suliman

Malware is compiled into my exe... (but only for one project)

This may be drastic advice, but if you're not 100% sure about the integrity of your development platform there's no other way than to clean it out completely. There's nothing more devastating to your reputation than distributing an infected executable.

If you have previously recovered from an actual malware infection that's enough reason to never trust the system again.


IF you had an actual malware (and not some weird clean-up-your-pc-now-because-9999-problems-were-found scanner) then it might be real but I doubt it, especially the part about infecting a newly made exe, that's too targeted/advanced (unless you have thousands of customers and someone knows and targeted you to infect them via your program?). This is like those stories of people targeting tax handlers to get all their clients tax details for fraud and such, not like a random malware. But IF you had a real virus you should of course be less skeptical of most AVs than I am here.

You should try to make sure you're not doing something unusual or that someone might consider strange, like accessing the clipboard, calling some weird WinAPI functions, using libraries many viruses use (like curl maybe? its author Daniel Stenberg once said it's used in many proof of concepts and viruses and when he was denied entry to the USA once or twice with no reason given he was guessing that might be the reason, I'm not sure if that was cleared up), etc.

Or you can try setting up on another machine and see if your compiled exe (copy only the textual code you have and no binaries) triggers the AV there too.

False positives happen a lot and for really silly things, e.g. some AVs consider things like an exe stored in a zip, a UPX-compressed exe, gdb files, debug-enabled exes, etc. to be sketchy on their own. 8-10 years ago when I was using VS 2008 or 2010 Avast! would delete or sandbox or (over many seconds) first scan my freshly made Debug exes with the reason being 'never seen before file' (although that's true AND a better pop up than the idiotic 'generic trojan!!' labels some use).

I've also seen a (totally innocent demo of a library) program that accesses the clipboard be flagged 'generic malware' and such. Probably because many viruses steal credentials from the clipboard. But it was a clean exe, and results around it were so silly it's hard to take many of those AV seriously: appending a single random byte to end of an exe (which changes nothing about how it works) made some new AV flag the file (and some of the AV that flagged the original file unflagged it!), putting the exe in a zip made a few of them miss it (it's really hard to trust 'heuristics' of an AV that won't even try to open/scan an ordinary non-bomb zip file or even label the zip as virus free on Virus Total because they didn't even look or something!).

I even have an exe of a C program that opens your disks for direct read to read their NTFS headers and is compiled with a niche compiler (Pelles C) - 0/69 on VirusTotal despite these two facts. Niche compilers are fine, and to access a raw disk you need to be run as administrator and I use read-only access (to not accidentally destroy my NTFS) but still - two very unusual facts + an exe that I made so no AV has ever seen it before... zero tags (but the exe of a GUI program that touches the clipboard - that's the criminal, 20x 'generic trojan malware'). If I compress my C exe with UPX - instantly 2/69 because 'heuristics' or 'ML' (machine learning?). :P

Edited by FRex


So I cleaned my entire system with 4 different AVs and they find nothing.

Still that single exe is flagged as containing a "general malware" when I recompile it... I now think it really IS a false positive.

So how do I change the signature of that exe file so it's not flagged as malware? Any way to do that?

All other projects' exe files are not flagged, but I cannot change everything to match those projects, then I lose my game as both would be identical...


There's no possible way for you to know. You can fiddle with stuff until you crack it, focusing on bit twiddling and file access stuff, or you can try and persuade the AV makers it's not a virus, or you can submit it as a false positive and wait and hope they sort it out.

Sorry I can't be more helpful but, for what I hope are obvious reasons, AV companies don't explain to us how to avoid hits.


Yeah I understand that.

But my project is kind of blocked now, which is frustrating...


Do you mean blocked to develop? Or blocked to release? If the former, add your game development directory to your AV's exclusion list. If the latter contact the AV companies directly: they don't want their software blocking legitimate software. That kind of thing goes down poorly with their customers.

On 1/22/2019 at 5:34 PM, suliman said:

Uploaded it to virustotal and the file seems to have something in it.

BUT: if I recompile it in debug mode it's clean. Below is the result for the file in release mode.

Can there be something on my hard drive (hidden, I've cleaned all disks) that the AV app cannot find, but it's built into the release builder somehow so it gets injected into the exe when it builds it? Or is this many false positives?

Best regards
Erik


IT security is my bag, and my "thing" outside of gamedev. It would be safe to assume you're not going to encounter these antivirus programs in the wild (eScan? GData? Cybereason? really?) and that these are false positives detecting your program heuristically.

The only two of these I'd concern myself with are F-Secure and BitDefender. If you want to be really sure about how to prevent false positives in these more recognised AV products, digitally sign your executables. These days it can be done for free if you find the right SSL provider. I wrote an article on it some time ago; this should help with the basic "how"s and "why"s.


Be careful. I only learnt that viruses are much smarter than in the 90s when I had my second-to-last one.

About 3 months ago I was hit by the latest UEFI virus which survives BIOS flash, HD low-level format and secure boot.

They only get AV detected if they want to, and one of their goals is to infect as many PCs as possible. So an exe is definitely a prime target.


I don’t know, maybe I’m just lucky, but I haven’t detected viruses on my computer for 4 years already. I am constantly updating the anti-virus database. I liked avast premium review and I installed it by the way. But I can not say anything about the quality of protection of free antiviruses.


Recompile on a different computer with carefully copied source files and environment software. It could have infected your MSVS, but that's unlikely since you compile the rest of the projects uninfected (but really?). It still can be some smart virus.

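The rebuild-on-a-trusted-machine advice given in the thread leaves one practical question open: the two release builds will never be byte-identical (link timestamps, checksums), so how do you tell a benign difference from an injected one? The following is an added example, not code from the thread or any poster: it walks the PE section table with the standard library only and compares per-section SHA-256 digests, so a changed `.text` or an extra section present only in the local build stands out. The `fake_pe` helper constructs a minimal PE-shaped byte string purely so the demo runs offline; on real input you would pass the bytes of the two exe files.

```python
import hashlib
import struct


def pe_sections(data: bytes) -> dict:
    """Map section name -> SHA-256 of its raw bytes, walking the PE headers by hand."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                      # COFF file header (20 bytes)
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size                           # section table follows optional header
    digests = {}
    for i in range(n_sections):
        ent = table + 40 * i                               # IMAGE_SECTION_HEADER is 40 bytes
        name = data[ent:ent + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, ent + 16)  # SizeOfRawData, PointerToRawData
        digests[name] = hashlib.sha256(data[raw_ptr:raw_ptr + raw_size]).hexdigest()
    return digests


def diff_builds(local: bytes, trusted: bytes) -> dict:
    """Per section: 'same', 'changed', 'only_local' (suspicious) or 'only_trusted'."""
    a, b = pe_sections(local), pe_sections(trusted)
    return {n: "only_local" if n not in b else "only_trusted" if n not in a
            else "same" if a[n] == b[n] else "changed" for n in sorted(set(a) | set(b))}


def fake_pe(sections: dict, timestamp: int) -> bytes:
    """Constructed minimal PE-shaped file (not loadable) so the demo runs offline."""
    pe_off, nsec = 0x40, len(sections)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, nsec, timestamp, 0, 0, 0, 0)  # no optional header
    body, ptr = b"", pe_off + 24 + 40 * nsec              # raw data starts after section table
    for name, content in sections.items():
        hdr += name.encode().ljust(8, b"\0") + struct.pack("<IIII", len(content), 0,
                                                          len(content), ptr + len(body))
        hdr += b"\0" * 16                                  # relocations/linenumbers/characteristics
        body += content
    return hdr + body


if __name__ == "__main__":
    # Constructed sample: same code and data, different timestamp, plus one section only in the local build.
    local = fake_pe({".text": b"A" * 32, ".data": b"B" * 8, ".xyz": b"C" * 4}, 1)
    trusted = fake_pe({".text": b"A" * 32, ".data": b"B" * 8}, 2)
    for name, status in diff_builds(local, trusted).items():
        print(f"{name:8} {status}")
```

A section reported as `only_local` or `changed` is the thing to inspect (or to send to the AV vendor with the false-positive report); `same` everywhere while the vendor still flags only the local file points at non-section data such as an overlay or a signature block.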
