Dark and Darker

RockDad Jul 9, 2024 @ 1:42pm
Tavern.exe is suspicious
I've seen a few posts talking about Tavern.exe or TavernWorker.exe being malware. After reading through the forums most of the people commenting either,
A. Don't know what it is or just echoing what's been said/assumed or
B. Don't care if it is malware.

This nerd trapped me because I genuinely wanted to see if it was just an anti-cheat or something nefarious.

Using sandbox tools such as Hybrid Analysis and VirusTotal I uploaded the suspected .exes into virtual sandboxes. This is what I found...

TavernWorker.exe was clean.... Tavern.exe on the other hand could be malware...

Tavern.exe performs the following suspicious indicators...

  • Anti-Detection/Stealthiness through API calls
  • Anti-Reverse Engineering through Static Parser
  • Cryptographic Related (It's encrypting and compressing a binary file)
  • Environment Awareness (Executes WMI queries known for VM detection)
  • Found a potential email address in binary/memory (Although I am skeptical of this as the email seems to point to ZY Partners; a Chinese Law firm)
  • Spyware/Information Retrieval (Calls an API typically used to enumerate processes encountered for a system snapshot, as well as executes WMI queries to gather system info)
  • Unusual characteristic

There are other things it does that are more informal than suspicious, like accessing device drivers, etc. It would explain why one user reported his hard drive spinning up despite D&D being installed on his SSD.

Please note that just because it is suspicious does not mean it's malware. There are false positives. However, the devs need to address this because whatever it's doing, it's encrypting and hiding its work. We can get a rough idea through indicators but the exact nature of the .exe is a mystery.

I will still be looking into this. If anyone would like to join and shed some light on this; Welcome!

Please keep unhelpful comments to yourself.

I'm not playing or having anything more to do with this game or Tavern.exe.

Edit: I'm not playing or having anything more to do with this game or Tavern.exe. Please stop DM'ing me about it.
Last edited by RockDad; Dec 20, 2024 @ 2:18pm
Showing 1-15 of 51 comments
Dealman Jul 9, 2024 @ 2:22pm 
So, you just uploaded the exe to these online scanners and repeated what they reported...

WMI is used for a whole plethora of things, for example you can measure various performance metrics of a system such as the CPU usage. It's what the Task Manager uses for CPU utilization.

As for the email, it may just be that Tavern/TavernWorker is a kind of crash reporter and it sends crash data to that address.

Nothing about this is particularly suspicious, it just seems to be your typical in-house process used for gathering telemetry data and potentially anti-cheat purposes.
Major Lee Ree Jul 9, 2024 @ 2:24pm 
I've got nothing to hide, it can do whatever it wants for me if it's gonna catch more cheaters.
Last edited by Major Lee Ree; Jul 9, 2024 @ 2:24pm
Kankaku Jul 9, 2024 @ 2:44pm 
It's quite literally the game's anticheat...
MisterSmellies Jul 9, 2024 @ 3:04pm 
Get Muta to look into it
Boutus Jul 9, 2024 @ 3:14pm 
Malware.... Yea mate, the dev team are secretly putting malware on your computer.
RockDad Jul 9, 2024 @ 3:23pm 
Originally posted by Dealman:

Nothing about this is particularly suspicious, it just seems to be your typical in-house process used for gathering telemetry data and potentially anti-cheat purposes.

The data says otherwise. Hence this post...

Virus software like Webroot classifies the .exe as malware. The whole point of this post is to clarify if it's a false positive or not with data...

Just saying, "it may be... etc, I don't care if, etc" is not at all helpful.
RockDad Jul 9, 2024 @ 3:26pm 
Originally posted by Boutus:
Malware.... Yea mate, the dev team are secretly putting malware on your computer.

Mate, I believe the word used was "suspicious".

But you also didn't read or comprehend the last sentence either so I guess I shouldn't be surprised by your comment.
chevalierknight Jul 9, 2024 @ 3:52pm 
Originally posted by RockDad:
I've seen a few posts talking about Tavern.exe or TavernWorker.exe being malware. After reading through the forums most of the people commenting either,
A. Don't know what it is or just echoing what's been said/assumed or
B. Don't care if it is malware.

This nerd trapped me because I genuinely wanted to see if it was just an anti-cheat or something nefarious.

Using sandbox tools such as Hybrid Analysis and VirusTotal I uploaded the suspected .exes into virtual sandboxes. This is what I found...

TavernWorker.exe was clean.... Tavern.exe on the other hand could be malware...

Tavern.exe performs the following suspicious indicators...

  • Anti-Detection/Stealthiness through API calls
  • Anti-Reverse Engineering through Static Parser
  • Cryptographic Related (It's encrypting and compressing a binary file)
  • Environment Awareness (Executes WMI queries known for VM detection)
  • Found a potential email address in binary/memory (Although I am skeptical of this as the email seems to point to ZY Partners; a Chinese Law firm)
  • Spyware/Information Retrieval (Calls an API typically used to enumerate processes encountered for a system snapshot, as well as executes WMI queries to gather system info)
  • Unusual characteristic

There are other things it does that are more informal than suspicious, like accessing device drivers, etc. It would explain why one user reported his hard drive spinning up despite D&D being installed on his SSD.

Please note that just because it is suspicious does not mean it's malware. There are false positives. However, the devs need to address this because whatever it's doing, it's encrypting and hiding its work. We can get a rough idea through indicators but the exact nature of the .exe is a mystery.

I will still be looking into this. If anyone would like to join and shed some light on this; Welcome!

Please keep unhelpful comments to yourself.
Can I ask: if I uninstall the game and then uninstall Tavern Worker in the installed apps, does this also remove Tavern.exe too? Are both things removed? Have you tested if uninstalling Tavern removes both? I only ask because I can see Tavern Worker is removed from services, but Tavern.exe never shows there when game's installed and doesn't show in the Task Manager, only Worker. And you put "Anti-Detection/Stealthiness through API calls"; does this mean it's hidden on the system? I just want to know I've uninstalled it alongside Worker when I uninstalled it in the apps section.
Last edited by chevalierknight; Jul 9, 2024 @ 4:19pm
RockDad Jul 9, 2024 @ 5:16pm 
Originally posted by chevalierknight:
Originally posted by RockDad:
I've seen a few posts talking about Tavern.exe or TavernWorker.exe being malware. After reading through the forums most of the people commenting either,
A. Don't know what it is or just echoing what's been said/assumed or
B. Don't care if it is malware.

This nerd trapped me because I genuinely wanted to see if it was just an anti-cheat or something nefarious.

Using sandbox tools such as Hybrid Analysis and VirusTotal I uploaded the suspected .exes into virtual sandboxes. This is what I found...

TavernWorker.exe was clean.... Tavern.exe on the other hand could be malware...

Tavern.exe performs the following suspicious indicators...

  • Anti-Detection/Stealthiness through API calls
  • Anti-Reverse Engineering through Static Parser
  • Cryptographic Related (It's encrypting and compressing a binary file)
  • Environment Awareness (Executes WMI queries known for VM detection)
  • Found a potential email address in binary/memory (Although I am skeptical of this as the email seems to point to ZY Partners; a Chinese Law firm)
  • Spyware/Information Retrieval (Calls an API typically used to enumerate processes encountered for a system snapshot, as well as executes WMI queries to gather system info)
  • Unusual characteristic

There are other things it does that are more informal than suspicious, like accessing device drivers, etc. It would explain why one user reported his hard drive spinning up despite D&D being installed on his SSD.

Please note that just because it is suspicious does not mean it's malware. There are false positives. However, the devs need to address this because whatever it's doing, it's encrypting and hiding its work. We can get a rough idea through indicators but the exact nature of the .exe is a mystery.

I will still be looking into this. If anyone would like to join and shed some light on this; Welcome!

Please keep unhelpful comments to yourself.
Can I ask: if I uninstall the game and then uninstall Tavern Worker in the installed apps, does this also remove Tavern.exe too? Are both things removed? Have you tested if uninstalling Tavern removes both? I only ask because I can see Tavern Worker is removed from services, but Tavern.exe never shows there when game's installed and doesn't show in the Task Manager, only Worker. And you put "Anti-Detection/Stealthiness through API calls"; does this mean it's hidden on the system? I just want to know I've uninstalled it alongside Worker when I uninstalled it in the apps section.

Try the uninstall program in the game files. If that doesn't work and the Tavern program is still present then that's even very odd.
Aldalómë Jul 9, 2024 @ 5:42pm 
Why are there 2 different programs running as anti-cheat? The "anti-cheat" scanning all your files is dubious as hell. When will the devs talk about this crap?

Also, fanboys should stop dickriding companies especially when the anti-cheat system is dubious or poorly implemented.
Last edited by Aldalómë; Jul 9, 2024 @ 5:53pm
Guntrigger Jul 9, 2024 @ 5:48pm 
Weird that after uninstalling the game TavernWorker still remains and has to be uninstalled using add/remove programs separately. Tavern.exe doesn't seem to remain after this. It leaves some files in AppData, but it appears that they may just be logs.
chevalierknight Jul 9, 2024 @ 6:58pm 
Originally posted by Guntrigger:
Weird that after uninstalling the game TavernWorker still remains and has to be uninstalled using add/remove programs separately. Tavern.exe doesn't seem to remain after this. It leaves some files in AppData, but it appears that they may just be logs.
Oh, that's good. I was worried that it had stayed. I deleted those logs and did a file search and nothing else pops up with Tavern. I have an anxiety disorder and this was really affecting, so I uninstalled the game and the Worker app, but the Tavern.exe was really making me ill.
Last edited by chevalierknight; Jul 9, 2024 @ 7:00pm
Louis Harriger Jul 9, 2024 @ 7:58pm 
Originally posted by chevalierknight:
Originally posted by Guntrigger:
Weird that after uninstalling the game TavernWorker still remains and has to be uninstalled using add/remove programs separately. Tavern.exe doesn't seem to remain after this. It leaves some files in AppData, but it appears that they may just be logs.
Oh, that's good. I was worried that it had stayed. I deleted those logs and did a file search and nothing else pops up with Tavern. I have an anxiety disorder and this was really affecting, so I uninstalled the game and the Worker app, but the Tavern.exe was really making me ill.
Open up services and you can disable it there if you want to take another precaution.
chevalierknight Jul 9, 2024 @ 8:02pm 
Originally posted by Louis Harriger:
Originally posted by chevalierknight:
Oh, that's good. I was worried that it had stayed. I deleted those logs and did a file search and nothing else pops up with Tavern. I have an anxiety disorder and this was really affecting, so I uninstalled the game and the Worker app, but the Tavern.exe was really making me ill.
Open up services and you can disable it there if you want to take another precaution.
When I uninstalled it from apps it removed it from services. I was just worried it didn't remove all of it.
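
A read-only way to check what the uninstall discussed in the posts above leaves behind, as an added example that is not part of any post in this thread. The name pattern comes from the file names mentioned here; the search roots are assumptions, since the thread gives no install paths.

```powershell
# Added example: lists leftovers only, changes nothing on the system.
# Pattern taken from the thread (Tavern.exe / TavernWorker.exe).
$pattern = '*Tavern*'

# 1. Services whose name, display name or binary path matches.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $pattern -or $_.DisplayName -like $pattern -or $_.PathName -like $pattern } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 2. Running processes (Path can be empty without elevation).
$processes = Get-Process |
    Where-Object { $_.ProcessName -like $pattern } |
    Select-Object ProcessName, Id, Path

# 3. "Installed apps" entries: 64-bit, 32-bit and per-user uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $pattern } |
    Select-Object DisplayName, Publisher, InstallLocation, UninstallString

# 4. Files left on disk under the assumed roots, with Authenticode status.
#    A Steam library on another drive must be added to $roots by hand.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
           $env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ -and (Test-Path $_) }
$files = Get-ChildItem -Path $roots -Recurse -File -Filter $pattern -ErrorAction SilentlyContinue
$fileReport = foreach ($f in $files) {
    $sig = $null
    if ($f.Extension -in '.exe', '.dll', '.sys') {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    }
    [pscustomobject]@{
        Path            = $f.FullName
        Modified        = $f.LastWriteTime
        SignatureStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

'--- Services ---';       $services   | Format-List
'--- Processes ---';      $processes  | Format-Table -AutoSize
'--- Installed apps ---'; $installed  | Format-List
'--- Files ---';          $fileReport | Format-Table -AutoSize -Wrap
```

Empty sections mean nothing matching the pattern was found in that place; a file listed with a `Valid` signature and a recognisable signer is a different situation from an unsigned one and is worth noting when reporting a suspected false positive.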
Crunchy[Daz] Jul 10, 2024 @ 2:21am 
HDDs can spin up for MANY reasons. Someone saying "hey my HDD spun up when I was playing Dark and Darker" is by no means even worth mentioning, it has zero substance.

Date Posted: Jul 9, 2024 @ 1:42pm
Posts: 51