Steam for Linux

sgtghost3222 Jan 3, 2022 @ 10:40am
Win.Trojan Virus on Steam, Proton, Ubuntu
Clamav => 8 copies of Win.Trojan.Generic in steam and Origin files.
I recently installed steam & proton, followed by lutris and origin, but nothing else. Anyone run into this? False positive?

Ubuntu: 20.04.3 LTS
Steam: steam_client_ubuntu12 version 1639697812, installed version 1639697812
Proton: proton_experimental; proton_6.3-8
Lutris: 0.5.9.1
Origin Games: ?
Wine: wine-5.0 (Ubuntu 5.0-3ubuntu1)

Virus: Win.Trojan.Generic-9907909-0
Clamscan: ClamAv Engine version: 0.103.2

Results:
~/Games/origin/drive_c/ProgramData/Package Cache/{844ECB74-9B63-3D5C-958C-30BD23F19EE4}v14.0.24212/packages/vcRuntimeAdditional_x86/cab1.cab: Win.Trojan.Generic-9907909-0 FOUND
~/Games/origin/drive_c/ProgramData/Package Cache/{F20396E5-D84E-3505-A7A8-7358F0155F6C}v14.0.24212/packages/vcRuntimeAdditional_amd64/cab1.cab: Win.Trojan.Generic-9907909-0 FOUND
~/Games/origin/drive_c/windows/syswow64/mfc140ita.dll: Win.Trojan.Generic-9907909-0 FOUND
~/Games/origin/drive_c/windows/system32/mfc140ita.dll: Win.Trojan.Generic-9907909-0 FOUND
~/.steam/debian-installation/steamapps/compatdata/674020/pfx/drive_c/ProgramData/Package Cache/{69BCE4AC-9572-3271-A2FB-9423BDA36A43}v14.0.24215/packages/vcRuntimeAdditional_x86/cab1.cab: Win.Trojan.Generic-9907909-0 FOUND
~/.steam/debian-installation/steamapps/compatdata/674020/pfx/drive_c/ProgramData/Package Cache/{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}v14.0.24215/packages/vcRuntimeAdditional_amd64/cab1.cab: Win.Trojan.Generic-9907909-0 FOUND
~/.steam/debian-installation/steamapps/compatdata/674020/pfx/drive_c/windows/syswow64/mfc140ita.dll: Win.Trojan.Generic-9907909-0 FOUND
~/.steam/debian-installation/steamapps/compatdata/674020/pfx/drive_c/windows/system32/mfc140ita.dll: Win.Trojan.Generic-9907909-0 FOUND
Showing 1-15 of 17 comments
Zyro Jan 3, 2022 @ 10:59am 
IMHO, these are false positives for PROTON DLLs. Check it with some online malware scanner.
meheezen Jan 3, 2022 @ 11:19am 
why is there a sudden surge of folks running clamav on steam files?
also noticeable is that none of them seem to know what the results mean
meheezen Jan 3, 2022 @ 11:34am 
Originally posted by Xenophobe:
Originally posted by meheezen:
why is there a sudden surge of folks running clamav on steam files?
also noticeable is that none of them seem to know what the results mean
probably people abandoning windows (I did 4 months ago) that are used to having an antivirus program running, and aren't aware that to linux, certain windows functions via proton may appear malicious because of how they normally function in a windows environment.
hmmm, i was wondering if some popular "tech" site decided to recommend using clamav on linux or something.
thanks anyways.
Marlock Jan 3, 2022 @ 1:09pm 
there is a good chance someone recommended it, but it may as well be just a habit

the latest LTT video didn't say anything about it, but maybe a previous one did show them evaluating AVs for linux... I haven't seen all of them yet
sgtghost3222 Jan 3, 2022 @ 8:40pm 
Originally posted by Xenophobe:
if you use the clamtk gui, there is an analysis button to compare to a database of 64 antivirus programs findings, mine showed no actual virus/trojan/malware indication. also, check this thread on the same exact issue ... https://steamcommunity.com/app/221410/discussions/0/3192488348523006124/

thanks for the link. No info in the ui analysis, unfortunately. I've never used steam or clamav
but it's still odd to see positive results for origin and steam.
Ussul w+m1 Jan 4, 2022 @ 4:06pm 
So, if this does not pop up on your system, what antivirus are you using?
jason Jan 4, 2022 @ 6:41pm 
Originally posted by Ussul w+m1:
So, if this does not pop up on your system, what antivirus are you using?

None. Never saw a need to.

Out of curiosity I installed clamav, updated and started it. Ran clamdscan --verbose --multiscan --fdpass on an entirely arbitrary 30*/pfx/drive_c, as good as any random 10 prefixes would be. No infected files found.

Ran it on all */pfx/drive_c/windows/system32/mfc*.dll. No infected files found.

sha1sum's of versions of mfc140ita.dll I have:
16413615ac45a4d5e1e5badbc403eb00887b0f57
5058c2a8aab4580ab8da890746b574a4dcd3f942
618e4fba0e7577584dc222236b699b66131fd979
8dba03d4972f53974ddc535b59715080d3c23a02
b1c6f9bd6b9567a5b3be1b5083206be46da9f115
Not being in this list does not mean anything.

I don't have anything with Origin or the specific appid in the OP.

I don't know how slow any antivirus is expected to be but it was taking too long to do more than a few groups of files. It would probably have taken weeks to scan everything.
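An added example, not written by any participant in this thread: one way to triage a report like the one in the first post is to group the `FOUND` lines by signature and file name across Wine prefixes, then hash the flagged copies the way the `sha1sum` list above does. The function names are hypothetical; the sample uses four lines from the first post plus one constructed `OK` line.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Four lines taken from the scan results in the first post, plus one
# constructed "OK" line to show that clean files are skipped.
SAMPLE = """\
~/Games/origin/drive_c/windows/syswow64/mfc140ita.dll: Win.Trojan.Generic-9907909-0 FOUND
~/Games/origin/drive_c/windows/system32/mfc140ita.dll: Win.Trojan.Generic-9907909-0 FOUND
~/.steam/debian-installation/steamapps/compatdata/674020/pfx/drive_c/windows/syswow64/mfc140ita.dll: Win.Trojan.Generic-9907909-0 FOUND
~/.steam/debian-installation/steamapps/compatdata/674020/pfx/drive_c/windows/system32/mfc140ita.dll: Win.Trojan.Generic-9907909-0 FOUND
~/Games/origin/drive_c/windows/system32/kernel32.dll: OK
"""

HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def parse_hits(report):
    """Return (path, signature) for every 'FOUND' line of clamscan output."""
    return [(m["path"], m["sig"]) for line in report.splitlines()
            if (m := HIT.match(line.strip()))]

def group_hits(hits):
    """signature -> file name -> list of Wine prefixes, one entry per hit."""
    grouped = defaultdict(lambda: defaultdict(list))
    for path, sig in hits:
        prefix, _, inside = path.partition("/drive_c/")
        grouped[sig][PurePosixPath(inside or path).name].append(prefix)
    return grouped

def sha1_of(path, chunk=1 << 20):
    """Same digest as `sha1sum`, for comparing copies of a flagged file."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            h.update(block)
    return h.hexdigest()

def summarize(report):
    """One line per (signature, file name): hit count and prefix count."""
    out = []
    for sig, names in sorted(group_hits(parse_hits(report)).items()):
        for name, prefixes in sorted(names.items()):
            out.append(f"{sig} {name}: {len(prefixes)} hits "
                       f"in {len(set(prefixes))} prefixes")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

The grouping shows when a single signature is firing on the same file name in separate prefixes; running `sha1_of` on each flagged copy then tells you which copies are byte-identical and gives a digest to compare or look up.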
If you are that concerned about malware.
Just run steam as a flatpak and simply deny as much access to your system as possible with flatseal.
jrubz Jan 5, 2022 @ 2:11pm 
Your best antivirus on Linux is really not running something you don't trust, or otherwise shelling it within a virtual machine.
Originally posted by jrubz:
Your best antivirus on Linux is really not running something you don't trust, or otherwise shelling it within a virtual machine.
But vm's are very cpu and ram hungry.
Flatpaks are much less intense on your machine since, well, you don't run 2 os's at the same time
And we're talking about steam with games. Getting all of that running in a vm means that your vm is going to require more storage than your host system.
And then there is a lot of performance loss especially on the gpu side.
I wouldn't recommend playing your games in a vm at all.
Marlock Jan 5, 2022 @ 3:42pm 
you could use a VM with GPU passthrough to avoid the graphics performance loss but it's not trivial to set up...

on the other hand, flatpak steam also has issues, especially with recent versions of Proton (since Valve revamped the steam linux runtimes... proton >5.11.x iirc?)

this thread mentions the issue with proton vs. flatpak and some workarounds:
https://steamcommunity.com/app/221410/discussions/0/3154202142451497519/#c3194736442560089725
Last edited by Marlock; Jan 5, 2022 @ 3:44pm
Aoi Blue Jan 7, 2022 @ 1:34pm 
Originally posted by Marlock:
you could use a VM with GPU passthrough to avoid the graphics performance loss but it's not trivial to set up...

on the other hand, flatpak steam also has issues, especially with recent versions of Proton (since Valve revamped the steam linux runtimes... proton >5.11.x iirc?)

this thread mentions the issue with proton vs. flatpak and some workarounds:
https://steamcommunity.com/app/221410/discussions/0/3154202142451497519/#c3194736442560089725
VM GPU passthrough still has penalty unless you have an entire card dedicated to the VM.

Splitting a GPU across multiple VMs requires at least one of the GPU cores to remain dedicated to the host to handle the splitting. It also requires a portion of the GPU memory.

Still, this is leaps and bounds in efficiency over old VMs where you had to run an emulated GPU.

The other option, GL API passthrough (VirGL) has roughly about the same amount of penalty.

Either way it will cost you a small amount of GPU, VRAM, CPU and system RAM resources. If you have enough to spare it shouldn't be an issue one bit. The overhead is nothing compared to what it was in the past.
Originally posted by Aoi Blue:
Originally posted by Marlock:
you could use a VM with GPU passthrough to avoid the graphics performance loss but it's not trivial to set up...

on the other hand, flatpak steam also has issues, especially with recent versions of Proton (since Valve revamped the steam linux runtimes... proton >5.11.x iirc?)

this thread mentions the issue with proton vs. flatpak and some workarounds:
https://steamcommunity.com/app/221410/discussions/0/3154202142451497519/#c3194736442560089725
VM GPU passthrough still has penalty unless you have an entire card dedicated to the VM.

Splitting a GPU across multiple VMs requires at least one of the GPU cores to remain dedicated to the host to handle the splitting. It also requires a portion of the GPU memory.

Still, this is leaps and bounds in efficiency over old VMs where you had to run an emulated GPU.

The other option, GL API passthrough (VirGL) has roughly about the same amount of penalty.

Either way it will cost you a small amount of GPU, VRAM, CPU and system RAM resources. If you have enough to spare it shouldn't be an issue one bit. The overhead is nothing compared to what it was in the past.
Thing is.
Vm's were never designed for gaming.
You probably wouldn't install qubes os and expect the greatest gaming performance for example.
Vm's for end users are great if you want to run a windows only app, try around different Linux distros (or maybe use macos if you are that kind of person)
Yes it is possible, but it's, as you said, far from perfect.
I know i repeat myself, and I'm not a flatpak fanboy.
But if you think steam is spying on you, for god's sake just use the flatpak version and set it up that steam only has access to the absolute necessary. That comes with no performance penalty and is way quicker to set up.
Marlock Jan 7, 2022 @ 4:11pm 
I'd go to flatpak first too... just being aware that proton in flatpak is a PITA (the linked thread helps)
Last edited by Marlock; Jan 7, 2022 @ 4:12pm
Enigmatic Jan 7, 2022 @ 11:31pm 
I use firejail.
But I hear good things about bubble wrap as well.

Date Posted: Jan 3, 2022 @ 10:40am
Posts: 17