
Virus Warning

Last post 05-12-2008 3:43 PM by Nate. 12 replies.
  • 05-12-2008 8:04 AM

    • RodNH
    • Top 25 Contributor
    • Joined on 09-23-2007
    • Posts 39

    Virus Warning

    This morning I was greeted with the above warning from AVAST anti-virus concerning ShadowProtectSvc.exe. I deleted SPD3.2 and reinstalled (had to stop AVAST protection to do so) only to get the same warning. Furthermore AVAST will not permit SPD3.2 to run at all (from Windows) because of this Trojan Horse detection. I am assuming this is a false positive due to the recent (yesterday) update of the AVAST virus database - but am not sure. I have had no problems with 3.2 before today. In any event, AVAST and SPD3.2 cannot currently coexist in Windows. It makes no difference if the reinstall of SP is done from the downloaded trial or from the CD made from the 3.2 ISO. Please advise.

  • 05-12-2008 9:20 AM In reply to

    • John
    • Top 10 Contributor
    • Joined on 02-16-2008
    • Posts 98

    Re: Virus Warning

    Yes, it is a false positive. This has been reported in other forums as well. AVAST is complaining about the "ShadowProtectSvc.Exe" file. I'm not familiar with AVAST, so I'm not sure whether or not you can place "ShadowProtectSvc.Exe" on an "exemption" list or not. Hopefully AVAST will update their database VERY soon.

  • 05-12-2008 9:23 AM In reply to

    • Moglie
    • Top 500 Contributor
    • Joined on 05-09-2008
    • Posts 4

    Re: Virus Warning

    I have a similar message popping up from F-Secure Client Security 7.11:

    Virus & Spy Protection has detected Backdoor.Win32. Rbot.pia in file shadowprotectsvc.exe  

    They also seem to have updated their signature base about an hour ago, since then the message appears.
  • 05-12-2008 10:46 AM In reply to

    Re: Virus Warning

     Kaspersky IS 7

     

  • 05-12-2008 10:55 AM In reply to

    Re: Virus Warning

     Send it to Kaspersky, so they can correct this behaviour in their signatures.

  • 05-12-2008 11:21 AM In reply to

    • John
    • Top 10 Contributor
    • Joined on 02-16-2008
    • Posts 98

    Re: Virus Warning

    Obviously there is something peculiar to that file that is triggering these warnings from several different AV products. Hopefully someone from Storagecraft reads this thread and is able to offer an explanation or a solution.

  • 05-12-2008 12:05 PM In reply to

    • bsdice
    • Top 10 Contributor
    • Joined on 09-21-2007
    • Germany
    • Posts 215

    Re: Virus Warning

    Well I could tell you what's happening but then I'd have to shoot you all... ;)

    The binary mistaken for malware is protected by a software copy protection system to hinder unauthorized modification and it seems some virus writer got clever and also used this scheme in his own creation. Then some sloppy/dumb persons at virus companies added a pattern identifying the protection shell as "the malware" even though the real malware lies encrypted and obfuscated in the binary's guts.

    You got some options:

    - Contact AV vendor and tell them that they created a false positive

    - White list the flagged binary and put it into trusted zone (at least of KAV I know this is possible)

    - Switch back to 3.1 for the time being 

    - Deinstall ShadowProtect and switch to Acronis (just kidding)

    This is one among a few reasons we no longer put AV on servers because one day a sloppy AV pattern curator will release something that will put a bunch of vital Windows files into quarantine...
     

    Jack of many trades, master of none.
  • 05-12-2008 12:36 PM In reply to

    Re: Virus Warning

    ShadowProtectSvc.exe (ShadowProtect's NT service) incorporates security mechanisms which occasionally cause anti-virus products to mis-classify the file ShadowProtectSvc.exe as malware.

    The 3.2 (and greater) versions of ShadowProtectSvc.exe are digitally signed with a Class-3 Software Publisher's Certificate (SPC) from Verisign.  You can use this to determine if the ShadowProtectSvc.exe file has been altered since it came from StorageCraft.  If the digital signature of ShadowProtectSvc.exe is OK then you know that the anti-virus warning is a false positive, and that the ShadowProtectSvc.exe file is okay.  However, if the digital signature is invalid, then you know that the file ShadowProtectSvc.exe has been altered since it was created by StorageCraft, and may indeed be infected with malware.

    To test the digital certificate, use File Explorer to right-click on the file ShadowProtectSvc.exe (in the directory C:\Program Files\StorageCraft\ShadowProtect) and in the Properties dialog click on the Digital Signatures tab.  If this tab is missing then your version of ShadowProtectSvc.exe is not digitally signed.  Note, again, that StorageCraft started signing ShadowProtectSvc.exe starting with version 3.2, so you will not find a digital signature for version 3.1. In the Digital Signatures tab, select the  StorageCraft signature in the list and click on the Details button.  At the top of the General tab of the Digital Signature Details dialog it will either say that "The digital signature is OK." or that it is invalid.

    After you have verified that the digital signature of ShadowProtectSvc.exe is valid, you can safely add it to your anti-virus product's exception list (hopefully your AV product has such a feature). 
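
The Digital Signatures tab check described in the post above can also be scripted. This is an added example, not part of the original post and not StorageCraft's own tooling; the file path is the one given in the post, while the function name `Test-VendorSignature` and the `*StorageCraft*` subject pattern are assumptions.

```powershell
# Added example: scripted equivalent of the Digital Signatures tab check.
# Path is the one given in the post; the publisher pattern is an assumption.
$Path      = 'C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe'
$Publisher = '*StorageCraft*'   # assumed to appear in the signer certificate subject

function Test-VendorSignature {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [Parameter(Mandatory)] [string] $PublisherPattern
    )

    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        throw "File not found: $FilePath"
    }

    # Authenticode verification: file hash vs. signed hash, plus chain trust.
    $sig  = Get-AuthenticodeSignature -LiteralPath $FilePath
    # Hash of the exact file on disk, for a false-positive report.
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash

    $verdict = switch ($sig.Status) {
        'NotSigned'    { 'UNSIGNED: no signature to check (expected for 3.1)'; break }
        'HashMismatch' { 'ALTERED: file changed after signing, do not exclude'; break }
        'Valid' {
            # A valid signature only helps if it comes from the expected publisher.
            if ($sig.SignerCertificate.Subject -like $PublisherPattern) {
                'OK: valid signature from expected publisher'
            } else {
                'WRONG SIGNER: valid signature, unexpected publisher'
            }
            break
        }
        default        { "UNTRUSTED: $($sig.StatusMessage)" }
    }

    [pscustomobject]@{
        File       = $FilePath
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        SHA256     = $hash
        Verdict    = $verdict
    }
}

Test-VendorSignature -FilePath $Path -PublisherPattern $Publisher | Format-List
```

Only the `OK` verdict corresponds to the "The digital signature is OK." result in the dialog; the SHA256 value identifies the exact file when reporting the false positive to the anti-virus vendor.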

  • 05-12-2008 12:44 PM In reply to

    Re: Virus Warning

     Got response from Kaspersky:

     

    Hello.
    Sorry, it's false alarm. Its detection will be deleted in the next update. Thank you for your help.

     

  • 05-12-2008 12:56 PM In reply to

    Re: Virus Warning

    Great!  Thanks for that!  These AV companies share virus signatures (which is why today four of them suddenly decided to mis-classify ShadowProtectSvc.exe as malware) and so we should see this issue go away within a day or so on all of these AV products.
  • 05-12-2008 12:59 PM In reply to

    • John
    • Top 10 Contributor
    • Joined on 02-16-2008
    • Posts 98

    Re: Virus Warning

    AVAST has also updated to exclude the false positive.

  • 05-12-2008 1:19 PM In reply to

    • RodNH
    • Top 25 Contributor
    • Joined on 09-23-2007
    • Posts 39

    Re: Virus Warning

    I just got the updated AVAST signatures (5/12/08) and the problem has been corrected.

  • 05-12-2008 3:43 PM In reply to

    Re: Virus Warning

    Cool.  This is quickly becoming a non-issue.
(c) StorageCraft Technology Corporation 2008