Re: Virus or false positive?

Posted: Fri Jan 17, 2020 12:43 pm
by rrTea
No idea. I don't think it's something I'm doing (I never touched my Defender settings and keep everything on default + auto update).

Re: Virus or false positive?

Posted: Tue Feb 11, 2020 7:42 am
by VilleK
After yesterday's update of ZGE, rrTea informed me that Windows Defender is triggering.

And indeed if I make a specific scan for Player.bin then it shows the "Win32/Unwaders.B!ml" message here.

Uploading to VirusTotal triggers only 5/68 false positives: https://www.virustotal.com/gui/file/402 ... /detection

Not sure how to make Windows Defender stop triggering on this because there is no more info shown. Anyone have any ideas?

Re: Virus or false positive?

Posted: Sun Feb 16, 2020 1:09 am
by rrTea
The newest build (the one I tested after the PM) doesn't trigger Defender anymore! :D good job! /veryhappy!!!

Edit: That was on that day. But today…

Re: Virus or false positive?

Posted: Mon Feb 17, 2020 9:06 am
by VilleK
That is very annoying, it has also changed the kind of virus it thinks it is because it did not show "Fuery" before. And it seems your definitions are ahead of mine (because of different localization?) because it still passes Windows Defender here with definitions updated today.

Re: Virus or false positive?

Posted: Mon Feb 17, 2020 12:38 pm
by rrTea
Yes, it is very annoying & impractical… If it means anything, on the 11th Defender "recognized" "Unwaders", but later it switched the classification to "Fuery" before deleting it. For now I guess the only way to test my projects is within ZGE's preview window.

Re: Virus or false positive?

Posted: Wed Feb 19, 2020 3:35 am
by rrTea
Could it be that something in my project is triggering Defender? I'm not using any external libraries (not even for sound!) so this shouldn't be causing it (in my previous projects I usually turned off Microsoft's IME before going fullscreen, but now I'm not doing even that). I'm also not reading/writing anything to disk yet (high score table not yet implemented).

If that'd help shed any light on the matter, I can send over the project to you and you can try building it on your end. Clutching at straws really, but for now I can't think of anything else I can do on my end short of turning Defender off (which I cannot do because I also use this computer for work etc).

Re: Virus or false positive?

Posted: Wed Feb 19, 2020 7:33 am
by VilleK
Latest Player.bin still works here so it might indeed be worth testing if it is somehow related to your project. If you send it to me then I can try building it here and see what happens.

@Kjell: Is the Player.bin from latest ZGE working for you?

Re: Virus or false positive?

Posted: Wed Feb 19, 2020 11:56 am
by Kjell
Hej Ville,
VilleK wrote: Wed Feb 19, 2020 7:33 am Is the Player.bin from latest ZGE working for you?
Same problem here ( 1.309.1271.0 definitions ) ...

K

Re: Virus or false positive?

Posted: Wed Feb 19, 2020 12:38 pm
by VilleK
I updated definitions now and got "1.309.1282.0" version. Player.bin passes.

@rrTea: can you please check what version of virus definitions you have? The version number is shown in control panel after you select "Search for updates" on virus settings.

I also tried your game (looking good!) on VirusTotal. First attempt got 19 hits. Then I removed the word "setup" (from App.Caption) and then it reduced to 15 hits. Just as an example of how arbitrary the virus scanners are.

When you are ready to release this game I can help you make the exe-file separate from the content. This seems to be more accepted by virus scanners. But we need to make player.bin accepted first.

Re: Virus or false positive?

Posted: Wed Feb 19, 2020 1:15 pm
by rrTea
For the record, today I have 1.309.1206.0 (last update check 8 hours ago). But I think it doesn't matter, since I can't guarantee that's what I had at the moment player.bin got deleted.

Also even if player.bin passes today, it's highly likely it will get attacked again later. I already tried confirming that by usually waiting for a day or two after player.bin gets deleted, downloading whatever is the latest build and copying it… every time the same story (that's why I posted that screenshot with the caption "As you can see it goes to my ZGE directory every few days and randomly attacks files."): if it doesn't get deleted immediately upon downloading, it will get deleted later.

Edit: It updated itself, now it's on 1.309.1282.0.
Edit: Removed the word "Setup" from the Caption (ridiculous… but let's do it)
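
Added example (not part of any post in this thread): a PowerShell way to read the current definitions version and, from Defender's own event log, the version that was active when Player.bin was actually flagged or removed. The EventData field names used here ('Threat Name', 'Path', 'Signature Version' / 'Security intelligence Version') are assumptions about Defender's event schema and may differ between Windows builds.

```powershell
# Added example, not from the thread. Run on the affected machine;
# reading the Defender log may require an elevated prompt.

# 1. Definitions in use right now (the number the settings page shows).
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated

# 2. Definitions in use at each past detection of Player.bin.
#    Event 1116 = threat detected, 1117 = action taken (e.g. file removed).
$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields rather than the localized message.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        # Assumption: older builds call the field 'Signature Version',
        # newer ones 'Security intelligence Version'.
        $sig = $data['Signature Version']
        if (-not $sig) { $sig = $data['Security intelligence Version'] }

        [pscustomobject]@{
            Time             = $_.TimeCreated
            EventId          = $_.Id
            Threat           = $data['Threat Name']
            Path             = $data['Path']
            SignatureVersion = $sig
        }
    } |
    Where-Object { $_.Path -like '*Player.bin*' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

The resulting table shows, per detection, which threat name was assigned and under which definitions version, which makes it possible to compare machines even after the definitions have auto-updated.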

Re: Virus or false positive?

Posted: Wed Feb 19, 2020 1:47 pm
by VilleK
I will find a way to make player.bin pass. It probably needs to be bloated even more :). Give me a few days.

Re: Virus or false positive?

Posted: Wed Feb 19, 2020 1:52 pm
by rrTea
It's crazy programs have to be bloated to work :P Anyway just take your time, as far as my project is concerned I will be working on the graphics meanwhile.

Re: Virus or false positive?

Posted: Thu Feb 20, 2020 4:59 am
by jinxtengu
It's crazy, I noticed Windows 10 just deletes newly created EXEs made with z game editor, without warning, you have to add them to the exceptions list, every time a new version is saved.

Re: Virus or false positive?

Posted: Thu Feb 20, 2020 7:41 am
by VilleK
jinxtengu wrote: Thu Feb 20, 2020 4:59 am It's crazy, I noticed Windows 10 just deletes newly created EXEs made with z game editor, without warning, you have to add them to the exceptions list, every time a new version is saved.
Are you also using Windows Defender and the very latest ZGE? http://www.zgameeditor.org/files/ZGameEditor_beta.zip

I hope to find a solution soon. I may have to increase the binary size and/or build with Freepascal instead of Delphi.

Re: Virus or false positive?

Posted: Thu Feb 20, 2020 9:44 am
by VilleK
Please try today's build where I built player.bin using Freepascal: http://www.zgameeditor.org/files/ZGameEditor_beta.zip