F-Secure Anti-Virus DeepGuard issue

Post Reply
Primal Fear
Xpadder Xpert
Posts: 2437
Joined: 09 Feb 2010, 16:41
Location: Germany
Contact:

F-Secure Anti-Virus DeepGuard issue

Post by Primal Fear »

I currently try out new AntiVirus programs. F-Secure Anti-Virus has a feature named DeepGuard. It detects starting suspicious programs and asks the user if he trusts this program.
For Xpadder comes following message:
DeepGuard has determined, that a program tries to alter or quit another process, which is potentially dangerous.

What does Xpadder do in this direction while starting? Maybe it has something to do with that problem.

Jonathan
Xpadder creator
Posts: 1648
Joined: 24 Aug 2009, 11:33
Location: England
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Jonathan »

Are you able to get F-Secure to ask this question each time you run Xpadder?
If so we can perform some tests...

Primal Fear
Xpadder Xpert
Posts: 2437
Joined: 09 Feb 2010, 16:41
Location: Germany
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Primal Fear »

Principally yes.
F-Secure AV has a list for the trusted programs. Some programs will be written automatically in this list and for others, like Xpadder, it will ask the user, if it should do that or if it should block it. Strangely Xpadder was the only program it asks me about that yet.
I can delete the entry for Xpadder from this list, to get this message again with the next start of Xpadder.

On what are you thinking to test?

Edit: I have found another hint. I couldn't read since it didn't fit in the window, but now I have moved the mouse cursor over it and it magically appeared :shifty:.
Action: Attempt to write in the memory of another application by installing an global Windows messaging port.

Jonathan
Xpadder creator
Posts: 1648
Joined: 24 Aug 2009, 11:33
Location: England
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Jonathan »

This is very interesting! I wonder if the action Xpadder is performing is also causing MMORPG problems?

Try disabling AutoProfile and see if FS blocks Xpadder. AutoProfile constantly monitors window titles and process launches and this could be the issue?

Primal Fear
Xpadder Xpert
Posts: 2437
Joined: 09 Feb 2010, 16:41
Location: Germany
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Primal Fear »

The stupid thing on that DeepGuard is, that it doesn't even detect Xpadder in any way when it starts with Windows. OK, that just logically since the AV tool also just starts. But that makes that feature much less useful, since a "good" malware would also start with Windows. :roll:

However, I have disabled the AutoProfile and it made no difference.
I have also tried to disable:
  • Start minimized (if started by user)
    Use Xinput
    Process non selected controllers
    Associate files
    Connect virtual controller for testing
Also no success.

Jonathan
Xpadder creator
Posts: 1648
Joined: 24 Aug 2009, 11:33
Location: England
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Jonathan »

Missing a program when Windows starts is a big security risk! Maybe DG starts after Xpadder so it misses its launch?

It does prove though that it is Xpadder starting or trying to start that causes the error.

When you run Xpadder normally does DG stop it before it even runs or does Xpadder appear but then DG blocks it? Have a look in task manager to see if Xpadder.exe appears at all.

It could be that DG is scanning the Xpadder executable and finding functions it does not like before Xpadder even starts. I'll investigate via a VM if this is the case...

Primal Fear
Xpadder Xpert
Posts: 2437
Joined: 09 Feb 2010, 16:41
Location: Germany
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Primal Fear »

Jonathan wrote:Maybe DG starts after Xpadder so it misses its launch?
Definitely, at least DeepGuard isn't running at this moment. Normally detected programs an automatically approved programs will be written in this list that I have already mentioned. But in this case Xpadder was started and isn't to find in this list.
When you run Xpadder normally does DG stop it before it even runs or does Xpadder appear but then DG blocks it? Have a look in task manager to see if Xpadder.exe appears at all.
Xpadder does appear in the TaskManager, but not in the System Tray. Also it seems not really to run.
I use Sysinternals Process Explorer as replacement to the TaskManager. Among others it gives the possibility to see the CPU history for each process individually. Xpadder has all the time 0% until I tell F-Secure AV that I trust this program.

Also here a screenshot with the first part of the list with Xpadder.
Text/Images: Show
Image
I don't think that this helps, but I found another program that causes exactly this message. It is "Lara Croft and the Guardian of Light", also on this screenshot.
On the other hand I have started a program that is made to write in the memory of other applications ("Cheat-O-Matic", a multi-cheattool), and it was automatically approved. But it doesn't do that autonomously, but only by user input.

Jonathan
Xpadder creator
Posts: 1648
Joined: 24 Aug 2009, 11:33
Location: England
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Jonathan »

I use SysInternals tools a lot too (even before Microsoft bought them)

If Xpadder.exe appears then the program is loaded in memory and ready to start. There are a few things that Xpadder does before it begins its actual function - these are general windows program functions. They are nothing that I have added - they are just things that all programs do when they start. It's possible that something that Xpadder does in this stage is causing DG to complain.

To double-check can you make a copy of Notepad.exe (or any other safe exe) and then rename this copy to Xpadder.exe and run it. This will check to see if DG hasn't blacklisted the name "Xpadder".

Another idea would be to try the Hardware Scanner program that is in the iMON topic (a quick search will find it). This tool uses the same global messaging system that Xpadder does. If the HS tool is also blocked by DS then this will make fixing it easier (HS is much smaller than Xpadder and easier to update).

Primal Fear
Xpadder Xpert
Posts: 2437
Joined: 09 Feb 2010, 16:41
Location: Germany
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Primal Fear »

Jonathan wrote:To double-check can you make a copy of Notepad.exe (or any other safe exe) and then rename this copy to Xpadder.exe and run it. This will check to see if DG hasn't blacklisted the name "Xpadder".
Well, that's it. That with the notepad didn't caused problems. But I have renamed the "Xpadder.exe" to "Xpadder, not.exe", and that really causes that Xpadder will be automatically approved. :o

Edit: Your Hardware Scanner causes the same message too.

Primal Fear
Xpadder Xpert
Posts: 2437
Joined: 09 Feb 2010, 16:41
Location: Germany
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Primal Fear »

Now the stupid renaming doesn't work anymore :noob:, so everything back to start. Could it be that DeepGuard is teachable? :shifty:

I have an apparently useful error message of Xpadder, it comes if I decide to block Xpadder. If Xpadder is already listed to be blocked, another standard Windows error message occurs.
Image

Jonathan
Xpadder creator
Posts: 1648
Joined: 24 Aug 2009, 11:33
Location: England
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Jonathan »

This problem seems to be split into 3 now!

1) DG does learn the exe name but it's not a big online database but a list on your PC. This is why the rename worked but now doesn't. We'll assume now that the name is not the issue and renaming is not a permanent workaround

2) Now your screenshot is interesting. DG is blocking Xpadder's attempt to link to the SendInput function (the part that simulates key and mouse actions). On my VM this triggers the error. Xpadder states "Missing library" but I don't think this is the case - it should be something like "access denied" because DG is blocking the attempt to link. I am now researching this error myself and will update Xpadder with more detailed error explainations.

3) I have now installed DG on a VM and I get no errors when running the Hardware Scanner. I get the Xpadder errors about "Action: Attempt to write in the memory of another application by installing an global Windows messaging port." but the Hardware Scanner works ok everytime. What error do you get with the Hardware Scanner?

Primal Fear
Xpadder Xpert
Posts: 2437
Joined: 09 Feb 2010, 16:41
Location: Germany
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Primal Fear »

Jonathan wrote:1) DG does learn the exe name but it's not a big online database but a list on your PC. This is why the rename worked but now doesn't. We'll assume now that the name is not the issue and renaming is not a permanent workaround
I'm not sure about that. Sometimes the "Xpadder, not.exe" will again be approved automatically, and sometimes but more rare it also will approve the normal "Xpadder.exe" automatically. For example I have tried the normal Xpadder.exe 5 times in a row, and finally at fifth time it was automatically approved. So it works really strange.
Jonathan wrote:2) Now your screenshot is interesting. DG is blocking Xpadder's attempt to link to the SendInput function (the part that simulates key and mouse actions). On my VM this triggers the error. Xpadder states "Missing library" but I don't think this is the case - it should be something like "access denied" because DG is blocking the attempt to link. I am now researching this error myself and will update Xpadder with more detailed error explainations.
I would say that this .dll is definitely not missing since Xpadder normally can start without any problems. So DeepGuard is definitely blocking the access to this file.
Jonathan wrote:3) I have now installed DG on a VM and I get no errors when running the Hardware Scanner. I get the Xpadder errors about "Action: Attempt to write in the memory of another application by installing an global Windows messaging port." but the Hardware Scanner works ok everytime. What error do you get with the Hardware Scanner?
I guess you mean the F-Secure AV, since I am not aware of an stand alone edition of DeepGuard.
I get for your Hardware Scanner exactly the same message as for Xpadder. The strange part on it is, that it starts despite of my selection to block it. :roll:

Also there is a difference between selecting to block a program in this message, and to have it already in this list to block the program.
I guess with the first the .exe will start but it will be stopped on the the potential dangerous part, but with the second it won't start at all.

Jonathan
Xpadder creator
Posts: 1648
Joined: 24 Aug 2009, 11:33
Location: England
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Jonathan »

I have updated the development version (but not released yet) - the true error is "Access denied" as expected.
Here's the sequence:

1) Run Xpadder
2) When Xpadder tries to access DirectInput DLL we get the first DG error
3) If we allow this alert we jump to step 5 else if we block it we continue to step 4
4) The first error is blocked. DirectInput initialises ok but the following SendInput is blocked (actually the library is blocked even before SendInput is requested) - Xpadder exits
5) We allowed the first error but now we get a second error. This is actually at exactly the same point in the program! It's almost as if DG is saying "Are you sure you want to allow?"
6) If we allow OR block everything works fine.

EDIT: If we block the second error then Xpadder cannot launch programs (Test in Notepad, Game Controllers panel etc)

For some reason I am now getting the Hardware Scanner error message :?
The error is the same as always "...installing Windows messaging hook" - the strange thing is that the Xpadder DLL errors said the same thing :?

I'll see if I can prevent this error then roll the update into Xpadder and see if Xpadder can run error-free.

Jonathan
Xpadder creator
Posts: 1648
Joined: 24 Aug 2009, 11:33
Location: England
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Jonathan »

Ok, the "installing Windows messaging hook" actually means "linking to a DLL" - the error message is clearly inaccurate. Removing the messaging hook still gave the same error.

DG complains when Xpadder links to a DLL but this is necessary for Xpadder to work - there is no reasonable way to get around this. Allowing both error messages will allow Xpadder to function as usual.

This issue has been useful because I've improved the DLL code as a result. I will now move this topic to the "Problems starting Xpadder" subforum for future reference.

Primal Fear
Xpadder Xpert
Posts: 2437
Joined: 09 Feb 2010, 16:41
Location: Germany
Contact:

Re: [DISCUSSING] F-Secure Anti-Virus DeepGuard issue

Post by Primal Fear »

For me it's a little bit else.

1) Run Xpadder
2) When Xpadder tries to access DirectInput DLL we get the first DG error
3) If we allow this alert we jump to step 5 else if we block it we continue to step 4
4) The first error is blocked. DirectInput initialises ok but the following SendInput is blocked (actually the library is blocked even before SendInput is requested) - Xpadder exits + with this error message I have already posted (but I guess you have it too)
5) Xpadder starts problem free, no further questions by DeepGuard

If Xpadder is already in this List to be blocked, I get a Windows error massage:
"To the selected device, path or file cannot be accessed. You may not have sufficient permissions, to access to the element"
Xpadder doesn't even start. Also I get a message from DeepGuard, that I have selected to not to trust this program.

Edit: Yes, principally this problem is not that big. Simply select to thrust Xpadder and done.
But it is better if you can tell your customers why this happens.

Post Reply

Return to “Xpadder is reported as a virus or unsafe”