Virus or false positive?

rrTea
Posts: 426
Joined: Sat Feb 15, 2014 9:54 am

Post by rrTea » Fri Jan 17, 2020 12:43 pm

No idea. I don't think it's something I'm doing (I never touched my Defender settings and keep everything on default + auto update).

VilleK
Site Admin
Posts: 2077
Joined: Mon Jan 15, 2007 4:50 pm
Location: Stockholm, Sweden

Post by VilleK » Tue Feb 11, 2020 7:42 am

After yesterday's update of ZGE, rrTea informed me that Windows Defender is triggering.

And indeed if I make a specific scan for Player.bin then it shows the "Win32/Unwaders.B!ml" message here.

Uploading to VirusTotal triggers only 5/68 false positives: https://www.virustotal.com/gui/file/402 ... /detection

Not sure how to make Windows Defender stop triggering on this because there is no more info shown. Anyone have any ideas?

Post by rrTea » Sun Feb 16, 2020 1:09 am

The newest build (the one I tested after the PM) doesn't trigger Defender anymore! :D good job! /veryhappy!!!

Edit: That was on that day. But today…
Attachment (剪贴板图片 (1).png): Player.bin is no more…

Post by VilleK » Mon Feb 17, 2020 9:06 am

That is very annoying, it has also changed the kind of virus it thinks it is because it did not show "Fuery" before. And it seems your definitions are ahead of mine (because of different localization?) because it still passes Windows Defender here with definitions updated today.

Post by rrTea » Mon Feb 17, 2020 12:38 pm

Yes it is very annoying & impractical… If it means anything, on 11th Defender "recognized" "Unwaders", but later it switched the classification to "Fuery" before deleting it. For now I guess the only way to test my projects is within ZGE's preview window.
Attachment (剪贴板图片 (2).png): On 16th it switched to "Fuery".

Post by rrTea » Wed Feb 19, 2020 3:35 am

Could it be that something in my project is triggering Defender? I'm not using any external libraries (not even for sound!) so this shouldn't be causing it (in my previous projects I usually turned off Microsoft's IME before going fullscreen, but now I'm not doing even that). I'm also not reading/writing anything to disk yet (high score table not yet implemented).

If that'd help shed any light on the matter, I can send over the project to you and you can try building it on your end. Clutching at straws really but for now I can't think of anything else I can do on my end short of turning Defender off (which I can not do because I also use this computer for work etc).

Post by VilleK » Wed Feb 19, 2020 7:33 am

Latest Player.bin still works here so it might indeed be worth testing if it is somehow related to your project. If you send it to me then I can try building it here and see what happens.

@Kjell: Is the Player.bin from latest ZGE working for you?

Kjell
Posts: 1731
Joined: Sat Feb 23, 2008 11:15 pm

Post by Kjell » Wed Feb 19, 2020 11:56 am

Hi Ville,

VilleK wrote (Wed Feb 19, 2020 7:33 am): "Is the Player.bin from latest ZGE working for you?"

Same problem here (1.309.1271.0 definitions) ...

K
Attachment: Defender.png

Post by VilleK » Wed Feb 19, 2020 12:38 pm

I updated definitions now and got "1.309.1282.0" version. Player.bin passes.

@rrTea: can you please check what version of virus definitions you have? The version number is shown in control panel after you select "Search for updates" on virus settings.

I also tried your game (looking good!) on VirusTotal. First attempt got 19 hits. Then I removed the word "setup" (from App.Caption) and then it reduces to 15 hits. Just as an example of how arbitrary the virus scanners are.

When you are ready to release this game I can help you make the exe-file separate from the content. This seems to be more accepted by virus scanners. But we need to make player.bin accepted first.
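
Added example, not part of the original thread: a PowerShell script that gathers what the posters compare by hand above (definitions version, an on-demand scan of one file, and the threat names Defender has recorded for it over time) into a single report. It uses the cmdlets of Windows' built-in Defender module; the default `$Path` is a placeholder, and an elevated prompt is assumed.

```powershell
# Added example, not code from the thread or from ZGameEditor.
# Assumes an elevated PowerShell prompt with Microsoft Defender as the active AV.
# $Path default is a placeholder: pass the file you want to report on.
param([string]$Path = '.\Player.bin')

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path (possibly already quarantined)"
}
$full = (Resolve-Path -LiteralPath $Path).Path

# Hash first: a detection may quarantine the file before it can be read again.
$sha256 = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash

# Definitions and engine versions in effect for this scan.
$status = Get-MpComputerStatus

# On-demand scan of just this one file.
try {
    Start-MpScan -ScanType CustomScan -ScanPath $full -ErrorAction Stop
} catch {
    Write-Warning "Scan reported an error: $($_.Exception.Message)"
}

# Every recorded detection that references this path, oldest first, with the
# threat ID resolved to the name shown in the Defender UI. A changing name
# across rows corresponds to a reclassification between definition updates.
$history = @(Get-MpThreatDetection |
    Where-Object {
        ($_.Resources -join ';').IndexOf($full, [StringComparison]::OrdinalIgnoreCase) -ge 0
    } |
    Sort-Object InitialDetectionTime |
    ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DetectedAt = $_.InitialDetectionTime
            ThreatID   = $_.ThreatID
            ThreatName = $threat.ThreatName
        }
    })

[pscustomobject]@{
    File             = $full
    SHA256           = $sha256
    SignatureVersion = $status.AntivirusSignatureVersion
    SignatureUpdated = $status.AntivirusSignatureLastUpdated
    EngineVersion    = $status.AMEngineVersion
    DetectionCount   = $history.Count
} | Format-List
$history | Format-Table -AutoSize
```

Posting the SHA256 together with the signature version lets two people confirm they scanned the same build against the same definitions before comparing results.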

Post by rrTea » Wed Feb 19, 2020 1:15 pm

For the record, today I have 1.309.1206.0 (last update check 8 hours ago). But I think it doesn't matter, since I can't guarantee that's what I had at the moment player.bin got deleted.

Also even if player.bin passes today, it's highly likely it will get attacked again later. I already tried confirming that by usually waiting for a day or two after player.bin gets deleted, downloading whatever is the latest build and copying it… every time the same story (that's why I posted that screenshot with the caption "As you can see it goes to my ZGE directory every few days and randomly attacks files."): if it doesn't get deleted immediately upon downloading, it will get deleted later.

Edit: It updated itself, now it's on 1.309.1282.0.
Edit: Removed the word "Setup" from the Caption (ridiculous… but let's do it)

Post by VilleK » Wed Feb 19, 2020 1:47 pm

I will find a way to make player.bin pass. It probably needs to be bloated even more :). Give me a few days.

Post by rrTea » Wed Feb 19, 2020 1:52 pm

It's crazy programs have to be bloated to work :P Anyway just take your time, as far as my project is concerned I will be working on the graphics meanwhile.

jinxtengu
Posts: 83
Joined: Wed Oct 14, 2009 2:05 pm

Post by jinxtengu » Thu Feb 20, 2020 4:59 am

It's crazy, I noticed Windows 10 just deletes newly created EXEs made with ZGameEditor, without warning; you have to add them to the exceptions list every time a new version is saved.

Post by VilleK » Thu Feb 20, 2020 7:41 am

jinxtengu wrote (Thu Feb 20, 2020 4:59 am): "It's crazy, I noticed Windows 10 just deletes newly created EXEs made with ZGameEditor, without warning; you have to add them to the exceptions list every time a new version is saved."

Are you also using Windows Defender and the very latest ZGE? http://www.zgameeditor.org/files/ZGameEditor_beta.zip

I hope to find a solution soon. I may have to increase the binary size and/or build with Freepascal instead of Delphi.

Post by VilleK » Thu Feb 20, 2020 9:44 am

Please try today's build where I built player.bin using Freepascal: http://www.zgameeditor.org/files/ZGameEditor_beta.zip
