Author Topic: GridMove Identified by Symantec AntiVirus as Backdoor Trojan (Read 29022 times)

Matt Caspermeyer · « **on:** July 11, 2008, 03:51 PM »

Today (July 11, 2008), Symantec AntiVirus identified GridMove as a Backdoor.Trojan with the 7/9/2008 rev. 3 definition file and deleted GridMove.exe from the Program Files folder and also the application link from Startup.

I imagine I can just re-install GridMove and it should be okay, but I'm pretty sure this is a false positive by Symantec AntiVirus since the previous definition file did not detect an infection, no other programs are infected, and GridMove launches on startup every time. Has anyone else had the same problem? I'm running Windows XP x64 if that makes any difference.

Here's a picture of what Symantec AntiVirus did:

GridMove Backdoor.Trojan Infection.PNG

Thanks for any information you can provide.

jgpaiva · « **Reply #1 on:** July 11, 2008, 04:25 PM »

Not again... GRR, damn! Antivirus programs frequently flag programs made with autohotkey, and yes, that's a false positive.
Thanks a lot for the heads up, Matt! Most people just delete it and go on with their lives, I'm glad you took the time to post here.
I have been making some updating to GridMove, and next week I expect to post a new version. This new version will be compiled with the most recent version of AHK, thus, it'll have no problems with antiviruses (at least, for some time

)
Sorry for the inconvinience, Matt!

Matt Caspermeyer · « **Reply #2 on:** July 11, 2008, 04:52 PM »

jgpaiva:

Thanks for the reply!

I'm more disappointed in the fact that Symantec blew

GridMove away (GridMove is one of my favorite little apps!

), without giving me a chance to save it!

Hmmm... since I rarely reboot, and since GridMove is still in memory (Hah! Symantec didn't remove it from memory!), maybe I'll try holding off reinstalling it until you get the new version of GridMove posted (I can probably go a week or two without rebooting unless Symantec (or usually it's Microsoft with an update) makes me).

Can't wait for the new version - thanks and keep up the awesome work!

jgpaiva · « **Reply #3 on:** July 11, 2008, 04:58 PM »

You don't actually have to go without rebooting.
Just change the name of the executable to GridMove2.exe or something, I'm pretty sure it won't delete it then

Can't wait for the new version - thanks and keep up the awesome work!
-Matt Caspermeyer (July 11, 2008, 04:52 PM)

I hope it'll bring some good improvements. Right now, I already have the "drag to edge" method working with multi-monitors, a long-overdue feature.
I also intend to clean up the menus a bit, improve the about box and hopefully add a "cycle to next grid element" feature that I think is really cool and has been requested a few times already

(But shhh.. noone can know about this, it's supposed to be a surprise

)

lanux128 · « **Reply #4 on:** July 11, 2008, 10:17 PM »

judging from the screenshot, Symantec AV has made a poor decision as it deems a "successful healing" is merely deleting the file but being unable to remove it from memory, leaving the user's PC in a vulnerable state.

luckily for Symantec, GridMove is NOT a virus/malware.

nosh · « **Reply #5 on:** July 12, 2008, 07:08 AM »

lol@ "cleaned by deletion" - why can't the monkeys just call it deleted?

I personally feel it's a really bad/dangerous choice to let an AV whack off files on its own without prompting the user for action, you never know what'll scare it next.

mouser · « **Reply #6 on:** July 12, 2008, 07:09 AM »

nosh, i could not agree more.
long thread here dealing with this same behavior for one of my programs: https://www.donation...ex.php?topic=12614.0

mxn · « **Reply #7 on:** October 08, 2008, 09:58 AM »

Any news regarding this? NOD32 has been buggning me for months now, thinking GridMove.exe is a backdoor trojan. Adding it to the exclude list doesn't help for some reason.

justice · « **Reply #8 on:** October 08, 2008, 10:05 AM »

download the latest version?

mxn · « **Reply #9 on:** October 08, 2008, 10:48 AM »

Thanks, updating solved the problem.

I was sure I had the latest version (seeing as it is almost a year old), but I was wrong.

jgpaiva · « **Reply #10 on:** October 08, 2008, 11:51 AM »

Actually, I still haven't updated since this topic was started (I know, my bad.. sorry but been really busy)...
I'm glad updating worked for you, mxn!

gdot · « **Reply #11 on:** October 30, 2008, 12:47 PM »

Keep up the good work, jg... Thanks!

FWIW, avast! has just spotted GridMove as a false positive, declared itself unable to heal and quarantined.
I whitelisted and "un-quarantined" GMove but the program was "not found" (apparently the quarantine un-quarantine process blew something up).

Closed avast, downloaded new version (new copy of v1192, indeed), re-installed... and

avast! spotted the false positive again.

Believe this issue belongs in avast! forums: how to whitelist an application!

lanux128 · « **Reply #12 on:** October 30, 2008, 08:23 PM »

in addition to white-listing, i believe that the AV vendors should improve their detection routine as well in order to reduce the alarming rate of false alarms.

gdot · « **Reply #13 on:** October 31, 2008, 06:35 AM »

in addition to white-listing, i believe that the AV vendors should improve their detection routine as well in order to reduce the alarming rate of false alarms.
-lanux128 (October 30, 2008, 08:23 PM)

Well, Lanux...

False alarms are extremely boring to you and me, but for the average client the false alarm is perceived as legit, thus improving his/her confidence in the product image, choice and fidelity.

False alarms increase sales... otherwise they would be long gone.

lanux128 · « **Reply #14 on:** October 31, 2008, 11:17 PM »

False alarms increase sales... otherwise they would be long gone.
-gdot (October 31, 2008, 06:35 AM)

that's why AV vendors find it easier label a program as a malware instead. what can i say, fear mongering works apparently.

gdot · « **Reply #15 on:** November 05, 2008, 05:19 AM »

Opened support ticket at avast!

No reply, but false positivie disappeared 2 days after complaint (solution probably embedded in an auto-update) and GridMove is working again.

lanux128 · « **Reply #16 on:** November 05, 2008, 06:37 AM »

excellent job, gdot!

at least now we know avast! at least listen to their users' complaints.

jgpaiva · « **Reply #17 on:** November 05, 2008, 07:05 AM »

thanks a lot, gdot!!

lanux128 · « **Reply #18 on:** November 05, 2008, 11:18 PM »

Opened support ticket at avast!

No reply, but false positivie disappeared 2 days after complaint (solution probably embedded in an auto-update) and GridMove is working again.
-gdot (November 05, 2008, 05:19 AM)

gdot: just curious, is the support line for paying customers only? if not, is it possible to link that post so that future visitors can re-directed to this thread. thanks again.

wickedwookie · « **Reply #19 on:** November 06, 2008, 06:00 AM »

I also complained to the Avast! people a couple of days ago, but with a simple email to [email protected]
Told them about the false positive etc...

jgpaiva · « **Reply #20 on:** November 06, 2008, 07:53 AM »

Oh man, now that's cool. I seriously wasn't expecting you guys to do that, since it was my own job. Thanks a lot!

Kamel · « **Reply #21 on:** November 21, 2008, 06:00 PM »

lol@ "cleaned by deletion" - why can't the monkeys just call it deleted?

I personally feel it's a really bad/dangerous choice to let an AV whack off files on its own without prompting the user for action, you never know what'll scare it next.

-nosh (July 12, 2008, 07:08 AM)

I actually had an AV remove a whole custom folder of things a friend helped me make for remotely controlling my PC. The AV (I think it was norton ironically enough) listed them as "hacking tools" and removed them without asking, gone forever. What the AV does when it finds what it THINKS are 'infections' is one of my #1 concerns when finding an AV now.

lanux128 · « **Reply #22 on:** November 25, 2008, 10:19 PM »

i heard BitDefender has an option to exclude files/folders from being scanned. i wonder if there is any truth in that? while it'll be good for custom AHK scripts, it leaves a door open for other malwares to reside in that folder.

jgpaiva · « **Reply #23 on:** December 03, 2008, 11:10 AM »

I've made an update to gridmove, let's see if it solves these problems.