Virus or false positive?
I just discovered that each and every exe file generated by ZGameEditor gives a positive on a lot of anti-virus software.
Here's the scan for my last version of Omeganaut:
https://www.virustotal.com/#/file/2d659 ... /detection
My problem is that, because of the update I uploaded yesterday, my website was listed by Google as malicious and everything you could download on it is now blocked by Chrome... I already saw that in old example files on your forum. Do you know what I can do?
Re: Virus or false positive?
Hi, perhaps try a version that is not UPX compressed? Some AV software gives false positives on all compressed executables.
Re: Virus or false positive?
Here's the result for the uncompressed version: https://www.virustotal.com/#/file/17a13 ... /detection
It's a bit better
Somehow, I managed to produce a zip that is "virus" free: https://www.virustotal.com/#/url/b5e0e8 ... /detection
Don't know how or why. It seems very random...
Now I can only wait for googlebot to rescan my website and mark it as not malicious.
Re: Virus or false positive?
So after some research, it appears that all exe files made out of Delphi/Pascal always give a false positive on anti-virus software that scans files heuristically. And once Google's bots decide that a file hosted on your website is infected, it automatically prevents ALL downloads from your website in Chrome.
In order to repair that, you have to:
- Get rid of the "infected" file on your ftp
- Upload it to some other file sharing website
- Update the download link on your website
- Go to Google Search Console: https://www.google.com/webmasters/tools/home?hl=fr
- Follow what they tell you in order to verify that the website is yours (it consists of uploading a file to your ftp and verifying the link)
- Fill in a security review request (https://www.google.com/webmasters/tools/security-issues), explaining what you have done to repair your bad behaviour
- Wait 24h to 72h
YEAH!!!!!
Google has received and processed your security review request. Google systems indicate that http://www.txori.com/ no longer contains links to harmful sites or downloads. The warnings visible to users are being removed from your site. This may take a few hours to happen.
Re: Virus or false positive?
I'm back again for some ZGE. But player.bin is missing from my folder. I don't remember why...
So I tried to download the current version of ZGE but it was instantly blocked by Windows Defender:

That's new...
Trojan:Win32/Zpevdo.A
Alert level: Severe
Status: Active
Recommended action: Remove the threat now.
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.
Affected items:
containerfile: C:\Users\Ats\Downloads\ZGameEditor_beta.zip
file: C:\Users\Ats\Downloads\ZGameEditor_beta.zip->ZGameEditor/Player.bin
webfile: C:\Users\Ats\Downloads\ZGameEditor_beta.zip|http://www.zgameeditor.org/files/ZGameE ... 7330341242

Re: Virus or false positive?
Hi Ats,
I just updated my Windows Defender definitions and had it scan my ZGameEditor folder ... got the same false-positive
K
Re: Virus or false positive?
Yep, same here. Annoying. Anyone know how to tell Defender that this is a false positive? It is not even compressed.
Re: Virus or false positive?
I submitted the file to Microsoft as a false positive. Btw, when I updated the definitions today it no longer seems to indicate that the file is malware so maybe it is already fixed?
Re: Virus or false positive?
I tried to upload one of my projects to various sites, but it got rejected in some places. Here is what happens if a site uses VirusTotal for checking files:
https://www.virustotal.com/gui/file/9ce ... /detection
15/62 is deemed too dangerous. This is the project in question:
viewtopic.php?p=9263#p9263
(in fact if you try to download it Windows Defender will try to block it)
Maybe ZGE should have an additional build option "year 2020 version" where it produces a 64 Mb exe for an empty project, I bet such a file would be treated with much more respect >:-P
Re: Virus or false positive?
We've simplified what we can in the engine so the only option now is to tell the anti-virus companies that this is a false positive.
I read on several occasions that "the virus scanners killed the 64k scene". It is nearly impossible to make small exe-files these days. Indeed it would probably help to simply inflate the exe file up to a 1mb size with zeroes.
Re: Virus or false positive?
Hi rrTea,

I know this is just a snarky / joking remark. But you can easily put this to the test by adding a File component to your project and embedding a large file (use the "Import" button of the FileEmbedded property). Using a small test project (that triggered 17 false-positives untouched), I got 16 false-positives with an 8MB file embedded, 11 false-positives with a 32MB file embedded, and 8 false-positives with a 128MB file embedded.

K
Re: Virus or false positive?
I haven't actually tested it, it was just a ridiculous remark that comes to mind along the lines of "if that's how this whole system works, then this means… Hey hold on!…" etc. But it turns out it's really true!
Blah, that's ridiculous, the bigger the size the more "trustworthy" it is
I mean I understand why it's like that (both why certain anti virus programs and Windows behave like that) but still, quite annoying.
Edit: what would have happened if I compressed the build with kkrunchy or UPX?… Hmm maybe best if I don't try that
Last edited by rrTea on Sun Aug 25, 2019 12:20 pm, edited 1 time in total.
Re: Virus or false positive?
So I tested my new project (was just getting ready to publish it) and it came out with a 20/66 score ("seriously suspicious" I assume), crazy! I have no idea what to do 
Anyway just to show how silly this can be, try to download this ZGE file and compile it for some fun! Under normal circumstances, Windows will not let you do it without flashing a stern warning beforehand. Can anybody guess why? (I already showed this trick in #ZGameEditor, Kjell: you probably remember.)

- Attachments
- fresh project (bare setup, dummy components).zgeproj
- Open it in ZGE and try to "Build and run" it (F9)!
- (396 Bytes) Downloaded 748 times
Last edited by rrTea on Sun Aug 25, 2019 12:18 pm, edited 1 time in total.