Procguard identified as trojan by Avast

Discussion in 'ProcessGuard' started by djg05, Aug 31, 2006.

Thread Status:
Not open for further replies.
  1. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Anyone else having this problem?

    Switched on both computers this morning and Avast flagged up ProcGuard.exe as a "Win32Hupigon" trojan. Looked at the Avast forum and they seem to think it is a false positive.

    Any opinions please.
     
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Yes it is a false positive as told by Avast virus expert Igor.

    You can find more in this thread started by me, but I am almost sure you have already.
    http://forum.avast.com/index.php?topic=23215.0

    It is very upsetting, and it is only a GUI, so it makes me wonder if there really is some bad stuff in PG?
    Igor of course had to say those words he said, but why did a graphical user interface from what I think is a reputable company get flagged as a trojan? What is there in the user interface?
     
    Last edited: Aug 31, 2006
  3. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    The current version might have a few bugs, but it doesn't deserve that...

    These things happen because the anti-virus companies need to use something as a signature, and sometimes other legitimate programs just happen to have that sequence of bytes in the same (or similar enough) place. Sometimes a "weak" signature is used, and that can lead to quite a few programs being unintentionally flagged.

    Some companies offer an MD5 hash (or better) on the page where you download the software, and that allows you to at least verify that the installation program you have is the same as the one the authors supplied to you. Although in this case you would have wanted hashes of each of the installed binaries, and that is not particularly common practice.

    In some ways a false positive is good for you every now and again, because it makes you review your security and backup policy in those few moments while you start thinking about the possible damage that might have happened.
     
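The two points gottadoit makes above (a "weak" signature firing on a legitimate file that merely shares a common byte sequence, and a published hash as the way to tell an untouched binary from a tampered one) can be shown in a few lines. The following is an added example, not code from this thread, from Avast or from DiamondCS. The sample "files", the two signatures and the vendor manifest are all constructed for the demo; the signature bytes are an ordinary x86 function prologue plus made-up filler, not real Hupigon detection data.

```python
import hashlib

# Constructed sample "files" for the demo; neither is a real binary.
# A common x86 function prologue (push ebp; mov ebp,esp; sub esp,imm8)
# appears in almost every compiled program, so a detection built only
# from those bytes is a "weak" signature in the sense used above.
PROLOGUE = bytes.fromhex("558bec83ec")
DISTINCTIVE = bytes.fromhex("deadbeef0badc0de")   # stands in for malware-specific code

LEGIT_GUI = b"MZ" + b"\x00" * 62 + PROLOGUE + b"\x10" + b"ProcessGuard GUI strings\0" + b"\x00" * 16
MALWARE = b"MZ" + b"\x00" * 62 + PROLOGUE + b"\x40" + DISTINCTIVE + b"\x00" * 16

# Two hypothetical signatures for the same family (not Avast's, not real
# Hupigon bytes): the weak one is only the prologue, the strong one adds
# bytes that the legitimate program does not share.
SIGNATURES = {
    "weak": PROLOGUE,
    "strong": PROLOGUE + b"\x40" + DISTINCTIVE,
}


def scan(data: bytes, signatures: dict) -> dict:
    """Return, for every signature, the offset of its first hit or None."""
    hits = {}
    for name, sig in signatures.items():
        off = data.find(sig)
        hits[name] = off if off != -1 else None
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical vendor manifest: one hash per *installed* binary, which is what
# gottadoit notes would have been needed here (an installer hash alone does
# not cover the files on disk after installation).
VENDOR_MANIFEST = {"procguard.exe": sha256_hex(LEGIT_GUI)}


def verify_against_manifest(installed: dict, manifest: dict) -> dict:
    """Compare on-disk bytes with the vendor's published hashes."""
    results = {}
    for name, data in installed.items():
        expected = manifest.get(name)
        if expected is None:
            results[name] = "not in manifest"
        elif sha256_hex(data) == expected:
            results[name] = "verified"
        else:
            results[name] = "MISMATCH"
    return results


def triage(name: str, data: bytes, signatures: dict, manifest: dict) -> str:
    """Decide what a signature hit means once the hash check is known."""
    hits = scan(data, signatures)
    status = verify_against_manifest({name: data}, manifest)[name]
    if not any(off is not None for off in hits.values()):
        return "clean"
    if status == "verified":
        return "likely false positive (signature hit, but bytes match vendor hash)"
    return "investigate (signature hit and no matching vendor hash)"


if __name__ == "__main__":
    print("legit:", scan(LEGIT_GUI, SIGNATURES))        # weak hits, strong does not
    print("malware:", scan(MALWARE, SIGNATURES))        # both hit
    print(triage("procguard.exe", LEGIT_GUI, SIGNATURES, VENDOR_MANIFEST))
    print(triage("procguard.exe", LEGIT_GUI + b"\x90", SIGNATURES, VENDOR_MANIFEST))
    print(triage("dropper.exe", MALWARE, SIGNATURES, VENDOR_MANIFEST))
```

The hash check only helps when the vendor publishes hashes for the installed binaries and you fetched them over a channel the attacker could not alter; a hash listed next to the download on the same compromised page proves nothing. It also says nothing about the installer being malicious in the first place, only that the bytes are the ones the vendor shipped.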
  4. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    This has left me with a problem on my other computer, where Avast dealt with the file and deleted it. PG of course is still running, but because on that one I have set it to auto-block new programs, it will not allow me to re-install it or remove it either. So I am stuck - help please.

    Just had an afterthought. Maybe I can copy Procguard from one computer to the other?
     
  5. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    I believe you can do it in safe mode.
     
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    You should set your AV to ask first before it does ANYTHING. Never have it set to automatically delete unless you like problems like this one. If it did automatically delete the PG file it should have made a copy of it and put that in backup/quarantine folder. Boot in Safe Mode and go fetch the missing file there.
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    PG GUI is simply a program. We have every right to pack such a program with a compressor to hide the code from thieves who would disassemble it and copy it. Copyright!

    AV programs analyse the entry point and decrypt runtime packers etc. to try to find malware. It's not actually that hard for an analyst to screw up and still be in the packer code when looking at a signature. Or a tool could be taking the signature and thinking it has emulated past all unpack code when it hasn't.

    In some cases, packer-specific types and packer PATCHES are alarming. This is something I wanted to use a long time ago; in the modern malware era it is mandatory. "Packed.Tibs" for example is not a malware, it's a new malware packed with a specific packer known to be used only by malware attackers.

    Actually it isn't even a packer. It's more like a package: code wrapped around a UPX file. Detect that packer or its characteristics and you can really stop malware and cause them to make new versions of their file modification tool. This has happened with TIBS in fact. The new code looks "doubled" over itself and much different, and would take longer to emulate. It's still the same thing, and very easy to trace through and stop after the UPX unpack.

    You either unpack it, detect the packer itself, or you MISS it.

    The point is, as attackers keep trying to hide malware in ways like this, false positives are probably even more likely than ever. Legitimate companies often protect their product with file packers.
     
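Gavin's description above (the engine emulates from the entry point, and a signature taken while still inside packer or stub code fires on every file that uses the same packer, legitimate or not) can be made concrete. The following is an added example, not DiamondCS's, Avast's or any AV vendor's code. It builds two constructed, non-loadable PE32 images, one laid out like ordinary compiler output and one laid out like a UPX-packed file, parses the section table and AddressOfEntryPoint, and scores the indicators an unpacker front end looks at before trusting a byte signature: entry point inside a known packer section, a writable and executable entry section, high entropy in the entry section, and a section with no raw data that serves as the unpack destination. The packer section names, the weights and the 7.0 entropy threshold are this example's assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

OPT_HDR_SIZE = 224                 # PE32 optional header
SECTION_HDR_SIZE = 40
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names a few well-known packers leave behind (illustrative, not exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}


def build_pe(entry_rva, sections):
    """Assemble a minimal PE32 image from (name, raw, rva, vsize, characteristics).
    Constructed for this demo: enough for a header parser, not a loadable executable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    hdr_end = e_lfanew + 4 + 20 + OPT_HDR_SIZE + SECTION_HDR_SIZE * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF             # raw data starts on a 512-byte boundary
    table, body = bytearray(), bytearray()
    for name, raw, rva, vsize, chars in sections:
        ptr = raw_ptr + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, rva, len(raw), ptr, 0, 0, 0, 0, chars)
        body += raw
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image + b"\0" * (raw_ptr - len(image)) + bytes(body)


def parse_sections(image):
    """Return (AddressOfEntryPoint, [section dicts]) read from the PE headers."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", image, opt + 16)
    secs = []
    for i in range(nsec):
        off = opt + opt_size + i * SECTION_HDR_SIZE
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        chars, = struct.unpack_from("<I", image, off + 36)
        secs.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize, "rva": rva,
                     "raw": image[rawptr:rawptr + rawsize] if rawsize else b"", "chars": chars})
    return entry_rva, secs


def entropy(data):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def assess(image):
    """Score the entry-point section the way an unpacker front end would before
    trusting any byte signature taken from it. Weights are this demo's choice."""
    entry_rva, secs = parse_sections(image)
    entry_sec = next((s for s in secs if s["rva"] <= entry_rva < s["rva"] + max(s["vsize"], len(s["raw"]))), None)
    findings, score = [], 0
    if entry_sec is None:
        findings.append("entry point outside every section"); score += 2
    else:
        if entry_sec["name"] in PACKER_SECTION_NAMES:
            findings.append(f"entry point in known packer section {entry_sec['name']}"); score += 2
        if entry_sec["chars"] & IMAGE_SCN_MEM_WRITE and entry_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry section is writable and executable"); score += 1
        ent = entropy(entry_sec["raw"])
        if ent > 7.0:
            findings.append(f"entry section entropy {ent:.2f} (compressed/encrypted code)"); score += 2
    # A section with no raw data but a large virtual size is where a stub unpacks to,
    # but an ordinary .bss looks identical, so on its own this is worth little.
    if any(s["vsize"] and not s["raw"] for s in secs):
        findings.append("section with no raw data but non-zero virtual size"); score += 1
    return {"entry_section": entry_sec["name"] if entry_sec else None,
            "score": score, "packed": score >= 2, "findings": findings}


# Constructed samples. PLAIN_PE mimics unpacked compiler output (code in .text, a .bss
# with no raw data); UPX_LIKE_PE mimics UPX's layout: an empty UPX0 as the unpack
# destination and the entry point inside a high-entropy, RWX UPX1 (SHAKE output stands in
# for the compressed payload so the sample is deterministic).
PLAIN_PE = build_pe(0x1000, [
    (".text", bytes.fromhex("558bec83ec10") * 400, 0x1000, 0x1000, 0x60000020),
    (".data", b"ProcessGuard GUI\0" * 50, 0x2000, 0x1000, 0xC0000040),
    (".bss", b"", 0x3000, 0x1000, 0xC0000080),
])
UPX_LIKE_PE = build_pe(0x11040, [
    ("UPX0", b"", 0x1000, 0x10000, 0xE0000080),
    ("UPX1", hashlib.shake_256(b"procguard-demo").digest(4096), 0x11000, 0x1000, 0xE0000040),
    (".rsrc", b"\0" * 512, 0x12000, 0x1000, 0xC0000040),
])
```

Two things to take from running `assess` on both images: the .bss in the plain sample trips the "no raw data" indicator on its own, which is why a single indicator is weighted rather than treated as a verdict; and a positive result means "packed", not "malicious". That is exactly Gavin's point: a legitimate vendor's GUI and a trojan can share the same packer layout, and a signature lifted from the stub or taken before emulation has left it matches both.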
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    A more related malware to cite is the picture04.pif etc. files showing up; many are simply detecting them as "PECOMPACT".

    PECOMPACT a virus? Since when? :)

    (It's an IRCBOT)
     
  9. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Thanks Gavin. I could not understand even half of what you told, but I have my trust in PG back.
    These things happen. I hope, djg05, you are more careful next time and do not delete the false positive, whatever it is then.
    I can sure understand your troubles; this is not some smartass posting like that negeltu in the Avast forum.
     
  10. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks

    That was the simple way back. Just re-installed it and all seems fine.
     