DPH: Trojan.Encoder in Reg Organizer – False Positive of Dr.Web
July 18, 2017 (updated 1 year ago) by Chemtable Software
After updating or while using the Reg Organizer program, the Dr.Web antivirus blocks one or several files of the program, placing them in quarantine with the label DPH: Trojan.Encoder.
Brief Description
Since 2017, the behavioral analyzer of the Dr.Web antivirus occasionally blocks the operation of the official executable file of the Reg Organizer utility, labeling it as DPH: Trojan.Encoder (ransomware), even though the same antivirus does not detect any threats in Reg Organizer during its scan. The antivirus developers acknowledge that this is a false positive (see the full history of this issue) and promise to fix it in the future.
This occurs when the utility accesses files, folders, or registry keys that Dr.Web protects. Instead of displaying a message about the process being blocked from accessing protected areas of the system, it triggers the protection against ransomware trojans, and Reg Organizer is placed in quarantine. Users then see a message indicating that the antivirus successfully blocked a dangerous threat and mistakenly assume that Reg Organizer has infected their computer with a virus.
The problem last occurred in December 2022 when we released the first beta version of Reg Organizer 9.10 beta 1.
To verify that this is a false positive, you can also refer to the VirusTotal report (an online service that checks files with all major antivirus systems simultaneously). You can review the latest report through the link provided below.
VirusTotal Report (RegOrganizer.exe)
You can also independently submit any Reg Organizer file downloaded from the official website (chemtable.com, files.chemtable.com) to VirusTotal and confirm for yourself that it is clean.
How to Configure Dr.Web to Prevent It From Blocking Reg Organizer
To work around the issue, the antivirus developers recommend reinstalling Reg Organizer and, without launching it, adding the utility’s files to the antivirus exclusions.
Follow these steps:
1. Go to the Security Center.
2. Navigate to Preventive Protection → Ransomware Protection.
3. Select Add Application.
4. Add the Reg Organizer executable files there:
– C:\Program Files\Reg Organizer\RegOrganizer.exe
– C:\Program Files\Reg Organizer\Updater.exe
– C:\Program Files\Reg Organizer\StartupCheckingService.exe
If the detection is triggered on temporary files with the *.tmp extension during the utility's update process, we recommend temporarily disabling ransomware protection for the duration of the update.
Adjusting Settings In Reg Organizer
Starting from version 9.11 of Reg Organizer, some features are automatically disabled if Dr.Web antivirus is present on the system. After adding the utility to the exclusions, you can reactivate these features. To do so, you need to enable the specified sections within Reg Organizer itself. Some sections may not appear in the list. For example, if you do not have Yandex.Browser installed, you will not see its item in the system cleanup (and therefore, it will be impossible to enable it). Similarly, if you do not use certain browsers, you can choose not to enable them.
In System Cleanup:
- MS Edge cache
- Firefox Cache
- New MS Edge Cache and Compacting DB
- Yandex.Browser Cache and Compacting DB
- Chrome Cache and Compacting DB
- Opera Cache and Compacting DB
- Temporary files of Internet Explorer
In Private Data Cleanup:
- Recent Documents
- Additional Web Cache
How to Submit a False Positive Report to Dr.Web Developers
If you encounter a false positive with Dr.Web, it is important to report it to the antivirus developers by attaching the log file of the antivirus program’s activity to your message.
The log file can be found at the following path (you can paste it into the File Explorer address bar as is; the %ProgramData% variable is expanded automatically):
%ProgramData%\Doctor Web\Logs\dwservice.log
You should send this log file to the antivirus support team using the link provided below.
The more reports they receive, the faster the antivirus developers can address the false positive issue.
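The two checks the article asks you to perform by hand, confirming that the installed Reg Organizer files are unmodified and clean, and gathering the Dr.Web log for a false-positive report, can be done from an elevated PowerShell prompt. The script below is an added example and is not part of this article or of Chemtable's or Dr.Web's software. It assumes the default installation folder and file names listed above, the Dr.Web log path given above, and VirusTotal's "look up by SHA-256" URL form; the output folder name is our own choice.

```powershell
# Added example (not Chemtable's or Dr.Web's code): hash and signature-check the
# Reg Organizer executables named in the article, print a VirusTotal lookup link
# for each, and copy the Dr.Web service log into one folder for the report.
# Assumptions: default install path, default Dr.Web log path, and an output
# folder on the desktop (our own choice).

$regOrgDir = 'C:\Program Files\Reg Organizer'
$files     = @('RegOrganizer.exe', 'Updater.exe', 'StartupCheckingService.exe')
$report    = Join-Path $env:USERPROFILE 'Desktop\drweb-fp-report'   # assumed output folder
New-Item -ItemType Directory -Path $report -Force | Out-Null

$results = foreach ($name in $files) {
    $path = Join-Path $regOrgDir $name
    if (-not (Test-Path $path)) {
        # A missing file usually means Dr.Web has already moved it to quarantine.
        Write-Warning "$path not found (quarantined or not installed?)"
        continue
    }
    # The SHA-256 identifies the exact file on VirusTotal without uploading it again.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    # Authenticode status tells you whether the binary is still the signed vendor build;
    # the signer subject is reported as-is, not asserted.
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File     = $name
        SHA256   = $hash
        SigState = $sig.Status
        Signer   = $sig.SignerCertificate.Subject
        VTLookup = "https://www.virustotal.com/gui/file/$hash"
    }
}

# Keep a copy of the hash/signature summary alongside the log for the report.
$results | Format-List | Out-File -FilePath (Join-Path $report 'hashes.txt')
$results | Format-List

# Copy the Dr.Web service log the article asks you to attach; %ProgramData% is expanded here.
$log = Join-Path $env:ProgramData 'Doctor Web\Logs\dwservice.log'
if (Test-Path $log) {
    Copy-Item -Path $log -Destination $report
} else {
    Write-Warning "Dr.Web log not found at $log"
}
Write-Host "Report material collected in $report"
```

Open each VTLookup URL in a browser to see the existing VirusTotal verdict for that exact hash; a file that has never been submitted will show no result, and that is when you upload it through the VirusTotal site. Run the script before Dr.Web quarantines the files (or after restoring them from quarantine), since a quarantined file is no longer at its original path.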
Full History of the Issue (Since 2017)
We initially raised this issue with the developers of Dr.Web, and on July 18, 2017, we received the following response:
The antivirus algorithms functioned correctly according to their formal specifications, but in this particular case, it was a false positive. The issue will be resolved in the future.
In November 2017, the problem with Dr.Web antivirus remained unresolved, so we reached out to the developers of the product again for clarification. On November 27, 2017, we received the following response:
Reg Organizer software accesses the system registry for modification, alteration, and deletion of registry keys, which is a typical virus-like activity. Currently, there is no definitive solution, only a “workaround”.
Our developers are aware of the issue, but there are still no specific timelines for a global solution.
Thus, Dr.Web considers the registry access by the system utility as virus activity. As a result, certain features of the Reg Organizer program, such as uninstalling applications via the context menu or updating, will be unavailable if Dr.Web is installed on the system. In some cases, Dr.Web may block the program’s operation entirely.
From the fall of 2017 until the end of 2022, no significant issues arose.
In December 2022, the antivirus once again started blocking the operation of the Reg Organizer utility after the release of the first beta version 9.10, prompting us to reach out to the developers of Dr.Web again.
Currently, as a workaround for the blocking issue, you can create a rule in the preventive protection settings.
I have attached a screenshot below: Security Center – Preventive Protection – Ransomware Protection – Add Application – C:\Program Files\Reg Organizer\RegOrganizer.exe, and set it to “Allow”. If this doesn’t help, we will need a report from the utility http://download.geo.drweb.com/pub/drweb/tools/dwsysinfo.exe from one of the systems where the triggering occurs after adding the rule for the RegOrganizer.exe executable in preventive protection. We are also interested in a screenshot of the specified rule.
If the triggering is happening on temporary files, it becomes more complicated. If the executable file that triggers the detection is now located in the tmp directory, the only option left is to temporarily disable the Ransomware Protection entirely while performing actions from that temporary directory, as it is not possible to create a rule for unidentified executable files with random names.
However, they were still unable to reproduce the triggering on their systems.
As a result of collecting data from our users over a period of time, we consolidated the information and partially reproduced the false positive triggering of the antivirus during the utility’s operation. We immediately informed the antivirus developers about this on January 31, 2023, and proposed to be added to the antivirus whitelist. We received the following response:
Thank you for your feedback. In cases like these, adding a rule for the executable file C:\Program Files\Reg Organizer\RegOrganizer.exe in the Ransomware Protection section should help prevent the triggering.
I don’t see any specific exceptions in the current log, but there might not have been any if the goal was to reproduce the detection.
Regarding the trusted list, we do have one, and applications are added to it regardless of their versions. However, unfortunately, the decision was made by the antivirus laboratory not to add Reg Organizer to the trusted list. Therefore, without exceptions, triggers will occur when attempting various changes to system files, registry branches, and protected areas. If a Dr.Web user trusts Reg Organizer, they can add corresponding exceptions to suppress antivirus triggers. At the moment, we can’t offer any other solution, unfortunately.
In our subsequent communication, we emphasized that our mutual clients trust their antivirus and consider their computers infected with ransomware due to the false positive, which is not the case. We requested an official response from the antivirus developers on this matter, so that we could provide it to our users.
In response, the developers suggested using a workaround by adding the utility to the antivirus exclusions, stating that they do not intend to add it to the whitelist because it is a “registry cleaning” tool.
Based on the review of your inquiry, we would like to inform you that during the system cleanup process using Reg Organizer software in the presence of Dr.Web antivirus products, our protection may trigger due to the similarity of actions performed by the mentioned software to those of ransomware threats.
Adding this software to the trusted list is not possible due to the current policy of the virus laboratory regarding programs whose functions are focused on system registry cleanup.
In light of the above, we can recommend to customers using Dr.Web antivirus to add the executable file of the Reg Organizer program to the exceptions.
We promptly provided clarification that the registry cleaning functions have not been included in the standard version of the utility since 2017, as this tool has lost its effectiveness on modern operating systems, as stated in the utility’s usage instructions. We also requested a reconsideration of the possibility of being added to the whitelist.
On March 6, 2023, the Dr.Web developers responded that they are aware of all the information but do not have any specific timelines or decisions, after which they closed the dialogue by closing the support ticket.
Our developers are aware of the information, but there is still no timeline for a global solution.
Once we receive any information from them, we will promptly inform you. Thank you for your inquiry.