Program is 'probably infected by PE virus' and false alarms
PE stands for 'Portable Executable', which is the executable file type used by 32-bit Windows operating systems (Windows 9x, Millennium, NT, 200x, XP). PE infectors are viruses that infect PE files exclusively.
A single file flagged by IV as containing 'suspect PE code' isn't necessarily infected.
True viruses and malicious code disclose their presence in more than one way. If you have been running the particular program before and no other file was flagged as containing suspect PE code, no other warning message was issued by IV, or the file was obtained from a reliable and trusted source, then it's very likely that the file is benign.
To the attention of users running W2K, XP or NT: when InVircible is run regularly, these platforms are unlikely to become massively infected by a PE infector. The reason is IV's real-time integrity monitoring (RTIM). For more information read the linked page.
Online virus checking is provided by some AV producers. When in doubt, submit the file for online inspection. This procedure is especially useful for identifying the attacking virus and determining the best course of action to get rid of it.
XP and Millennium Edition (ME), System Restore, and virus issues: The 'system restore' feature implemented in both XP and ME poses special problems when dealing with malware, especially when trying to get rid of it. If you run ME or XP, first read the topic from this link, then come back to this page and read on.
You should take no chances when IV flags a fresh download, especially if it was downloaded from an obscure source or received through e-mail.
Stopping a false alarm: If you are sure that the file is benign and you wish to keep and use it, you may choose from the following options:
If the flagged file is a setup program, such as a Windows update, then disable Interceptor momentarily: click the IV icon, select 'status' and then 'none'. Or you could 'unload' Interceptor altogether to run the setup program. Interceptor will reload the next time Windows is started.
Otherwise, you can add the file name to the 'executables exclude list' to prevent Interceptor from alerting on it.
A simple method for adding a file name to the exclude list is to scan the drive/directory with Audit&Integrity, then right-click the file in the report window and add it to the 'ignore' list.
Deleting suspicious files. If you are sure that the file is infected, or if you don't want to take any chances on its trustworthiness, press the 'Delete' button in the Interceptor popup window and the offending file will be removed.
Please don't send us e-mail with suspicious files for inspection. We have no interest in them, and we don't collect virus samples. Files sent without obtaining our permission first will be removed from the mail server, without being opened.
Please don't attach screen captures with error messages. Screen captures are useless in the interpretation of problems and they waste bandwidth. Instead, attach to your e-mail the Interceptor real-time report, named Realtime.rpt and found in C:IVRPT.
Users with an investigative soul and a command of the DOS command line may download the CheckPEI utility. CheckPEI is self-explanatory. It provides a more detailed analysis of the reason a file is suspected and allows a better assessment of the risks involved in running the suspected program.
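What 'suspect PE code' can mean structurally, as an added example that is not InVircible's or CheckPEI's code. The page does not say which checks IV applies, so the traits tested here (entry point in the last section, entry section both writable and executable) are assumed, commonly used heuristics; packed and self-extracting setup programs can show the same traits, which is one source of false alarms. The sample images are constructed, header-only files and build_sample is a hypothetical helper.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* section flags

def parse_pe(data):
    """Return (entry_rva, [(name, rva, size, flags)]); ValueError if not a PE file."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("no MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        nsec, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
        opt = pe_off + 24                                      # optional header
        (entry,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
        sections = []
        for i in range(nsec):                                  # 40-byte section headers
            name, vsize, rva, rsize, flags = struct.unpack_from(
                "<8sIII16xI", data, opt + opt_size + 40 * i)
            sections.append((name.rstrip(b"\0").decode("latin-1"), rva, max(vsize, rsize), flags))
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return entry, sections

def suspect_traits(data):
    """Structural traits assumed here as 'suspect'; not IV's actual rule set."""
    entry, sections = parse_pe(data)
    if entry == 0:                      # e.g. a DLL without an entry point
        return []
    for i, (name, rva, size, flags) in enumerate(sections):
        if rva <= entry < rva + size:   # section that holds the entry point
            traits = []
            if i > 0 and i == len(sections) - 1:
                traits.append("entry point in last section " + name)
            if flags & MEM_WRITE and flags & MEM_EXECUTE:
                traits.append("entry section " + name + " is writable and executable")
            return traits
    return ["entry point outside every section"]

def build_sample(entry, sections):
    """Constructed header-only image (no code) for the demonstration."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(0xE0, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, rva, sz, 0, 0, 0, 0, 0, fl)
                     for n, rva, sz, fl in sections)
    return dos + b"PE\0\0" + coff + opt + table

TEXT, DATA = (b".text", 0x1000, 0x1000, 0x60000020), (b".data", 0x2000, 0x1000, 0xC0000040)
CLEAN = build_sample(0x1000, [TEXT, DATA])
APPENDED = build_sample(0x3010, [TEXT, DATA, (b".xyz", 0x3000, 0x1000, 0xE0000020)])
```

A non-empty result is a reason to look closer, not a verdict: weigh it against where the file came from and whether anything else was flagged.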