You are here

AV taking over

13 posts / 0 new
Last post
emesma
Offline
Last seen: 12 years 6 months ago
Joined: 2006-09-05 17:18
AV taking over

Help Wanted!!

My AV (eTrust) is detecting Win32/FakeAv.CX in many of my applications. I tried to download again WindirStat for example and the AV catches it and takes it to the quarantine folder. Some of the applications are GIMP, KEEPASS, GNUCASH, NOTEPAD++ but Firefox, 7-zip.

Does someone else have this problem too?

What can I do?

Emilio E.

Laylah
Offline
Last seen: 6 months 2 weeks ago
Joined: 2007-01-17 12:20
FakeAv.cx too

Hi Emilio,

Same antivirus, same problem, same country and creepy enough, around the same time. Deleted Firefox, BonkEnc, ClamWin and Pidgin.

Hope we have an answer soon enough.

emesma
Offline
Last seen: 12 years 6 months ago
Joined: 2006-09-05 17:18
Exe to Run Deleted

I notice that the only EXE that was deleted is the applet used to run the main application. I am running GIMP directly from its folder "GIMPPortable\App\gimp\bin".

As the files were not send to the quarantine folder I can't recover them. It says the files were cured but it in fact deleted them.

Emilio E.

Simeon
Simeon's picture
Offline
Last seen: 9 years 5 months ago
DeveloperTranslator
Joined: 2006-09-25 15:15
reinstall

You should never run the Application directly!
Because if you do, you are not using Launcher/Wrapper and without that, the Application isn't portable and will leave things behind.

Most likely, your Av program reported a false positive. To be sure its best to use an Online virus scanner and check the file.

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate

emesma
Offline
Last seen: 12 years 6 months ago
Joined: 2006-09-05 17:18
Reinstall

Thanks for making me aware of that. But I am desperate because I have work to do.

I'll have to reinstall when I have some time free.

John T. Haller
John T. Haller's picture
Online
Last seen: 7 min 25 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Contact

You'll need to contact your antivirus support to get them to fix their definitions file. This is what happens when they send bad definitions down the wire (and another reason why no antivirus should ever be set to automatically delete stuff).

Sometimes, the impossible can become possible, if you're awesome!

emesma
Offline
Last seen: 12 years 6 months ago
Joined: 2006-09-05 17:18
But not all PortableApps

Weird thing is that not all of the portable apps are being (mis)detected with virus.

For now, I have added PortableApps directory in the excluded ones.

draxxon
Offline
Last seen: 15 years 7 months ago
Joined: 2008-08-20 13:04
Same Problem, Different AV

Well, I just hit the same problem. I'm using the CA Security Suite, and it deleted the EXE for Gimp, ClamWin BonkEnc, OpenOffice, and PuTTY.

It also deleted the StartPortableApps.exe file...

Kaboom
Offline
Last seen: 15 years 7 months ago
Joined: 2008-08-20 15:28
I think it's an eTrust thing

I posted this in the portable apps thread a little while ago..

I have been running portable apps on my USB drive for some time now. This afternoon I tried to plug in the drive and my antivirus software popped up saying the followning:

The Win32/FakeAv.CX was detected in F:\...STARTPORTAB.... Machine: FM_, User:_. File Status: File was cured; system cure performed.

It removed startportableapps.exe from my USB drive. I went to the PA website and tried to download it again and once again got the following message once the installer started to download:

The Win32/FakeAv.CX was detected in C:\...PORTABLEAPPS.COM_SUITE.... Machine: FM_, User:_. File Status: Cure failed, file restored.

I'm using eTrust antivirus ver: Version: 7.0.139 with Vet engine to version 31.6.6037 updated on 08/20/2008.

Has anyone else run into this FakeAv.CX false positive before?
This is on a corporate machine so I don't know if I should be contacting CA about the issue or not.

Thanks.

Unemployed Stor...
Offline
Last seen: 11 years 7 months ago
Joined: 2007-12-18 22:35
If its a corporate machine

If its a corporate machine then you should contact your company's IT department first. If they ask for prove that its legit show them the results from a online scanner like Virus Total or Jotti It would also be helpful to ask them to contact eTrust to get the error in there definitions fixed.

Kaboom
Offline
Last seen: 15 years 7 months ago
Joined: 2008-08-20 15:28
It's not as easy as that. The

It's not as easy as that. The reason I'm running my software on a USB stick is because my personal stuff isn't authorized on the company machine. I have a hard time getting them to allow me to use the stuff I need much less anything personal. If I tell them that their anti-virus is deleting my personal software they are going to give me grief.
I will just ride it out. I see that eTrust has updated the defs again today. let me see what that brings.

emesma
Offline
Last seen: 12 years 6 months ago
Joined: 2006-09-05 17:18
Add it to the exclude paths

I am using a corporate PC too and I had to add my whole usb drive to the exclude path in order to avoid the AV to check in there. I added in fact two paths, the drive where I store all my personal stuff -here are stored the installable files- and the path where I run the applications from.

As I am working offline now because we lost the VPN connection to the corporation I am not that sure that this configuration will be stay untouched but you can try it out.

Kaboom
Offline
Last seen: 15 years 7 months ago
Joined: 2008-08-20 15:28
Appears to be fixed now

This morning's update to Vet engine version 31.6.6039 has stopped the false positives. I was able to download the whole package and reinstall the application without further issue. Everything appears to be normal again.

Thanks for everyone's input.

Log in or register to post comments