suliman

Malware is compiled into my exe... (but only for one project)


Hi!

Using Visual Studio C++ 2017 for my games. I found malware in one of my projects. Cleaned it. The folder has no malware, but when I recompile the game the new exe file has the malware again!

I have cleaned all my hard drives of the malware (it was found in some places), but it still reappears when I recompile that project.

NOTE: I can recompile any other project; those exe files don't contain any malware. It's only this one project...

For reference, I found it with EMSISOFT and it calls it "Gen:Variant.Razy.441994 (B)".

I'm using Win 10.

Thanks for any help on this strange issue!
Erik


Here's a couple of things to look into that may lead you to an answer.

1) Your antivirus software may have generated a new virus definition based on the previously infected executable. Even though it's clean now, this exe still has the signature it associated with that virus. You may be able to mark this as a false positive somehow and move on.

2) There's still something that your AV didn't clean. Try another AV product?

If other AV products give you a clean bill of health, then it's probably a false positive.

Edited by Septopus


Good ideas. I will try another program to start with.

But shouldn't the same signature be built into other projects that also build (similar) exe files, though? (That would mean the other files should be marked as (false) positives as well...)


You can check against a wide range of virus scanners by uploading the suspect file to VirusTotal.com. In general, a false positive is more likely to be identified as different things by different scanners, and also to be marked as clean by most of them.


Assuming it is a false positive you have a few options:

1. Consider changing to a different anti virus program, especially if you're not distributing your software to other people yet. I've never had any troubles with the free one that's built into newer versions of Windows.

2. Submit a false positive report to all of the places that detect it as a virus.

3. Try to make changes to stop it from being detected. For example, switching to a different installer may help.


Uploaded it to VirusTotal and the file seems to have something in it.

BUT: if I recompile it in debug mode it's clean. Below is the result for the file in release mode.

Can there be something on my hard drive (hidden; I've cleaned all disks) that the AV app cannot find, but that's built into the release builder somehow so it gets injected into the exe when it builds it? Or are these many false positives?

Best regards
Erik

[Screenshot of the VirusTotal result for the release build; image not included]

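The question just above (is something on the machine being picked up by the release build?) is one you can answer with evidence rather than guesswork: take a hash manifest of the compiler, linker and import libraries once, and of the Release output directory after each build, then compare. The following is an added example, not code from the original thread; the toolchain and output paths are hypothetical placeholders, and the two "snapshots" used by the demo are constructed in memory so the logic runs without a Visual Studio install. A changed cl.exe or link.exe, or a file that appears in the output directory that the project does not produce, is something to explain first; an unchanged toolchain whose output is flagged every time points back towards a signature false positive.

```python
import hashlib
import json
import os
from typing import Dict, List

# Hypothetical paths (assumptions for this example): point them at the real
# VC tools directory and the project's Release output directory.
TOOLCHAIN_ROOT = r"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC"
RELEASE_OUTPUT = r"C:\Projects\MyGame\x64\Release"
# .pdb files change on every link and are left out of the baseline on purpose.
WATCHED_EXTENSIONS = (".exe", ".dll", ".lib", ".obj")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of in-memory bytes; also the hash to look up on VirusTotal before uploading."""
    return hashlib.sha256(data).hexdigest()


def hash_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Manifest (relative path -> SHA-256) for in-memory file contents (demo/test path)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def hash_tree(root: str, extensions=WATCHED_EXTENSIONS, chunk: int = 1 << 20) -> Dict[str, str]:
    """Manifest for every matching file under root, hashed in chunks so large
    binaries are never loaded whole. Paths are normalised to forward slashes
    so manifests compare cleanly across machines."""
    manifest: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for block in iter(lambda: fh.read(chunk), b""):
                    h.update(block)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Paths that appeared, vanished, or changed content since the baseline was taken."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_manifest(path: str, manifest: Dict[str, str]) -> None:
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> Dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


# Constructed demo data standing in for two snapshots of a toolchain directory:
# the linker has been altered and an unexpected DLL has appeared.
SNAPSHOT_BEFORE = {
    "bin/cl.exe": b"cl.exe contents v1",
    "bin/link.exe": b"link.exe contents v1",
}
SNAPSHOT_AFTER = {
    "bin/cl.exe": b"cl.exe contents v1",
    "bin/link.exe": b"link.exe contents, modified",
    "bin/unexpected.dll": b"file that was not there before",
}

if __name__ == "__main__":
    print(diff_manifests(hash_files(SNAPSHOT_BEFORE), hash_files(SNAPSHOT_AFTER)))
    # Real use: record once, compare before each release build (paths are hypothetical).
    # save_manifest("toolchain.json", hash_tree(TOOLCHAIN_ROOT))
    # print(diff_manifests(load_manifest("toolchain.json"), hash_tree(TOOLCHAIN_ROOT)))
```

One caveat when comparing two builds of the same project rather than the toolchain: the MSVC linker stamps a timestamp into the PE header, so two Release rebuilds of unchanged source will still hash differently unless the link is made reproducible; a differing hash alone therefore does not mean something was injected, but a new file in the output directory does need an explanation.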

There are several possibilities:

1) Your cleanup was unsuccessful or it's a very resistant little bugger. You might have to do a clean install to be completely safe :(

2) False positives, but if you found and cleaned up the same malware I somehow do not think this is the situation.

3) It is weird that it's not compiled into other projects though, which is a bit puzzling. Are you sure they were also in release mode when you tested them?


It's also possible that all of those virus scanning software providers that are flagging your .exe subscribe to a shared virus definition database somewhere, which your signature has been uploaded to, in which case you would need to find the false-positive reporting mechanism for that, or rely on your AV provider to propagate the change upstream like they did the false positive in the first place.

It's also theoretically possible that you could make a few changes to the code here or there that would alter the final signature of your executable enough that it no longer matches the definition on file. It seems as though debug mode is doing this for you.

Edited by Septopus

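The mechanism Septopus describes above (a byte pattern lifted from the infected build that keeps matching the clean Release build until the bytes move, which a Debug build happens to do) and the VirusTotal rule of thumb from earlier in the thread, as an added example that is not code from the original thread. The scanner below does what a simple signature engine does: a hex pattern with `??` single-byte wildcards and `[n-m]` jumps compiled to a bytes regex and searched over the file. The "release" and "debug" builds are constructed byte strings, not real PE files, and the signature is hypothetical; it is not the real Gen:Variant.Razy detection.

```python
import re
from typing import Dict, List, Optional, Tuple


def hex_signature_to_regex(sig: str) -> "re.Pattern[bytes]":
    """Compile a ClamAV/YARA-style hex pattern into a bytes regex.
    '??' matches any one byte; '[n-m]' is a jump of n..m arbitrary bytes."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = (int(x) for x in tok[1:-1].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures: Dict[str, str]) -> List[Tuple[str, int]]:
    """Return (signature name, match offset) for every signature that fires on data."""
    hits = []
    for name, sig in signatures.items():
        m = hex_signature_to_regex(sig).search(data)
        if m:
            hits.append((name, m.start()))
    return hits


def false_positive_score(results: Dict[str, Optional[str]]) -> Tuple[float, int]:
    """The thread's rule of thumb applied to a VirusTotal-style results table
    (engine -> detection name, or None when the engine says clean).
    Returns (detection ratio, number of distinct detection names). A low ratio
    spread over several unrelated, generic names is the false-positive shape;
    most engines agreeing on one family name is not."""
    detections = [name for name in results.values() if name]
    ratio = len(detections) / len(results) if results else 0.0
    return ratio, len(set(detections))


# Constructed "builds" (a two-byte MZ stub plus padding, then a code fragment).
# Release-style function body: mov rax,[rbp-8]; mov rdi,rax; call rel32; ret
RELEASE_BUILD = b"MZ" + b"\x00" * 14 + bytes.fromhex("488b45f8 4889c7 e810000000 c3")
# The same function as an unoptimised Debug build: push rbp / mov rbp,rsp on
# entry and pop rbp before ret, so the bytes between the call and the ret differ.
DEBUG_BUILD = b"MZ" + b"\x00" * 14 + bytes.fromhex("55 4889e5 488b45f8 4889c7 e810000000 5d c3")

# Hypothetical signature: pretend a vendor lifted this pattern from the
# previously infected executable. It is an assumption for this example only.
SIGNATURES = {
    "Hypothetical.Razy.Pattern": "48 8B 45 ?? 48 89 C7 E8 [4-4] C3",
}

# Constructed scanner verdicts in the shape the thread is reasoning about.
SAMPLE_RESULTS = {
    "EngineA": "Gen:Variant.Razy.441994",
    "EngineB": "Trojan.Generic",
    "EngineC": None,
    "EngineD": None,
}

if __name__ == "__main__":
    print("release:", scan(RELEASE_BUILD, SIGNATURES))   # the pattern fires
    print("debug:  ", scan(DEBUG_BUILD, SIGNATURES))     # nothing fires
    print("verdict:", false_positive_score(SAMPLE_RESULTS))
```

The point the two builds make is the one Septopus raised: the signature is matched against the bytes the compiler emitted, so it fires on the Release build and not on the Debug build of identical source, which is exactly why a signature derived from one project's output can keep hitting that project and nothing else. That is consistent with a false positive, but it is not proof of one; a real infection of the build output would also differ between configurations if only one of them was tampered with.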

It's most likely to be a false positive, caused by some part of your code that is somewhat similar to some part of the virus signature. This is quite common, especially if you're doing some clever bit-twiddling and the like in your code. I've had major problems with some bioinformatics software I wrote before for similar reasons. All you can do is whitelist it for now on your computer, and report it to the virus protection vendors as a false positive.
