Author Topic: Gameguard is now falsely detected as infected  (Read 3957 times)


Trerro

  • Guest
Gameguard is now falsely detected as infected
« on: July 28, 2008, 03:27:13 AM »
As of today's virus definitions update, GameGuard, a commonly used anti-cheat program used by a bunch of games, is detected as a trojan. While Gameguard is a rather annoyingly aggressive program, it is not a trojan, even if its use of API hooks to check everything you do makes it look like one. Avast is currently stopping games from running that use this security program.

The virus is detected as "Win 32:Trojan-gen {Other}".
I can confirm that the game Grand Chase is doing this, and based on the other thread I see about a "video game related" virus, it appears every or almost every game presently using Gameguard is affected by this false flag.
Edit: Looks like that other thread is something different. It may just be GC that's doing this. Has anyone else tried a game that uses GG since the last Avast update?

« Last Edit: July 28, 2008, 03:42:42 AM by Trerro »

Jtaylor83

  • Guest
Re: Gameguard is now falsely detected as infected
« Reply #1 on: July 28, 2008, 04:39:33 AM »
Hi there. There have been some issues between GameGuard and antiviruses (including avast!).



Please upload the file to VirusTotal and post the results.

Trerro

  • Guest
Re: Gameguard is now falsely detected as infected
« Reply #2 on: July 28, 2008, 04:46:28 AM »
A few other programs are seeing it as a trojan, including one that thinks it's a rootkit, but 30/35 are currently listing it as harmless.

File dump_wmimmc.sys.vir received on 07.28.2008 04:34:29 (CET)
Antivirus   Version   Last Update   Result
AhnLab-V3   2008.7.26.0   2008.07.27   -
AntiVir   7.8.1.12   2008.07.26   SPR/Agent.IF
Authentium   5.1.0.4   2008.07.28   -
Avast   4.8.1195.0   2008.07.27   Win32:Trojan-gen {Other}
AVG   8.0.0.130   2008.07.27   -
BitDefender   7.2   2008.07.28   -
CAT-QuickHeal   9.50   2008.07.25   -
ClamAV   0.93.1   2008.07.28   -
DrWeb   4.44.0.09170   2008.07.27   -
eSafe   7.0.17.0   2008.07.27   -
eTrust-Vet   31.6.5983   2008.07.26   -
Ewido   4.0   2008.07.27   -
F-Prot   4.4.4.56   2008.07.28   -
F-Secure   7.60.13501.0   2008.07.28   -
Fortinet   3.14.0.0   2008.07.26   -
GData   2.0.7306.1023   2008.07.28   Win32:Trojan-gen
Ikarus   T3.1.1.34.0   2008.07.28   Trojan.Rootkit
Kaspersky   7.0.0.125   2008.07.28   -
McAfee   5347   2008.07.25   -
Microsoft   1.3704   2008.07.28   -
NOD32v2   3301   2008.07.27   -
Norman   5.80.02   2008.07.25   -
Panda   9.0.0.4   2008.07.27   -
PCTools   4.4.2.0   2008.07.27   -
Prevx1   V2   2008.07.28   -
Rising   20.54.62.00   2008.07.27   -
Sophos   4.31.0   2008.07.28   -
Sunbelt   3.1.1536.1   2008.07.25   -
Symantec   10   2008.07.28   -
TheHacker   6.2.96.389   2008.07.25   -
TrendMicro   8.700.0.1004   2008.07.26   -
VBA32   3.12.8.1   2008.07.27   -
ViRobot   2008.7.26.1311   2008.07.28   -
VirusBuster   4.5.11.0   2008.07.27   -
Webwasher-Gateway   6.6.2   2008.07.28   Riskware.Agent.IF
Additional information
File size: 203143 bytes
MD5...: e4fca8005f625177e1ab713e5fdb1ac1
SHA1..: b43fdc5bbd53aec25afd8782246a1e04c8c279e9
SHA256: c10d67d802c2a28a11debf8a66d4e5510335f2ef51555f00c8697b790c1d9873
SHA512: abc5cf9c8583adc01f1a55e45e07b80f8362c1233d095e9a3a8fb912f9797daa2cf04718e20e9224d5f7a1b5a07c98e7dc6986b12e3da1ec6fe9ae7f140016a4
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x19e6d
timedatestamp.....: 0x47900a55 (Fri Jan 18 02:09:25 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x280 0x7078 0x7080 7.35 33fb0b72e420d0ba9000d89d2fda3f7f
.data 0x7300 0x1d10 0x1d80 0.51 bda8490f8d800f1f7ff788269730eb31
INIT 0x9080 0x1b2c 0x1b80 7.36 72c36c45932dede200185ce9f7668ea9
.reloc 0xac00 0x26d87 0x26d87 7.69 e68bdb161d3e22db8dbcdd947e886f52

( 2 imports )
> ntoskrnl.exe: _allmul, PsGetVersion, ObfDereferenceObject, ObReferenceObjectByHandle, PsGetCurrentProcessId, strncmp, IoGetCurrentProcess, ZwClose, ObOpenObjectByName, RtlCompareUnicodeString, memcpy, ExAllocatePoolWithTag, ExFreePoolWithTag, RtlCompareMemory, ObOpenObjectByPointer, MmProbeAndLockPages, ProbeForRead, _except_handler3, IoFreeMdl, MmUnlockPages, MmUnmapLockedPages, KeDetachProcess, MmMapLockedPagesSpecifyCache, MmCreateMdl, KeAttachProcess, _stricmp, strcpy, ZwQuerySystemInformation, RtlFreeUnicodeString, RtlAnsiStringToUnicodeString, RtlInitAnsiString, PsTerminateSystemThread, KeCancelTimer, KeWaitForMultipleObjects, KeSetTimerEx, KeSetEvent, KeInitializeTimerEx, memset, _vsnprintf, KeReadStateEvent, KdEnteredDebugger, KdDebuggerEnabled, Ke386SetIoAccessMap, Ke386QueryIoAccessMap, KeStackAttachProcess, KeGetCurrentThread, PsCreateSystemThread, KeInitializeEvent, Ke386IoSetAccessProcess, KeClearEvent, memmove, IoGetRelatedDeviceObject, ZwDuplicateObject, IofCompleteRequest, IoDeleteDevice, IoDeleteSymbolicLink, RtlInitUnicodeString, MmFreeNonCachedMemory, PsSetCreateProcessNotifyRoutine, ZwQueryInformationProcess, ZwOpenProcess, MmIsAddressValid, IoCreateNotificationEvent, PsLookupProcessByProcessId, KeServiceDescriptorTable, MmAllocateNonCachedMemory, IoCreateSymbolicLink, IoCreateDevice, strlen, PsGetCurrentThreadId, KeSetTimer, strncpy, KeWaitForSingleObject
> HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel

( 0 exports )
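
Added example, not part of the original posts and not any vendor's tooling: a small triage helper that reads the import lines of a report like the one above and groups the driver's kernel imports by the capability they provide, which helps explain why a generic or rootkit-style detection can fire on a legitimate anti-cheat driver. The grouping table and the names `parse_imports` and `triage` are assumptions made for illustration; the sample input is a shortened copy of the posted import list.

```python
import html
import re

# Assumed grouping for illustration; not a rule set from any antivirus vendor.
CAPABILITY_GROUPS = {
    "system call table access": {"KeServiceDescriptorTable"},
    "attach to other processes": {"KeAttachProcess", "KeStackAttachProcess",
                                  "KeDetachProcess"},
    "map or lock foreign memory": {"MmProbeAndLockPages", "MmCreateMdl",
                                   "MmMapLockedPagesSpecifyCache"},
    "process monitoring": {"PsSetCreateProcessNotifyRoutine", "ZwOpenProcess",
                           "ZwQuerySystemInformation",
                           "PsLookupProcessByProcessId"},
    "debugger checks": {"KdDebuggerEnabled", "KdEnteredDebugger"},
    "I/O port permissions": {"Ke386SetIoAccessMap", "Ke386IoSetAccessProcess"},
}

# Shortened copy of the import lines in the posted report (subset of names).
SAMPLE_PEINFO = (
    "( 2 imports )\n"
    "> ntoskrnl.exe: PsGetVersion, ZwClose, memcpy, MmProbeAndLockPages, "
    "KeDetachProcess, KeAttachProcess, ZwQuerySystemInformation, "
    "KdEnteredDebugger, KdDebuggerEnabled, Ke386SetIoAccessMap, "
    "PsSetCreateProcessNotifyRoutine, ZwOpenProcess, KeServiceDescriptorTable, "
    "IoCreateDevice\n"
    "> HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel\n"
    "( 0 exports )\n"
)

def parse_imports(peinfo_text):
    """Return {dll: set of function names} from '> dll: f1, f2' lines."""
    # Accept the raw forum form too, where '>' is '&gt;' and breaks are '<br>'.
    text = html.unescape(peinfo_text.replace("<br>", "\n"))
    imports = {}
    for line in text.splitlines():
        m = re.match(r">\s*([\w.]+):\s*(.*)", line.strip())
        if m:
            names = {n.strip() for n in m.group(2).split(",") if n.strip()}
            imports.setdefault(m.group(1).lower(), set()).update(names)
    return imports

def triage(imports):
    """Return {group: sorted matching imports}, skipping groups with no hit."""
    seen = set().union(*imports.values())
    return {g: sorted(seen & funcs)
            for g, funcs in CAPABILITY_GROUPS.items() if seen & funcs}

if __name__ == "__main__":
    for group, hits in triage(parse_imports(SAMPLE_PEINFO)).items():
        print(f"{group}: {', '.join(hits)}")
```

A hit in these groups describes capability, not intent; it is context to send along with a false-positive submission, not a verdict.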

Jtaylor83

  • Guest
Re: Gameguard is now falsely detected as infected
« Reply #3 on: July 28, 2008, 05:10:31 AM »
Send the file in a password-protected zip folder to virus@avast.com.


Trerro

  • Guest
Re: Gameguard is now falsely detected as infected
« Reply #4 on: July 28, 2008, 06:23:33 AM »
Ok, I sent the file to that address in a passworded .zip file, and included a link to this thread so they can also see the VirusTotal report.