
[FALSE POSITIVE] Kaspersky warning about Trojan-Ransom.Win32.Foreign.gen in world.dll


BaD CrC


From the first 2.5.6 update, my antivirus software's (Bit Defender) log is turning into a Christmas tree with warnings at every patch (well, the last two ones). This never happened before. Several DLLs or EXEs were blocked, either from being written or from being moved into the game directory, halting the update process. Yesterday, the only way I found to finish the update was to completely remove the antivirus (suspending it didn't work) and then reinstall it after the update.

This is not something I felt good about. I ran a full scan afterwards and Bit Defender found nothing but this is still disturbing and I am wondering how much scanning and checking ED is performing on their files before releasing an update? It's kinda easy to catch and spread a virus these days.


Latest Update: Kaspersky warning about Trojan-Ransom.Win32.Foreign.gen in world.dll

 

After the latest update (DCS hotfix), Kaspersky recognized the Trojan-Ransom.Win32.Foreign.gen inside the world.dll.

 

 

Anybody else got this warning?

________________________ ________ ______ ___ __ _

Win10 64 Pro, i7-6800K 3.4Ghz, 32 GB (DDR4), Asus Aorus 1080 TI WF, TrackIR 5 / RIFT, Thrustmaster Warthog, Fanatec Pedals, 55" oled 4k TV, Modules:A10C, KA-50, Huey, AV-8B, FA-18, F-16, NTTR, Persian Gulf

_ __ ___ ____ _____ ______ _______ ____________




Yes, dozens of people as you can easily find around here. Turn off your AV when playing DCS. Write to the AV telling them to whitelist it. Problem solved

 

 

 

 

Uhh no, this is on ED to not be sending this sort of stuff out in the first place; it's not on the consumer to explain to AV companies why ED is sending out bad EXEs that exhibit the same behaviour as trojans.


Yes, dozens of people as you can easily find around here. Turn off your AV when playing DCS. Write to the AV telling them to whitelist it. Problem solved

 

 

Absolutely not - I don't know the software and what it contains. Why should I trust it and put it on a whitelist if an AV system detects something wrong? That's the way trojans can easily spread.

________________________ ________ ______ ___ __ _

Win10 64 Pro, i7-6800K 3.4Ghz, 32 GB (DDR4), Asus Aorus 1080 TI WF, TrackIR 5 / RIFT, Thrustmaster Warthog, Fanatec Pedals, 55" oled 4k TV, Modules:A10C, KA-50, Huey, AV-8B, FA-18, F-16, NTTR, Persian Gulf

_ __ ___ ____ _____ ______ _______ ____________




Yes, dozens of people as you can easily find around here. Turn off your AV when playing DCS. Write to the AV telling them to whitelist it. Problem solved

 

Kaspersky must have a translation issue lol

 

Norton flagged a DCS .exe for me. Excluding it quickly solved the issue.

You really think ED is sliding in Trojans? :doh:


 

Cooler Master HAF XB EVO , ASUS P8Z77-V, i7-3770K @ 4.6GHz, Noctua AC, 32GB Corsair Vengeance Pro, EVGA 1080TI 11GB, 2 Samsung 840 Pro 540GB SSDs Raid 0, 1TB HDD, EVGA SuperNOVA 1300W PS, G930 Wireless SS Headset, TrackIR5/Wireless Proclip, TM Warthog, Saitek Pro Combat Pedals, 75" Samsung 4K QLED, HP Reverb G2, Win 10


How safe is torrent download? I haven't had issues so far, just curious. I'm slightly behind the curve on these matters:noexpression:

I'm not too concerned about my flt sim rig but it would be a pisser if I had to zero the drives and re-install everything in case someone "discovers" something:smilewink:


I never considered this before but if you are downloading it via a torrent you are not getting the files straight from ED but from an unknown source.

 

You could try rolling it back, check that you are good and no flags go up. Then move back to open beta (I am assuming you're on beta), but make sure you cancel the BitTorrent and move to the download from ED.

 

Or maybe better, try running the updater from a DOS prompt and see if it will redownload the offending files directly from ED.

 

https://www.digitalcombatsimulator.com/en/support/faq/709/


It's always possible that something might manage to sneak by and make it into a release (I'd bet big money against it ever happening, but there is no such thing as ZERO risk). Having said that, over the years I've seen too many different games where Kaspersky (and a couple of other AVs) have thrown a fit over an update for me to get concerned that a reputable company like ED missed something (especially after having so many false negatives on the recent update).

And I am in the camp that the AV's hold the responsibility here. I'm not sure it would be possible for ED to a) check every release against every possible AV or b) be on top of exactly what change in their detection algorithms that might suddenly cause DCS to flag (I doubt the AV's would even share that info or the virus makers would use that info to get around it).


IIRC there was an incident where one of the dev computers got infected by a virus and it unknowingly slipped into the update. I'm not saying this is the same case, but it could be, who knows? I have not updated my DCS to the latest patch. But my ESET didn't give any warning on 2.5.6, which some people reported as having a virus/trojan.

 

I suggest uploading it to virustotal.com to scan over there if you're not sure.

Mastering others is strength. Mastering yourself is true power. - Lao Tze


Absolutely not - I don't know the software and what it contains. Why should I trust it and put it on a whitelist if an AV system detects something wrong? That's the way trojans can easily spread.

 

 

What? You DO know what software it is, it's a video game you're trying to play and you are getting a false positive after a major patch. Are you so new at the internet you've never heard of such a thing? It's extremely common. This isn't some random shareware you downloaded off a sketchy site, ffs. A little common sense goes a long way @@

 

After someone else's observation, due to torrenting it is technically possible, although very unlikely, to be infected. So I will retract some of my irritation. That said, my point stands. False positives are far from unknown, especially with a lot of the crappier AVs out there.


Edited by zhukov032186

Де вороги, знайдуться козаки їх перемогти.

5800x3d * 3090 * 64gb * Reverb G2


I never considered this before but if you are downloading it via a torrent you are not getting the files straight from ED but from an unknown source.

 

You could try rolling it back, check that you are good and no flags go up. Then move back to open beta (I am assuming you're on beta), but make sure you cancel the BitTorrent and move to the download from ED.

 

Or maybe better, try running the updater from a DOS prompt and see if it will redownload the offending files directly from ED.

 

https://www.digitalcombatsimulator.com/en/support/faq/709/

 

Hmm, that's actually a valid point. Still seems doubtful it's anything but a false positive, but worth considering.

 

Is it affecting Steam users, too, or only torrenters? Because if Steam, too, then it's just a false positive and we are wasting time.


Edited by zhukov032186

Де вороги, знайдуться козаки їх перемогти.

5800x3d * 3090 * 64gb * Reverb G2


There are a few threads already about people having, I hope, false positives from the same couple of DLLs: Trojan-Ransom.Win32.Foreign.gen inside the world.dll spotted by Kaspersky, and WorldGeneral.dll infected with Gen:Suspicious.Cloud4.@J8@aSO4W3ki by Bit Defender.

 

Good point about the torrent. Absolutely no guarantee that the files' integrity is maintained, I think.


No offence, ED, but we all know you don't have the kind of security that, say, Equifax or Amazon or Facebook or....

 

I worked for one of those on your list in one of the data production departments. Let's just say I was not shocked by the hack. It was just a matter of time.

 

I've been convinced by this thread not to update to 2.5.6 for a while...



It has happened before on updates (the last was several months ago) and they have been false positives, which is almost certainly the case this time. All these products now scan for zero-day attacks (i.e. a new attack never seen before) by looking for items showing certain types of behaviour. These are often not malicious, and the AV companies then tune their databases to account for this.

 

I have had this happen with other downloads from known vendors in the past, and it has always been a false positive.

 

You can always submit the file to your AV provider for analysis if you are really not sure.

 

Sent from my SM-T835 using Tapatalk

Windows 11 Home ¦ Z790 AORUS Elite AX motherboard ¦ i7-13700K ¦ 64GB Corsair Vengeance DDR5 memory @ 5600MHz ¦ Samsung 990 Pro 1TB SSD for OS, Samsung 980 Pro 2TB SSD for DCS ¦ MSI GeForce RTX 4090 Gaming X Trio 24GB ¦ Virpil WarBRD base with VFX grip, Thrustmaster A10c and F/A-18 grips ¦ VKB Gunfighter Mk4 and MCG Pro ¦ Thrustmaster Warthog Throttle ¦ VKB STECS Throttle ¦ Virpil TCS rotor base with Shark and AH-64D  grips ¦ MFG Crosswinds ¦ Total Controls Multi-Function Button Box ¦ Pimax Crystal


For what it's worth, I ran World.dll and WorldGeneral.dll through the Kaspersky online virus checker. Both came up green.

Did the same on VirusTotal, where respectively 5 and 4 out of 68 scanners detected them as malware (BitDefender and Kaspersky both came up green).

If you then look into the details, there is not much going on besides the fact that the files are not signed.

Win11 Pro 64-bit, Ryzen 5800X3D, Corsair H115i, Gigabyte X570S UD, EVGA 3080Ti XC3 Ultra 12GB, 64 GB DDR4 G.Skill 3600. Monitors: LG 27GL850-B27 2560x1440 + Samsung SyncMaster 2443 1920x1200, HOTAS: Warthog with Virpil WarBRD base, MFG Crosswind combat pedals, TrackIR4, Rift-S.

Personal Wish List: A6 Intruder, Vietnam theater, decent ATC module, better VR performance!

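The check the post above describes (signature status, then a VirusTotal verdict) can be scripted so that it is repeatable after every patch, and so that the hash can be compared against a copy obtained directly from ED rather than via the torrent, as suggested earlier in the thread. The following PowerShell is an added example written for this thread; it is not code from Eagle Dynamics or from any poster. It assumes the default OpenBeta install path and the bin\ location of the two DLLs (both assumptions), reads a VirusTotal API key from the placeholder environment variable VT_API_KEY, and only looks up the SHA-256 hash on VirusTotal; nothing is uploaded.

```powershell
# Added example, not from the forum thread or from Eagle Dynamics.
# Reports Authenticode status, SHA-256 and (optionally) the VirusTotal verdict
# for the DLLs named in the thread, without uploading the files anywhere.
param(
    # Assumed default install location; adjust to your own.
    [string]$DcsRoot = 'C:\Program Files\Eagle Dynamics\DCS World OpenBeta',
    # Assumed relative locations of the two DLLs discussed in the thread.
    [string[]]$Files = @('bin\World.dll', 'bin\WorldGeneral.dll')
)

function Get-DcsFileReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $Path; Exists = $false }
    }
    # Get-AuthenticodeSignature reports NotSigned for an unsigned binary,
    # which matches what the poster saw in the VirusTotal details.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        File      = $Path
        Exists    = $true
        Sha256    = $hash                # compare with a copy downloaded directly from ED
        SigStatus = $sig.Status          # Valid / NotSigned / HashMismatch / UnknownError
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}

function Get-VirusTotalVerdict {
    param([string]$Sha256, [string]$ApiKey)
    # Hash lookup only (VirusTotal API v3). A file VT has never seen returns HTTP 404,
    # which is reported as Known = $false rather than treated as a verdict.
    $uri = "https://www.virustotal.com/api/v3/files/$Sha256"
    try {
        $r = Invoke-RestMethod -Uri $uri -Headers @{ 'x-apikey' = $ApiKey } -Method Get
        $s = $r.data.attributes.last_analysis_stats
        return [pscustomobject]@{
            Known      = $true
            Malicious  = $s.malicious
            Suspicious = $s.suspicious
            Undetected = $s.undetected
            Harmless   = $s.harmless
        }
    } catch {
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            return [pscustomobject]@{ Known = $false }
        }
        throw
    }
}

foreach ($rel in $Files) {
    $report = Get-DcsFileReport -Path (Join-Path $DcsRoot $rel)
    $report | Format-List
    if ($report.Exists -and $env:VT_API_KEY) {
        Get-VirusTotalVerdict -Sha256 $report.Sha256 -ApiKey $env:VT_API_KEY | Format-List
    }
}
```

Run it once after an update flagged by the AV and once against the same files fetched from ED's own download rather than the torrent: identical SHA-256 values rule out tampering in transit, and a low malicious count (the 4-5 of 68 the poster reports) on an unsigned but hash-identical binary is the pattern of a heuristic false positive. A hash mismatch between the two copies, or a high malicious count, is the case where the file should go to the AV vendor for analysis as suggested above rather than onto a whitelist.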
