Re: Virus or false positive?

Posted: Wed Aug 14, 2019 10:17 am
by Kjell
Hi rrTea,
rrTea wrote:
Wed Aug 14, 2019 1:54 am
So I tested my new project (was just getting ready to publish it) and it came out with a 20/66 score ("seriously suspicious" I assume), crazy! I have no idea what to do :(
Once you're completely done with a project, you can submit it to the AV vendors that have detected it as a false positive for analysis. Be aware that even the slightest change to your executable might trigger false positives again (hence the "completely done").

Avast, AVG, Comodo, McAfee, Microsoft, Symantec etc.

Full list here

K

Re: Virus or false positive?

Posted: Sat Sep 21, 2019 11:35 am
by Ats
Hi,

We can't download ZGE anymore from this website using chrome:
"Dangerous file", no options other than abort. :x

This is getting really annoying... I'm installing Midori in order to try.

Edit: Midori is working like a charm for downloading "risky" files.

Re: Virus or false positive?

Posted: Mon Sep 23, 2019 7:36 am
by VilleK
I assume the virus scanners have issues with player.bin because it is so small. For the game by rrTea I made a custom build of player.bin that is 800kb and that works much better. I may have to "bloat" the main ZGE download too in the same way. But it really feels silly because one of my main design criteria with ZGE was to make as small a runtime as possible and now it has to be artificially inflated just to please the antivirus software.

Re: Virus or false positive?

Posted: Mon Sep 23, 2019 9:20 am
by rrTea
After using the "sign of the times" build for a week or two, I can report that it scores much lower on VirusTotal and doesn't cause alarms at all (at least on my computer)! I have the impression launching builds is slightly slower (I keep my project on an old SD card so file size differences can be felt) but nothing to worry about really. I just have to remember to untick "Remove unused code" every time I start ZGE, otherwise Windows won't let the built programs run.

I agree with Ville that it makes no sense to bloat the file for no reason other than to please security software but it seems there is no other way. The builds are still smaller than anything any other engine would produce for a project of comparable complexity though ;)

btw I see nobody took up my quiz from the previous page :D maybe for the best since it's quite irritating (no matter what you do it always asks for permission, even with a new ZGE build) and when you find out why it is behaving like that… it's unsettling (nothing to do with ZGE).

Re: Virus or false positive?

Posted: Mon Sep 23, 2019 10:58 am
by VilleK
rrTea wrote:
Mon Sep 23, 2019 9:20 am
when you find out why it is behaving like that… it's unsettling (nothing to do with ZGE).
Why does it behave like that? I did not get a warning here (could be that I'm using the larger player.bin) but I'm curious as to what trick it is that you mention.

Re: Virus or false positive?

Posted: Mon Sep 23, 2019 11:17 am
by VilleK
I tried to update ZGE here with medium bloated runtimes (350kb). They only produce 4 false positives when uploaded to VirusTotal but I still get the download blocked when trying from Firefox here: http://www.zgameeditor.org/files/ZGameEditor_beta.zip

Edge browser downloads it fine.

Re: Virus or false positive?

Posted: Mon Sep 23, 2019 1:02 pm
by rrTea
VilleK wrote:
Mon Sep 23, 2019 10:58 am
Why does it behave like that? I did not get a warning here (could be that I'm using the larger player.bin) but I'm curious as to what trick it is that you mention.
Did you try to build + launch the project as is after downloading it? On my end it asks for administration account no matter what I do with it. But why? It's an empty project! And only this particular build, no other builds do that. No matter how much or little code I put in, only this particular file always asks for administration every time I want to run it.

Anyway here is the answer, select the text to see it:
As long as the file name contains the word "setup", it will attract the attention of security systems even if it's empty :D So the methods for determining what is "suspicious" can be unexpectedly low-tech (as we saw on the previous page: size matters?). I discovered it by mistake because I named one of the builds "new enemy SETUP". I guess this mechanism's there because it does work for some cases but still :P
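
The prompt described in the post above matches Windows' UAC Installer Detection heuristic, which Microsoft documents as applying to 32-bit executables that carry no requestedExecutionLevel manifest entry and whose file name contains keywords such as "install", "setup" or "update". The following pre-release check is an added example, not part of the original post or of ZGE; the function names are hypothetical and the sample PE bytes are constructed.

```python
import struct

# Keywords Microsoft documents for the file-name part of UAC Installer Detection.
INSTALLER_KEYWORDS = ("install", "setup", "update")
IMAGE_FILE_MACHINE_I386 = 0x014C  # the heuristic applies to 32-bit images only

def pe_machine(data):
    """Return the COFF Machine field of a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 6 > len(data):
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]

def declares_execution_level(data):
    """Crude manifest check: the embedded XML is searched as UTF-8 and UTF-16LE."""
    name = "requestedExecutionLevel"
    return name.encode() in data or name.encode("utf-16-le") in data

def installer_keyword_hit(filename, data):
    """Return the keyword that would make Windows treat this build as an
    installer (file-name check only), or None if the build is not affected."""
    if pe_machine(data) != IMAGE_FILE_MACHINE_I386 or declares_execution_level(data):
        return None
    lowered = filename.lower()
    return next((k for k in INSTALLER_KEYWORDS if k in lowered), None)

def make_stub_pe(machine, manifest=b""):
    """Constructed sample: just enough DOS/PE header for the checks above."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18 + manifest

if __name__ == "__main__":
    plain = make_stub_pe(IMAGE_FILE_MACHINE_I386)
    for name in ("new enemy SETUP.exe", "new enemy.exe"):
        print(name, "->", installer_keyword_hit(name, plain))
```

Run over a build directory before publishing, a non-None result means the build should be renamed or given a manifest that declares its execution level.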

Re: Virus or false positive?

Posted: Mon Sep 30, 2019 10:32 am
by Ats
Thanks VilleK!!!
Ok, the resulting exe is a bit bigger, but it works perfectly. Hopefully I won't have bad reviews regarding antivirus problems with Omeganaut :D

Re: Virus or false positive?

Posted: Mon Sep 30, 2019 12:38 pm
by VilleK
Ats wrote:
Mon Sep 30, 2019 10:32 am
Thanks VilleK!!!
Ok, the resulting exe is a bit bigger, but it works perfectly. Hopefully I won't have bad reviews regarding antivirus problems with Omeganaut :D
Good to hear :). Also I notice that this week I can download the ZGE beta in Firefox without issues so they must have updated their virus database.

Re: Virus or false positive?

Posted: Wed Jan 15, 2020 4:34 am
by rrTea
I stopped reporting about this, but this is still a real annoyance on my end. Windows Defender sometimes just deletes Player.bin from my HD, sometimes it digs up a random build from my archive and warns me about it + deletes it (I have lots of old test builds from before "Remove unused code" option existed), and sometimes after I launch a project for testing (even though I always keep "Remove unused code" off) it just shuts the project down after half a minute or so.

Some Defender versions / builds are more prone to attacking ZGE, some less, but on average this happens at least once / month here (on bad months around ten times).

Sadly I have to keep Defender on default settings on the computer I use for ZGE.

Re: Virus or false positive?

Posted: Wed Jan 15, 2020 9:11 am
by VilleK
I haven't noticed it here for a long time and I have Defender with latest definitions. So is this happening with latest version of ZGE or just older versions?

Re: Virus or false positive?

Posted: Wed Jan 15, 2020 9:30 am
by rrTea
I also have Defender with latest updates (a new update downloaded while I was typing).

It's happening on basically everything ZGE-related, old and new… it's really hard to say. For example I have a directory "builds" where I keep copies of various ZGE builds after I download them from the forum. From time to time Defender would just pick one of the builds, proclaim it dangerous and delete it. The player.bin that disappeared today was from the newest ZGE build. This never happens with anything else on this computer.

Re: Virus or false positive?

Posted: Wed Jan 15, 2020 11:24 am
by Kjell
Hi guys,

Just chiming in that I haven't had any Windows Defender false positives on my computer(s) either since the September 27, 2018 occurrence.

K

Re: Virus or false positive?

Posted: Fri Jan 17, 2020 3:11 am
by rrTea
Meanwhile, on my end…
[Attached screenshot] This is from today, a few minutes after Defender got the newest updates. (I marked the date when I downloaded the ZGE build.)
[Attached screenshot] This is the current list, all of these are related exclusively to ZGE. There were more but I cleaned it up two weeks or so ago. As you can see it goes to my ZGE directory every few days and randomly attacks files.

Re: Virus or false positive?

Posted: Fri Jan 17, 2020 9:14 am
by VilleK
That is strange. I checked that my Defender installation has definitions from today, then ran an extra scan on Player.bin alone and it passes without problems.

I can also download ZGE using Firefox without issues.