F-Secure Anti-Virus DeepGuard issue
-
- Xpadder Xpert
- Posts: 2437
- Joined: 09 Feb 2010, 16:41
- Location: Germany
- Contact:
F-Secure Anti-Virus DeepGuard issue
I am currently trying out new antivirus programs. F-Secure Anti-Virus has a feature named DeepGuard. It detects suspicious programs as they start and asks the user whether he trusts the program.
For Xpadder the following message appears:
DeepGuard has determined, that a program tries to alter or quit another process, which is potentially dangerous.
What does Xpadder do in this direction while starting? Maybe it has something to do with that problem.
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
Are you able to get F-Secure to ask this question each time you run Xpadder?
If so we can perform some tests...
-
- Xpadder Xpert
- Posts: 2437
- Joined: 09 Feb 2010, 16:41
- Location: Germany
- Contact:
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
Principally yes.
F-Secure AV has a list for the trusted programs. Some programs will be written automatically in this list and for others, like Xpadder, it will ask the user, if it should do that or if it should block it. Strangely Xpadder was the only program it asks me about that yet.
I can delete the entry for Xpadder from this list, to get this message again with the next start of Xpadder.
On what are you thinking to test?
Edit: I have found another hint. I couldn't read it since it didn't fit in the window, but now I have moved the mouse cursor over it and it magically appeared.
Action: Attempt to write in the memory of another application by installing an global Windows messaging port.
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
This is very interesting! I wonder if the action Xpadder is performing is also causing MMORPG problems?
Try disabling AutoProfile and see if FS blocks Xpadder. AutoProfile constantly monitors window titles and process launches and this could be the issue?
-
- Xpadder Xpert
- Posts: 2437
- Joined: 09 Feb 2010, 16:41
- Location: Germany
- Contact:
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
The stupid thing about DeepGuard is that it doesn't even detect Xpadder in any way when it starts with Windows. OK, that's just logical, since the AV tool is also just starting. But that makes the feature much less useful, since a "good" malware would also start with Windows.
However, I have disabled the AutoProfile and it made no difference.
I have also tried to disable:
- Start minimized (if started by user)
Use Xinput
Process non selected controllers
Associate files
Connect virtual controller for testing
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
Missing a program when Windows starts is a big security risk! Maybe DG starts after Xpadder so it misses its launch?
It does prove though that it is Xpadder starting or trying to start that causes the error.
When you run Xpadder normally does DG stop it before it even runs or does Xpadder appear but then DG blocks it? Have a look in task manager to see if Xpadder.exe appears at all.
It could be that DG is scanning the Xpadder executable and finding functions it does not like before Xpadder even starts. I'll investigate via a VM if this is the case...
-
- Xpadder Xpert
- Posts: 2437
- Joined: 09 Feb 2010, 16:41
- Location: Germany
- Contact:
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
Jonathan wrote: Maybe DG starts after Xpadder so it misses its launch?
Definitely, at least DeepGuard isn't running at this moment. Normally detected programs and automatically approved programs will be written in this list that I have already mentioned. But in this case Xpadder was started and isn't to be found in this list.
Jonathan wrote: When you run Xpadder normally does DG stop it before it even runs or does Xpadder appear but then DG blocks it? Have a look in task manager to see if Xpadder.exe appears at all.
Xpadder does appear in the TaskManager, but not in the System Tray. Also it doesn't really seem to run.
I use Sysinternals Process Explorer as replacement to the TaskManager. Among others it gives the possibility to see the CPU history for each process individually. Xpadder has all the time 0% until I tell F-Secure AV that I trust this program.
Also here a screenshot with the first part of the list with Xpadder.
On the other hand I have started a program that is made to write in the memory of other applications ("Cheat-O-Matic", a multi-cheattool), and it was automatically approved. But it doesn't do that autonomously, but only by user input.
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
I use SysInternals tools a lot too (even before Microsoft bought them)
If Xpadder.exe appears then the program is loaded in memory and ready to start. There are a few things that Xpadder does before it begins its actual function - these are general windows program functions. They are nothing that I have added - they are just things that all programs do when they start. It's possible that something that Xpadder does in this stage is causing DG to complain.
To double-check can you make a copy of Notepad.exe (or any other safe exe) and then rename this copy to Xpadder.exe and run it. This will check to see if DG hasn't blacklisted the name "Xpadder".
Another idea would be to try the Hardware Scanner program that is in the iMON topic (a quick search will find it). This tool uses the same global messaging system that Xpadder does. If the HS tool is also blocked by DS then this will make fixing it easier (HS is much smaller than Xpadder and easier to update).
-
- Xpadder Xpert
- Posts: 2437
- Joined: 09 Feb 2010, 16:41
- Location: Germany
- Contact:
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
Jonathan wrote: To double-check can you make a copy of Notepad.exe (or any other safe exe) and then rename this copy to Xpadder.exe and run it. This will check to see if DG hasn't blacklisted the name "Xpadder".
Well, that's it. The Notepad test didn't cause problems. But I have renamed the "Xpadder.exe" to "Xpadder, not.exe", and that really causes Xpadder to be automatically approved.
Edit: Your Hardware Scanner causes the same message too.
-
- Xpadder Xpert
- Posts: 2437
- Joined: 09 Feb 2010, 16:41
- Location: Germany
- Contact:
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
Now the stupid renaming doesn't work anymore, so everything back to start. Could it be that DeepGuard is teachable?
I have an apparently useful error message of Xpadder, it comes if I decide to block Xpadder. If Xpadder is already listed to be blocked, another standard Windows error message occurs.
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
This problem seems to be split into 3 now!
1) DG does learn the exe name but it's not a big online database but a list on your PC. This is why the rename worked but now doesn't. We'll assume now that the name is not the issue and renaming is not a permanent workaround
2) Now your screenshot is interesting. DG is blocking Xpadder's attempt to link to the SendInput function (the part that simulates key and mouse actions). On my VM this triggers the error. Xpadder states "Missing library" but I don't think this is the case - it should be something like "access denied" because DG is blocking the attempt to link. I am now researching this error myself and will update Xpadder with more detailed error explanations.
3) I have now installed DG on a VM and I get no errors when running the Hardware Scanner. I get the Xpadder errors about "Action: Attempt to write in the memory of another application by installing an global Windows messaging port." but the Hardware Scanner works ok every time. What error do you get with the Hardware Scanner?
-
- Xpadder Xpert
- Posts: 2437
- Joined: 09 Feb 2010, 16:41
- Location: Germany
- Contact:
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
Jonathan wrote: 1) DG does learn the exe name but it's not a big online database but a list on your PC. This is why the rename worked but now doesn't. We'll assume now that the name is not the issue and renaming is not a permanent workaround
I'm not sure about that. Sometimes the "Xpadder, not.exe" will again be approved automatically, and sometimes, but more rarely, it will also approve the normal "Xpadder.exe" automatically. For example I have tried the normal Xpadder.exe 5 times in a row, and finally at the fifth time it was automatically approved. So it works really strangely.
Jonathan wrote: 2) Now your screenshot is interesting. DG is blocking Xpadder's attempt to link to the SendInput function (the part that simulates key and mouse actions). On my VM this triggers the error. Xpadder states "Missing library" but I don't think this is the case - it should be something like "access denied" because DG is blocking the attempt to link. I am now researching this error myself and will update Xpadder with more detailed error explanations.
I would say that this .dll is definitely not missing since Xpadder normally can start without any problems. So DeepGuard is definitely blocking the access to this file.
Jonathan wrote: 3) I have now installed DG on a VM and I get no errors when running the Hardware Scanner. I get the Xpadder errors about "Action: Attempt to write in the memory of another application by installing an global Windows messaging port." but the Hardware Scanner works ok every time. What error do you get with the Hardware Scanner?
I guess you mean the F-Secure AV, since I am not aware of a stand-alone edition of DeepGuard.
For your Hardware Scanner I get exactly the same message as for Xpadder. The strange part is that it starts despite my selection to block it.
Also there is a difference between selecting to block a program in this message, and having it already in this list to block the program.
I guess with the first the .exe will start but it will be stopped at the potentially dangerous part, but with the second it won't start at all.
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
I have updated the development version (but not released yet) - the true error is "Access denied" as expected.
Here's the sequence:
1) Run Xpadder
2) When Xpadder tries to access DirectInput DLL we get the first DG error
3) If we allow this alert we jump to step 5 else if we block it we continue to step 4
4) The first error is blocked. DirectInput initialises ok but the following SendInput is blocked (actually the library is blocked even before SendInput is requested) - Xpadder exits
5) We allowed the first error but now we get a second error. This is actually at exactly the same point in the program! It's almost as if DG is saying "Are you sure you want to allow?"
6) If we allow OR block everything works fine.
EDIT: If we block the second error then Xpadder cannot launch programs (Test in Notepad, Game Controllers panel etc)
For some reason I am now getting the Hardware Scanner error message
The error is the same as always "...installing Windows messaging hook" - the strange thing is that the Xpadder DLL errors said the same thing
I'll see if I can prevent this error then roll the update into Xpadder and see if Xpadder can run error-free.
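The "Missing library" versus "Access denied" distinction from the post above, as an added example (not Xpadder's code): it links to SendInput in user32.dll at run time and reports the actual Win32 error code instead of assuming the library is absent. The function names are hypothetical, and treating code 5 as "blocked by security software" is an assumption taken from what this thread reports.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Win32 error values from winerror.h, repeated so this also builds off Windows. */
enum { WERR_OK = 0, WERR_FILE_NOT_FOUND = 2, WERR_ACCESS_DENIED = 5,
       WERR_MOD_NOT_FOUND = 126, WERR_PROC_NOT_FOUND = 127 };
typedef enum { LINK_OK, LINK_MISSING_LIBRARY, LINK_MISSING_FUNCTION,
               LINK_BLOCKED, LINK_OTHER } link_status;

/* Map the raw error code to the failure the user should be told about. */
link_status classify_link_error(unsigned long code) {
    switch (code) {
    case WERR_OK: return LINK_OK;
    case WERR_FILE_NOT_FOUND: case WERR_MOD_NOT_FOUND: return LINK_MISSING_LIBRARY;
    case WERR_PROC_NOT_FOUND: return LINK_MISSING_FUNCTION;
    case WERR_ACCESS_DENIED: return LINK_BLOCKED;
    default: return LINK_OTHER;
    }
}

/* Build the user-facing message; returns the status so callers can branch. */
link_status describe_link_error(char *buf, size_t n, const char *dll,
                                const char *fn, unsigned long code) {
    static const char *text[] = {
        "linked", "missing library", "function not exported",
        "access denied (blocked, e.g. by security software)", "unexpected error" };
    link_status s = classify_link_error(code);
    snprintf(buf, n, "%s!%s: %s [code %lu]", dll, fn, text[s], code);
    return s;
}

#ifdef _WIN32
/* Load the DLL and resolve the function, capturing GetLastError() right at
   the failing call, before any other API call can overwrite it. */
unsigned long try_link(const char *dll, const char *fn) {
    unsigned long code = WERR_OK;
    HMODULE h = LoadLibraryA(dll);
    if (!h) return GetLastError();
    if (!GetProcAddress(h, fn)) code = GetLastError();
    FreeLibrary(h);
    return code;
}
#endif

int main(void) {
    char msg[160];
    unsigned long code = WERR_ACCESS_DENIED;  /* constructed sample off Windows */
#ifdef _WIN32
    code = try_link("user32.dll", "SendInput");
#endif
    describe_link_error(msg, sizeof msg, "user32.dll", "SendInput", code);
    puts(msg);
    return 0;
}
```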
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
Ok, the "installing Windows messaging hook" actually means "linking to a DLL" - the error message is clearly inaccurate. Removing the messaging hook still gave the same error.
DG complains when Xpadder links to a DLL but this is necessary for Xpadder to work - there is no reasonable way to get around this. Allowing both error messages will allow Xpadder to function as usual.
This issue has been useful because I've improved the DLL code as a result. I will now move this topic to the "Problems starting Xpadder" subforum for future reference.
-
- Xpadder Xpert
- Posts: 2437
- Joined: 09 Feb 2010, 16:41
- Location: Germany
- Contact:
Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue
For me it's a little bit different.
1) Run Xpadder
2) When Xpadder tries to access DirectInput DLL we get the first DG error
3) If we allow this alert we jump to step 5 else if we block it we continue to step 4
4) The first error is blocked. DirectInput initialises ok but the following SendInput is blocked (actually the library is blocked even before SendInput is requested) - Xpadder exits + with this error message I have already posted (but I guess you have it too)
5) Xpadder starts problem free, no further questions by DeepGuard
If Xpadder is already in this list to be blocked, I get a Windows error message:
"To the selected device, path or file cannot be accessed. You may not have sufficient permissions, to access to the element"
Xpadder doesn't even start. Also I get a message from DeepGuard that I have selected not to trust this program.
Edit: Yes, in principle this problem is not that big. Simply select to trust Xpadder and done.
But it is better if you can tell your customers why this happens.