Procguard identified as trojan by Avast

Discussion in 'ProcessGuard' started by djg05, Aug 31, 2006.

Thread Status:
Not open for further replies.
  1. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Anyone else having this problem?

    Switched on both comuters this morning and Avast flagged up ProcGuard.exe as "Win32Hupigon" trojan. Look at the Avast forum and they seem to think it is a false positive.

    Any opinions please.
     
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Yes it is a false positive as told by Avast virus expert Igor.

    You can find more in this thread started by me, but i am almost sure you have already.
    http://forum.avast.com/index.php?topic=23215.0

    It is very upsetting and it is only a GUI, so makes me wonder if really some bad stuff in PG?
    Igor of course had to say those words he said, but why did a graphic user interface from a reputable company I think got flagged as a trojan? What is there in the user interface?
     
    Last edited: Aug 31, 2006
  3. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    The current version might have a few bugs but it doesn't deserve that ....

    These things happen because the anti-virus companies need to use something as a signature and sometimes other legitimate programs just happen to have that sequence of bytes in the same (or similar enough place). Sometimes a "weak" signature is used and that can lead to quite a few programs being unintentionally flagged

    Some companies offer an MD5 hash (or better) on the page where you download the software and that allows you to at least verify that the installation program you have is the same as the authors supplied to you. Although in this case you would have wanted hashes of each of the installed binaries and that is not particularly common practice

    In some ways a false positive is good for you every now and again because it makes you review your security and backup policy in those few moments whilst you start thinking about the possible damage that might have happened
     
  4. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    This has left me with a problem on my other computer where Avast dealt with the file and deleted it. PG of course is still running, but because on that one I have set it to auto block new programs it will not allow me to re-install it or remove it either. So I am stuck - help please.

    Just had an afterthougth. Maybe I can copy Procguard from one computer to the other?
     
  5. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I believe you can do it in safe mode.
     
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    You should set your AV to ask first before it does ANYTHING. Never have it set to automatically delete unless you like problems like this one. If it did automatically delete the PG file it should have made a copy of it and put that in backup/quarantine folder. Boot in Safe Mode and go fetch the missing file there.
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    PG GUI is simply a program. We have every right to pack such a program with a compressor to hide the code from thieves who would disassemble it and copy it. Copyright !

    AV programs analyse the entrypoint and decrypt runtime packers etc to try to find malware. Its not actually that hard for an analyst to screw up and still be in the packer code when looking at a signature. Or a tool could be taking the signature and thinking it has emulated past all unpack code when it hasn't

    In some cases, packer specific types and packer PATCHES are alarming. This is something I wanted to use a long time ago, in the modern malware era it is mandatory. "Packed.Tibs" for example is not a malware, its a new malware packed with a specific packer known to be used only by malware attackers.

    Actually it isn't even a packer. Its more like a package, its code wrapped around a UPX file. Detect that packer or characteristics and you can really stop malware and cause them to make new versions of their file modification tool. This has happened with TIBS in fact. The new code looks "doubled" over itself and much different, would take longer to emulate. Its still the same thing, and very easy to trace through and stop after the UPX unpack.

    You either unpack it, detect the packer itself or you MISS it.

    The point is, as attackers keep trying to hide malware in ways like this, false positives are probably even more likely than ever. Legitimate companies often protect their product with file packers.
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    A more related malware to site is the picture04.pif etc files showing up, many are simply detecting them as "PECOMPACT"

    PECOMPACT a virus ? since when ? :)

    (Its an IRCBOT)
     
  9. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Thanks Gavin. I could not understand even a half what you told, but I have my trust in PG back.
    These things happen, hope djg05, you are more carefull next time to not delete the false positive, what ever it is then.
    I can sure understand your troubles, this is not some smartass posting like that negeltu in avast forum.
     
  10. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Thanks

    That was the simple way back. Just re installed it and all seems fine.
     
Thread Status:
Not open for further replies.