Virus or false positive?

Re: Virus or false positive?

Post by Kjell »

Hi rrTea,
rrTea wrote: Wed Aug 14, 2019 1:54 am
So I tested my new project (was just getting ready to publish it) and it came out with a 20/66 score ("seriously suspicious" I assume), crazy! I have no idea what to do :(

Once you're completely done with a project, you can submit it to the AV vendors that have detected it as false-positive for analysis. Be aware that even the slightest change to your executable might trigger false-positives again (hence the "completely done").

Avast, AVG, Comodo, McAfee, Microsoft, Symantec etc.

Full list here

K

Post by Ats »

Hi,

We can't download ZGE anymore from this website using Chrome:
"Dangerous file", no options other than abort. :x

This is getting really annoying... I'm installing Midori in order to try.

Edit: Midori is working like a charm for downloading "risky" files.
Last edited by Ats on Sun Sep 29, 2019 2:08 am, edited 1 time in total.

Post by VilleK »

I assume the virus scanners have issues with player.bin because it is so small. For the game by rrTea I made a custom build of player.bin that is 800kb and that works much better. I may have to "bloat" the main ZGE download too in the same way. But it really feels silly because one of my main design criteria with ZGE was to make as small a runtime as possible and now it has to be artificially inflated just to please the antivirus software.

Post by rrTea »

After using the "sign of the times" build for a week or two, I can report that it scores much lower on VirusTotal and doesn't cause alarms at all (at least on my computer)! I have the impression launching builds is slightly slower (I keep my project on an old SD card so file size differences can be felt) but nothing to worry about really. I just have to remember to untick "Remove unused code" every time I start ZGE, otherwise Windows won't let the built programs run.

I agree with Ville that it makes no sense to bloat the file for no reason other than to please security software but it seems there is no other way. The builds are still smaller than anything any other engine would produce for a project of comparable complexity though ;)

btw I see nobody took up my quiz from the previous page :D maybe for the best since it's quite irritating (no matter what you do it always asks for a permission, even with a new ZGE build) and when you find out why is it behaving like that… it's unsettling (nothing to do with ZGE).

Post by VilleK »

rrTea wrote: Mon Sep 23, 2019 9:20 am
when you find out why is it behaving like that… it's unsettling (nothing to do with ZGE).

Why does it behave like that? I did not get a warning here (could be that I'm using the larger player.bin) but I'm curious to what trick it is that you mention.

Post by VilleK »

I tried to update ZGE here with medium bloated runtimes (350kb). They only produce 4 false positives when uploaded to VirusTotal but I still get the download blocked when trying from Firefox here: http://www.zgameeditor.org/files/ZGameEditor_beta.zip

Edge browser downloads it fine.

Post by rrTea »

VilleK wrote: Mon Sep 23, 2019 10:58 am
Why does it behave like that? I did not get a warning here (could be that I'm using the larger player.bin) but I'm curious to what trick it is that you mention.

Did you try to build + launch the project as is after downloading it? On my end it asks for administration account no matter what I do with it. But why? It's an empty project! And only this particular build, no other builds do that. No matter how much or little code I put in, only this particular file always asks for administration every time I want to run it.

Anyway here is the answer, select the text to see it:
As long as the file name contains the word "setup", it will attract attention of security systems even if it's empty :D So the methods for determining what is "suspicious" can be unexpectedly low-tech (as we saw on the previous page: size matters?). I discovered it by mistake because I named one of the builds "new enemy SETUP". I guess this mechanism's there because it does work for some cases but still :P
Last edited by rrTea on Tue Oct 01, 2019 11:55 pm, edited 2 times in total.
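
One documented mechanism that matches the file-name behaviour described in the post above is Windows UAC Installer Detection, which looks at file-name keywords such as "install", "setup" or "update" on 32-bit executables that carry no requestedExecutionLevel manifest entry. The following pre-release check for that condition is an added example, not code from this thread or from the ZGameEditor project; the function names and the stub header bytes are constructed for illustration.

```python
import struct

# File-name keywords Microsoft's UAC Installer Detection documentation gives
# as examples ("such as"); the real list may be longer.
KEYWORDS = ("install", "setup", "update")
IMAGE_FILE_MACHINE_I386 = 0x014C  # COFF machine value for 32-bit x86


def pe_machine(data: bytes):
    """Return the COFF Machine field, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if len(data) < pe_off + 6 or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, pe_off + 4)[0]


def installer_detection_hits(file_name: str, data: bytes) -> list:
    """Keywords in file_name that could make UAC treat the build as an installer.

    Returns [] when the heuristic does not apply: not a 32-bit PE, or the
    image carries a manifest with requestedExecutionLevel.
    """
    if pe_machine(data) != IMAGE_FILE_MACHINE_I386:
        return []
    # Simplification: raw byte search instead of walking the resource tree.
    if b"requestedExecutionLevel" in data:
        return []
    lowered = file_name.lower()
    return [k for k in KEYWORDS if k in lowered]


def make_stub(machine: int, manifest: bytes = b"") -> bytes:
    """Constructed minimal PE header for the demo (not a runnable program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18) + manifest


if __name__ == "__main__":
    manifest = b'<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'
    for name, image in [
        ("new enemy SETUP.exe", make_stub(0x014C)),
        ("new enemy SETUP.exe", make_stub(0x014C, manifest)),
        ("new enemy.exe", make_stub(0x014C)),
    ]:
        print(name, installer_detection_hits(name, image))
```

A non-empty result means the build should either be renamed or ship with an explicit requestedExecutionLevel in its manifest before release.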

Post by Ats »

Thanks VilleK!!!
Ok, the resulting exe is a bit bigger, but it works perfectly. Hopefully I won't have bad review regarding antivirus problems with Omeganaut :D

Post by VilleK »

Ats wrote: Mon Sep 30, 2019 10:32 am
Thanks VilleK!!!
Ok, the resulting exe is a bit bigger, but it works perfectly. Hopefully I won't have bad review regarding antivirus problems with Omeganaut :D

Good to hear :). Also I notice that this week I can download the ZGE beta in Firefox without issues so they must have updated their virus database.

Post by rrTea »

I stopped reporting about this, but this is still a real annoyance on my end. Windows Defender sometimes just deletes Player.bin from my HD, sometimes it digs up a random build from my archive and warns me about it + deletes it (I have lots of old test builds from before "Remove unused code" option existed), and sometimes after I launch a project for testing (even though I always keep "Remove unused code" off) it just shuts the project down after half a minute or so.

Some Defender versions / builds are more prone to attacking ZGE, some less, but on average this happens at least once / month here (on bad months around ten times).

Sadly I have to keep Defender on default settings on the computer I use for ZGE.

Post by VilleK »

I haven't noticed it here for a long time and I have Defender with latest definitions. So is this happening with latest version of ZGE or just older versions?

Post by rrTea »

I also have Defender with latest updates (a new update downloaded while I was typing).

It's happening on basically everything ZGE-related, old and new… it's really hard to say. For example I have a directory "builds" where I keep copies of various ZGE builds after I download them from the forum. From time to time Defender would just pick one of the builds, proclaim it dangerous and delete it. The player.bin that disappeared today was from the newest ZGE build. This never happens with anything else on this computer.

Post by Kjell »

Hi guys,

Just chiming in that I haven't had any Windows Defender false-positives on my computer(s) either since the September 27, 2018 occurrence.

K

Post by rrTea »

Meanwhile, on my end…
This is from today, a few minutes after Defender got the newest updates. (I marked the date when I downloaded the ZGE build.)
[Attached screenshot: 剪贴板图片 (3).png]
This is the current list, all of these are related exclusively to ZGE. There were more but I cleaned it up two weeks or so ago. As you can see it goes to my ZGE directory every few days and randomly attacks files.
[Attached screenshot: 剪贴板图片 (4).png]

Post by VilleK »

That is strange. I checked that my Defender installation has definitions from today, then ran an extra scan on Player.bin alone and it passes without problems.

I can also download ZGE using Firefox without issues.
[Attached screenshot: zge_antivirus.png]