Dark and Darker

RockDad 9 July 2024 at 13:42
Tavern.exe is suspicious
I've seen a few posts talking about Tavern.exe or TavernWorker.exe being malware. After reading through the forums, most of the people commenting either
A. Don't know what it is or are just echoing what's been said/assumed, or
B. Don't care if it is malware.

This nerd-trapped me because I genuinely wanted to see if it was just an anti-cheat or something nefarious.

Using sandbox tools such as Hybrid Analysis and VirusTotal, I uploaded the suspected .exes into virtual sandboxes. This is what I found...

TavernWorker.exe was clean.... Tavern.exe on the other hand could be malware...

Tavern.exe performs the following suspicious indicators...

  • Anti-Detection/Stealthiness through API calls
  • Anti-Reverse Engineering through Static Parser
  • Cryptographic Related (It's encrypting and compressing a binary file)
  • Environment Awareness (Executes WMI queries known for VM detection)
  • Found a potential email address in binary/memory (Although I am skeptical of this as the email seems to point to ZY Partners; a Chinese Law firm)
  • Spyware/Information Retrieval (Calls an API typically used to enumerate processes encountered for a system snapshot. As well as executes WMI queries to gather system info)
  • Unusual characteristic

There are other things it does that are more informal than suspicious, like accessing device drivers, etc. It would explain why one user reported his hard drive spinning up despite D&D being installed on his SSD.

Please note that just because it is suspicious does not mean it's malware. There are false positives. However, the devs need to address this because whatever it's doing, it's encrypting and hiding its work. We can get a rough idea through indicators, but the exact nature of the .exe is a mystery.

I will still be looking into this. If anyone would like to join and shed some light on this; Welcome!

Please keep unhelpful comments to yourself.

I'm not playing or having anything more to do with this game or Tavern.exe.

Edit: I'm not playing or having anything more to do with this game or Tavern.exe. Please stop DM'ing me about it
Last edited by RockDad; 20 Dec 2024 at 14:18
Showing 1-15 of 51 comments
Dealman 9 July 2024 at 14:22
So, you just uploaded the exe to these online scanners and repeat what they reported...

WMI is used for a whole plethora of things, for example you can measure various performance metrics of a system such as the CPU usage. It's what the Task Manager uses for CPU utilization.

As for the email, it may just be that Tavern/TavernWorker is a kind of crash reporter and it sends crash data to that address.

Nothing about this is particularly suspicious, it just seems to be your typical in-house process used for gathering telemetry data and potentially anti-cheat purposes.
Major Lee Ree 9 July 2024 at 14:24
I've got nothing to hide, it can do whatever it wants for me if it's gonna catch more cheaters.
Last edited by Major Lee Ree; 9 July 2024 at 14:24
Kankaku 9 July 2024 at 14:44
It's quite literally the game's anti-cheat...
MisterSmellies 9 July 2024 at 15:04
Get Muta to look into it
Boutus 9 July 2024 at 15:14
Malware.... Yea mate, the dev team are secretly putting malware on your computer.
RockDad 9 July 2024 at 15:23
Originally posted by Dealman:

Nothing about this is particularly suspicious, it just seems to be your typical in-house process used for gathering telemetry data and potentially anti-cheat purposes.

The data says otherwise. Hence this post...

Virus software like Webroot classifies the .exe as malware. The whole point of this post is to clarify whether it's a false positive or not, with data...

Just saying, "it may be... etc, I don't care if, etc" is not at all helpful.
RockDad 9 July 2024 at 15:26
Originally posted by Boutus:
Malware.... Yea mate, the dev team are secretly putting malware on your computer.

Mate, I believe the word used was "suspicious".

But you also didn't read or comprehend the last sentence either, so I guess I shouldn't be surprised by your comment.
chevalierknight 9 July 2024 at 15:52
Originally posted by RockDad:
I've seen a few posts talking about Tavern.exe or TavernWorker.exe being malware. After reading through the forums, most of the people commenting either
A. Don't know what it is or just echoing what's been said/assumed or
B. Don't care if it is malware.

This nerd-trapped me because I genuinely wanted to see if it was just an anti-cheat or something nefarious.

Using sandbox tools such as Hybrid Analysis and VirusTotal, I uploaded the suspected .exes into virtual sandboxes. This is what I found...

TavernWorker.exe was clean.... Tavern.exe on the other hand could be malware...

Tavern.exe performs the following suspicious indicators...

  • Anti-Detection/Stealthiness through API calls
  • Anti-Reverse Engineering through Static Parser
  • Cryptographic Related (It's encrypting and compressing a binary file)
  • Environment Awareness (Executes WMI queries known for VM detection)
  • Found a potential email address in binary/memory (Although I am skeptical of this as the email seems to point to ZY Partners; a Chinese Law firm)
  • Spyware/Information Retrieval (Calls an API typically used to enumerate processes encountered for a system snapshot. As well as executes WMI queries to gather system info)
  • Unusual characteristic

There are other things it does that are more informal than suspicious, like accessing device drivers, etc. It would explain why one user reported his hard drive spinning up despite D&D being installed on his SSD.

Please note that just because it is suspicious does not mean it's malware. There are false positives. However, the devs need to address this because whatever it's doing, it's encrypting and hiding its work. We can get a rough idea through indicators, but the exact nature of the .exe is a mystery.

I will still be looking into this. If anyone would like to join and shed some light on this; Welcome!

Please keep unhelpful comments to yourself.
Can I ask: if I uninstall the game, then uninstall Tavern Worker in the installed apps, does this also remove Tavern.exe too? Are both things removed? Have you tested if uninstalling Tavern removes both? I only ask because I can see Tavern Worker is removed from Services, but Tavern.exe never shows there when the game's installed and doesn't show in the Task Manager, only Worker. And you put "Anti-Detection/Stealthiness through API calls"; does this mean it's hidden on the system? I just want to know I've uninstalled it alongside Worker when I uninstalled it in the Apps section.
Last edited by chevalierknight; 9 July 2024 at 16:19
RockDad 9 July 2024 at 17:16
Originally posted by chevalierknight:
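A defender-side triage script, added here as an example (it is not from the thread or from the game's developer), for the checks the original post and chevalierknight's uninstall question call for: fingerprint the binary so everyone looks up the same sample on VirusTotal or Hybrid Analysis, check its Authenticode signature, and enumerate the services, processes, scheduled tasks and AppData folders that still reference it. The install path and the name pattern are assumptions; adjust them to the real install location.

```powershell
# Added triage example (not the thread's or the vendor's code). Assumes a Windows
# host with PowerShell 5.1 or later; $ExePath is a placeholder to be adjusted.
param(
    [string]$ExePath     = 'C:\PLACEHOLDER\Tavern.exe',  # placeholder, not a real path
    [string]$NamePattern = 'Tavern'                      # matches Tavern.exe and TavernWorker.exe
)

# 1. Fingerprint and signature. The SHA-256 is the key you search for on the
#    sandbox sites; a 'Valid' signature status tells you who actually signed it.
if (Test-Path -LiteralPath $ExePath) {
    $hash = Get-FileHash -LiteralPath $ExePath -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $ExePath
    [pscustomobject]@{
        File      = $ExePath
        SHA256    = $hash.Hash
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    } | Format-List
} else {
    Write-Warning "File not found: $ExePath (skipping hash/signature check)"
}

# 2. Services. A game uninstall does not necessarily remove a service that a
#    separate helper installer registered, which is the "is it fully gone" question.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like "*$NamePattern*" -or $_.PathName -like "*$NamePattern*" } |
    Select-Object Name, State, StartMode, PathName

# 3. Running processes, matched on image name or on the executable path so a
#    renamed or relocated copy still shows up.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -like "*$NamePattern*" -or $_.ExecutablePath -like "*$NamePattern*" } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine

# 4. Scheduled tasks whose action launches a matching binary (a common way for a
#    helper process to come back after reboot without appearing in Services).
Get-ScheduledTask |
    Where-Object { $_.Actions | Where-Object { $_.Execute -like "*$NamePattern*" } } |
    Select-Object TaskName, TaskPath, State

# 5. Leftover folders under the user profile (the thread mentions logs in AppData).
Get-ChildItem -Path $env:LOCALAPPDATA, $env:APPDATA -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$NamePattern*" } |
    Select-Object FullName, LastWriteTime
```

Empty output from steps 2 to 5 after an uninstall is the evidence that nothing is left behind; a hit in step 4 or 2 with no matching file on disk is worth reporting to the developer.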
Can I ask: if I uninstall the game, then uninstall Tavern Worker in the installed apps, does this also remove Tavern.exe too? Are both things removed? Have you tested if uninstalling Tavern removes both? I only ask because I can see Tavern Worker is removed from Services, but Tavern.exe never shows there when the game's installed and doesn't show in the Task Manager, only Worker. And you put "Anti-Detection/Stealthiness through API calls"; does this mean it's hidden on the system? I just want to know I've uninstalled it alongside Worker when I uninstalled it in the Apps section.

Try the uninstall program in the game files. If that doesn't work and the Tavern program is still present, then that's very odd.
Aldalómë 9 July 2024 at 17:42
Why are there 2 different programs running as anti-cheat? The "anti-cheat" scanning all your files is dubious as hell. When will the devs talk about this crap?

Also, fanboys should stop dickriding companies especially when the anti-cheat system is dubious or poorly implemented.
Last edited by Aldalómë; 9 July 2024 at 17:53
Guntrigger 9 July 2024 at 17:48
Weird that after uninstalling the game TavernWorker still remains and has to be uninstalled using Add/Remove Programs separately. Tavern.exe doesn't seem to remain after this. It leaves some files in AppData, but it appears that they may just be logs.
chevalierknight 9 July 2024 at 18:58
Originally posted by Guntrigger:
Weird that after uninstalling the game TavernWorker still remains and has to be uninstalled using Add/Remove Programs separately. Tavern.exe doesn't seem to remain after this. It leaves some files in AppData, but it appears that they may just be logs.
Oh, that's good. I was worried that it had stayed. I deleted those logs and did a file search and nothing else pops up with Tavern. I have an anxiety disorder and this was really affecting me, so I uninstalled the game and the worker app, but the Tavern.exe was really making me ill.
Last edited by chevalierknight; 9 July 2024 at 19:00
Louis Harriger 9 July 2024 at 19:58
Originally posted by chevalierknight:
Originally posted by Guntrigger:
Weird that after uninstalling the game TavernWorker still remains and has to be uninstalled using Add/Remove Programs separately. Tavern.exe doesn't seem to remain after this. It leaves some files in AppData, but it appears that they may just be logs.
Oh, that's good. I was worried that it had stayed. I deleted those logs and did a file search and nothing else pops up with Tavern. I have an anxiety disorder and this was really affecting me, so I uninstalled the game and the worker app, but the Tavern.exe was really making me ill.
Open up Services and you can disable it there if you want to take another precaution.
chevalierknight 9 July 2024 at 20:02
Originally posted by Louis Harriger:
Originally posted by chevalierknight:
Oh, that's good. I was worried that it had stayed. I deleted those logs and did a file search and nothing else pops up with Tavern. I have an anxiety disorder and this was really affecting me, so I uninstalled the game and the worker app, but the Tavern.exe was really making me ill.
Open up Services and you can disable it there if you want to take another precaution.
When I uninstalled it from Apps it removed it from Services; I was just worried it didn't remove all of it.
Crunchy[Daz] 10 July 2024 at 02:21
HDDs can spin up for MANY reasons. Someone saying "hey my HDD spun up when I was playing Dark and Darker" is by no means even worth mentioning, it has zero substance.

Date posted: 9 July 2024 at 13:42
Posts: 51