Bug Report - Virus Detection on 4.379 Server Patch with Windows Defender


Mirzayev (solved by Sean)

The server update for 4.379 is triggering a Trojan detection via Windows Defender. I was able to get it to work via exclusions, but it took some experimentation. Figured this might be worth testing prior to the next release. 

 

Results were the same regardless of browser (Opera, Chrome, and Edge) used. 

 

(two screenshots of the Windows Defender alert attached)

  • Moderators

I think I had a similar warning years ago when I modified the controls file (Controls menu, saved customized controls profile), and my virus scanner thought it was a trojan. It was incorrect of course, I just had to whitelist the EXE. But maybe its a matter of a sensitivity setting in Windows Defender, perhaps.


2 minutes ago, Volcano said:

I think I had a similar warning years ago when I modified the controls file (Controls menu, saved customized controls profile), and my virus scanner thought it was a trojan. It was incorrect of course, I just had to whitelist the EXE. But maybe its a matter of a sensitivity setting in Windows Defender, perhaps.

That can happen when an app modifies a .dll, .ini etc. file and Windows thinks a (system) configuration file is being modified by a program.


  • Administrators

It's been run through several AVs now, and none of them seem to find a threat. It seems like it's a common thing for Defender to false-alarm on rar files with this result, but it's always a good idea to scan the file again with a second-opinion scanner if you have questions. Thanks for the report!
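An added worked example, not from any post in this thread, of the triage the posts above describe: find out what Defender actually flagged, fingerprint the file so a second-opinion scan compares the same bytes, re-scan on demand, and only then add a narrow exclusion that is removed again after the install. The patch file name and path are hypothetical; the cmdlets are the standard Defender module and MpCmdRun.exe. Run in an elevated PowerShell.

```powershell
# Added example (not from the thread): triage a Windows Defender detection on a
# downloaded patch before deciding to exclude it. Run in an elevated PowerShell.
# The file name below is hypothetical; substitute the actual download.
$Patch = "$env:USERPROFILE\Downloads\SBProPE_server_4379.rar"   # assumed path

# 1. What exactly did Defender flag, and where? Detection history survives
#    even after the file has been quarantined or removed from Downloads.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape((Split-Path $Patch -Leaf)) } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

# Map the numeric ThreatID to the detection name Defender uses.
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID

# 2. Fingerprint the file so a second-opinion scanner (or the publisher) can
#    confirm you are both looking at the same bytes. A hash that differs from
#    what others report means a different download, not a false positive.
if (Test-Path $Patch) {
    Get-FileHash -Path $Patch -Algorithm SHA256

    # For an .exe, also check whether it carries a valid Authenticode signature;
    # unsigned installers are a common trigger for heuristic/"AI" verdicts.
    if ($Patch -like '*.exe') {
        Get-AuthenticodeSignature -FilePath $Patch |
            Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
    }
}

# 3. Re-scan only this file with current definitions. An on-demand scan gives a
#    reproducible verdict instead of whatever the real-time engine cached.
Update-MpSignature
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File $Patch

# 4. If the second scanner and the hash check agree it is benign, exclude the one
#    file, not the whole Downloads folder: a folder exclusion blinds Defender to
#    everything a browser saves there later.
Add-MpPreference -ExclusionPath $Patch

# 5. Do not leave the exclusion behind as a permanent blind spot.
Read-Host 'Install the patch, then press Enter to remove the exclusion again'
Remove-MpPreference -ExclusionPath $Patch
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
```

The order matters: excluding first and scanning afterwards tells you nothing, because an excluded path is skipped by both the real-time and the on-demand scan. Keep the SHA256 from step 2 with the thread; it is what lets someone else's "clean" result from Malwarebytes, F-Secure or Norton be compared to the file that Defender flagged here.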

 

 

I was able to download it once, but I get the error in the screenshot posted. Tried deleting it but it won't let me; tried redownloading it, but my antivirus automatically deletes it. That is the only file I cannot delete or run in my downloads folder. Every other file in it I can.

(screenshot of the error attached)

  • Moderators
9 hours ago, Abraxas said:

Maybe it's only the bundle. I downloaded all eight parts the old-fashioned way, and everything works fine.

No alert by AVIRA and Windows!

Maybe NORTON has problems with this SBProPEBundleinstaller_4379.exe?

That is a good theory (specific to the bundle installer).

 

Most likely there isn't an actual threat in the bundle installer, but it's something that the bundle installer does to "take over" to figure out what version is installed, and to do what it needs to do to determine/accomplish what should be done to update everything.

 

(I had a similar situation in some strategy games I worked on where we had to put out a patch/update that reorganized the game folder/structure (without uninstalling and reinstalling it). This too was reported as a trojan threat, which it wasn't.)

 

But either way, Sean would need to evaluate the bundle installer to know, and if anyone is worried about that, then stick to the multi-part full installer for now.

  • Administrators
  • Solution

When I scan the bundle installer with Norton/Symantec, it doesn't spot anything. The bundle installer is clean. Some of the "AI" features in these AV softwares may not like the fact that it downloads files.

Scanned the entire folder where I have:

1. "server" executable (in *.rar format)

2. "server" executable decompressed as an *.exe

3. Bundle installer

4. 8 component parts (1 x *.exe, 7 x *.rar files) - I tend to grab them as a contingency for if the 'net goes down just as I want to install.

5. Both RN PDFs.

 

Folder is "clean" according to both Malwarebytes Premium and F-Secure SAFE (both with current definition files, etc.).

 

Gibsonm

 

2 hours ago, Sean said:

When I scan the bundle installer with Norton/Symantec, it doesn't spot anything. The bundle installer is clean. Some of the "AI" features in these AV softwares may not like the fact that it downloads files.

 

It is important to note that this was just for the server patch sent out by Nils, NOT the bundle installer. That worked fine. 


3 minutes ago, Mirzayev said:

It is important to note that this was just for the server patch sent out by Nils, NOT the bundle installer. That worked fine.

 

Yep understood.

 

That's why I scanned / tested the "server" executable in both decompressed and compressed (*.rar) format. I scanned the entire folder just for completeness.

 

No doubt different AV products use different engines / methodologies / algorithms / heuristics, hence varying outcomes.

  • Members
4 hours ago, Mirzayev said:

It is important to note that this was just for the server patch sent out by Nils, NOT the bundle installer. That worked fine. 

Given that both came from the same source, it was prudent to check everything else.

But, now that probably every scanner there is has been used to scan everything related to 4.379, I guess it's a reasonable assumption that it was a false positive, or a local issue on one computer.
