nProtect Game Guard "Rootkit"

Discussion in 'Prevx Releases' started by STV0726, May 30, 2012.

Thread Status:
Not open for further replies.
  1. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    This is not really malware, I know. It is one of the "legitimate" rootkits and it is installed (according to Wikipedia) by many MMORPGs. In my case, it has been on my computer for almost a year since I installed Alliance of Valiant Arms, a free MMORPG that Steam was offering. I have long since uninstalled the game, but apparently this file remained.

    Webroot has not detected it. Probably understandable.

    HitmanPro has also not detected it, until now. I don't know if this is due to just a database change/update or if this is because they started using BitDefender (which is a very good thing btw)!

    I no longer use this game and I probably won't ever because I didn't like it and it was buggy; nevertheless, it was legit.

    I'm wondering now if I should activate my HMP license and have it clear this "rootkit" or manually tell Webroot to remove this file, OR do nothing since it is really there for anti-cheat purposes and it may get installed again if I ever install another MMORPG that uses it.

    Just some quick details courtesy of HMP's description:

    File/detection name is GameMon.des
    It installs in C:/Windows/SysWOW64
    It's 3.8 MB
    Entropy is 7.9
    Product is nProtect Game Monitor
    Vendor is INCA Internet Co., Ltd.
    Service name is npggsvc

    Sorry to beat around the bush HitManPro, but if my paid solution has a good manual cleanup feature (which Webroot does), I'm apt to use that instead of buying your license. :p

    Joe, if I were to use manual cleanup for this, I assume I can simply point it to that file.
     
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    If you're able to provide the MD5 hash for that file, it would help the team at Webroot to look it up much quicker.
     
  3. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Honestly, I wouldn't touch it. Removing legitimate kernel drivers can have detrimental effects on the system. Especially since the .des file is a support data file and not the PE itself. WSA will not flag valid versions of nProtect. It can see them just fine, but it knows they are safe. I'd call it an FP by HMP.
     
  4. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I just honestly wasn't sure if it was more of a false positive or one of those "things paranoid people want off their computer" because it is technically a "rootkit" just a non-mal one.o_O
     
  5. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    It's the DIYD^2 dilemma of security software.

    HMP "has to" detect everything that can be called a rootkit otherwise it's "not doing its job". This is despite the fact that some of these "rootkits" are actually a good thing or not-malicious. Consider, for example, that if you had a game that relied on nProtect, the game would not run or, in the event of call-in, actually blacklist your account if HMP removed nP. But if HMP doesn't detect it, people will scream that it missed it.
     
  6. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Right...

    ...but what does the DIYD^2 mean? :eek:
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
  8. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
  9. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    ACTUALLY...

    This really should NOT be one of those DIYD^2 situations because HMP cleverly has an "Early Warning Scoring" scan mode for advanced/expert users who want this sort of detection.

    The problem, however, is that it was detecting it WITHOUT that mode on.
     
Thread Status:
Not open for further replies.