Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: junkman on November 22, 2011, 06:30:07 AM

Title: WIN32-Hupigen-ONX[tri] with Paragon Drive Backup
Post by: junkman on November 22, 2011, 06:30:07 AM
Hi,
I’ve seen a couple other posts along this line, but didn’t see a clear answer.
I scan my computer for viruses with Avast and receive 0 infections.  I then create an image of my hard drive on an external USB drive with Paragon Drive Backup 9 Personal.  When Avast anti-virus scans the drive image files I just created it detects a threat of WIN32-Hupigen-ONX[tri] in the created images.  This has happened multiple times with multiple Avast virus definition files.

Three Questions:
1.  How do I check to ensure these image files are still intact?  (Avast “removes” the infection from the backup.)
2.  Is this a false positive because of the way Paragon processes things or am I really detecting a virus?
3.  Is the paid version of Avast or Avast Internet Security any better in this situation?
thanks

Thanks,

Paragon Drive Backup 9.0 Personal

Windows XP Home SP3
CPU-Intel Pentium 4 Dual 3.0 GHz
2G RAM
External USB Drive -Western Digital 640G
Title: Re: WIN32-Hupigen-ONX[tri] with Paragon Drive Backup
Post by: ady4um on November 22, 2011, 11:45:59 AM
1_ Don't let Avast take any automatic action. If Avast asks you what to do with that "infection" and you can't skip it, then you would need to add a temporary exclusion / exception.

2_ You need to provide more info. What exactly is being reported as infected? What infection / malware is detected? Is this being changed from the original (compare it with checksum)? Can you scan in the original system the exact same items that are "detected" in the backup? Have you checked / scanned the backup software itself?

3_ The antivirus definitions are the same across versions, so I don't think there is any difference in this case.
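
The checksum comparison suggested in the reply above, as an added example that is not part of the original thread: record a SHA-256 manifest of the image files right after the backup finishes, then verify it after any antivirus scan to see whether a file was altered or removed. The function names and the manifest layout are assumptions made for this sketch; keep the manifest outside the image folder.

```python
import hashlib
import json
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time; backup images are too large to load whole


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(image_dir, manifest_path):
    """Record size and SHA-256 of every file under image_dir (run right after the backup)."""
    root = Path(image_dir)
    manifest = {
        str(p.relative_to(root)): {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    }
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(image_dir, manifest_path):
    """Return {relative_path: status} for files that are missing, modified or unexpected."""
    root = Path(image_dir)
    recorded = json.loads(Path(manifest_path).read_text())
    problems = {}
    for name, meta in recorded.items():
        path = root / name
        if not path.is_file():
            problems[name] = "missing"      # e.g. moved or deleted by the scanner
        elif path.stat().st_size != meta["size"] or sha256_file(path) != meta["sha256"]:
            problems[name] = "modified"     # content no longer matches the recording
    for p in root.rglob("*"):
        rel = str(p.relative_to(root))
        if p.is_file() and rel not in recorded:
            problems[rel] = "unexpected"    # file that was not there when recorded
    return problems
```

An empty result from `verify_manifest` means every image file is byte-for-byte what the backup tool wrote; it says nothing about whether the detection itself is a false positive.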
Title: Re: WIN32-Hupigen-ONX[tri] with Paragon Drive Backup
Post by: Pondus on November 22, 2011, 12:29:26 PM
Quote
2.  Is this a false positive because of the way Paragon processes things or am I really detecting a virus?
do you have the file in avast chest?

if so you can upload it to an online multiscanner to see if it is only avast that detects it....or many others also

here is how to
Quote
Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

Now you go to one of these online scanners and browse to that folder/file and test it
when done post the link to the scan result here



upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners
when you have the result, copy the url in the address bar and post it here for us to see


alternative
Jotti     http://virusscan.jotti.org/en
VirSCAN   http://virscan.org/
Metascan   http://www.metascan-online.com/


Title: Re: WIN32-Hupigen-ONX[tri] with Paragon Drive Backup
Post by: DavidR on November 22, 2011, 02:39:06 PM
I rather doubt the detection on a backup image would be able to be uploaded to VT or any of the other multi-engine scanners as a hard disk image even when compressed is going to be massive.

I guess that the detection is only on the actual backup image file and not a file within it, is that correct (as you don't give the full details of the detection, file name and full path) ?

When I see WIN32:Hupigen detections on drive imaging software, I think FP as these massive, highly compressed files, seem to confound avast, you only need to search for WIN32:Hupigen in the forums to see they are invariably on backup image files and/or pagefile.sys.

####
I scan my system before doing my weekly image backup and exclude my backup images from being scanned (they are inert until you elect to open them or restore them), example g:\Backups\DriveImages\*.v21 this is the file type for my DriveImage backup files, replace the *.v21 with the * and your image file type.

That can be entered in the avastUI, Settings, Exclusions, if you accept the limited risk this may present, given that we don't actually know what file it is detecting, but as said if on a file inside the image backup then that is inert until you open/restore it. At that point if there was a truly infected file inside it would be detected by avast's file system shield as you restore the image (if restored whilst windows is running) or on a subsequent on-demand scan.
Title: Re: WIN32-Hupigen-ONX[tri] with Paragon Drive Backup
Post by: Pondus on November 22, 2011, 02:45:48 PM
Quote
I rather doubt the detection on a backup image would be able to be uploaded to VT or any of the other multi-engine scanners as a hard disk image even when compressed is going to be massive.
you say massive, would it then be moved to chest! or should there also be an avast error message....avast can not...... ?
Title: Re: WIN32-Hupigen-ONX[tri] with Paragon Drive Backup
Post by: DavidR on November 22, 2011, 02:55:46 PM
No, as I believe it would also exceed the maximum size to send which is 16MB I believe. There would normally be a message that it couldn't be moved, and possibly something not so helpful like

However, much of this and my other reply is speculation as we don't have the full facts of the detection, file name and full path.

So it would depend on A) if avast is actually able to unpack these massive image backup files, B) if so, can it extract infected files (action not supported error) without corrupting the main image file and C) exactly what it is that is to be moved to the chest, a file within the image backup or the whole image backup file.
Title: Re: WIN32-Hupigen-ONX[tri] with Paragon Drive Backup
Post by: Asyn on November 22, 2011, 03:05:11 PM
Quote
No, as I believe it would also exceed the maximum size to send which is 16MB I believe.

Well, that's the standard setting. You could set it higher, if needed.
Anyway, I wouldn't do that with a (usually very large) backup image. ;)
Title: Re: WIN32-Hupigen-ONX[tri] with Paragon Drive Backup
Post by: DavidR on November 22, 2011, 03:27:19 PM
Yes you could, but for the greatest majority that is left on the default settings and why any such move would fail in the first instance. But as I said all of this is speculation until we get some feedback from the OP.
Title: Re: WIN32-Hupigen-ONX[tri] with Paragon Drive Backup
Post by: DonZ63 on November 22, 2011, 10:39:36 PM
I posted a while back on this issue.

I use Paragon 9 and Avast 6.0.1289 found the same trojan in my Paragon archives. I went so far as to delete all my old archives and then create a new one. Avast said it also contained that trojan. My XP installation is clean as a whistle.

Strange part of all this was it found the trojan in my XP archives but not my WIN 7 archives. I run a dual boot XP SP3 and WIN 7 x64 SP1 configuration.

My personal opinion is Avast has a problem with Paragon XP archives. I would view the Avast detection as a false positive.