(False positive) virus detection on megaglest.exe, AVG

[nig]

Some extraordinary intelligent virus-scanner might detect megaglest as virus.

This happened to me with http://www.avg.com/de-de/homepage .
The application detects (sometimes!) a danger of password-spying in megaglest by a modul called "identity protection". Megaglest seem to be dangerous because it looks for keyboard-events and send them over the internet.

I missed the warning-messages somehow especially running headless servers - and thats dangerous because some day AVG will decide, that this is a serious problem and will hide megaglest and some related objects like batchfiles and lnks without further notice. Its doing this unpredictable an well hidden on next reboot.

So, if you get strange issues of dissapearing megaglest.exe than have a look at your virus-protection.

Picture of the day:


Greets

[tomreyn]

Thanks for th eheads up. Please provide information on the build which triggered this warning.

Also, this is not a bug so I'll move this to the main forum.

[nig]

It seems that AVG is accumulating information of the behaviour of programs.

History of Detection:

Code: [Select]

"Erkennungsname";"Ergebnis";"Erkennungszeit";"Objekttyp";"Prozess"
"Unbekannt, D:\372.dev\megaglest.exe";"Gesichert";"20.01.2013, 10:02:53";"Datei oder Verzeichnis";""
"Unbekannt, D:\372.dev\megaglest.exe";"Gesichert";"22.01.2013, 11:55:28";"Datei oder Verzeichnis";""
"Unbekannt, D:\372dev\megaglest.exe";"Gesichert";"22.01.2013, 13:22:07";"Datei oder Verzeichnis";""
"Unbekannt, D:\372dev\megaglest.exe";"Gesichert";"23.01.2013, 00:02:15";"Datei oder Verzeichnis";""
"Unbekannt, D:\372dev\megaglest.exe";"Gesichert";"01.02.2013, 10:15:49";"Datei oder Verzeichnis";""
since even the releasecandidates of megaglest do not provide any information about its version in filename or comments in the code showed in windows so called "properties" its hard for me to decide which of the daily changing dev-releases I did run. Espacially as I missed the actual detection as a virus for weeks and was wondering how sometimes some file seem to dissappear. But I was not wondering tooo much because I am runng about 8 instances of megaglest in the house and think its possible to get confused managing the daily update of  the last new nightly build on different machines.

At last it was the relasecandidate 3.7.1.
megaglest v3.7.1 Compiled using: VC++: 1600 on: Nov 23 2012 00:38:33 platform: Windows endianness
: little
SVN: [Rev: 3948] - using STREFLOP [SSE] - [no-denormals]

which was busted. Mostly it were the dev-versions which were detected, propably because they were called by batch on my system.
The AVG is wide configurable to ignore positiv falses by the user. AVG is not telling too much about the methods of detections of course.

They suggest, the user shall report false positives to them so they will analyze the application and manage their next update.
I think its not worth the time to bother them with development versions.

But anyway, may be its a good idea to put an version info more easy accessable to the file somehow.

Greets

[tomreyn]

I just installed AVG AntiVirus Free 2013, v. 2013.0.2897, and updated its virus signature database to version 2639/6075 (Friday 01, 2013, 07:40 PM).

Then I ensures that "heuristics", "thorough scannnig" and "in the cloud verification" are active.

I scanned
C:\Program Files (x86)\MegaGlest\;C:\Users\user1\megaglest-svn\;
- which contains, amongst other, the 3.7.1 release and the latest snapshot build for Windows - and AVG did not detect anything suspicious.

Same for the VirusTotal scan of this latest snapshots' megaglest.exe

I have the following AVG modules activated:
* Computer
* Identity

The following modules are disabled:
* Web browsing
* E-Mails
* Firewall

The scanner reports no findings.

Can you verify that you run the latest/same version and your virus signature database is up to date (Help -> About AVG -> Product)?

Thanks!

[nig]

as I said - its not recognized by scanning, but by identity protection.
as I said, its acting unpredictable.
read this, to get an idea:

http://www.avg.com/de-de/faq.pnuid-faq_v3_avg_identity_protection

you have to play MG regular to be detected, not to scan for a virus. Yesterday AVG was rather busy:



May be there must be more things happen to be detected, as it is by alphatesting, as i did:

port80 or 443 connection open in browser simultaniously
replace an exe witn another version
call MG.exe by another programm
execute  MG.exe in an unusual location (D:)
and you have to do this often.

as you can see in the picture (click to enlarge) AVG detected cmd.exe as infected. and of course you can scan cmd.exe and there is no positiv! Its just the one who called the suspicious burglar, which is banned then.

it dissapeared right after playing and sometimes on next boot.

Greets

[tomreyn]

Wow, based on the screenshot you posted, this software is pretty harmful. An AV which outright deletes (or kills?) two legitimate copies of cmd.exe (at least I would hope they are) can surely be categorized this way. So I recommend against using AVG, or at least against using it's "ID theft protection" feature (whatever this feature has to do with ID theft is not clear to me).

Thanks for providing more information, though, I guess I didn't catch all the details when you told me yesterday in the game chat (and there are no logs there, so I couldn't review it later).