AVG found win32 virus in anticheat.dll

[SidDManiac]

Hello,

I am not sure if this is the place to post this, but I wonder if anyone else found the win32\heur infection in anticheat.dll from r1q2.  I just upgraded to AVG 8.0 free edition and as soon as I opened Q2, it alerted me. I chose to place the file in quarantine and as soon as I did that I found my r1gl client appeared to show better graphics rendition.

I was worried that this may have been a false positive so I sent the file to Grisoft to verify and they replied that the detection is correct. I am not sure how this file alone could have been infected in my q2 directory, but I think It was downloaded from r1ch.net .

This is just a heads up and I am wondering how an infected file was downloaded from that site if that is what happened. Check for yourselves just in case...

[Whirlingdervish]

it's generating a false positive with AVG, and it's harmless.

you can take it out of quarantine.

This has been going on for a few months now.
Nothing to worry about.

 

[console]

I am not sure if this is the place to post this, but I wonder if anyone else found the win32\heur infection in anticheat.dll from r1q2.  I just upgraded to AVG 8.0 free edition and as soon as I opened Q2, it alerted me. I chose to place the file in quarantine and as soon as I did that I found my r1gl client appeared to show better graphics rendition.

I was worried that this may have been a false positive so I sent the file to Grisoft to verify and they replied that the detection is correct.

Others have reported this as well.  My understanding is that in all cases so far it has been a false positive.

I'm guessing whoever you talked to at Grisoft likely didn't take time to actually research the issue.

(Regarding the difference in r1q2 rendering quality, I'm going to presume that was a psychological effect.  If it were a real virus, the likelihood that it would affect OpenGL rendering quality seems kinda slim. )


Regards,

[QwazyWabbit]

This is a false postive from AVG. The anticheat DLL is compressed and has a "phone home" capability (necessary for talking to the anti-cheat server) that makes it look like a virus. AVG triggers on these characteristics in their heuristic detection and that's why you get the alert. You can safely ignore the alert on anticheat. AVG is known to be a little more sensitive to false positives than some other A-V programs. (I use NOD32 and it has never triggered on R1ch's anticheat dll.)

If you are getting alerts from other executable files with the same alert, it may be time to do deeper scans of those files.

[X'tyfe]

you can you set AVG to ignore the quake2 folder, thats what i did
but it seem you cant make it ignore a single file

[SidDManiac]

Here is the reply I got from AVG:

-----------------------------------------------------------------------------------------------------------

This email is an auto-response message. Please do not reply.

AVG Anti-virus Research Lab has analyzed the file(s) you have sent from your AVG Virus Vault. Below you can find the results for each file. The final verdict on the file is either a correct detection or a false positive detection.

Further information about the verdicts are available at our website:
http://www.avg.com/faq-1184

"D:\Apps\Quake2\anticheat.dll" - detection is correct



     Best regards,

     AVG Technical Support
     website: http://www.avg.com

-------------------------------------------------------------------------------------------------------

In any case guys,  I'll take your word for it that this is a false positive.  Thanks!

Maybe I should shell out some big bucks for a real antivirus solution after all!

[metaL]

didnt know so many people used avg (i do).

[The Happy Friar]

switch antiviri programs?  I use & like avast.  doesn't tell me q2 is infected. 

[X'tyfe]

i may do that soon, i dont like where avg is going
it used to be good, but there latest version seems to have turned it into those shitty bloated payfor ones

[Theo]

I had this error as well. It's refreshing to hear that I'm not the only one with this problem. I guess it's harmless.

[R1CH]

If you could update your AVG definitions and scan again over the next 2-3 days, I have been told this will be fixed in an upcoming virus database.

[reaper]

I've never bothered with this, and never had any problems.  but it seems best to check the md5, to make sure it's a good file, versus relying on anti-virus scanning

[QwazyWabbit]

http://www.virustotal.com/analisis/f9d53153b2b7f46abdb7aaa77d865bff

The false positive arises from the way the file is packed.
In the past, AVG and Panda seem to be the most frequently reported false positives.
AVG marks it safe but if R1ch comes out with a newer version the signature is different and AVG has problems with it again.

R1ch doesn't publish the file's MD5 hash in his documentation or web site. (Perhaps it's time to start.)

Latest version (no version info due to packing) anticheat.dll MD5: a67414c7a740e34e0b92a231820c0ffe

[R1CH]

http://www.virustotal.com/analisis/f9d53153b2b7f46abdb7aaa77d865bff

Unfortunately VirusTotal isn't too reliable, especially with AVG. I'm not sure if they use an old or different scanner (with heuristics off?) but it never seems to flag files that the actual client does.

[QwazyWabbit]

I agree, but it's an indicator that AVG isn't the only one that flags the signature. I have seen them all come up clean on actual viruses too. A lot depends on the currency of the sig files as well as the engine. They seem to be a bit more up to date today. It's been a while since I used that site. The interface is cleaner. I like that. They used to state the scans were based on "default" configuration of the scanners. I'm not sure that's true anymore.