Virus or false positive?

All topics about ZGameEditor go here.


Ats
Posts: 603
Joined: Fri Sep 28, 2012 10:05 am

Virus or false positive?

Post by Ats »

I just discovered that each and every exe file generated by ZGameEditor gives a positive with a lot of anti-virus software.
Here's the scan for my last version of Omeganaut:
https://www.virustotal.com/#/file/2d659 ... /detection

My problem is that, because of the update I uploaded yesterday, my website was listed by Google as malicious and everything you could download on it is now blocked by Chrome... I already saw that in old example files on your forum. Do you know what I can do?
VilleK
Site Admin
Posts: 2274
Joined: Mon Jan 15, 2007 4:50 pm
Location: Stockholm, Sweden

Re: Virus or false positive?

Post by VilleK »

Hi, perhaps try a version that is not UPX compressed? Some AV software gives false positives on all compressed executables.
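An added check, not code from the thread or from ZGameEditor, that reads a PE file's section table so you can confirm whether the build you are about to upload to a scanner is still UPX-packed (UPX renames sections to UPX0/UPX1/...). The headers-only PE image it parses by default is constructed inline for the demonstration; pass a real exe path to inspect that instead.

```python
"""Added example, not code from the thread or from ZGameEditor: list the
section names of a PE executable to see whether it is UPX-packed (UPX names
its sections UPX0/UPX1/...). The sample PE image is constructed by hand."""
import struct
import sys

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is 40 bytes; the name is the first 8
COFF_HEADER_SIZE = 20     # IMAGE_FILE_HEADER, right after the "PE\0\0" signature


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image; raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 4 + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(nsec):
        raw = data[table + i * SECTION_HEADER_SIZE:][:8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(names: list) -> bool:
    """UPX-packed binaries carry UPX0/UPX1 (and often UPX2) sections."""
    return any(n.startswith("UPX") for n in names)


def build_sample_pe(section_names: list) -> bytes:
    """Constructed, headers-only PE image used as sample input (not a real program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + secs


if __name__ == "__main__":
    # With a path argument inspect a real file, otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    names = pe_section_names(data)
    print("sections:", names, "| UPX-packed:", looks_upx_packed(names))
```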
Ats
Posts: 603
Joined: Fri Sep 28, 2012 10:05 am

Re: Virus or false positive?

Post by Ats »

Here's the result for the uncompressed version: https://www.virustotal.com/#/file/17a13 ... /detection
It's a bit better :lol:

Somehow, I managed to produce a zip that is "virus" free: https://www.virustotal.com/#/url/b5e0e8 ... /detection
Don't know how or why. It seems very random...

Now I can only wait for googlebot to rescan my website and mark it as not malicious.
Ats
Posts: 603
Joined: Fri Sep 28, 2012 10:05 am

Re: Virus or false positive?

Post by Ats »

So after some research, it appears that all exe files made with Delphi/Pascal always give a false positive on anti-virus software that scans files heuristically. And once the Google bots decide that a file hosted on your website is infected, it automatically prevents ALL downloads from your website in Chrome.

In order to repair that, you have to:
Google has received and processed your security review request. Google systems indicate that http://www.txori.com/ no longer contains links to harmful sites or downloads. The warnings visible to users are being removed from your site. This may take a few hours to happen.
YEAH!!!!!
Ats
Posts: 603
Joined: Fri Sep 28, 2012 10:05 am

Re: Virus or false positive?

Post by Ats »

I'm back again for some ZGE. But player.bin is missing from my folder. I don't remember why...
So I tried to download the current version of ZGE but it was instantly blocked by Windows Defender:
Trojan:Win32/Zpevdo.A
Alert level: Severe
Status: Active

Recommended action: Remove the threat now.

Category: Trojan
Details: This program is dangerous and executes commands from an attacker.
Affected items:
containerfile: C:\Users\Ats\Downloads\ZGameEditor_beta.zip
file: C:\Users\Ats\Downloads\ZGameEditor_beta.zip->ZGameEditor/Player.bin
webfile: C:\Users\Ats\Downloads\ZGameEditor_beta.zip|http://www.zgameeditor.org/files/ZGameE ... 7330341242
That's new... :(
Kjell
Posts: 1876
Joined: Sat Feb 23, 2008 11:15 pm

Re: Virus or false positive?

Post by Kjell »

Hi Ats,

I just updated my Windows Defender definitions and had it scan my ZGameEditor folder ... got the same false-positive :(

K
VilleK
Site Admin
Posts: 2274
Joined: Mon Jan 15, 2007 4:50 pm
Location: Stockholm, Sweden

Re: Virus or false positive?

Post by VilleK »

Yep, same here. Annoying. Anyone know how to tell Defender that this is a false positive? It is not even compressed.
VilleK
Site Admin
Posts: 2274
Joined: Mon Jan 15, 2007 4:50 pm
Location: Stockholm, Sweden

Re: Virus or false positive?

Post by VilleK »

I submitted the file to Microsoft as a false positive. Btw, when I updated the definitions today it no longer seems to indicate that the file is malware, so maybe it is already fixed?
Ats
Posts: 603
Joined: Fri Sep 28, 2012 10:05 am

Re: Virus or false positive?

Post by Ats »

This seems to be working :D
Thanks
rrTea
Posts: 475
Joined: Sat Feb 15, 2014 9:54 am

Re: Virus or false positive?

Post by rrTea »

I tried to upload one of my projects to various sites, but it got rejected in some places. Here is what happens if a site uses VirusTotal for checking files:
https://www.virustotal.com/gui/file/9ce ... /detection
15/62 is deemed too dangerous. This is the project in question:
viewtopic.php?p=9263#p9263
(in fact if you try to download it Windows Defender will try to block it)

Maybe ZGE should have an additional build option "year 2020 version" where it produces a 64 Mb exe for an empty project, I bet such a file would be treated with much more respect >:-P
VilleK
Site Admin
Posts: 2274
Joined: Mon Jan 15, 2007 4:50 pm
Location: Stockholm, Sweden

Re: Virus or false positive?

Post by VilleK »

We've simplified what we can in the engine, so the only option now is to tell the anti-virus companies that this is a false positive.

I read on several occasions that "the virus scanners killed the 64k scene". It is nearly impossible to make small exe files these days. Indeed it would probably help to simply inflate the exe file up to a 1 MB size with zeroes.
Kjell
Posts: 1876
Joined: Sat Feb 23, 2008 11:15 pm

Re: Virus or false positive?

Post by Kjell »

Hi rrTea,
rrTea wrote (Tue Aug 13, 2019 12:46 am):
Maybe ZGE should have an additional build option "year 2020 version" where it produces a 64 Mb exe for an empty project, I bet such a file would be treated with much more respect >:-P
I know this is just a snarky / joking remark. But you can easily put this to the test by adding a File component to your project and embedding a large file ( use the "Import" button of the FileEmbedded property ). Using a small test project ( that triggered 17 false-positives untouched ), I got 16 false-positives with an 8MB file embedded, 11 false-positives with a 32MB file embedded, and 8 false-positives with a 128MB file embedded :?

K
VilleK
Site Admin
Posts: 2274
Joined: Mon Jan 15, 2007 4:50 pm
Location: Stockholm, Sweden

Re: Virus or false positive?

Post by VilleK »

Kjell wrote (Tue Aug 13, 2019 12:59 pm):
I got 16 false-positives with an 8MB file embedded, 11 false-positives with a 32MB file embedded, and 8 false-positives with a 128MB file embedded :?
Nice idea, and also proof that some virus scanners are seriously flawed.
rrTea
Posts: 475
Joined: Sat Feb 15, 2014 9:54 am

Re: Virus or false positive?

Post by rrTea »

I haven't actually tested it, it was just a ridiculous remark that comes to mind along the lines of "if that's how this whole system works, then this means… Hey hold on!…" etc. But it turns out it's really true!

Blah, that's ridiculous, the bigger the size the more "trustworthy" it is :P I mean I understand why it's like that (both why certain anti virus programs and Windows behave like that) but still, quite annoying.

Edit: what would have happened if I compressed the build with kkrunchy or UPX?… Hmm maybe best if I don't try that :-)
Last edited by rrTea on Sun Aug 25, 2019 12:20 pm, edited 1 time in total.
rrTea
Posts: 475
Joined: Sat Feb 15, 2014 9:54 am

Re: Virus or false positive?

Post by rrTea »

So I tested my new project (was just getting ready to publish it) and it came out with a 20/66 score ("seriously suspicious" I assume), crazy! I have no idea what to do :(

Anyway just to show how silly this can be, try to download this ZGE file and compile it for some fun! Under normal circumstances, Windows will not let you do it without flashing a stern warning beforehand. Can anybody guess why? (I already showed this trick in #ZGameEditor, Kjell: you probably remember.)
Attachments
fresh project (bare setup, dummy components).zgeproj
Open it in ZGE and try to "Build and run" it (F9)!
(396 Bytes) Downloaded 433 times
Last edited by rrTea on Sun Aug 25, 2019 12:18 pm, edited 1 time in total.