geordiejedi Jun 25, 2023 @ 11:54am
Malware scan claims trojan in Proton / Wine
Hi there guys.

I was wondering if you could help me with an issue that I've just discovered
on my Steam installation

I run Linux as my main OS for my computer.
Occasionally I will use a USB stick with some anti-malware apps on it and scan
my Linux box for any kind of malware (Windows or Linux) or associated issues.

I came across this hit/issue this morning, after running a scan last night.

HEUR:Trojan.Win32.Msb.a @Filesystem[33336756-65dd-e261-038e-7d45410180e1]/[my username]/.steam/debian-installation/steamapps/common/Proton 8.0/dist/lib64/wine/x86_64-windows/mscoree.dll Trojan program MD5:D5A6CC9419D9ED38976A3008BA0ED790 SHA256:495CB7D12B425220BF98D9A191B0DF2FAF82DD07FF44BD32F3940CEFB077B501


Questions:

1. Based upon the information above, should I be worried ?

2. Is this a false positive ?
(The anti-virus / malware app) doesn't appear to like this file

3. Has anyone else had the same or something similar when using Steam on their
Linux box ?


TIA for any help or advice


Useful information:
OS: Linux (Ubuntu 22.04 LTS)
DE: KDE Plasma Version: 5.24.7
Kernel version: 5.19.0-45-generic (64-bit)

Steam version: (Built) May 30 2023 at 20:40:51
Steam package version: 1685488080

Motherboard: Sabertooth 990 FX
CPU: AMD FX(tm)-8150 (8 cores)
RAM: 16 GB
GFX: Nvidia GeForce GT 640
HDD: Samsung Evo SSD (500 GB)
Last edited by geordiejedi; Jun 25, 2023 @ 12:02pm
Azure Fang Jun 25, 2023 @ 12:03pm 
1. No
2. Yes

HEUR:Trojan.Win32.Msb.a
That HEUR tag means this was a heuristic detection. Long story short, it's a guess by the scanner that something is potentially malicious based on a vague subset of rules. Proton relies on a number of functions that are benign when used properly but CAN be used maliciously, usually memory scanning and injection routines. This is, without a doubt, a false positive.
Crashed Jun 25, 2023 @ 12:34pm 
Originally posted by Azure Fang:
1. No
2. Yes

HEUR:Trojan.Win32.Msb.a
That HEUR tag means this was a heuristic detection. Long story short, it's a guess by the scanner that something is potentially malicious based on a vague subset of rules. Proton relies on a number of functions that are benign when used properly but CAN be used maliciously, usually memory scanning and injection routines. This is, without a doubt, a false positive.
Definitely send the file in question to the antivirus provider so they can whitelist it.
mscoree.dll is the runtime for the .NET Framework.
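
Added example, not part of any post in this thread: a small triage helper that parses the scanner report line from the first post, marks the verdict as heuristic when it carries the HEUR: prefix, and checks that a local file has the same MD5 and SHA256 as the report, so the copy submitted to the antivirus provider is the one that was flagged. The report-line layout is assumed from the one line quoted above; the function names are hypothetical.

```python
import hashlib
import re

# Layout inferred from the single report line quoted in the thread (assumption).
REPORT_RE = re.compile(
    r"^(?P<verdict>\S+)\s+@Filesystem\[[^\]]+\]/(?P<path>.+?\.\w+)\s+"
    r".*?MD5:(?P<md5>[0-9A-Fa-f]{32})\s+SHA256:(?P<sha256>[0-9A-Fa-f]{64})\s*$"
)

def parse_report(line):
    """Split a report line into verdict, path and lower-cased hashes."""
    m = REPORT_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised report line")
    finding = m.groupdict()
    finding["md5"] = finding["md5"].lower()
    finding["sha256"] = finding["sha256"].lower()
    # "HEUR:" marks a heuristic verdict, as the reply above explains.
    finding["heuristic"] = finding["verdict"].upper().startswith("HEUR:")
    return finding

def file_hashes(path, chunk=1 << 20):
    """Hash the file in chunks so large binaries are not loaded whole."""
    md5 = hashlib.md5(usedforsecurity=False)  # used only to identify the file
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()

def same_file_as_reported(path, finding):
    """True only if both digests of the local file equal those in the report."""
    md5, sha256 = file_hashes(path)
    return md5 == finding["md5"] and sha256 == finding["sha256"]

# The report line from the first post, verbatim.
THREAD_LINE = (
    "HEUR:Trojan.Win32.Msb.a @Filesystem[33336756-65dd-e261-038e-7d45410180e1]"
    "/[my username]/.steam/debian-installation/steamapps/common/Proton 8.0"
    "/dist/lib64/wine/x86_64-windows/mscoree.dll Trojan program "
    "MD5:D5A6CC9419D9ED38976A3008BA0ED790 "
    "SHA256:495CB7D12B425220BF98D9A191B0DF2FAF82DD07FF44BD32F3940CEFB077B501"
)

if __name__ == "__main__":
    finding = parse_report(THREAD_LINE)
    print(finding["verdict"], "heuristic:", finding["heuristic"])
    print("path in report:", finding["path"])
```

A hash match only confirms that the local file is the one the scanner reported; it says nothing about whether the verdict is correct.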
geordiejedi Jun 25, 2023 @ 1:07pm 
@Azure Fang; @Crashed

Fantastic !

You're right, that makes a great deal more sense now
I can't believe that I missed the HEUR tag

Thank you VERY much for your help
It's much appreciated
Date Posted: Jun 25, 2023 @ 11:54am
Posts: 3