on your own.

    Could you be so kind as to send me, offline, the following information about the update.exe file you have?
    - version information
    - size
    - md5
    I'll check it internally.

    Thanks
    Sorin
     
  3. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    That's strange. I take it you set PG to not allow update.exe to modify? I had it set to allow it to modify but I changed it and Avira just updated. PG did not pop up any blocking of attempts to modify any files.
     
  4. computer geek

    computer geek Registered Member

    Joined:
    Oct 6, 2007
    Posts:
    776
    Using common sense, do you really think that a world-leading ANTI-VIRUS company would create a viral program? Would you not think that it would be a huge scandal and that professionals who have tested it would have found out?
    Mele, I agree very much with your motto.
     
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I knew Stefan was good, didn't know he was that good. ;)
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Nice service.. hehehe. Not unusual nowadays. :D :D :D

    If you experience a multi-mod on nearly all processes, it is probably due to an injector DLL; it could be a hook from Avira/AntiRootkit itself or from malware/a rootkit.

    Besides: Update.exe is a common target for malware (Zlob?)
     
  7. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    100% bs
     
  8. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
    +1... agree
     
  9. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Doesn't Avira clearly state that support is only through the forum?
     
  10. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    According to Comodo 3, update.exe accesses the memory of the processes that are running. I suppose PG is alerting on the same thing.
    I think it's collecting some information about AntiVir's processes, OS, etc. and does that in a way that seems to be accessing all running programs.
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Maybe it is PG that is the virus. :p
     
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Crazy statement but not unlikely.

    Gmer Autostart =>
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
    @amd_dc_optC:\Programme\AMD\Dual-Core Optimizer\amd_dc_opt.exe = C:\Programme\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    @!1_pgaccount"C:\Programme\ProcessGuard\pgaccount.exe" o_Oo_O ? ? ? o_O? o_O? = "C:\Programme\ProcessGuard\pgaccount.exe" o_Oo_O ? ? ? o_O? o_O?

    Procguard.exe is the only process that has this strange appearance in rkdetector2:
    http://i1.tinypic.com/6luyfrr.png

    This is the most interesting mystery of procguard.exe <unknown>
    http://i4.tinypic.com/6oq0fbt.png
     
    Last edited: Jan 9, 2008
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Well, we know this isn't true about Avira. Mele has dissected it from head to toe. :rolleyes:
     
  14. Doctor Watson

    Doctor Watson Registered Member

    Joined:
    Jan 9, 2008
    Posts:
    7
    Thanks for all the comments, and let's summarize:

    - Indeed, I must say that it would surprise me if AntiVir itself would tamper with any files but its own, so it could be that update.exe - along with many other executables - has been infected itself on my computer. That could only be achieved by a virus that is more "clever" than AntiVir.

    - Or it could be that Process Guard misinterprets what update.exe is doing. However, it has worked faultlessly for every other program, so that option is very unlikely.

    - More strange: I run a very tough online scanning service - Hitman Pro - on a regular basis. It runs several top virus, spyware and malware detection programs, and none of those have reported an infection of either update.exe or all those programs it would have altered.

    - Sorin (or anyone who wants to have a go at it): I have uploaded both the screenshot and AntiVir's update.exe. Please find them here: http://m-v-p.net/av
     
  15. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I downloaded your update.exe file and compared it to mine. Version, size and MD5 are the same as mine.

    I don't see any of this activity that you are describing.
     
  16. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    It's actually a bug. The updater is looking for a certain process and uses the wrong access rights for checking the process list (complete access including writing, where only reading is needed). This only happens when specific parts of AntiVir are updated. The bug will be fixed with the next major release (Q1).
    Please note that the updater only opens the processes but does not write into them (NO injection!).
     
  17. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Hmm....I guess this happens only in PG 3.4 as I don't see any of this in PG 3.15. PG 3.4 was buggy and I long ago went back to 3.15.
     
  18. Doctor Watson

    Doctor Watson Registered Member

    Joined:
    Jan 9, 2008
    Posts:
    7
    There is one test left, and that is that one of you folks install Process Guard and see what happens when AntiVir runs.
    Meanwhile, I have "dared" to run avscan.exe, and that one as well is producing modification attempts, as you can see below.
    I am not accusing Avira or defending Process Guard in the first place, but it remains a mystery why only some AntiVir components produce those "attacks" and not any other single program that I run.
    I am not a specialist or guru on these matters, but I can only confirm the results I am getting. And sorry to say so, but until proven otherwise, AntiVir stays under suspicion (NO! I'm not a lawyer, lol), although I wish to continue to use it.
    I also want to inform you that some guys at Avira are looking into this matter as well. Now, if I could get DiamondCS to do the same ….
    There's something fishy going on, and I think it's in the interest of everyone involved that whatever it is gets explained and cleared up.

    @ Mele20: Do you mean you have installed Process Guard and it doesn't give any alerts on your computer? If you haven't and don't know where it comes from: http://www.diamondcs.com.au/processguard/

    PS: Well, I tried to attach the avscan screenshot, but it failed to upload. You can have a look at it here:
    http://m-v-p.net/av/AVscan.jpg
     
    Last edited: Jan 10, 2008
  19. Doctor Watson

    Doctor Watson Registered Member

    Joined:
    Jan 9, 2008
    Posts:
    7
    Nice to see how things can evolve so quickly.
    Stefan, I had not noticed your reply before posting the item above. So it is an AntiVir bug, but nothing to be afraid of? Perfectly safe to grant all AntiVir components full rights? You swear by whatever you normally swear by? :D

    Greetings

    PS: But if I return to the origin of the problem, I would quote some other verses:
    "There must be some way out of here," said the joker to the thief,
    "There's too much confusion, I can't get no relief."
    So there was a way out of there, and I can find relief! Even all along the watchtower....
     
    Last edited: Jan 10, 2008
  20. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I have been using ProcessGuard FULL version for years. It is more important to me than any AV program. I have NEVER seen any of the stuff you posted. BUT I am using PG version 3.15 not PG 3.4 which was the latest version when Wayne disappeared. 3.4 was buggy. I beta tested it and gave Wayne feedback and some stuff was fixed because of my feedback. I never was able to successfully use 3.4 and then Wayne disappeared and the program has not been kept up since around Sept 2006.

    For your information, the current DiamondCS website is considered highly suspect. Wayne is GONE. We don't know who bought the business but PG is NOT being developed and there is no support for it. I think the website gives you 3.15 if I recall the thread about it here correctly...not 3.4. I hope you didn't buy it. The site is a scam/a buyout with no hope of further development of PG, no support, etc. as far as we here at Wilders could make out when it suddenly appeared. I hope you just downloaded the free version.

    For all I know, you got some scam version of PG that is causing your problem. On the other hand, how did you configure PG? What permissions did you give to PG for update.exe?

    Here's my alert page and you can see nothing is amiss.

    https://www.wilderssecurity.com/showthread.php?t=185994&highlight=Processguard
     
  21. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    You are aware of the history of DiamondCS and PG are you not? You do know that official forums for DiamondCS were here at Wilders? You do know to click on Archives here at the bottom of the main page of this site and you will see the Archived DiamondCS support forums? You do know to be sure and read Lowwatermark's sad announcement on Christmas eve 2006 regarding DiamondCS status here? If you are not aware of the history, please acquaint yourself. It's important that you do so.
     
  22. Doctor Watson

    Doctor Watson Registered Member

    Joined:
    Jan 9, 2008
    Posts:
    7
    @ Mele20: I'm sorry to hear that information on Process Guard, as it seems a great program. I have the v3.150 free version, and it suits my needs. I just recently installed it, and up to now there have been no problems with its functioning. Thanks, however, for the advice not to buy the full version then. I hope someone keeps this program alive.

    But have you read Stefan's reply above? THERE IS an AntiVir bug; it's not a PG thing. I have PG configured in the Protection section to protect all programs initially from being modified. It is clear then that PG reacts when AntiVir seemingly wants to modify every single exe it encounters. Apparently it doesn't, but only wants to read them - how else could it detect an embedded virus? Ehh … this is coming from a simple user, so I hope what I say is right.
     
  23. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    What PG reports here is the attempt of update.exe to open every process with full rights - including writing access. But the full access is not needed at all (= the bug), as update.exe does not modify other tasks.

    So it's ok to remove process modify rights in the PG protection list for update.exe.
     
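    Stefan's two posts (#16 and #23) describe the updater asking for full process rights when it only needs to read the process list, and ProcessGuard flagging the write-capable handle as a "modify" attempt. The following PowerShell, added here and not Avira's or ProcessGuard's code, shows both patterns side by side: a `Test-ModifyAccess` check of the kind a HIPS applies to a requested access mask, and a `Find-ProcessByName` helper that opens a handle with the least privilege the task needs. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows Vista or later (for PROCESS_QUERY_LIMITED_INFORMATION); the function names and the `explorer` target used in the demo are mine.

```powershell
# Added example (not Avira's or ProcessGuard's code); assumes Windows Vista or later.
$signature = @'
using System;
using System.Runtime.InteropServices;
public static class Win32Proc {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $signature

# Documented access masks from WinNT.h.
$PROCESS_ALL_ACCESS                = 0x1F0FFF  # full rights: what PG reported update.exe requesting
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000    # enough to confirm a process exists and read its name
$MODIFY_RIGHTS = 0x0002 -bor 0x0008 -bor 0x0020  # CREATE_THREAD | VM_OPERATION | VM_WRITE

function Test-ModifyAccess {
    # The check a HIPS such as ProcessGuard applies: does the requested mask
    # include any right that would allow writing into or injecting into the target?
    param([Parameter(Mandatory)] [uint32] $DesiredAccess)
    return (($DesiredAccess -band $MODIFY_RIGHTS) -ne 0)
}

function Find-ProcessByName {
    # Locate a running process by image name using the least privilege the task
    # needs. Returns the PID, or $null when no such process is running.
    param(
        [Parameter(Mandatory)] [string] $ImageName,
        [uint32] $DesiredAccess = $PROCESS_QUERY_LIMITED_INFORMATION
    )
    if (Test-ModifyAccess $DesiredAccess) {
        Write-Warning ("Requested mask 0x{0:X} carries modify rights; a HIPS will flag this" -f $DesiredAccess)
    }
    foreach ($p in Get-Process -Name $ImageName -ErrorAction SilentlyContinue) {
        $h = [Win32Proc]::OpenProcess($DesiredAccess, $false, [uint32]$p.Id)
        if ($h -eq [IntPtr]::Zero) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning ("OpenProcess on PID {0} failed with Win32 error {1}" -f $p.Id, $err)
            continue
        }
        [void][Win32Proc]::CloseHandle($h)
        return $p.Id
    }
    return $null
}

Find-ProcessByName -ImageName 'explorer'                                     # least-privilege open
Find-ProcessByName -ImageName 'explorer' -DesiredAccess $PROCESS_ALL_ACCESS  # the pattern PG flagged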
  24. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    So.... problems using KIS. Or you never use it? :cool: :p
    First: I totally disagree with that. :isay:
    Second: I didn't realize this is an (anti)advertising forum. :blink:
    How about someone having a motto like "Don't Install or Use Anything with Eset, Avira .....etc"? Would that be fair?
    Moderators o_Oo_O?
     
  25. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784

    OK, you have used Avira for a long time, so you know it's not a virus.
    You just installed ProcessGuard and now you think something is wrong.
    Maybe. But I would look at where Diamond CS has been and where it has gone.
    I had PG in the past and was very happy with it.
    Given where the company has gone, I would not download anything from their website.
    I don't know who they are anymore and don't trust them myself.
    Shame, because DCS and PG looked like one of the leaders in their field at the time.
     