
ESET reporting malware in latest OB update to I-16 module


sthompson


The title says it all. ESET is unhappy with today's OB update: DCS 2.7.9.17830. The file that triggers an issue is as follows:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
12/23/2021 7:31:18 PM;Real-time file system protection;file;D:\Program Files\Eagle Dynamics\DCS World OpenBeta\_downloads\Mods\aircraft\I-16\bin\I16FM.dll;a variant of Win64/Packed.VMProtect.J suspicious application;cleaned by deleting;CEZANNE\Maintenance;Event occurred on a new file created by the application: D:\Program Files\Eagle Dynamics\DCS World OpenBeta\bin\DCS_updater.exe (F0D2D7558B79F120183DDCF675D1164694DDB7FE).;90B70EDD562AEF2ECECD2F6839C60C3E6060D1CF;11/18/2021 6:28:33 PM

The real-time deletion of this file causes the updater to quit with an error message, so I assume I have a non-functional installation now.


I'm Softball on Multiplayer. NZXT Player Three Prime, i9-13900K@3.00GHz, 64GB DDR5, Win 11 Home, Nvidia GeForce RTX 4090 24GB, TrackIR 5, VKB Gunfighter III with MCG Ultimate grip, VKB STECS Standard Throttle, CH Pro pedals


I exclude the dcs program folder from the antivirus reach, to prevent that a wrong false-positive from the AV affects my DCS.


For work: iMac mid-2010 of 27" - Core i7 870 - 6 GB DDR3 1333 MHz - ATI HD5670 - SSD 256 GB - HDD 2 TB - macOS High Sierra

For Gaming: 34" Monitor - Ryzen 3600X - 32 GB DDR4 2400 - nVidia GTX1070ti - SSD 1.25 TB - HDD 10 TB - Win10 Pro - TM HOTAS Cougar - Oculus Rift CV1

Mobile: iPad Pro 12.9" of 256 GB


47 minutes ago, surfcandy said:

You shouldn't have to exclude any DCS folder from the leading Anti-Virus programs


So, are you saying that false-positives do not happen if your AV is from a "leading" brand? 

... in my experience, ANY antivirus is susceptible to wrongly flagging files as infected.


Our corporate AV reported false positives on a Dell utility today installed on our laptops. I have been in IT for 30+ years and AV most definitely alerts to false positives. ESET especially. Years ago ESET had a knack for quarantining Exchange server files and it would not work until the files were excluded.

AKA_SilverDevil AKA Forums My YouTube

“It is better to keep your mouth closed and let people think you are a fool than to open it and remove all doubt.” — Mark Twain


On 12/27/2021 at 4:44 PM, Rudel_chw said:


So, are you saying that false-positives do not happen if your AV is from a "leading" brand? 

... in my experience, ANY antivirus is susceptible to wrongly flagging files as infected.

What I am saying is my friends and I have owned ESET for almost 20 yrs. It has almost never excluded a file like the aircraft I-16 in DCS EVER. That's a fact. Since the evidence seems to point to the latest beta build I'd say it may be the developers fault and not ESET. Hopefully the problem will be solved and it'll fix itself in the next patch either through ESET or DCS's updates.


22 minutes ago, surfcandy said:

Since the evidence seems to point to the latest beta build I'd say it may be the developers fault and not ESET.

Ok, so you really are saying that this is in fact a case of DCS being infected with a virus … wonder why ESET is the only antivirus able to detect it. Well, seems that you will have to stop flying DCS for the time being, at least until ED stops planting viruses on their Sim 😐


4 hours ago, surfcandy said:

What I am saying is my friends and I have owned ESET for almost 20 yrs. It has almost never excluded a file like the aircraft I-16 in DCS EVER. That's a fact. Since the evidence seems to point to the latest beta build I'd say it may be the developers fault and not ESET. Hopefully the problem will be solved and it'll fix itself in the next patch either through ESET or DCS's updates.

Antivirus software have at least two means of detection:

  • File recognition: Once a virus is known, antivirus know exactly how it works and which files to look for.
  • Heuristics: To avoid being infected by a new, unknown virus, antivirus programs are on the lookout whenever an executable file is executed. They look for patterns that look like a virus action. Unfortunately for gamers, some game copy protections look like viruses (probably because they defend themselves against piracy utilities the way viruses would against antivirus?). That's what seems to be happening with the I-16 protection.

So, as @maximov said, either you trust your favorite sim and send a message to ESET about this false positive, or you trust your favorite antivirus and say goodbye to the I-16 module.


Don't accept indie game testing requests from friends in Discord. Ever.

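As an added example (not code from the thread, from ESET, or from Eagle Dynamics), the following Python helper parses the ESET Detections-log export quoted in the first post and applies the signature-versus-heuristic distinction from the post above to each record. The embedded sample is the record from the first post; the column names follow its header row, and treating `DCS_updater.exe` as a trusted installer is an assumption for the demonstration.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the header row and the single record quoted in the first post,
# in the semicolon-separated layout of an ESET Detections-log export (SHA-1 in "Hash").
SAMPLE_EXPORT = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
12/23/2021 7:31:18 PM;Real-time file system protection;file;D:\Program Files\Eagle Dynamics\DCS World OpenBeta\_downloads\Mods\aircraft\I-16\bin\I16FM.dll;a variant of Win64/Packed.VMProtect.J suspicious application;cleaned by deleting;CEZANNE\Maintenance;Event occurred on a new file created by the application: D:\Program Files\Eagle Dynamics\DCS World OpenBeta\bin\DCS_updater.exe (F0D2D7558B79F120183DDCF675D1164694DDB7FE).;90B70EDD562AEF2ECECD2F6839C60C3E6060D1CF;11/18/2021 6:28:33 PM
"""

# For real-time hits the "Information" column names the process that wrote the file and its SHA-1.
CREATOR_RE = re.compile(r"created by the application: (?P<path>.+?) \((?P<sha1>[0-9A-Fa-f]{40})\)")


@dataclass
class Detection:
    path: str         # the object ESET acted on
    detection: str    # family name or heuristic label
    action: str
    sha1: str         # SHA-1 of the object; survives even when the file itself was deleted
    creator: Optional[str] = None        # process that wrote the file, if logged
    creator_sha1: Optional[str] = None


def parse_export(text: str) -> list:
    """Parse an ESET Detections-log export into Detection records."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    records = []
    for row in reader:
        m = CREATOR_RE.search(row.get("Information", ""))
        records.append(Detection(
            path=row["Object"], detection=row["Detection"], action=row["Action"],
            sha1=row["Hash"].upper(),
            creator=m.group("path") if m else None,
            creator_sha1=m.group("sha1").upper() if m else None))
    return records


def triage(d: Detection, trusted_installers=("dcs_updater.exe",)) -> dict:
    """Collect the facts a defender wants before deciding whether a hit is a false
    positive and, if it is, how narrow the exclusion should be."""
    # "suspicious application" and "/Packed." are heuristic verdicts on packer or
    # protector code, not a signature match for a known family: this is where
    # copy-protected game binaries get flagged, but it is not proof of a false positive.
    heuristic = "suspicious application" in d.detection or "/Packed." in d.detection
    deleted = d.action.startswith("cleaned by deleting")
    by_installer = bool(d.creator) and d.creator.lower().endswith(trusted_installers)
    return {
        "sha1": d.sha1,
        "heuristic_packer_hit": heuristic,
        # A deleted file cannot be uploaded for vendor analysis; the logged SHA-1 still can be.
        "sample_available_locally": not deleted,
        "written_by_trusted_installer": by_installer,
        # If confirmed benign, exclude this one path only, never the whole game folder.
        "exclusion_scope_if_confirmed_fp": d.path if heuristic and by_installer else None,
    }
```

Feed it a real export (Tools > Log files > Detections, exported as text) instead of `SAMPLE_EXPORT` to triage every real-time hit at once.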

Being in IT for as long as I have been, I constantly remind myself of this quote:

"When you have eliminated all which is impossible, then whatever remains, however improbable, must be the truth." ~ Arthur Conan Doyle, The Case-Book of Sherlock Holmes.


9 hours ago, Rudel_chw said:

Ok, so you really are saying that this is in fact a case of DCS being infected with a virus … wonder why ESET is the only antivirus able to detect it. Well, seems that you will have to stop flying DCS for the time being, at least until ED stops planting viruses on their Sim 😐

Really? Is that what I said or is that what you want to interpret? Seems a very lame response. Anything within, for example, DCS that is part of a large download can inadvertently be "flagged" as a potential threat. I am saying I hope it is fixed in either DCS or ESET's next update.


2 hours ago, surfcandy said:

Really? Is that what I said or is that what you want to interpret? Seems a very lame response.

It was pretty clear what you said about the DCS developers .. but I see no point in debating this issue with you, so do whatever you want and I will avoid you from now on.


Well, my original post unfortunately seems to have triggered a bit of flaming. Some suggest that I should just exclude DCS from scanning. This seems to be based on an assumption rather than any evidence that any positive reading now or in the future is a false positive. Others have suggested I may just have to give up the module I paid for. Neither option is acceptable. Customers shouldn't be forced to choose between opening up their systems and using DCS. Even on open beta. For me, if forced, that's an easy decision: no way I'm going to just give ED a free pass on every file they send my way.

In my view ED should work it out with ESET so that when the OB goes to stable the installation doesn't fail, as it did for me. The issue isn't just that the file is flagged as a problem, but also that this causes the entire update to fail. That's a bug in my book. Whether it's ESET's fault or ED's doesn't really interest me. They both look bad when there are false positives (as does I-16 developer Octopus). Assuming for the sake of argument that that is what it is. I hope they work it out.

In the meantime I'd like to get some confirmation from ED that the information in the original post is a false positive before I exclude anything from virus scanning, and then I may temporarily exclude the individual file. @NineLine @BIGNEWY, are you listening? Or perhaps there is a less risky workaround.


12 hours ago, sthompson said:

Well, my original post unfortunately seems to have triggered a bit of flaming. Some suggest that I should just exclude DCS from scanning. This seems to be based on an assumption rather than any evidence that any positive reading now or in the future is a false positive. Others have suggested I may just have to give up the module I paid for. Neither option is acceptable. Customers shouldn't be forced to choose between opening up their systems and using DCS. Even on open beta. For me, if forced, that's an easy decision: no way I'm going to just give ED a free pass on every file they send my way.

In my view ED should work it out with ESET so that when the OB goes to stable the installation doesn't fail, as it did for me. The issue isn't just that the file is flagged as a problem, but also that this causes the entire update to fail. That's a bug in my book. Whether it's ESET's fault or ED's doesn't really interest me. They both look bad when there are false positives (as does I-16 developer Octopus). Assuming for the sake of argument that that is what it is. I hope they work it out.

In the meantime I'd like to get some confirmation from ED that the information in the original post is a false positive before I exclude anything from virus scanning, and then I may temporarily exclude the individual file. @NineLine @BIGNEWY, are you listening? Or perhaps there is a less risky workaround.

I am experiencing the same problem as you are. I also get the same message from ESET. I am sure if it exists for us it also exists for others IMO. I agree we should not have to "exclude" any file we paid for especially since I've been using ESET for years and DCS from 2012 without any issues until now and only in the I-16 aircraft which gets flagged.

That being said, you can "uncheck" the I-16 to uninstall it, restart DCS, and the beta should update. Again, I don't want to disable an aircraft I paid for, and I am sure there are others who are or will be experiencing the same issue.

Not that it will be very helpful... maybe post up in the developer's forum for the aircraft? https://forums.eagle.ru/forum/321-dcs-i-16/ And another post from a year or so ago, https://forums.eagle.ru/topic/226077-false-positive-kaspersky-warning-about-trojan-ransomwin32foreigngen-in-worlddll/, also mentions the I16 DLL. I am not trying to enable anyone or any company here. It does suck that you paid good money for a module that now does not work. However, there has to be some give and take. Submit the offending files at https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab and see what comes of it. Either side pointing fingers at each other without any effort really does not help anything. And yes, AVs have to be a little on the unforgiving side to stop day-one attacks and sometimes cause collateral damage.

2 hours ago, silverdevil said:

Not that it will be very helpful... maybe post up in the developer's forum for the aircraft? https://forums.eagle.ru/forum/321-dcs-i-16/ And another post from a year or so ago, https://forums.eagle.ru/topic/226077-false-positive-kaspersky-warning-about-trojan-ransomwin32foreigngen-in-worlddll/, also mentions the I16 DLL. I am not trying to enable anyone or any company here. It does suck that you paid good money for a module that now does not work. However, there has to be some give and take. Submit the offending files at https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab and see what comes of it. Either side pointing fingers at each other without any effort really does not help anything. And yes, AVs have to be a little on the unforgiving side to stop day-one attacks and sometimes cause collateral damage.

Unfortunately, the ESET software deletes the DLL as soon as it is created so there is nothing to upload for analysis unless you first disable the scanning of that file. It doesn't seem to quarantine this file, and I haven't been able to find an option to ask it to do that.


21 minutes ago, sthompson said:

Unfortunately, the ESET software deletes the DLL as soon as it is created so there is nothing to upload for analysis unless you first disable the scanning of that file. It doesn't seem to quarantine this file, and I haven't been able to find an option to ask it to do that.

Ah well, that is a problem. I did a little looksie for a way to quarantine instead of delete. Not finding much. I do see lots of documents explaining quarantine management, so there must be a way somewhere. I do see where there is an 'advanced setup' one can get to. Maybe after enabling that you can see if there is a way? ESET Internet Security, right?

2 hours ago, silverdevil said:

Ah well, that is a problem. I did a little looksie for a way to quarantine instead of delete. Not finding much. I do see lots of documents explaining quarantine management, so there must be a way somewhere. I do see where there is an 'advanced setup' one can get to. Maybe after enabling that you can see if there is a way? ESET Internet Security, right?

Yes, ESET Internet Security. I spent an hour going through the advanced setup yesterday and couldn't find a way to force quarantine on files flagged by real time system protection. Looking at files already in quarantine, all I see from past scans are malicious attachments from SPAM emails.


Maybe you could put in a support ticket? Your initial post has exactly the info support needs to check it. I see so many topics about managing quarantine that it has to be somewhere. Is there perhaps an updated version? Unfortunately I do not own the I-16, so I cannot get the file nor see how my AV would react. I would love to submit it.

43 minutes ago, silverdevil said:

Unfortunately I do not own the I-16, so I cannot get the file nor see how my AV would react.

I do have the I-16, but my AV didn't complain, as I have exclusions in place ... because I trust that a company like Eagle Dynamics will not distribute infected files.

[Attachments: AV effect.jpg, I16 - Kneeboard.jpg]

  • ED Team
On 30.12.2021 at 20:35, sthompson said:

In the meantime I'd like to get some confirmation from ED that the information in the original post is a false positive

I confirm that the DCS files have copy protection (analogous to StarForce serial keys). All known antivirus programs have a false positive response to this protection. If I remove DCS.exe and DCS_updater from the list of exceptions by my Kaspersky Security, then the DCS simply won't start. Your right to trust the antivirus.
The entire staff of our programmers uses only licensed software. Before any module is available for download, these files pass through the computers of hundreds of testers. You can create a request to tech support and get exactly the same response (maybe even from me).

8 minutes ago, maximov said:

I confirm that the DCS files have copy protection (analogous to StarForce serial keys). All known antivirus programs have a false positive response to this protection. If I remove DCS.exe and DCS_updater from the list of exceptions by my Kaspersky Security, then the DCS simply won't start. Your right to trust the antivirus.
The entire staff of our programmers uses only licensed software. Before any module is available for download, these files pass through the computers of hundreds of testers. You can create a request to tech support and get exactly the same response (maybe even from me).

I take it you are saying this is confirmed as a false positive. Do you speak for the company? If so I will put in an exception for the file that triggers ESET.

But it's not true that all known antivirus programs have a problem with DCS files. ESET does not normally complain about any other file in the distribution, including the two files you mention, and I've not needed exceptions previously. The OctopusG file is different somehow.

May I suggest that if you have hundreds of testers that at least one might want to use ESET while testing. It's one of the top AV products by market share.


@Rudel_chw I do not think you need to have an account. You could post the file for analysis; maybe they will make it an exception on their end. https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab I do know that every AV is a little different, so one saying it is OK and another not OK is the way of the world, unfortunately. If the world was rid of bad actors, we would not have to worry about this sort of thing.