
Virus detection


Specter


Guys

 

I am posting this whilst running a full virus scan to check for further issues.

 

Earlier tonight I ran DCS and was surprised to get 2 real-time Anti Virus hits from ESET Nod32.

 

I have attached 2 screen shots, one from the second AV hit, the first cleared before I could react, and the second from the AV logs.

 

It appears there were viruses in 2 of the DCS files when they were accessed. There was no issue last night and I have used ESET Nod32 alongside all of my Flight Sims for years without issue.

 

My AV updated its Virus definitions this afternoon, could this be a new false hit or is there a greater problem here?

 

I've just noticed that during the scan another DCS file was flagged.

 

"C:\Eagle Dynamics\DCS World OpenBeta\Mods\aircraft\F-15C\bin\F15.dll - a variant of Win64/Packed.VMProtect.KO trojan - cleaned by deleting [1]" so that is 3 x aircraft .dll files (F15, SA342 and P51B) that have issues, so far. Scan still ongoing.

 

Is this something ED need to sort with ESET or do I have a real issue?


... do I have a real issue?

 

 

No, you don't ... google for "antivirus false positives"

 


Further to above there was nothing else found on my PC during the scan.

 

I tried to run a DCS repair and it failed as it couldn't write these files to the drive.

 

I temporarily disabled real-time scanning of the DCS directory and DCS repaired ok. I then virus scanned again and got the results you can see in the attached screen grab.

 

So, my conclusion is, since I have not updated DCS in a couple of days and since my latest Virus definitions were applied today and I downloaded fresh copies of these files via a DCS repair which were also flagged as infected, is that there is now a false positive on these 3 files by ESET Nod32.

 

ED, is this something you need to talk to ESET about?


Evening all.

 

Came here because I too got what I suspected to be false positives from Eset this evening -- the latest definitions would appear to be the problem. Interesting that mine aren't the same modules... Submitted to Eset for analysis.

 

 

Rik.

 

 

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
24/04/2020 21:55:36;Real-time file system protection;file;G:\Eagle Dynamics\DCS World.Open_Beta\Mods\aircraft\AJS37\bin\AJS37-Avionics.dll;a variant of Win64/Packed.VMProtect.KO trojan;cleaned by deleting;Event occurred during an attempt to run the file by the application: G:\Eagle Dynamics\DCS World.Open_Beta\bin\DCS.exe 
24/04/2020 21:55:37;Real-time file system protection;file;G:\Eagle Dynamics\DCS World.Open_Beta\Mods\aircraft\C-101\bin\ABase.dll;a variant of Win64/Packed.VMProtect.KO trojan;cleaned by deleting;Event occurred during an attempt to run the file by the application: G:\Eagle Dynamics\DCS World.Open_Beta\bin\DCS.exe
24/04/2020 21:55:56;Real-time file system protection;file;G:\Eagle Dynamics\DCS World.Open_Beta\Mods\aircraft\P-51D\bin\P51B.dll;a variant of Win64/Packed.VMProtect.KO trojan;cleaned by deleting;Event occurred during an attempt to run the file by the application: G:\Eagle Dynamics\DCS World.Open_Beta\bin\DCS.exe


Wikkus already reported P-51B. I'm getting it in the modules reported by Wikkus and also on

 

D:\Program Files\Eagle Dynamics\DCS World OpenBeta\Mods\aircraft\SA342\bin\SA342.dll

D:\Program Files\Eagle Dynamics\DCS World OpenBeta\_downloads\Mods\aircraft\C-101\bin\ABase.dll

 

Some of the detections occurred first time I ran DCS OB after the last update. Others when I tried to repair.

 

Is there any word from ESET? I'm still having this problem days after it was reported. And I can't find the reported virus in their threat database.

 

Getting the same as Wikkus plus P51B.dll


Same here this morning, reported and deleted as trojan: (never had these issues earlier)

I've tried update and repair many times: the DLL is deleted immediately as downloaded. If I suspend the AV check while downloading, then the AV deletes these files when I run DCSW.

 

ABase.dll (in C-101 module)

P51B.dll

SA342.dll

AJS37-Avionics.dll

MiG29.dll

FC3.dll



This happened when 2.5.6 came out, with quite a few AV programs, and appears to be connected to the changes that ED have made to the access control for a number of modules.

 

You should probably report them as potential false positives to your AV program developer and possibly add the flagged files to the exclusion list, but only if you totally trust that they are false positives.

 

If it's any help, I have McAfee, which was flagging a couple of files, which I did report, but then added them to the exclusions list, pending McAfee sorting out the issue. Suffice it to say, my exclusion list is now empty again.


  • ED Team

We have had many false positives recently.

 

Best thing to do is submit the files to your AV provider, they can check and add the exception to the database.

 

thanks


We have had many false positives recently.

 

Best thing to do is submit the files to your AV provider, they can check and add the exception to the database.

 

thanks

 

Unfortunately there are problems with DCSW also.

The bin files are in the right place now with today's date, but some modules do not work: their names are not yellow in the ME aircraft/chopper list:

 

Can't control them: 2*P-51D, 2*Spitfire, 2*C-101, 4*SA342, Mi-8MTV2

 

With repair I've got the same messages/deletes as earlier, but those DLLs that seem OK do not start the corresponding modules: for example the Mi-8MTV2


Unfortunately there are problems with DCSW also.

The bin files are in the right place now with today's date, but some modules do not work: their names are not yellow in the ME aircraft/chopper list:

 

Can't control them: 2*P-51D, 2*Spitfire, 2*C-101, 4*SA342, Mi-8MTV2

 

With repair I've got the same messages/deletes as earlier, but those DLLs that seem OK do not start the corresponding modules: for example the Mi-8MTV2

 

So... I updated openbeta today from 47224 to 47404, but besides the DLL problems it looks like the updater did not update (correctly?) the manifest files in the NTTR-F-15-RF campaign, Fw-190D9, Spitfire and Mods/aircraft/Mi-8 folders.

Moreover the repair (which I ran plenty of times) also did not recognize and update those manifest files, so when I (finally) opened the log file I saw these problems:

 

2020-04-25 15:32:35.853 ALERT SECURITYCONTROL: Manifest 'mods/aircraft/fw-190d9/dcs_manifest.x86_64' is from a different build.

2020-04-25 15:32:36.273 ALERT SECURITYCONTROL: Manifest 'mods/aircraft/mi-8mtv2/dcs_manifest.x86_64' is from a different build.

2020-04-25 15:32:36.600 ALERT SECURITYCONTROL: Manifest 'mods/aircraft/spitfirelfmkix/dcs_manifest.x86_64' is from a different build.

2020-04-25 15:32:38.353 ALERT SECURITYCONTROL: Manifest 'mods/campaigns/dcs nttr f-15c red flag campaign/dcs_manifest.x86_64' is from a different build.

 

I had to manually delete those wrong previous-version manifest files before I ran a repair, which downloaded the up-to-date manifest files at last.

So now all modules are OK EXCEPT C-101, P-51 and SA342... the AV-updater (after every update) catches and deletes those DLL files, so those modules do not work since the last update:

DLLs: SA342.dll, ABase.dll, P51B.dll

and it seems like the updater has malfunctions: it does not update/repair earlier-version manifest files automatically

 

never had these problems earlier

BTW: before my updated anti-virus deleted SA342.dll again, I was able to run (fly) the SA342 choppers; however the cyclic did not work by keyboard (pedals and collective/throttle were OK by keys)



Put the AV to sleep, update DCS, add entire DCSW (and everything that comes along with it) in the exception list and wake up your AV again.

If that doesn't cut it, kill your current AV and go Windows Defender.

(just an idea)


I'm having the same issue but with different files from different modules. Mine are the Gazelle's single dll, the Viggen's instruments dll and the Mig-29's main dll. I sent all of these to ESET so let's hope for a fix... I've never once gotten an email back saying that they've fixed something or found something wrong however.


Same, trying to get a pure client I got ABASE.dll, deleted by eset IS

 

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here

24/04/2020 23:24:32;Real-time file system protection;file;F:\Program Files\Eagle Dynamics\DCS World OpenBeta\Mods\aircraft\C-101\bin\ABase.dll;a variant of Win64/Packed.VMProtect.KO trojan;cleaned by deleting;XXXXXX\XXXXXX;Event occurred during an attempt to run the file by the application: F:\Program Files\Eagle Dynamics\DCS World OpenBeta\bin\DCS.exe (E00AB1BE07B7D07AB35ED4A212A8E27C9BACA7E8).;76F5082445F113D39D41F9BE3BBC5E399391C607;23/04/2020 1:05:48

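Several posts in this thread paste ESET "Detected threats" exports, and the later ones carry a SHA-1 of the deleted file that can be looked up on VirusTotal or handed to the vendor. The script below is an added example, not ESET's or ED's code, for triaging such an export before submitting anything: it parses the semicolon-separated rows (tolerating older exports that omit the User/Hash/First seen columns), groups the distinct file names per detection, pulls out the launching application and the file hash, and checks that a file still on disk matches the hash the scanner logged, since a repair may have replaced it. The SAMPLE_LOG rows are constructed from the lines quoted above; the function names are my own.

```python
import csv
import hashlib
import ntpath
import re
from collections import defaultdict

# Constructed sample (assumption): an ESET "Detected threats" export, shaped like
# the semicolon-separated lines quoted in this thread. Older exports omit the
# trailing User/Hash/First-seen columns, so rows are not all the same width.
SAMPLE_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
24/04/2020 21:55:36;Real-time file system protection;file;G:\Eagle Dynamics\DCS World.Open_Beta\Mods\aircraft\AJS37\bin\AJS37-Avionics.dll;a variant of Win64/Packed.VMProtect.KO trojan;cleaned by deleting;Event occurred during an attempt to run the file by the application: G:\Eagle Dynamics\DCS World.Open_Beta\bin\DCS.exe
24/04/2020 21:55:37;Real-time file system protection;file;G:\Eagle Dynamics\DCS World.Open_Beta\Mods\aircraft\C-101\bin\ABase.dll;a variant of Win64/Packed.VMProtect.KO trojan;cleaned by deleting;Event occurred during an attempt to run the file by the application: G:\Eagle Dynamics\DCS World.Open_Beta\bin\DCS.exe
24/04/2020 21:55:56;Real-time file system protection;file;G:\Eagle Dynamics\DCS World.Open_Beta\Mods\aircraft\P-51D\bin\P51B.dll;a variant of Win64/Packed.VMProtect.KO trojan;cleaned by deleting;Event occurred during an attempt to run the file by the application: G:\Eagle Dynamics\DCS World.Open_Beta\bin\DCS.exe
24/04/2020 23:24:32;Real-time file system protection;file;F:\Program Files\Eagle Dynamics\DCS World OpenBeta\Mods\aircraft\C-101\bin\ABase.dll;a variant of Win64/Packed.VMProtect.KO trojan;cleaned by deleting;XXXXXX\XXXXXX;Event occurred during an attempt to run the file by the application: F:\Program Files\Eagle Dynamics\DCS World OpenBeta\bin\DCS.exe (E00AB1BE07B7D07AB35ED4A212A8E27C9BACA7E8).;76F5082445F113D39D41F9BE3BBC5E399391C607;23/04/2020 1:05:48
"""

SHA1_FIELD = re.compile(r"^[0-9A-Fa-f]{40}$")
LAUNCHER = re.compile(r"by the application: (.+?\.exe)")


def parse_eset_export(text):
    """Return one dict per detection row. The first six columns are fixed; the
    file hash and the launching application are located by pattern rather than
    by column index, because exports from different client versions differ in width."""
    records = []
    for row in csv.reader(text.splitlines(), delimiter=";"):
        if len(row) < 6 or row[0] == "Time":
            continue  # blank line or header row
        launcher = LAUNCHER.search(";".join(row))
        sha1 = next((f.upper() for f in row if SHA1_FIELD.match(f)), None)
        records.append({
            "time": row[0],
            "object": row[3],
            "basename": ntpath.basename(row[3]),  # works for Windows paths on any OS
            "detection": row[4],
            "action": row[5],
            "launcher": launcher.group(1) if launcher else None,
            "sha1": sha1,
        })
    return records


def summarize(records):
    """Map each detection name to the sorted set of distinct file names it hit,
    so the same DLL seen on a second drive or after a repair is not double counted."""
    by_detection = defaultdict(set)
    for r in records:
        by_detection[r["detection"]].add(r["basename"])
    return {name: sorted(files) for name, files in by_detection.items()}


def sha1_hex(data):
    """Upper-case SHA-1 of a byte string, matching the case ESET uses in its Hash column."""
    return hashlib.sha1(data).hexdigest().upper()


def file_matches_log_hash(data, logged_sha1):
    """True when the bytes on disk are the same object the scanner reported.
    Worth checking before submitting a sample: a repair may have replaced the file."""
    return logged_sha1 is not None and sha1_hex(data) == logged_sha1.upper()


if __name__ == "__main__":
    recs = parse_eset_export(SAMPLE_LOG)
    for name, files in summarize(recs).items():
        print(f"{name}: {', '.join(files)}")
    hashed = [r for r in recs if r["sha1"]]
    print(f"{len(hashed)} of {len(recs)} rows carry a file hash usable for a VirusTotal lookup")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the hash-check function takes the bytes of the file on disk (for instance `open(path, "rb").read()`) and the SHA-1 from the matching row, and only a row whose hash matches the local file is worth submitting as the sample the scanner actually flagged.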

Same here, but it only occurs on Open Beta, release version is no problem.

 

I'm also using ESET.

 

I've just opted to uninstall the beta and remain on release version. I believe ED are aware of the issue, hopefully they are submitting the file for analysis. I won't be switching off my AV or making allowances. If ESET are happy with the file, they'll let it through. Until that time, no open beta for me.



Seeing this thread (and a couple of related ones) blow up in the last week or so.

 

When I originally posted my reply about ESET, I tested one of the "infected" files online using VirusTotal.com's multi-engine scanner. Only ESET and a couple of others (WinDefender being one) detected it as a threat. Fast forward to today with a bunch more folks reporting issues and I tried another online analysis.

 

Now we've got 12 (of 71) engines detecting it, although WinDefender is no longer one of them. This suggests to me that it really is a false positive and that some vendors are more agile in their response to reporting it than others.


  • ED Team

Hi all

 

We have seen an increase in false positives since changes were made to protection.

 

Best advice is to submit the affected file to your antivirus provider for analysis.

 

Definition updates should catch up for all providers eventually.

 

Of course you can exclude DCS from your real time scans, but that is a personal choice.

 

thank you
