Won't Download. Defender thinks this is a Wacatak.B!ml Trojan virus. #79
Similar with BitDefender: "UEVR.zip tried to load a malicious resource detected as Gen:Variant.Midie.141938 and was blocked. Your device is safe." Seems it's also Kaspersky, check #17 (comment) |
Having the same-ish message as well, as Chrome is blocking it: "We blocked this dangerous page for your protection." |
Same problem on my side of things. |
Same with the Microsoft antivirus ... What to do? |
Same issue. Windows Defender sent file UEVRBackend.dll to quarantine. |
Downloaded & extracted 1.3 today without issues from Bitdefender. Can others try? |
Yep all working now for me. |
I did, everything is much better now |
I can't download it. Not working here. |
same here :( |
Same over here. |
Same experience as above. Tried to download just now, but the uevr.zip gets flagged and blocked by Windows Defender (Win11), also Chrome and Edge browsers refuse to download/save it on disc. Defender says it contains Trojan:Win32/Malagent!MSR |
Try the Nightly builds. These are picked up by some vendors but not as many as the main build (yet). It might change as more runtime analysis is performed on them. |
Unfortunately, also the nightly build uevr.zip gets flagged. Now the zip download succeeded, but unzipping it causes a Windows Defender warning about Trojan:Win32/Wacatac.H!ml in uevrinjector.exe and the .exe is removed from the unzipped folder. |
1.3 of UEVR? The latest is beta 1.03 |
I meant 1.03. |
I downloaded it to my MacBook Pro and unzipped it. |
Doesn't work. |
I also experience the same download and unzipping problems with W11 fully updated PC |
Do we know that this is in fact a false alarm? |
So every vendor detects something different. Surprised there's room for any functionality at all in the mod, given how many trojans it's packaged with. It's not hard to build from source if these false positives are unsettling. |
sus |
Well, again (VirusTotal), and no, I don't wanna blame anyone, I just have concerns and really appreciate the great work on this tool. I mean, it is extremely great to see things like this are possible! Maybe it would be possible to get in contact with some of the AV companies to get a detailed test or, better, an exclusion on their side. This would be just a few emails, so not as hard as building from source... |
It's smaller because it was an automated build not done by my PC like the last one. It will be this way going forward. |
Same here, my Microsoft Edge blocks the download. |
Similar issues here. Brave browser tried to block the zip file. When I said "Keep Dangerous File" anyway, Windows Defender then claimed it contained a Trojan and deleted the downloaded file. This is really not very confidence building... I'm not turning all my antivirus off just to play Abzu in VR. Can this be fixed? |
For 4 months now this application is reported to have a TROJAN onboard by various anti-virus programs. And the developer isn't doing anything to improve on that with new releases? 100% sus - very high probability of being an ACTUAL trojan in there and not just a false positive. Whoever downloads this and turns off their antivirus is a fool. |
You are free to compile it yourself. I've tried multiple things at this point. The next things I can try are removing PDBs from releases (unfortunate) and spending ridiculous amounts of money on a code signing certificate, which I am not going to do. |
Why don't you Patreon this? I would love to use this and even pay, but the trojan alert is keeping me away for now. I don't know code well enough to help in any other way than with money. |
The other issue with signing this is that some anti cheats might allow this to be injected. That would be bad with the user generated content that can be made with this. A lot of stuff might have to be removed from signed builds (plugin loading, the 6dof system aka UObjectHook), kind of like how ReShade does it. |
How about Sigstore for free (it looks like) open source signing? |
Well, from what I have read (and I don't understand this stuff) it looks like if you can just get the exe and dlls onto your Windows host (by some kind of end run like DLing on a Mac and transporting by sneakernet) you can then instruct the antivirus to make a specific exception for this folder only. I may try this just to see if it works. But I agree that just turning off active antivirus for DLs sounds suicidal given the amount of malware out there for Windows.
@praydog I feel your pain. Certs are stupid expensive. I wonder though if the community would pony up for it to solve this problem. A GoFundMe? A Patreon? You have a LOT of users and a lot of fans.
|
Bitdefender still detecting virus for me. Threat name: Gen:Variant.Lazy.492372. |
So, I use Windows Defender on Windows 11 as an antivirus. I first tried downloading it on Microsoft Edge; every time it would download, Windows Defender would give me a notification (different than Chrome). Every time it would detect it, I would click OK on the notification, click the bad files, and say "allow anyway", then just apply the changes. I had to repeat this process a couple of times, but it worked out. Just wanted to try to help while .NET was installing :) Edit: A virus injects its code into other programs, exactly what the UEVR injector does, so it would not be wrong if an antivirus said it was a virus, as, technically, it is, just using its power when the user tells it to. |
Same here, I don't see anything in the source code that seems suspicious... however, how do we know the compiled binaries offered for download are really what's in the source code? |
@praydog can you explain what the issue is with the "signing"? I can't figure out what actually needs to be signed to not be recognized as a malicious application. Doesn't seem to make sense to me. |
Probably, it's just the injector code that matches some pattern, but it's worth checking.... Has anybody else done a clean build to check if praydog somehow has a compromised PC? I suppose, in theory, some virus could be poisoning his builds. 🤷 |
Real example: I suggested UEVR to people on YT to experience a new high-quality Titanic 3D model ("Demo401") in VR. Example of a reply (and this happened several times): Honestly, I'm thinking about stopping recommending it to people because at some point they'll think I want to spread malware or something. @praydog I think this really holds back the use of the mod. But we don't realize that because we live in our bubble. Is there nothing you can do about it? |
I have not been able to successfully build and install. Perhaps I'm doing something wrong, but I have installed all the requirements and followed the guide to the letter... I've done the UE registration, etc. Anyone else had success in building it? |
I successfully built v1.04 using the included compiling instructions and a fresh copy of Visual Studio 2022 Community Edition (installed with the "Desktop development with C++" and "Game development with C++" workloads). I then analyzed the resulting In contrast, analyzing the precompiled I am not a software expert, but this difference is a bit concerning to me. Please let me know if I compiled it incorrectly or misinterpreted the result in any way. |
Interesting information. Praydog should really say something about this. Perhaps software components on his machine are indeed compromised/infected or something like that... |
1.04 wasn't even compiled on my PC - it was compiled on GitHub's servers, so not sure what you want me to say. Nothing will change. You'll get the same result after thousands of people start using the DLL you compiled due to behavioral analysis. The nightly builds exhibit the same behavior, small amounts of vendors flag anything. That changes once more and more people start using it. As of 1.04 I only upload the nightly builds onto the stable releases which are not even compiled on my PC. |
OK, thanks for the clarification. But it's weird how the versions differ depending on the PC they were compiled on. "That changes once more and more people start using it. " |
You've misread what I said. The detections go up once people actually start using it, not in an isolated environment on a developer's computer. It's also not weird at all for differences, there's different compiler versions and configurations, Debug, Release, RelWithDebInfo, etc... I'm locking this conversation as nothing useful is coming out of this. |
Here are the details when the file is auto-deleted as it is being downloaded. I've tried adding an exception for the UEVR.zip file, which doesn't seem to work.
\Downloads\UEVR.zip|https://objects.githubusercontent.com/github-production-release-asset-2e65be/531307134/ace918d1-d42a-4f21-b28c-c4b4a5fdb8c7?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240106%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240106T154456Z&X-Amz-Expires=300&X-Amz-Signature=cada4e6b52ee7139bbf44ae3330e23045c155be0cdbdb6c0c4992e9d5141eb2d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=531307134&response-content-disposition=attachment%3B%20filename%3DUEVR.zip&response-content-type=application%2Foctet-stream|pid:3428,ProcessStart:133490294986615592