Scavenger SV-4
This topic has been pinned, so it's probably important
Khallis  [developer] 11 Jul 2018, 20:18
Antivirus False Positives: The Saga
If you are experiencing errors with the game starting, or crashing when you try to begin a new game, or the config options panel not working, odds are very good your antivirus software has quarantined the game.

The game does not have a virus or trojan. These are all false positives. There is a page written by Valve, on Steam, describing these sorts of issues.
https://support.steampowered.com/kb_article.php?ref=4361-MVDP-3638&l=english

I have pushed several patches to fight this. V1.08, v1.09 and v1.095 were all mainly about minimizing this. Unfortunately, it's a moving target - each of those patches had very few false positives when I uploaded them, and then changing rules and heuristics by the AV packages caused more false positives to appear.

My new strategy is to submit false positive reports with the antivirus vendors so they stop producing false positives on Scavenger SV-4. This thread will contain my status updates, so you can follow along and see how it's going.

I can't have every antivirus software installed on my computers, so I use http://virustotal.com to analyze the executables. There are 3 exes in the game.

Scavenger.exe is the main one, it is the game. If it's quarantined, your game won't start.
configtool.exe is a standalone that sets up the options - resolution, starting equipment, keybinding, and so on. If it's quarantined, "options" won't work.
magrathea.exe is the program that builds new worlds for you to explore. If it's quarantined, the game will probably crash during the menus when you try to start a new game.

Virustotal uses about 67 av programs to scan with. Of those, many are pretty obscure.

As of the beginning of this saga three days ago, the counts were:

Scavenger.exe 21/67 false positive, configtool.exe 20/67 false positive, magrathea.exe 7/67.

It is worthwhile to note that the virustotal.com results change day by day - sometimes just pushing "rescan" results in a slightly different set of results. This is not a precise science apparently.

Additionally, you can run these tests yourself. Feel free to upload the three .exe files to VirusTotal and see what the as-of-that-instant results are.
Last edited by Khallis; 11 Jul 2018, 20:34
Showing 1-15 of 35 comments
Khallis  [developer] 11 Jul 2018, 20:22
I submitted a report to Kaspersky. They were very helpful.

Sorry, it was a false detection. It will be fixed.
Thank you for your help.

Best regards,
Pavel Sinenko, Malware Analyst, Kaspersky Lab

As of the time of this posting, Kaspersky no longer false positives on any of the three EXEs.
Khallis  [developer] 11 Jul 2018, 20:24
I submitted a report to Microsoft. They were also very helpful.

Submission ID: 5d84211f-a6ee-4ca2-9400-a13ead5399d0
Analyst comments:

... We have reviewed the file and we have removed the detection. Please try the following steps to clear cached detections and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”

The latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Best regards,
Windows Defender Response

As of the time of this posting, the Microsoft: line shows Clean for all three EXEs.
Khallis  [developer] 11 Jul 2018, 20:25
I submitted a report to Symantec. They were very helpful.

In relation to submission 98522.

Upon further analysis and investigation we have verified your submission
and, as such, the detection(s) for the following file(s) will be removed
from our products:

File name: ConfigTool.exe
MD5: 9EB4CDF87633EB906EBCA243EA828A42
SHA256:ACC574F2F9FB388F07F74722F35C7BA395336B73E75014B021A796E64E055E9A

As of the time of this posting, Symantec shows Clean on Virustotal for the config tool and magrathea, but is still throwing a false positive on Scavenger.exe:
"ML.Attribute.HighConfidence"

They haven't replied to me yet about that. I'll re-report it if I don't hear something soon.
Last edited by Khallis; 11 Jul 2018, 20:45
Khallis  [developer] 11 Jul 2018, 20:27
I submitted a report to Trend Micro, but between the time I submitted the report and them getting back to me, Trend Micro Housecall: stopped showing the false positives on VirusTotal. I am not sure if they took specific action or not.

It is worthwhile to note that the virustotal.com results change day by day - sometimes just pushing "rescan" results in a slightly different set of results. This is not a precise science apparently.
Khallis  [developer] 11 Jul 2018, 20:36
I submitted a report to ESET. They were great. They got back to me a few hours later with:

Thank you for your submission.
It is a false positive of our scanner and this issue will be fixed in the
next update of detection engine.

Regards,
ESET Malware Response Team

As of the time of this posting, ESET-NOD32 now shows Clean on VirusTotal for all three EXEs.
Khallis  [developer] 11 Jul 2018, 20:40
I am trying to pick the larger more common AV suites first, on the logic that probably none of my users are using Qihoo-360, Jiangmin, or Cylance.
Khallis  [developer] 11 Jul 2018, 20:43
I submitted a report to FortiNet. They were very cool about it. They replied:

Based on our analysis we have decided to disable the detection on the following file:
Scavenger.exe - MD5:862d698a8032f88f5dbcfe57eeec4e59

We regret any inconvenience this might have caused you. The detection will be removed in our earliest possible Virus Signature update.

As of this posting, Fortinet shows Clean on VirusTotal for all three EXEs.
Khallis  [developer] 11 Jul 2018, 20:49
I sent a false positive report to McAfee, and they replied back with an automated scan alert saying "Inconclusive". They are currently false positiving with two products on VirusTotal on all three of the executables.

McAfee: Scavenger.exe, "RDN/Generic.dx", configtool, "RDN/Generic.hbg", magrathea, "RDN/Generic.RP"

McAfee-GW-Edition: Scavenger.exe, "BehavesLike.Win32.Dropper.jc", configtool "RDN/Generic.hbg", magrathea.exe "BehavesLike.Win32.Dropper.gh"

They haven't gotten back to me with a human being yet. As of this posting, both McAfee products on virustotal false positive on all three of my executables.
Khallis  [developer] 11 Jul 2018, 20:57
There are two things I'd like to call out, during this process.


1) I basically can't patch the game code after this.

If I change my signatures, by pushing another patch to the game, every single one of these whitelisted reports and changes with the AV vendors will become invalid. It will be seen as a new program, and the manually entered exception on file with all these vendors will no longer apply.

To patch anything in the code, I'd have to resubmit every single one of these reports.

That doesn't necessarily mean 1.095 is the Last Edition Ever of Scavenger SV-4, but it does mean the *code* isn't gonna change from here out. v1.10 is therefore more likely to be something like a texture improvement pack to try to improve the look of things a little.


2) If you get an antivirus quarantine alert, and it isn't for one that I've already talked about as a known open vendor ticket in this thread, please let me know here.

Virustotal.com isn't perfect, and doesn't cover everything, and I otherwise have no way of knowing it happens if you don't tell me. I'm happy to try to fix this situation for your use case, but you have to let me know.
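
Added example, not part of the original thread or the developer's code: the Symantec and Fortinet replies above identify the files they cleared by hash, so this sketch checks whether a local copy is byte-identical to the build named in those replies. It assumes the quoted hashes are the only record of what was cleared; the function names and the `CLEARED` table layout are hypothetical.

```python
import hashlib
import sys
from pathlib import Path

# Hashes quoted in the Symantec and Fortinet replies in this thread (lower-cased).
# MD5 appears only because the vendors quoted it; prefer SHA-256 where given.
CLEARED = {
    "configtool.exe": {
        "md5": "9eb4cdf87633eb906ebca243ea828a42",
        "sha256": "acc574f2f9fb388f07f74722f35c7ba395336b73e75014b021a796e64e055e9a",
    },
    "scavenger.exe": {"md5": "862d698a8032f88f5dbcfe57eeec4e59"},
}


def file_digests(path, algorithms, chunk_size=1 << 20):
    """Hash a file once, feeding every requested algorithm from the same read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while block := fh.read(chunk_size):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def check_build(path, cleared=CLEARED):
    """Return (status, mismatches).

    status is 'cleared' when every quoted hash matches, 'different-build' when
    any differs (a patched or altered file), and 'unknown' when the thread
    quotes no hash for that file name.
    """
    expected = cleared.get(Path(path).name.lower())
    if expected is None:
        return "unknown", {}
    actual = file_digests(path, expected.keys())
    mismatches = {a: actual[a] for a in expected if actual[a] != expected[a]}
    return ("cleared" if not mismatches else "different-build"), mismatches


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        status, mismatches = check_build(arg)
        print(f"{arg}: {status}")
        for algo, digest in mismatches.items():
            print(f"  {algo} on disk: {digest}")
```

A `different-build` result only says the file is not the exact build named in a vendor reply, which is what any later patch would produce; it is not a verdict on the file itself.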
Khallis  [developer] 11 Jul 2018, 21:08
Current snapshot:

scavenger.exe, 16/67
configtool.exe, 17/67
magrathea.exe, 5/67

Open tickets: McAfee, Symantec
Khallis  [developer] 12 Jul 2018, 7:51
Avast just got back to me. They've whitelisted all three executables. It checks out, Avast does not at time of this post false positive any of the three on virustotal.

Current snapshot:

scavenger.exe, 15/67
configtool, 17/67
magrathea, 5/67
configtool.exe (again) flagged by Bitdefender:
The file d:\steam\steamapps\common\scavenger sv-4\configtool.exe is infected with Trojan.GenericKD.31075384 and was moved to quarantine.
Khallis  [developer] 13 Jul 2018, 1:02
Cool, thanks for the heads up. I'll resubmit to BitDefender.
Khallis  [developer] 13 Jul 2018, 1:16
Current snapshot:

scavenger.exe, 12/67
configtool 18/67
magrathea, 4/67

McAfee is thus far being less than helpful. They are trying to act like my false positive report is a suspicious files report, when that is exactly the opposite. More updates to follow.
Khallis  [developer] 13 Jul 2018, 17:51
I've submitted a ticket to BitDefender for configtool.