Ghost Keylogger Exclusion Issue

[black296tuuk]

I use Ghost Keylogger on several of my boxes at home. I have used this on many machines in the past without issue. Recently I have been having the problem of Avast ignoring the exclusion and giving me a FP on something that I want to use.  I understand that there are two sets of exclusions and I have added the path to both. For the scan exclusion I am using C:\Program Files\Sync Manager\* and for the Standard Shield Exclusion I am using C:\Program Files\Sync Manager\syncconfig.exe and C:\Program Files\Sync Manager\agent\syncagent.exe. One is used for the configuration and one is used for the program itself. I have also tried using a wildcard in several locations without success.

When I try and start either EXE I am hit with the Trojan warning. I thought that maybe I was typing the file location wrong so I have even tried copying and pasting from the Avast notification window.

I have checked the ini file and the exclusion shows up correctly. I have tried disabling the self defense mode as well.

I am running Windows 2000 (sp4) with Avast home 4.8.1227

I have spent a bunch of time on this. I must be missing something simple.

Any ideas?

[DavidR]

You should definitely stick to the specific file as the use of a wildcard in the folder leaves too big a hole.

When the alert comes up, you can actually copy the actual path and file name to use in the exclusions lists.

You could also use the Program Settings, Exclusions, Add, use the browse button to actually select the file, now that should work (for the on-demand scans). You could also copy the path from the Selected paths: filed and use that in the Standard Shield, see image.

Note there are quotes around the path in the image, you could try that as the spaces in the path could be the issue in w2k. Or you could try the short path like Progra~1 style of writing folders with spaces.

You should also really confirm the detection is good/bad and have avast correct if bad, that is the right way to go about it, so it is corrected for all avast users.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

[Jtaylor83]

This may not be a false positive.

Ghost Keylogger is classified as Spyware.GhostKeylogger.B by Prevx.

Sunbelt Malware Research Labs classifies it as a surveillance tool.

A-squared classifies it as Adware.Win32.Ghost Keylogger.

[black296tuuk]

The scan has not been an issue. The issue has been the Standard Shield protection.

I copied the path from the alert on both. Alert still came back.

I tried adding quotes to both paths. Alert still came back.

I am not sure what to think about the false positive part. I don't consider the software malicious, but I am sure if it is used with the wrong intent it can be considered malicious. Either way, shouldn't I be able to get it to exclude the files?

Please let me know if I need to repost in a different section.

Thank you.

[DavidR]

This is the right section as it is related to a detection and it keeps the information together. But, lets get to the real issue the detection also.

The problem with keylogger tools is that avast isn't to know if it is used for good or evil.

You have to confirm or deny the detection as above and if an FP submit the sample/s to avast as in the link above.

[black296tuuk]

Here are the reports

http://www.virustotal.com/analisis/72398917af86fbf57e9d9164afa55bb4

http://www.virustotal.com/analisis/72f3285c7addd50720db746060fe9740

I would not consider this a fales positive. This does not change the fact that I would like to let the software run.

Also I tried C:\* in the Standard Shield exclusions and Avast still brings up the alert.

[DavidR]

Apart from the c:\* is absolutely crazy (if only for a test), so I don't know what is going on with your installation as that should effectively stop all scanning of the c drive.

You could try c:\*\syncconfig.exe and c:\*\syncagent.exe.

Can you post the entries in the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. Or easier C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log (it is just a text file copy and paste the entries.

What is it that you use the keylogger for ?
Perhaps there is a better option.