Why is a Windows Service seen as a TR/Gen by an anti-virus?

  • Question

  • Greetings...

    I am probably not in the correct forum, but feel free to redirect me...  Here's the problem...

    I wrote a Windows Service in VB.Net that basically speaking, looks at one folder every five minutes or so and sees if any new file has landed in that folder.   If there is new file, it sends an email to a user saying "This file has arrived" and of course, I give the filename.

    I was testing this Service tonight, and inadvertently my anti-virus started its Friday night scan. I use Avira Premium.  To my surprise, it reported my Windows Service (called FTEN) as a TR/Gen virus and wanted to quarantine the Service!

    So simply put, (though the answer may be more complex) - what makes a service be "seen" as malware?  Mine is NOT malware - but it seems to be seen that way.

    Naturally, I can add this to the exclusions list and avoid the problem - but I would like to learn what I did wrong in the development of this rather simple Service.

    Thanks for any help you can offer.

    Saturday, January 12, 2013 2:47 AM

Answers

  • At McAfee the Overview, Indication of Infection for a Trojan/Generic (TR/Gen) is - The symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

    I'd suppose Avira knows you're referencing files (filewatcher watching folder) and E-Mail (network communication). I can only suggest you contact Avira as to this issue and submit a false positive report at this link https://forum.avira.com/wbb/index.php?page=Thread&threadID=131204


    You've taught me everything I know but not everything you know.



    • Edited by Mr. Monkeyboy Tuesday, January 15, 2013 10:03 AM
    • Proposed as answer by Reed KimbleMVP Wednesday, January 16, 2013 4:45 PM
    • Marked as answer by B_E_L Friday, January 25, 2013 2:54 PM
    Tuesday, January 15, 2013 9:53 AM

All replies

  • Hi,

    I am moving your thread into the Visual Basic Forum for dedicated support. Thanks for your understanding.

    Best Regards,


    Jack Zhai [MSFT]

    Tuesday, January 15, 2013 6:59 AM
  • I don't understand why Jack sends this message to this forum. Probably he has seen the words VB and Services. 

    I don't know where you were starting, but in fact this has nothing to do with VB. A virus scanner mostly searches for certain signatures in an executable. Probably yours has one.

    I suggest the moderators move this question back to its original place or otherwise to Off Topic.


    Success
    Cor

    Tuesday, January 15, 2013 9:17 AM
  • You could submit the executable to VirusTotal, they run it past a plethora of AV programs.

    https://www.virustotal.com/

    Wednesday, January 16, 2013 6:25 AM
  • I suspect there's a different bit setting in the process header in the service that makes it a service and it's not an ms service. That combination is probably setting off the anti-virus. I would guess that the exclude list is the only choice.

    Renee


    "MODERN PROGRAMMING is deficient in elementary ways BECAUSE of problems INTRODUCED by MODERN PROGRAMMING." Me

    Wednesday, January 16, 2013 2:05 PM
  • Thank you very much for the suggestion.  I will start with Avira - I don't trust Norton, and we dumped McAfee many months ago when they moved their Exclusions list to web-only (probably one of the dumbest ideas in all of computing history) - so we are solid Avira users and recommenders - Seems Norton and McAfee have just gotten too big, too concerned about support revenue when it's their mistake and lousy design, and too large as systems overall - they are resource hogs - for me to bother with them.

    Conversely, I HIGHLY recommend Avira - these guys have been great to us, with exceptional support, and a very fair price.  I will go that way.

    Thanks to all for good suggestions - it is appreciated!

    Friday, January 25, 2013 2:58 PM