Malware is compiled into my exe... (but only for one project)

17 comments, last by JohnnyCode 5 years, 2 months ago

Hi!

Using Visual Studio C++ 2017 for my games. I found malware in one of my projects. Cleaned it. The folder has no malware, but when I recompile the game the new exe file has the malware again!

I have cleaned all my hard drives of the malware (it was found in some places), but it still reappears when I recompile that project.

NOTE: I can recompile any other project; those exe files don't contain any malware. It's only this one project...

For reference, I found it with Emsisoft and it calls it "Gen:Variant.Razy.441994 (B)".

I'm using Win 10.

Thanks for any help on this strange issue!
Erik


Here's a couple of things to look into that may lead you to an answer.

1) Your antivirus software may have generated a new virus definition based on the previously infected executable. Even though it's clean now, this exe still has the signature it associated with that virus. You may be able to mark this as a false positive somehow and move on.

2) There's still something that your AV didn't clean. Try another AV software?

If other AV softwares give you a clean bill of health, then it's probably a false positive.

Yep, false positives happen a lot. You can contact the AV and submit your exe as many of these companies have submission sites for this very purpose.

Example: https://submit.symantec.com/false_positive/

Programmer and 3D Artist

Good ideas. I will try another software to start with.

But shouldn't the same signature be built into other projects that also build (similar) exe files, though? (That would mean the other files should be marked as (false) positives as well...)

You can check against a wide range of virus scanners by uploading the suspect file to VirusTotal.com. In general a false positive is more likely to be identified as different things by different scanners, and also be marked as clean by most of them.


Assuming it is a false positive you have a few options:

1. Consider changing to a different antivirus program, especially if you're not distributing your software to other people yet. I've never had any troubles with the free one that's built into newer versions of Windows.

2. Submit a false positive report to all of the places that detect it as a virus.

3. Try to make changes to stop it from being detected. For example, switching to a different installer may help.
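The reply above gives a rule of thumb for reading a multi-engine scan: a false positive tends to be flagged by a few engines under unrelated names, while real malware is flagged by many engines under a shared family name. The script below applies that rule to a report in the shape of VirusTotal's per-engine results. It is an added example, not code from the thread or from VirusTotal; the two reports are constructed inline (the engine names and labels are made up for illustration, apart from the Emsisoft label quoted in the opening post), and the thresholds in `verdict()` are assumptions, not VirusTotal's own scoring.

```python
"""Triage a VirusTotal-style multi-engine result.

Added example, not code from the thread. The reports below are CONSTRUCTED
to mimic the shape of VirusTotal's per-engine ``last_analysis_results``
field (engine name -> {"category", "result"}); engine names and labels are
made up, except the Emsisoft label quoted in the opening post.
"""
from collections import Counter
import re

# Words that say nothing about the malware family; ignored when comparing labels.
GENERIC_TOKENS = {"gen", "variant", "heur", "trojan", "generic", "malware",
                  "win32", "w32", "suspicious", "ml", "unsafe", "a", "b"}


def family_tokens(label):
    """Reduce a detection label to the tokens that name a family."""
    return {t for t in re.split(r"[^a-z0-9]+", label.lower())
            if t and not t.isdigit() and t not in GENERIC_TOKENS}


def summarize(results):
    """Count detections and measure whether the detecting engines agree on a family."""
    detected = {engine: r["result"] for engine, r in results.items()
                if r["category"] == "malicious"}
    families = Counter()
    for label in detected.values():
        for tok in family_tokens(label):
            families[tok] += 1
    top_family, top_count = (families.most_common(1) or [(None, 0)])[0]
    return {
        "engines": len(results),
        "detections": len(detected),
        "ratio": len(detected) / len(results) if results else 0.0,
        "top_family": top_family,
        # share of detecting engines whose label contains the most common family token
        "agreement": top_count / len(detected) if detected else 0.0,
    }


def verdict(results, fp_max_ratio=0.25, agree_min=0.5):
    """Rule of thumb from the thread: few engines + unrelated names -> likely
    false positive; many engines + shared family -> likely malicious.
    The threshold values are assumptions chosen for this example."""
    s = summarize(results)
    if s["detections"] == 0:
        return "clean"
    if s["ratio"] <= fp_max_ratio and s["agreement"] < agree_min:
        return "likely false positive"
    if s["ratio"] > fp_max_ratio and s["agreement"] >= agree_min:
        return "likely malicious"
    return "inconclusive"


# Constructed report: 12 engines, 3 detections under unrelated names.
SAMPLE_FALSE_POSITIVE = {
    "Engine01": {"category": "malicious", "result": "Gen:Variant.Razy.441994"},
    "Engine02": {"category": "malicious", "result": "Heur.Packed.Sample"},
    "Engine03": {"category": "malicious", "result": "ML.Suspicious.Score"},
    **{f"Engine{i:02d}": {"category": "undetected", "result": None}
       for i in range(4, 13)},
}

# Constructed report: 12 engines, 7 detections naming the same family.
SAMPLE_MALICIOUS = {
    **{f"Engine{i:02d}": {"category": "malicious", "result": f"Trojan.Razy.{i}"}
       for i in range(1, 8)},
    **{f"Engine{i:02d}": {"category": "undetected", "result": None}
       for i in range(8, 13)},
}

if __name__ == "__main__":
    for name, report in (("fp", SAMPLE_FALSE_POSITIVE), ("mal", SAMPLE_MALICIOUS)):
        print(name, summarize(report), verdict(report))
```

The family comparison is deliberately crude (shared non-generic tokens); it is enough to separate "three engines, three unrelated heuristic names" from "seven engines all saying Razy", which is the distinction the reply draws. A real report should still be read by hand before a file is whitelisted.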

Uploaded it to virustotal and the file seems to have something in it.

BUT: if I recompile it in debug mode it's clean. Below is the result for the file in release mode.

Can there be something on my hard drive (hidden; I've cleaned all disks) that the AV app cannot find, but that is built into the release builder somehow so it gets injected into the exe when it builds? Or is this many false positives?

Best regards
Erik

[Screenshot of the VirusTotal result for the release build; image not included.]
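When only the Release output of one project is flagged and the Debug output of the same source is clean, the per-configuration parts of the project file are worth reading side by side: build events, extra libraries and objects, and imported `.props`/`.targets` files are all places where a Release build can pull in code that is not in your `.cpp` files. The script below lists those for a Visual C++ `.vcxproj` and diffs two configurations. It is an added example, not from the thread or from Microsoft; the project file is constructed inline to show the shape of the real format, and the post-build command and extra library in it are invented for illustration, not anything found in the poster's project.

```python
"""List the places in a Visual C++ project where a build can pull in code
that is not the project's own source, split by configuration.

Added example, not from the thread. SAMPLE_VCXPROJ is CONSTRUCTED: the
Release post-build command and the extra .lib/.obj are invented to show
what the report looks like.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/developer/msbuild/2003"}

# Per-configuration settings worth reading by hand (assumed list, not exhaustive).
INTERESTING = [
    "m:PreBuildEvent/m:Command", "m:PreLinkEvent/m:Command",
    "m:PostBuildEvent/m:Command", "m:Link/m:AdditionalDependencies",
    "m:Link/m:AdditionalLibraryDirectories", "m:ClCompile/m:ForcedIncludeFiles",
]
# Item types that feed binaries or generated code into the build.
ITEM_TAGS = {f"{{{NS['m']}}}{t}" for t in
             ("ResourceCompile", "Object", "Library", "Manifest", "CustomBuild")}


def config_of(elem):
    """Pull 'Release|Win32' etc. out of an MSBuild Condition attribute."""
    m = re.search(r"==\s*'([^']+)'", elem.get("Condition", ""))
    return m.group(1) if m else "(all)"


def audit_vcxproj(xml_text):
    """Return imports, binary item inputs, and per-config settings of interest."""
    root = ET.fromstring(xml_text)
    report = {"imports": [], "items": [], "settings": {}}
    for imp in root.iter(f"{{{NS['m']}}}Import"):
        report["imports"].append(imp.get("Project"))
    for item in root.iter():
        if item.tag in ITEM_TAGS and item.get("Include"):
            report["items"].append((item.tag.split("}")[1], item.get("Include")))
    for group in root.findall("m:ItemDefinitionGroup", NS):
        cfg = config_of(group)
        for path in INTERESTING:
            node = group.find(path, NS)
            if node is not None and node.text and node.text.strip():
                key = path.replace("m:", "")
                report["settings"].setdefault(cfg, {})[key] = node.text.strip()
    return report


def diff_configs(report, a, b):
    """Settings present in configuration a that are absent or different in b."""
    sa, sb = report["settings"].get(a, {}), report["settings"].get(b, {})
    return {k: v for k, v in sa.items() if sb.get(k) != v}


# Constructed sample project (raw string: MSBuild paths use backslashes).
SAMPLE_VCXPROJ = r"""<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <Import Project="..\shared\extra.props" />
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <Link><AdditionalDependencies>user32.lib;%(AdditionalDependencies)</AdditionalDependencies></Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <Link><AdditionalDependencies>user32.lib;..\third_party\helper.lib;%(AdditionalDependencies)</AdditionalDependencies></Link>
    <PostBuildEvent><Command>"$(SolutionDir)tools\pack.exe" "$(TargetPath)"</Command></PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemGroup>
    <ClCompile Include="main.cpp" />
    <ResourceCompile Include="game.rc" />
    <Object Include="..\third_party\blob.obj" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    rep = audit_vcxproj(SAMPLE_VCXPROJ)
    print("imports:", rep["imports"])
    print("binary inputs:", rep["items"])
    print("Release-only settings:", diff_configs(rep, "Release|Win32", "Debug|Win32"))
```

Run it against the real `.vcxproj` (and any `.props`/`.targets` it imports, which this script only lists) and hash whatever the Release-only entries point at; a build step or linked object that only the flagged configuration uses is the first thing to scan or remove. This does not prove where the detection comes from, but it narrows the difference between the clean Debug build and the flagged Release build to something concrete.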

There are several possibilities:

1) Your cleanup was unsuccessful or it's a very resistant little bugger. You might have to do a clean install to be completely safe :(

2) False positives, but if you found and cleaned up the same malware I somehow do not think this is the situation.

3) It is weird that it's not compiled into other projects, though, which is a bit puzzling. Are you sure they're in release mode also when you tested them?

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety." --Benjamin Franklin

Yes other projects' exe-files are clean even in release mode.

It's also possible that all of those virus scanning software providers that are flagging your .exe subscribe to a shared virus definition database somewhere, which your signature has been uploaded to. In which case you would need to find the false-positive reporting mechanism for that, or rely on your AV provider to propagate the change upstream like they did the false positive in the first place.

It's also theoretically possible that you could make a few changes to the code here or there that would alter the final signature of your executable enough that it no longer matches the definition on file. It seems as though debug mode is doing this for you.

It's most likely to be a false positive, caused by some part of your code that is somewhat similar to some part of the virus signature. This is quite common, especially if you're doing some clever bit-twiddling and the like in your code. I've had major problems with some bioinformatics software I wrote before for similar reasons. All you can do is whitelist it for now on your computer, and report it to the virus protection vendors as a false positive.
