Well sure, but I don’t think this was a false positive, the anti malware cleaned the infections (identified by SHA2 and signatures presumably), and proton still works, so these files might’ve been infected by someone working on proton or the server that releases them so steam grabbed them? I’m not sure.
Apparently they're all on the i386-windows directory:
See link: https://mastodon.online/@argenis/112514775859606881
You have to do behavioral analysis and deep scans to verify any claims, and for that you have to run it simulated and see what it deploys, what it injects, which ports it accesses, and which sites it retrieves or sends data to.
For that you either need a paid VirusTotal account, one your endpoint provider offers, or, if you are reviewed and deemed trusted, something like JoeSandbox. Or, if you have the resources, your own test lab.
Can you provide a link to the scanned resource itself from the official source? I can at the very least scan it with my enterprise endpoint and see if it detects any behavior.
Addendum
The above offer stands for 48 hours from now. If by then you have not provided the information needed, which is a link to the build or commit URL, I will assume you are not interested in the scan. No hard feelings; it's simply time-restricted how long I can and want to spend on individual cases of this nature.
Hmm...
It's funny when their link shows what you'd expect: false positives from a bunch of nonsense heuristics from unknown vendors, or from ones who are known to be objectively bad because they want to make money, so false positives are the way they do this.
VirusTotal happens to agree with the malware findings too; those I ran afterwards.
Now either the SHA-256 signatures happen to match with known malware (very unlikely), or there was something on whomever compiled those or the server where they were compiled, or the distribution pipeline.
It's all heuristic garbage or "we are so bad at this we're just guessing, please tell us if this is real or not."
Don't parrot off nonsense from VirusTotal if you have no clue what the output from the website actually means.
False positives are very common, especially when the scanners it triggers think it's a generic signature defined by gen.variant, in addition to riskware, which it can think of anything that does low-level operations, which is required for emulation purposes if it needs to connect to your network at any point.
And if you indeed have an Enterprise version, simply contact your assigned support desk or liaison; you're paying for the subscription, so why do all the work yourselves?
The build/commit source is:
Steam Beta Branch: Stable Client
Steam Version: 1716584667
Steam Client Build Date: Fri, May 24 13:48 UTC -08:00
Steam Web Build Date: Fri, May 24 13:31 UTC -08:00
Steam API Version: SteamClient021
I installed the Steam client, then once there, I enabled Proton Experimental on a game and it downloaded.
I've been able to replicate this via removing and re-downloading proton experimental:
App ID: 1493710
Build ID: 14456479
Installed content updated: May 24, 2024 at 21:49
https://steamdb.info/depot/1493711/history/?changeid=M:7743326805990044174
https://www.virustotal.com/gui/file/723c879ec2df19a5df12ca022d26e92c840662127b4715f4972cfa83aac84fb7/detection
Here's what I can tell you right now without having done any investigation locally: it's a false positive.
How do I know? Because it would be utterly pointless to hide malware in shutdown.exe inside a Proton installation. There are almost no cases where that program would be run by any game. Certainly no instances of shutdown.exe being called in any Steam game I'm aware of.
But in the interest of completeness, I will now load shutdown.exe into Ghidra, the NSA's software reverse engineering framework. We're looking for some difference from the source code at https://github.com/ValveSoftware/wine/blob/bleeding-edge/programs/shutdown/main.c which was last edited in 2019 and has had no substantial changes since 2015 (though one could argue that there were no substantial changes between that version and AT&T's implementation of /bin/true from 1984: https://trillian.mit.edu/~jc/humor/ATT_Copyright_true.html).
And what do we find? About what we should expect:
An implementation of /bin/true with some debug logging.
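One way to make the comparison the post above describes reproducible without a disassembler is to hash every file in the installed tool directory and check it against an allowlist built from a freshly downloaded copy of the same build, so that a tampered, added or missing file shows up by name. The script below is an added example, not code from the thread or from Valve/Steam: the files/bin/i386-windows layout, the file names and the file contents are constructed stand-ins, and the version string is the one quoted from the version file in this thread.

```python
"""Compare an installed Proton directory against a hash allowlist built from
a known-good copy of the same build.

Added example for this thread; not Valve's or Steam's code. The directory
layout, file names and file contents below are constructed stand-ins.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large PE files are not held in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    hashes = {}
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def compare_to_allowlist(observed, allowlist):
    """Classify each path as ok, modified, unexpected (not in allowlist) or missing."""
    report = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    for rel, digest in observed.items():
        if rel not in allowlist:
            report["unexpected"].append(rel)
        elif allowlist[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["missing"] = [rel for rel in allowlist if rel not in observed]
    for bucket in report.values():
        bucket.sort()
    return report


def _write(root, rel, data):
    """Create rel (a '/'-separated path) under root with the given bytes."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Build a constructed known-good tree and a constructed installed tree
    with one tampered file, one extra file and one missing file, and return
    the comparison report."""
    sub = "files/bin/i386-windows/"
    with tempfile.TemporaryDirectory() as tmp:
        known_good = os.path.join(tmp, "known_good")
        installed = os.path.join(tmp, "installed")
        # Constructed stand-ins; these are not real PE files.
        for root in (known_good, installed):
            _write(root, sub + "shutdown.exe", b"MZ constructed shutdown.exe")
        _write(known_good, sub + "ping.exe", b"MZ constructed ping.exe")
        _write(installed, sub + "ping.exe", b"MZ constructed ping.exe TAMPERED")
        _write(installed, sub + "extra.dll", b"MZ constructed extra.dll")
        # The 'version' file content as quoted in this thread; here it exists
        # only in the known-good copy so the 'missing' case is exercised.
        _write(known_good, "version", b"1716388226 experimental-9.0-20240522\n")
        allowlist = hash_tree(known_good)
        observed = hash_tree(installed)
        return compare_to_allowlist(observed, allowlist)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:10s} {paths}")
```

In practice the allowlist comes from a second, separate download of the same Build ID (or from a colleague's machine), never from the directory that triggered the alert, and only a "modified" or "unexpected" entry justifies escalating to a sandbox or disassembler; files that hash identically to the reference copy were not changed on your machine, whatever the heuristic engines say.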
That's the part below; that's all the info I have. Steam itself only says the following for Proton Experimental:
App ID: 1493710
Build ID: 14456479
Installed content updated: May 24, 2024 at 21:49
Anything beyond that I would not know how to get; in its directory there's a file called version that says some extra stuff: 1716388226 experimental-9.0-20240522
Manifest:
"manifest"
{
"version" "2"
"commandline" "/proton %verb%"
"require_tool_appid" "1628350"
"use_sessions" "1"
"compatmanager_layer_name" "proton"
}
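The manifest above is in Valve's KeyValues text format (quoted keys and values, blocks in braces). The parser below is an added example, not Steam's or Valve's own code: it reads the manifest into nested dictionaries and, going beyond the flat file on this page, also handles nested blocks, backslash-escaped quotes and // line comments, so the same function can be pointed at other files of this shape. The manifest text embedded in it is copied from this post.

```python
"""Parse the Steam compatibility-tool manifest from this thread, which is in
Valve's KeyValues text format (quoted keys and values, nested braces).

Added example; this is not Valve's or Steam's parser. It handles quoted
strings with backslash escapes, nested blocks and // line comments.
"""

# The manifest quoted in the thread, embedded so the example runs offline.
MANIFEST_TEXT = '''
"manifest"
{
    "version" "2"
    "commandline" "/proton %verb%"
    "require_tool_appid" "1628350"
    "use_sessions" "1"
    "compatmanager_layer_name" "proton"
}
'''


def tokenize(text):
    """Yield ('str', value) for quoted strings and ('brace', '{' or '}') for braces."""
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch.isspace():
            i += 1
        elif text.startswith("//", i):          # line comment, skip to end of line
            end = text.find("\n", i)
            i = n if end == -1 else end
        elif ch in "{}":
            yield ("brace", ch)
            i += 1
        elif ch == '"':
            buf, j = [], i + 1
            while j < n and text[j] != '"':
                if text[j] == "\\" and j + 1 < n:   # keep the escaped character literally
                    buf.append(text[j + 1])
                    j += 2
                else:
                    buf.append(text[j])
                    j += 1
            if j >= n:
                raise ValueError(f"unterminated string starting at offset {i}")
            yield ("str", "".join(buf))
            i = j + 1
        else:
            raise ValueError(f"unexpected character {ch!r} at offset {i}")


def parse_keyvalues(text):
    """Return nested dicts; string values stay strings (no numeric coercion)."""
    tokens = list(tokenize(text))
    pos = 0

    def parse_block():
        nonlocal pos
        block = {}
        while pos < len(tokens) and tokens[pos] != ("brace", "}"):
            kind, key = tokens[pos]
            if kind != "str":
                raise ValueError(f"expected a quoted key, got {key!r}")
            pos += 1
            if pos >= len(tokens):
                raise ValueError(f"key {key!r} has no value")
            kind, value = tokens[pos]
            pos += 1
            if (kind, value) == ("brace", "{"):
                block[key] = parse_block()
                if pos >= len(tokens) or tokens[pos] != ("brace", "}"):
                    raise ValueError(f"block {key!r} is not closed")
                pos += 1
            elif kind == "str":
                block[key] = value
            else:
                raise ValueError(f"key {key!r} has no value")
        return block

    result = parse_block()
    if pos != len(tokens):
        raise ValueError("unbalanced closing brace")
    return result


def manifest_summary(text):
    """Pull out the fields that matter when checking what a tool will execute."""
    manifest = parse_keyvalues(text)["manifest"]
    return {
        "version": manifest.get("version"),
        "commandline": manifest.get("commandline"),
        "require_tool_appid": manifest.get("require_tool_appid"),
    }


if __name__ == "__main__":
    print(parse_keyvalues(MANIFEST_TEXT))
```

The field worth reading first is "commandline": it is the program Steam launches for the tool, so any value other than the expected /proton %verb% would be far more interesting than a heuristic hit on a helper binary. Values are left as strings because KeyValues has no numeric type; "require_tool_appid" is an app ID and should be compared as text.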
I got a chuckle reading millions of Steam users use Linux; that's false, as Steam's own demographics show Linux at 1% of usage or less, meaning even fewer than 300,000 people use Linux.
Math on that: 30,000,000 / 1%
It's good you found and removed the infection; more people need to be vigilant. Thanks OP for bringing this issue to the surface.