Virus? Behaveslike:trojan.hangup

Hello Marcia,

Please find this file:

C:\Program Files\PositScience\2_0\Neuroscience\LaunchPad.exe

After you find it (using Explorer or whatever file manager that you use), disable the BD Realtime Protection, put that file in a password-protected archive (the password should be the word infected) and re-enable the BD Realtime Protection. After that, attach the archive to your next post.

If, indeed, it's a false positive, BitDefender Virus Analysts will remove detection ASAP.

Take a look at this topic for details about how to create a password-protected archive: http://forum.bitdefender.com/index.php?showtopic=84

Notice: Please be careful not to open the file while BD is disabled because, in the event that it really is a virus, you won't be protected.

Cris.

If you don't want to reinstall it (thou you should, because I suppose you paid money for that software and you want to use it... so you want to know if it's infected or not), then you could attach the hole installation kit.

How large is it? If it is not very large, you can try to ZIP it and, if the total ZIP size is below 2 MB (which is the upload limit on this forum), then attach it. Other wise, I cannot see other alternative.

From the reported virus name, BehavesLike, I assume that the detection was made by heuristics, not by signature. Heuristic detection can cause False Positives, because it's made by analyzing what a file does (and the detection engine can be fooled to think that a file is dangerous, when in reality it's not).

One last alternative that comes to my mind is that you attach a link to download the installation kit (either from the official site, either you can upload an archived installation kit somewhere and post the link). Details here: http://forum.bitdefender.com/index.php?s=&...post&p=1223

Notice: Please don't directly post the link to any suspicious files. Instead, write the link in a TXT file and attach the TXT to your post

Cris.

I've been in touch with the PositScience people, and they suggest that I mail you the CD of their software. They say that there isn't a way to attach a link to the installation kit. They also say that the installation size is huge and would be well over your 2 mg limit when zipped.

This might be a problem. You can use an online file-sharing website (like RapidShare; other examples you can find in the link that I previously posted), but also those sites have upload limits (RapidShare has 100MB/file) and downloads limits (I'm not sure which are these limits, but they are pretty restrictive for free accounts).

The easiest solution would be to send us only that particular file. Couldn't PositScience send it to you, in a password-protected archive (so it won't be blocked by BitDefender)? I know this is a kinda big thing to ask, but we cannot do anything without that file.

The PositScience people also told me that a couple of their customer service personnel have BitDefender on their PCs and have not been able to install their own software, even when they turn BitDefender off.

I find this hard to believe. When BitDefender is disabled, it really is disabled and it won't block anything. (trust me, I even worked with real viruses and BD didn't react at all while it was disabled).

They are asking me to see the file that was marked as having a virus, and, as I already mentioned to you, I can't find it. They asked if it was quarantined, and I don't think it was. My BitDefender History says that it was "blocked" which doesn't sound like a quarantine. Was it? Do you have any idea where that file might be?

I assume that the file wasn't even written on your HDD, because BitDefender blocked it.

If the file would have been moved to quarantine, BD would have said that. "Blocked" means only that the access to that file was denied.

I very much want to install the PositScience software, and I don't see how that will be possible unless I can send you the CD and have you check it for viruses.

If the archived installation kit has a size below 100MB, you can try to upload it on a file-sharing web-site and send me the PM in a link. Otherwise... you have a few alternatives:

1. Ask PositScience to send you the requested file (LaunchPad.exe). Be sure to tell them to put it in a password-archive (infected should be the password, but any password is good as long as you can tell it to us), or otherwise BitDefender from your computer will block the e-mail.
2. You can try to disable BD Realtime Protection before installing the software, install it, and send us the file. Since you used this application before and you trust it, I am more than sure this is nothing more then a false positive.
3. If still you don't want to assume any risks, you can do another thing: in BitDefender, add the installation folder as an excluded from scan path. This way, BitDefender can remain enabled and protect your system, but the folder of that application will be ignored, therefore the application can install correctly. (you can do this from BitDefender -> Antivirus -> Exceptions).

Hello Mr. Connely,

There are no files attached to your post. This means that either you forgot to actually attach them (or there was an error sending the files), or you tried to attach the files as they are (EXE files) which is not possible (because these types of files are not allowed).

It's enough to attach the files here. To do this, please put the file(s) in a ZIP archive, with the password infected. They will be downloaded and checked by a BitDefender Virus Analyst and detection will be removed. The password-encryption is needed so that the file won't be rejected by any antiviruses/firewalls along the way, since these files appear to be detected as threats.

One small thing I'd like to mention: you mentioned something about a certain Activate.exe. If my assumption is correct and this file is used to activate your software, then I'd like to assure you that it won't be used by anyone to illegally use this software. On this board (Malware Talk), only Virus Analysts and Moderators have access to attachments, and the attached files are only used for research.

Thank you for your support.

Cris.

Does your response mean that there is no virus in the PositScience software?

Yes, that's what Marius' response is: the file is clean and detection was removed. The file won't be detected from now on, so you can install the software without getting any alerts.

As I said, it was detected based on heuristics. Heuristics is a method to detect new viruses, which don't yet have signatures in the Virus Database. It detects the threats by analyzing what a file does (what instructions it uses) and, based on some rules, BitDefender decides if it is a possible threat or not.

This method is very good for protection against new, unknown viruses. But also can produce False Positives, such as this one. In my opinion, a few False Positives is a good price to pay for protection against something that's unknown

If you have other problems/questions, don't hesitate to post.

Cris.

Thank you, Cris.

What about activate.exe? Is it also removed from detection? Activate.exe only needs to touch our server once but it needs to do so to unlock the program on the customer's side.

Launchpad touches our server each time a session of the program has been completed.

Any informatin would be appreciated.

Thank you.