Won't Download. Defender thinks this is a Wacatak.B!ml Trojan virus. #79

Open
ArtisanDejure opened this issue Jan 6, 2024 · 51 comments

Comments

@JRDevo

JRDevo commented Jan 6, 2024

Similar with BitDefender "UEVR.zip tried to load a malicious resource detected as Gen:Variant.Midie.141938 and was blocked. Your device is safe."

Seems it's also Kaspersky, check #17 (comment)

@Zeltrax

Zeltrax commented Jan 6, 2024

@xcrgames

xcrgames commented Jan 8, 2024

Same problem on my side of things.

@SaxoFr

SaxoFr commented Jan 8, 2024

Same here with Microsoft's antivirus ... What should I do?

@neovinter

neovinter commented Jan 11, 2024

Same issue. Windows Defender sent file UEVRBackend.dll to quarantine.
Virustotal: 12 security vendors and no sandboxes flagged this file as malicious
What is the cause of this issue?

@JRDevo

JRDevo commented Jan 16, 2024

Downloaded & extracted 1.3 today without issues from Bitdefender.

Can others try?

@Zeltrax

Zeltrax commented Jan 16, 2024

Downloaded & extracted 1.3 today without issues from Bitdefender.

Can others try?

Yep all working now for me.

@neovinter

Downloaded & extracted 1.3 today without issues from Bitdefender.

Can others try?

I did, everything is much better now

@Gerion76

I can't download it. Not working here.

@lucalemboure1

lucalemboure1 commented Jan 26, 2024

Same here :(
not working ==> Trojan.GenericKD.7129053

@xNepenthe

Same over here.
Using Windows 11; blocked directly by Google Chrome, then when enabling "Insecure origins treated as secure", it downloads but gets flagged right away by Windows Defender: Trojan:Win32/Malagent!MSR

@mikashki

mikashki commented Feb 6, 2024

Same experience as above. Tried to download just now, but the uevr.zip gets flagged and blocked by Windows Defender (Win11); also the Chrome and Edge browsers refuse to download/save it to disk. Defender says it contains Trojan:Win32/Malagent!MSR

@praydog
Owner

praydog commented Feb 6, 2024

Try the Nightly builds. These are picked up by some vendors but not as many as the main build (yet). It might change as more runtime analysis is performed on them.

@mikashki

mikashki commented Feb 6, 2024

Try the Nightly builds. These are picked up by some vendors but not as many as the main build (yet). It might change as more runtime analysis is performed on them.

Unfortunately, also the nightly build uevr.zip gets flagged. Now the zip download succeeded, but unzipping it causes a Windows Defender warning about Trojan:Win32/Wacatac.H!ml in uevrinjector.exe and the .exe is removed from the unzipped folder.

@dep

dep commented Feb 9, 2024

@JRDevo

Downloaded & extracted 1.3 today without issues from Bitdefender.

1.3 of UEVR? The latest is beta 1.03

@JRDevo

JRDevo commented Feb 9, 2024

I meant 1.03.

@hamamichhi

I downloaded it to my MacBook Pro and unzipped it,
then transferred it by USB flash memory to a Windows 11 PC.
Now I can open UEVR.

@heiblum

heiblum commented Feb 12, 2024

I also experience the same download and unzipping problems on a fully updated W11 PC.

@hectorC

hectorC commented Feb 14, 2024

Same problem for me with Windows 11. It gets blocked by Microsoft Defender.

@iandanforth

Do we know that this is in fact a false alarm?

@mrbelowski
Contributor

So every vendor detects something different. Surprised there's room for any functionality at all in the mod, given how many trojans it's packaged with.

It's not hard to build from source if these false positives are unsettling.

@sher1ff

sher1ff commented Mar 28, 2024

sus

@indiana11011100

so every vendor detects something different. Surprised there's room for any functionality at all in the mod, given how many trojans it's packaged with.

It's not hard to build from source if these false positives are unsettling

Well, again (VirusTotal), and no, I don't want to blame anyone, I just have concerns and really appreciate the great work on this tool. I mean, it is extremely great to see that things like this are possible!
This time the whole asset got about 10 MB smaller (~21 instead of ~30) and fewer detections. Of course UEVR can probably have some strange behaviour for AV scans, I guess. It says itself that it injects into VR; however, this is really done, and maybe this is suspicious for AV tools.
Anyway, my concern is not about the possible detection by e.g. AI scans, but now it is, because there are still detections and the quite big, suspicious difference in file size (just an indication, or fewer graphics ... sure). And forgive me, but as I still have concerns I would not compile it locally (not as simple as creating a GitHub account) to bypass an AV scan.

Maybe it would be possible to get in contact with some of the AV companies to get a detailed test or, better, an exclusion on their side. This would be just a few e-mails, so not as hard as building from source...

@praydog
Owner

praydog commented Apr 2, 2024

It's smaller because it was an automated build not done by my PC like the last one. It will be this way going forward.

@sean81

sean81 commented Apr 5, 2024

Same here, my Microsoft Edge blocks the download.

@RootlessAgrarian

Similar issues here. Brave browser tried to block the zip file. When I said "Keep Dangerous File" anyway, Windows Defender then claimed it contained a Trojan and deleted the downloaded file. This is really not very confidence building... I'm not turning all my antivirus off just to play Abzu in VR. Can this be fixed?

@them4ko

them4ko commented Apr 9, 2024

For 4 months now this application has been reported to have a TROJAN on board by various anti-virus programs. And the developer isn't doing anything to improve on that with new releases?

100% sus - very high probability of there being an ACTUAL trojan in there and not just a false positive.

Whoever downloads this and turns off their antivirus is a fool.

@praydog
Owner

praydog commented Apr 9, 2024

You are free to compile it yourself. I've tried multiple things at this point. The next things I can try are removing PDBs from releases (unfortunate) and spending ridiculous amounts of money on a code signing certificate, which I am not going to do.

@heiblum

heiblum commented Apr 9, 2024

Why don't you Patreon this? I would love to use this and even pay, but the trojan alert is keeping me away for now.

I don't know code good enough to help in any other way than with money.

@praydog
Owner

praydog commented Apr 9, 2024

The other issue with signing this is that some anti cheats might allow this to be injected. That would be bad with the user generated content that can be made with this. A lot of stuff might have to be removed from signed builds (plugin loading, the 6dof system aka UObjectHook), kind of like how ReShade does it.

@dmealo

dmealo commented Apr 9, 2024

You are free to compile it yourself. I've tried multiple things at this point. The next things I can try are removing PDBs from releases (unfortunate) and spending ridiculous amounts of money on a code signing certificate, which I am not going to do.

How about Sigstore for free (it looks like) open source signing?

@RootlessAgrarian

RootlessAgrarian commented Apr 9, 2024 via email

@kub04

kub04 commented Apr 13, 2024

Bitdefender still detecting virus for me. Threat name: Gen:Variant.Lazy.492372.
Can't download at all.

@RoastedGoat

RoastedGoat commented Apr 17, 2024

So, I use Windows Defender on Windows 11 as an antivirus. I first tried downloading it on Microsoft Edge; every time it would download, Windows Defender would give me a notification, different from Chrome. Every time it detected it, I would click OK on the notification, click the bad files, say "allow anyway", and then just apply the changes. I had to repeat this process a couple of times, but it worked out. Just wanted to try to help while .NET was installing :)

Edit: A virus injects its code into other programs, exactly what the UEVR injector does, so, it would not be wrong if an antivirus said it was a virus, as, technically, it is, just using its power when the user tells it to.

@y4my4my4m

Same here, I don't see anything in the source code that seems suspicious... however, how do we know the compiled binaries offered for download are really what's in the source code?

@GoodMilkMan

Virustotal report

@y4my4my4m

@praydog can you explain what the issue is with the "signing"? I can't figure out what actually needs to be signed to not be recognized as a malicious application. Doesn't seem to make sense to me.

@ams-cs

ams-cs commented May 10, 2024

Probably, it's just the injector code that matches some pattern, but it's worth checking....

Has anybody else done a clean build to check if praydog somehow has a compromised PC? I suppose, in theory, some virus could be poisoning his builds. 🤷

@randomVRguy

Real example: I suggested UEVR to people on YT to experience a new high-quality Titanic 3D model ("Demo401") in VR. Example of a reply (and this happened several times):
"[...] Been reading about that. Windows and all browsers classify UEVR as a virus so I was taking my time to evaluate it. Not keen about designating a directory on my PC where all viruses can easily install."

Honestly, I'm thinking about stopping recommending it to people because at some point they'll think I want to spread malware or something.

@praydog I think this really holds back the use of the mod. But we don't realize that because we live in our bubble. Is there nothing you can do about it?

@y4my4my4m

Probably, it's just the injector code that matches some pattern, but it's worth checking....

Has anybody else done a clean build to check if praydog somehow has a compromised PC? I suppose, in theory, some virus could be poisoning his builds. 🤷

I have not been able to successfully build and install. Perhaps I'm doing something wrong, but I have installed all the requirements and followed the guide to the letter... I've done the UE registration, etc.

Anyone else had success in building it?

@aurism

aurism commented Jun 8, 2024

I successfully built v1.04 using the included compiling instructions and a fresh copy of Visual Studio 2022 Community Edition (installed with the "Desktop development with C++" and "Game development with C++" workloads). I then analyzed the resulting UEVRBackend.dll in VirusTotal. The result shows 2 vendors flagged it as malicious. This file is 5.09 MB in size according to VirusTotal.

In contrast, analyzing the precompiled UEVRBackend.dll file included in the 1.04 release zip file gives this result - 41 vendors flagged it as malicious. This file is 5.12 MB in size according to VirusTotal.

I am not a software expert, but this difference is a bit concerning to me. Please let me know if I compiled it incorrectly or misinterpreted the result in any way.

@randomVRguy

Interesting information. Praydog should really say something about this. Perhaps software components on his machine are indeed compromised/infected or something like that...

@praydog
Owner

praydog commented Jun 8, 2024

1.04 wasn't even compiled on my PC - it was compiled on GitHub's servers, so not sure what you want me to say. Nothing will change. You'll get the same result after thousands of people start using the DLL you compiled due to behavioral analysis.

The nightly builds exhibit the same behavior: small numbers of vendors flag anything. That changes once more and more people start using it. As of 1.04 I only upload the nightly builds onto the stable releases, which are not even compiled on my PC.

@randomVRguy

OK, thanks for the clarification. But it's weird how the versions differ depending on the PC they were compiled on.
Apart from that, it's for sure that this behavior holds back so many people from using it.

"That changes once more and more people start using it. "
Not sure if that has an impact; as of today, it's still a pain in the ass. If you're using Chrome, the download is still flagged as super high-risk and a normal user doesn't even get the file on the PC. You have to google for a workaround. And even if you managed to keep the file on your PC, Windows will go crazy if you dare to extract the .zip. Only some enthusiastic people will get to the point of using it. In my experience maybe 2 out of 10 who are interested end up using UEVR.

@praydog
Owner

praydog commented Jun 9, 2024

You've misread what I said. The detections go up once people actually start using it, not in an isolated environment on a developer's computer. It's also not weird at all for there to be differences; there are different compiler versions and configurations, Debug, Release, RelWithDebInfo, etc...

I'm locking this conversation as nothing useful is coming out of this.
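The size difference aurism measured between a locally built UEVRBackend.dll and the one in the release zip, and praydog's reply that it comes down to compiler versions and configurations, can be checked concretely instead of argued about. The script below is an added example, not code from the UEVR project or from anyone in this thread: it parses the PE COFF header and section table with the Python standard library only and compares two builds by SHA-256, total size, link timestamp and per-section raw sizes, so the delta can be attributed to specific sections (code, read-only data, relocations, debug directories) rather than to the file as a whole. The two images it compares are constructed inline; file names and byte counts are assumptions, and on a real pair you would read the two DLLs from disk and pass their bytes to compare_builds().

```python
"""Compare a locally built PE (DLL/EXE) against a downloaded release build.

Added example, not UEVR project code. Reads the COFF header and section
table with struct only (no third-party PE library), so it runs offline on
the constructed sample images defined below.
"""
import hashlib
import struct

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is always 40 bytes


def _pe_offset(data: bytes) -> int:
    """Locate the 'PE\\0\\0' signature via e_lfanew in the DOS header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return pe_off


def pe_timestamp(data: bytes) -> int:
    """COFF TimeDateStamp: link time, or a content hash for reproducible builds."""
    return struct.unpack_from("<I", data, _pe_offset(data) + 8)[0]


def parse_pe_sections(data: bytes) -> list:
    """Return the section table as a list of dicts (name, sizes, characteristics)."""
    pe_off = _pe_offset(data)
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "raw_ptr": rptr,
            "characteristics": chars,
        })
    return sections


def compare_builds(local: bytes, release: bytes) -> dict:
    """Report hash equality, size delta, timestamp delta and per-section raw sizes."""
    a = {s["name"]: s["raw_size"] for s in parse_pe_sections(local)}
    b = {s["name"]: s["raw_size"] for s in parse_pe_sections(release)}
    return {
        "identical": hashlib.sha256(local).digest() == hashlib.sha256(release).digest(),
        "size_delta": len(release) - len(local),
        "timestamp_delta": pe_timestamp(release) - pe_timestamp(local),
        # (local raw size, release raw size); None means the section is absent
        "sections": {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b))},
    }


def build_sample_pe(sections: list, timestamp: int) -> bytes:
    """Constructed minimal PE image for the demo (valid headers, not loadable code)."""
    opt_header = b"\0" * 16  # real binaries carry a 224/240-byte optional header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0,
                       len(opt_header), 0x2022)
    headers_len = 0x40 + 4 + 20 + len(opt_header) + SECTION_HEADER_SIZE * len(sections)
    table, payload, raw_ptr = b"", b"", headers_len
    for i, (name, body) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(body), 0x1000 * (i + 1), len(body), raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        payload += body
        raw_ptr += len(body)
    return dos + b"PE\0\0" + coff + opt_header + table + payload


# Constructed sample "builds": the release has a slightly larger .text (different
# compiler configuration) plus an extra .reloc section, standing in for the kind
# of size difference reported in the thread. Sizes are assumptions, not UEVR's.
SAMPLE_LOCAL = build_sample_pe(
    [(".text", b"\x90" * 4000), (".rdata", b"R" * 1000)], timestamp=1_700_000_000)
SAMPLE_RELEASE = build_sample_pe(
    [(".text", b"\x90" * 4100), (".rdata", b"R" * 1000), (".reloc", b"\0" * 200)],
    timestamp=1_700_003_600)


if __name__ == "__main__":
    report = compare_builds(SAMPLE_LOCAL, SAMPLE_RELEASE)
    print("identical:", report["identical"], " size delta:", report["size_delta"],
          "bytes, timestamp delta:", report["timestamp_delta"], "s")
    for name, (loc, rel) in report["sections"].items():
        print(f"  {name:<8} local={loc} release={rel}")
```

Matching section names and near-identical sizes only show that the two files were linked from similar inputs; a build is verified only when a reproducible build from the tagged source produces the same SHA-256 as the published artifact, which is the check that would actually answer the "is the binary what's in the source" question raised above.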

Repository owner locked and limited conversation to collaborators Jun 9, 2024