Installation Failed / avast! false positive (?)

Started by Creat, August 31, 2014, 06:50:58 AM

Creat

Hello,

I wanted to update VoidExpanse today and (once again) the launcher failed to do so. First I was told the 8.4c couldn't be updated (which is fine). It then downloaded the full install, but fails at installing when it gets blocked by my AV (avast). It detects 'Win32:Evo-gen [Susp]' in '50h3pcw4.xmz', located in the folder: ...\AppData\Local\Temp\AtomicTorchLauncher\VoidExpanse_Win_v0.9.9.zip.extract\VoidExpanse_v0.9.9_Win\Server_Mono

Since this file is pulled out from under the launcher, he's understandably upset it's no longer there even though he's just extracted it ;)

I remember there were some troubles with false positives in the past, can I assume this is another one?
What AV-suites do you use on your end to check archives are clean?

Thanks
Creat

FlessenGreendart

Yeah, I've had that same problem a couple of times now (but not every time I update).
Just disable the shields when you're updating, then you're good to go.

ai_enabled

Hello! Thanks for reporting. I'm sure it's a false positive. We check all software with Microsoft Security Essentials and keep a very strict policy on the development machines to avoid infection of the game builds.
Usually some security software (<1% of the VirusTotal list) seems to have a false positive reaction to the obfuscation of Mono software. But I checked the Mono Server now with VirusTotal and it reports that the Mono server is virus free, even when checked with Avast. How is it possible?.. There may also be a chance of infection of the server files after installation...
Regards!

Creat

I think it was 'caught' by the heuristic, which includes behavior. Meaning the act of downloading, extracting, etc. might well play a role. It could also be the unusual file extension (if it's a normal executable and not a consequence of being bytecode or something) or any combination of those things.

I just tried again by just manually extracting the downloaded archive (of 0.9.9, downloaded by the launcher), and it still stopped on the file: AtomicTorch.SpaceRPG.Server.RuntimeMono.exe with Win32:Evo-gen [Susp]
I have also uploaded it to VirusTotal.com, where it came back clean for every scanner as well (including avast).

Could you, just to make sure it's not on my end, tell me the MD5 of the file so I can double-check that it's in fact the exact same as it is on your end?
I only very rarely get any virus alerts at all (and all of them verified false positives). I'd say about one in six months or so, hence my heightened concern.

As for scanning only with MS Security Essentials, please note that they don't have the best track record (Source 1 (http://www.av-test.org/en/home/), Source 2 (https://www.virusbtn.com/vb100/latest_comparative/index)). If I were releasing software, I'd probably scan it with at least a few AV products. As a last note, I'm aware that avast is kinda known for its false positives (http://chart.av-comparatives.org/chart1.php) (at the link, select 'false alarm test' in the drop down), but it would still be nice if this could be solved once and for all :)

Nitro

Good day!

I have checked the archives of the game and launcher with several antivirus and antispyware programs. I did not find any viruses, rootkits or the like. Perhaps the problem is in the databases of your avast, or a problem in the computer, and avast has already been damaged by the action of viruses.
Try another antivirus or a special utility that is designed to detect viruses, spyware, trojans, rootkits and other malware, like avz.

ai_enabled

AtomicTorch.SpaceRPG.Server.RuntimeMono.exe SHA256: 83e91c4f3ee789c168cca132bc267f410589a10c4d7ed91a3380ca8bcf729174

We will try to resolve this issue with a future release. I hope a slightly lighter obfuscation can help us avoid the false positive issue with Avast.
Thanks for pointing out the need for multiple AV software checks on the build server. But I think it is not a good idea to install them together, and the licensing cost may be too high as we need commercial licenses and regular renewals. Do you know of any online service like VirusTotal, but with a higher file limit and providing an integration API?

Regards!

Creat

(All checksums are SHA256)

I get a different checksum, and always the same no matter where/how I generate it (upload the file to a checksum generator, generate it on my main machine or on my small linux server):
3bf6ea627c3dee69fbced6cedf8bc6862d57939852a8e235b9488bff15e05338  AtomicTorch.SpaceRPG.Server.RuntimeMono.exe

For comparison, here is the checksum of the downloaded archive (it is the same for the one downloaded by the launcher and the one downloaded manually from the website):
67668bc67a75b4184c766f3ce30c98c65c73e25f83254d3a84a6f4bbe36aa6ff  VoidExpanse_v0.9.9_Win.zip

Could someone else please crosscheck as well? This tool (https://github.com/jessek/hashdeep/releases/tag/release-4.4) can generate the checksum on Windows (via sha256deep or sha256deep64 for 64-bit versions of Windows).

Edit: to clarify, I have also redownloaded the archive for creating the checksum on the linux machine, to make sure it didn't pass through my main PC even just in ZIP form.
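The cross-check described in this post, as an added example that is not code from the thread or from AtomicTorch: hash the downloaded ZIP, hash the executable directly from the archive stream (so nothing touches disk where an on-access scanner could pull it out mid-extraction), and compare against published digests. The member path mirrors the file name discussed above but the archive and its `b"abc"` payload are constructed here for illustration; the expected digest is the standard SHA-256 test vector for "abc".

```python
import hashlib
import hmac
import io
import zipfile
from typing import BinaryIO, Dict

CHUNK = 1 << 20  # read 1 MiB at a time so a large download is never held in RAM

# Constructed sample (NOT the real VoidExpanse files): the member name follows
# the thread, the content is the bytes b"abc", whose SHA-256 is the known test vector.
SAMPLE_MEMBER = "VoidExpanse_v0.9.9_Win/Server_Mono/AtomicTorch.SpaceRPG.Server.RuntimeMono.exe"
SAMPLE_EXPECTED = {
    SAMPLE_MEMBER: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def sha256_of_stream(stream: BinaryIO) -> str:
    """Hex SHA-256 of any binary stream, read in chunks."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    return sha256_of_stream(io.BytesIO(data))


def sha256_of_file(path: str) -> str:
    """Hash a file on disk, e.g. the downloaded VoidExpanse_v0.9.9_Win.zip."""
    with open(path, "rb") as f:
        return sha256_of_stream(f)


def sha256_of_members(zip_bytes: bytes) -> Dict[str, str]:
    """Hash every file inside a ZIP straight from the archive stream.

    Nothing is written to disk, so an on-access scanner cannot quarantine the
    file halfway through extraction (the failure the launcher ran into)."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                digests[info.filename] = sha256_of_stream(member)
    return digests


def verify(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare computed digests with published ones; a missing member is a mismatch."""
    return {
        name: hmac.compare_digest(actual.get(name, "").lower(), digest.lower())
        for name, digest in expected.items()
    }


def build_sample_archive(payload: bytes = b"abc") -> bytes:
    """Build an in-memory ZIP holding the constructed sample member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(SAMPLE_MEMBER, payload)
    return buf.getvalue()


def check_archive(zip_bytes: bytes, expected_members: Dict[str, str]) -> Dict[str, bool]:
    """End to end: hash the members of a downloaded archive and verify them."""
    return verify(sha256_of_members(zip_bytes), expected_members)


if __name__ == "__main__":
    good = build_sample_archive()
    tampered = build_sample_archive(b"abd")  # one byte changed, as corruption or infection would
    print("archive sha256:", sha256_of_bytes(good))
    print("good    :", check_archive(good, SAMPLE_EXPECTED))
    print("tampered:", check_archive(tampered, SAMPLE_EXPECTED))
```

For a real download, replace `build_sample_archive()` with the bytes of the ZIP read from disk (or `sha256_of_file` for the archive-level hash) and fill the expected dictionary with the digests the developer publishes; a `False` for any member means the file on your machine differs from what was shipped, whatever the AV says.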

ai_enabled

Sorry, I've copy-pasted the SHA256 hash of the file from VirusTotal, not sure why it's different and how they generate it...
Now I get the same hash as yours:

Creat

OK good. At least we know it isn't related to some file corruption (or even infection) on my end.