Virus? Behaveslike:trojan.hangup

Hi,


I've had BitDefender 2008 Security for only a couple of months. In installing software from a company called PositScience, which I thought was a reputable vendor, I got 2 virus messages from BitDefender (which I'll copy at the end of this email). PositScience tells me that they must be false positives.


I used PositScience's CD to install the program, but they also required that I have an internet connection so that the software could be activated after installation.


After getting these messages, I uninstalled the software and got the same virus message during the uninstall process.


I emailed BitDefender's support last Friday and received a response on Saturday with instructions that I didn't understand. I emailed back right away asking for explanation and haven't heard back. It's now 3 days later, and I thought that maybe I could get help in the forum.


I am lame when it comes to antivirus software. I don't even know where in Windows to look to find the infected files. I did find in a Google search that the same virus name that I got was a false positive for software called "weather". But until someone tells me for sure that the virus messages I got were false positives, I don't want to take a chance.


Here's the message I got from BitDefender:


"Bit Defender has blocked a virus on your computer!


"Virus Name: BehavesLike:Trojan.Hangup


"Path:C:\ProgramFiles\PositScience\2_0\Neuroscience\LaunchPad.exe


"Access to file has been denied


"Your computer is protected!"



******


I am attaching a screenshot of this message.


Can someone help me identify whether this is a false positive?


Thanks!


Marcia


Comments

  • alexcrist
    edited January 2008

    Hello Marcia,


    Please find this file:


    C:\Program Files\PositScience\2_0\Neuroscience\LaunchPad.exe


    After you find it (using Explorer or whatever file manager that you use), disable the BD Realtime Protection, put that file in a password-protected archive (the password should be the word infected) and re-enable the BD Realtime Protection. After that, attach the archive to your next post.


    If, indeed, it's a false positive, BitDefender Virus Analysts will remove detection ASAP.


    Take a look at this topic for details about how to create a password-protected archive: http://forum.bitdefender.com/index.php?showtopic=84


    Notice: Please be careful not to open the file while BD is disabled because, in the event that it really is a virus, you won't be protected.


    Cris.

  • mbenay
    edited January 2008

    Hi Chris,


    Thanks for the response. I did a search in Windows, but don't find the file "C:\Program Files\PositScience\2_0\Neuroscience\LaunchPad.exe" (I don't even find "PositScience" or "LaunchPad.exe" as part of the name in a search). My search included system folders and hidden files and folders. Is there anyplace else I can look? I didn't change any of the defaults in BitDefender that I can remember so if there's a default folder in which BitDefender puts files with viruses, they should be there.


    I hope I don't have to install the possibly infected software again to get the file.


    Thanks,


    Marcia



  • alexcrist
    edited January 2008

    If you don't want to reinstall it (though you should, because I suppose you paid money for that software and you want to use it... so you want to know if it's infected or not), then you could attach the whole installation kit.


    How large is it? If it is not very large, you can try to ZIP it and, if the total ZIP size is below 2 MB (which is the upload limit on this forum), then attach it. Otherwise, I cannot see any other alternative.


    From the reported virus name, BehavesLike, I assume that the detection was made by heuristics, not by signature. Heuristic detection can cause False Positives, because it's made by analyzing what a file does (and the detection engine can be fooled to think that a file is dangerous, when in reality it's not).


    One last alternative that comes to my mind is that you attach a link to download the installation kit (either from the official site, or you can upload an archived installation kit somewhere and post the link). Details here: http://forum.bitdefender.com/index.php?s=&...post&p=1223


    Notice: Please don't directly post the link to any suspicious files. Instead, write the link in a TXT file and attach the TXT to your post.


    Cris.

  • Hi Cris,


    I've been in touch with the PositScience people, and they suggest that I mail you the CD of their software. They say that there isn't a way to attach a link to the installation kit. They also say that the installation size is huge and would be well over your 2 mg limit when zipped.


    The PositScience people also told me that a couple of their customer service personnel have BitDefender on their PCs and have not been able to install their own software, even when they turn BitDefender off.


    They are asking me to see the file that was marked as having a virus, and, as I already mentioned to you, I can't find it. They asked if it was quarantined, and I don't think it was. My BitDefender History says that it was "blocked" which doesn't sound like a quarantine. Was it? Do you have any idea where that file might be?


    I very much want to install the PositScience software, and I don't see how that will be possible unless I can send you the CD and have you check it for viruses.


    Please let me know what to do next.


    Thanks,


    Marcia

  • I've been in touch with the PositScience people, and they suggest that I mail you the CD of their software. They say that there isn't a way to attach a link to the installation kit. They also say that the installation size is huge and would be well over your 2 mg limit when zipped.


    This might be a problem. You can use an online file-sharing website (like RapidShare; other examples you can find in the link that I previously posted), but those sites also have upload limits (RapidShare has 100MB/file) and download limits (I'm not sure what these limits are, but they are pretty restrictive for free accounts).


    The easiest solution would be to send us only that particular file. Couldn't PositScience send it to you, in a password-protected archive (so it won't be blocked by BitDefender)? I know this is a kinda big thing to ask, but we cannot do anything without that file. :(


    The PositScience people also told me that a couple of their customer service personnel have BitDefender on their PCs and have not been able to install their own software, even when they turn BitDefender off.


    I find this hard to believe. When BitDefender is disabled, it really is disabled and it won't block anything. (trust me, I even worked with real viruses and BD didn't react at all while it was disabled).


    They are asking me to see the file that was marked as having a virus, and, as I already mentioned to you, I can't find it. They asked if it was quarantined, and I don't think it was. My BitDefender History says that it was "blocked" which doesn't sound like a quarantine. Was it? Do you have any idea where that file might be?


    I assume that the file wasn't even written on your HDD, because BitDefender blocked it.


    If the file had been moved to quarantine, BD would have said that. "Blocked" means only that the access to that file was denied.


    I very much want to install the PositScience software, and I don't see how that will be possible unless I can send you the CD and have you check it for viruses.


    If the archived installation kit has a size below 100MB, you can try to upload it on a file-sharing web-site and send me the link in a PM. Otherwise... you have a few alternatives:

    1. Ask PositScience to send you the requested file (LaunchPad.exe). Be sure to tell them to put it in a password-protected archive (infected should be the password, but any password is good as long as you can tell it to us), or otherwise BitDefender on your computer will block the e-mail.
    2. You can try to disable BD Realtime Protection before installing the software, install it, and send us the file. Since you used this application before and you trust it, I am more than sure this is nothing more than a false positive.
    3. If you still don't want to assume any risks, you can do another thing: in BitDefender, add the installation folder as a path excluded from scanning. This way, BitDefender can remain enabled and protect your system, but the folder of that application will be ignored, therefore the application can install correctly. (You can do this from BitDefender -> Antivirus -> Exceptions.)
    Cris.
  • Hello there,


    My name is JP Connelly and I am with Posit Science. I am happy to send both Launchpad.exe and Activate.exe to BitDefender for evaluation. Please advise of where to send and I shall do so ASAP. I am attaching the files to this post but not sure if this will suffice. We very much want MBenay to be able to use our software.


    Additionally, we've had 2 other customers contact us over the past few days referencing issues with BitDefender in conjunction with our program.


    Please advise as to how we may quickly resolve this issue.


    Many thanks!


    JP Connelly


    Supervisor, Customer Delight


    jpconnelly@positscience.com

  • alexcrist
    edited January 2008

    Hello Mr. Connely,


    There are no files attached to your post. This means that either you forgot to actually attach them (or there was an error sending the files), or you tried to attach the files as they are (EXE files) which is not possible (because these types of files are not allowed).


    It's enough to attach the files here. To do this, please put the file(s) in a ZIP archive, with the password infected. They will be downloaded and checked by a BitDefender Virus Analyst and detection will be removed. The password-encryption is needed so that the file won't be rejected by any antiviruses/firewalls along the way, since these files appear to be detected as threats.


    One small thing I'd like to mention: you mentioned something about a certain Activate.exe. If my assumption is correct and this file is used to activate your software, then I'd like to assure you that it won't be used by anyone to illegally use this software. On this board (Malware Talk), only Virus Analysts and Moderators have access to attachments, and the attached files are only used for research.


    Thank you for your support.


    Cris.

  • Hi Cris,


    I have created and attached the zip file as requested. Please let me know if you require further information.


    If it is easier, you can always email me at customerservice@positscience.com - just use "Attn: JP" as the subject line and it will get right to me.


    Thank you for your efforts in this matter!


    Respectfully,


    JP Connely


    Supervisor, Customer Delight


    Posit Science

    LaunchPad.zip

  • Hello Mr. Connely,


    Thank you for the samples! Detection removed for launchpad.exe.


    best regards,


    Marius Botis

  • Hi Marius (or Cris),


    Does your response mean that there is no virus in the PositScience software?


    Thanks,


    Marcia



  • Does your response mean that there is no virus in the PositScience software?


    Yes, that's what Marius' response is: the file is clean and detection was removed. The file won't be detected from now on, so you can install the software without getting any alerts. :)


    As I said, it was detected based on heuristics. Heuristics is a method to detect new viruses, which don't yet have signatures in the Virus Database. It detects the threats by analyzing what a file does (what instructions it uses) and, based on some rules, BitDefender decides if it is a possible threat or not.


    This method is very good for protection against new, unknown viruses. But it can also produce False Positives, such as this one. In my opinion, a few False Positives is a good price to pay for protection against something that's unknown ;)


    If you have other problems/questions, don't hesitate to post.


    Cris.
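
The trade-off described in the reply above, as an added sketch that is not part of the thread and not BitDefender's code: a scanner that checks signatures first, then analyst exceptions, then behaviour rules. The rule names, weights, threshold and the hash-keyed exception list are assumptions, and all samples are constructed.

```python
import hashlib

# Constructed signature database: digests of files already known to be malicious.
SIGNATURES = {hashlib.sha256(b"constructed known-bad sample").hexdigest()}

# Hypothetical behaviour rules and weights (not BitDefender's real rules).
RULES = {
    "contacts_remote_server": 2,
    "starts_other_programs": 2,
    "changes_connection_settings": 3,
    "runs_without_window": 1,
}
THRESHOLD = 4  # assumed cut-off for a heuristic ("behaves like") verdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, behaviours: set, cleared: frozenset = frozenset()) -> str:
    """Verdict order: signature match, analyst exception, then heuristics."""
    digest = sha256(data)
    if digest in SIGNATURES:
        return "signature"      # exact match on a known sample
    if digest in cleared:
        return "clean"          # an analyst reviewed this exact file
    score = sum(RULES.get(b, 0) for b in behaviours)
    return "behaves-like" if score >= THRESHOLD else "clean"


# Constructed samples: bytes stand in for file contents, sets for observed behaviour.
launcher = b"constructed benign launcher v1"
launcher_traits = {"contacts_remote_server", "starts_other_programs"}
malware_traits = {"contacts_remote_server", "changes_connection_settings"}


def demo() -> dict:
    cleared = frozenset({sha256(launcher)})  # "detection removed" for this file
    return {
        "launcher_before": scan(launcher, launcher_traits),
        "launcher_after": scan(launcher, launcher_traits, cleared),
        "rebuilt_launcher": scan(b"constructed benign launcher v2", launcher_traits, cleared),
        "unknown_malware": scan(b"constructed new malware", malware_traits, cleared),
        "known_bad": scan(b"constructed known-bad sample", set(), cleared),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In this model the exception covers one exact file, so a rebuilt launcher with the same behaviour is flagged again until it is reviewed.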

  • Yes, I agree -- I'd rather have a few false positives than miss even one virus! Thanks for all your help Cris!


    Marcia

  • Thank you, Cris.


    What about activate.exe? Is it also removed from detection? Activate.exe only needs to touch our server once but it needs to do so to unlock the program on the customer's side.


    Launchpad touches our server each time a session of the program has been completed.


    Any information would be appreciated.


    Thank you.

  • alexcrist
    edited January 2008

    Well...is activate.exe also detected by BitDefender as a virus? If it is, please upload it here (like you did with the other file). If it's not detected, then it will work without any problems. :)


    Cris.