Posted (edited)
On 3/18/2023 at 9:21 AM, Bagpipe said:

try a different AV program if all else fails

It's a personal choice of which one you trust.

I've switched from NORTON to ESET since 1997 and I've never had any problem.

On 3/18/2023 at 1:25 PM, steffj said:

I will close my AV before reinstallation of my program and keep it off (AV).

It's up to you, but I would be more careful about turning off my internet protection without having an official assurance that it is indeed a false alert.

Edited by ADHS

Democracy was already invented, while Scrat was eating oak fruits.

Posted (edited)

https://www.virusradar.com/en/Win64_Packed.VMProtect.L/description

It is a TROJAN.

The problem continues after the last update 17-Mar-23 also, but is worse.
No terrains found and some other modules went in OFFLINE mode.
CombinedArms.dll was blocked and quarantined by ESET during update.
I had to UNINSTALL Combined Arms module and then run REPAIR.
No threats found in DCS World OpenBeta DCS Saved Games folders after scan.

Edited by ADHS
  • Like 1
  • Thanks 1


Posted (edited)
26 minutes ago, Wing said:

These are the files that were detected btw.

It's the same file. ESET quarantines every threat, every time, as a single individual event.
So don't worry about multiple threats.
The last one (top) is after you decided to ignore the threat and allowed it to be installed.
The others (till 12:19:39 PM) are the attempts where you decided the threat was clean.

They were all quarantined, none managed to pass through, but this makes DCS act differently, as it is missing files it needs to run properly.

 

Edited by ADHS


Posted (edited)
2 hours ago, Dangerzone said:

Are you saying that the file is definitely infected with a trojan

ESET analyzes every file:
either during download,
or before direct execution,
or before a call to be executed,
or to be read.
This one is a .dll, which means that it will be called to be used/read later on.
But it is infected with this trojan.

ESET checks every file for possible infection, and only if it finds an infected one
does it block the file from being executed/read and then move it to the quarantine.

Edited by ADHS


Posted (edited)
40 minutes ago, ADHS said:

ESET analyzes every file:
either during download,
or before direct execution,
or before a call to be executed,
or to be read.
This one is a .dll, which means that it will be called to be used/read later on.
But it is infected with this trojan.

ESET checks every file for possible infection, and only if it finds an infected one
does it block the file from being executed/read and then move it to the quarantine.

 

Thanks for clarifying. So to confirm - there's no evidence that it's definitely infected - you're just trusting your antivirus software is correct & assuming that because ESET & AVG are detecting correctly and that every file it detects as being infected is 100% infected. (AKA - ESET haven't responded to your submission and confirmed 100% that it is infected)?

Because there are such things as 'false positives'. These are when antivirus software running certain algorithms detects a file as being infected when it is not infected - just that it has similar patterns to an infection. I've built applications myself in the past that have flagged as being infected when they have not been - just that something in the compiled code is seen a certain way by antivirus software.

So when you say "it is infected with this trojan", that may not be the case. It 'appears to be infected' would be more correct. I'm strongly suspicious that this is a 'false positive'. That it's not truly infected with a virus, but just flagging as being. Of course - I can't say 100% for sure, but from what I've witnessed in the past - that's probably more likely than not.

It would be helpful if we could get the MD5 hash for this file off ED so we can compare what we have with the version they're creating to know that the file hasn't been altered in any way for more clarity. 

About all we can do is submit the file for analysis to ESET & AVG and for them to determine if it is or isn't truly infected, and update their database & algorithms accordingly and wait for that update, or if the file is truly infected (and not just a false positive) - for ED to replace it on their update server.

Edited by Dangerzone
  • Like 2
Posted (edited)

I understand what you mean, as I did compile some code whose
behavior was taken as a trojan.
Indeed I fully trust ESET and its decision to quarantine this file,
and as the link shows, this trojan is active till 2018, so there was
nothing new after I sent the file for analysis. As I've mentioned
before, there was a similar trojan problem with the Gazelle module that was
fixed by an ED update later on.
It would be good if ED would take a look at it also, so as to save us
long assumptions, but (personally) I don't rely on such actions.

Edited by ADHS
  • Like 1


Posted
1 hour ago, ADHS said:

Indeed I fully trust ESET and its decision to quarantine this file

Dude, it's automated, not man decision. But you're free to think whatever you want about it. Just don't spread tin foil hat stories.

  • Like 2

🖥️ Win10  i7-10700KF  32GB  RTX4070S   🥽 Quest 3   🕹️ T16000M  VPC CDT-VMAX  TFRP   ✈️ FC3  F-14A/B  F-15E   ⚙️ CA   🚢 SC   🌐 NTTR  PG  Syria

Posted (edited)
22 minutes ago, draconus said:

Dude, it's automated, not man decision.

Are you sure?!
You don't know that there is "interactive mode" also?

22 minutes ago, draconus said:

Just don't spread tin foil hat stories.

Show some RESPECT to all Members that have the same problem here,
this that you call "tin foil hat stories".

Are you a Moderator or ED Team member or Support Team member?

Edited by ADHS
  • Like 1


Posted

I think there may be some misunderstanding / maybe language barriers? 

Interactive in ESET does not mean that a person is manually verifying files/viruses at ESET's end - it means that it's interactive (and not automated) at the user's end (you choose, not ESET). The detection of possible threats is automated through software alone - how ESET responds to it can be automatic (quarantine) or interactive (prompt user).

You're well within your rights to trust ESET. Being cautious is certainly a prudent thing to do, especially in this day and age of electronic sabotage, and I don't blame you for that or discourage you. Unless Combined Arms is essential over the next few weeks, leaving it disabled is a conservative move. 👍

However in the same token, I think people might be getting upset because of the way you're phrasing certain statements, such as:

20 hours ago, ADHS said:

File submitted for analysis. It is a TROJAN. https://www.virusradar.com/en/Win64_Packed.VMProtect.L/description

and

Quote

But it is infected with this trojan.

It comes across as accusing this file of definitively being infected, and it's 100% ED's problem - instead of a possibility. That may not have been your intention, but that's how it came across to me when I read your posts (which is why I asked for clarification).

When also considering that only 2 antivirus programs have flagged this as infected, and the detection is flagging for a 5 year old virus - (I would expect more to do so by now), it does hint towards this being a false positive and not a true risk.

I don't fully trust ESET. To me it's a tool - and like all tools, I see it as a fallible one. (No software is perfect.) So, I don't trust it 100%, which means I don't trust it to pick up all viruses, and thus I have extra precautions in place on top of ESET in case ESET misses something (i.e., I won't double-click unknown attachments even if ESET doesn't flag it). Likewise, in the same manner I don't trust its detections 100% - but will use it as a flag and use other means to consider fully whether it's an issue or not. (I'll take into account the apparent age of the flagged detection (5 year old trojan) and the lack of other software flagging it, etc.)

If I may, my suggestion for times as this is to be careful about how things are phrased to make sure what's going on is clear (detection, vs actual infection), and to use all options at our disposal instead of trusting a single source to come to the best conclusion for each of us - and in the end, that choice may be different for one person to the next. I'm not trying to change your mind on how you personally handle the file or risk- just respectfully asking you to reconsider the way that you phrase certain statements. 🙂

To get back to the file in question:

The MD5 hash of the flagged file my end (CombinedArms.dll)
b8388020a02c7916c953c0b9969b4727

I'd be grateful if ED could confirm if this is the correct MD5 hash we should be having for the latest Open Beta?

  • Like 1
Posted

Dangerzone

We can't know if there is a threat or not on our own. This is why
we are using internet security software, to do this instead of us.
This is why I've expressed my opinion, while this is an identified
trojan threat, found in an official DCS update, to me and to others.
And from the time that there is a problem, we have to solve it, and it is
not a matter NOT TO from a reputation point of view. All make mistakes.
So:
This is supposed to be a forum to discuss problems for Combined Arms.
But there is no OFFICIAL answer or comment from any OFFICIALS.
Means that this problem hasn't been REPORTED to be checked by ED yet.
This is why we all are just filling up a thread with personal
ASSUMPTIONS of any kind that in the end don't give a
secure answer to anyone about what to do or not to do.

How many times have we all somehow searched for a solution to a problem
and followed totally wrong advice that led us to danger and
security risks, or nonsense such as reinstall software and Windows
again, format your hard drives, buy a new PC or better buy a car?
So what if someone reads here and follows it to allow/ignore this threat to
be installed and later on regrets it? Better to be warned.

Thank you.

PS:
I fully agree with your points and I fully respect your way of
expressing them. Forums need persons like you to keep the balance.
I have already uninstalled the module and I will try to reinstall it
after the next update, till there will be no warning.


Posted
4 hours ago, ADHS said:

But there is no OFFICIAL answer or comment from any OFFICIALS.

 


Posted

draconus

ESET didn't reply anything as a false alert.

Has this been tested by ED Team?

BIGNEWY said: "Personally not seeing a problem" and I still got a problem with it.


  • ED Team
Posted

Hi, 

No one in our team, including beta testers, is getting any hits on this dll.

We would always advise you to check with your antivirus provider if you are seeing issues, but as far as we can tell it is a false positive.

We have had issues with ESET in the past, but it is usually blocking connections as can be seen here

  • Like 1
  • Thanks 2


Forum rules - DCS Crashing? Try this first - Cleanup and Repair - Discord BIGNEWY#8703 - Youtube - Patch Status

Windows 11, NVIDIA MSI RTX 3090, Intel® i9-10900K 3.70GHz, 5.30GHz Turbo, Corsair Hydro Series H150i Pro, 64GB DDR @3200, ASUS ROG Strix Z490-F Gaming, PIMAX Crystal

Posted (edited)

BIGNEWY

Thank you very much 👍

Once there is an official answer from ED
I will recontact ESET to double check
with them and I will let you all know.

Edited by ADHS
  • Thanks 1


Posted

Just an FYI, I am on Windows 11 and Windows Defender flagged it as a trojan. I had Windows remove the file. I then ran repair and DCS re-installed it. Windows Defender is no longer flagging that file. I didn't tell Defender to ignore the file either. Maybe definitions were updated, or the previous file had a trojan. I don't know. But it's working now. Thanks for all the previous responses!

  • Thanks 1
Posted (edited)
13 hours ago, apmech1 said:

Just an FYI, I am on Windows 11 and Windows Defender flagged it as a trojan. I had Windows remove the file. I then ran repair and DCS re-installed it. Windows Defender is no longer flagging that file. I didn't tell Defender to ignore the file either. Maybe definitions were updated, or the previous file had a trojan. I don't know. But it's working now. Thanks for all the previous responses!

There was another Open Beta just released recently. Not sure whether that has a change that has fixed it? 

Edit: Apparently not - I'm still getting triggers:

New MD5 hash though: DC428A9012168F0D60FFFEB1B222C75D so I guess something was changed.

Edited by Dangerzone
  • Like 1
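The hash comparison requested earlier in the thread (a vendor-confirmed reference hash versus the local CombinedArms.dll) and the changed hash reported after the newer Open Beta can be checked as below. This is an added example, not part of any forum post and not ED's tooling; the function names, build labels and sample bytes are constructed, and real reference hashes would have to come from the vendor.

```python
import hashlib
import os
import tempfile

def file_digests(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Read the file once in chunks; return {algorithm: lowercase hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def normalize(hex_digest):
    """Hashes get quoted in lower or upper case, sometimes with stray spaces."""
    return "".join(hex_digest.split()).lower()

def classify(path, known_builds):
    """known_builds: {build label: {algorithm: reference hex digest}}.
    A match means the local file is byte-identical to that shipped build, so an
    AV hit is about the vendor's binary (a question for the AV vendor), not
    local tampering. No match means altered, corrupted, or an unlisted build."""
    local = file_digests(path)
    for label, reference in known_builds.items():
        shared = [alg for alg in reference if alg in local]
        if shared and all(local[a] == normalize(reference[a]) for a in shared):
            return ("matches-vendor-build", label)
    return ("unknown-or-modified", None)

def demo():
    """Constructed stand-ins: two 'builds' and one copy with a byte appended."""
    build_a = b"constructed stand-in bytes: build A"
    build_b = b"constructed stand-in bytes: build B"
    known = {  # hypothetical manifest; MD5 alone is weak, so list SHA-256 too
        "build-A": {"md5": hashlib.md5(build_a).hexdigest().upper()},
        "build-B": {"md5": hashlib.md5(build_b).hexdigest(),
                    "sha256": hashlib.sha256(build_b).hexdigest()},
    }
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.dll")
        for content in (build_a, build_b, build_a + b"\x00"):
            with open(path, "wb") as fh:
                fh.write(content)
            results.append(classify(path, known))
    return results

if __name__ == "__main__":
    print(demo())
```

A changed hash between two updates only shows that the file was rebuilt; it says nothing by itself about whether either build is clean.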
Posted

Not sure if this info is helpful to anyone or not, but I had the same issue just now with Windows Defender. As with Apmech, allowing Defender to delete the file and running a repair seems to have cleared the issue up, but I'd certainly be glad to know any more info as it becomes available.

  • Like 1
  • Thanks 2
Posted (edited)

I had the exact same file/threat flagged as percivaldanvers above, also with Windows Defender. Removing and repair seems to fix it. My install is quite new, about a month.

Edited by Rhyn0
  • Like 1
Posted

Today my Windows (10) Defender behaves the same.

I've not installed any other 3rd party anti-virus.

  • Like 1

Modules: A-10C/II, F-4E, F-5E(Re), F-14A/B, F-15E, F-16C, F/A-18C, AV-8B, FC3, Ka-50-2/3, UH-1H, Mi-8MTV2, SA342, Mi-24P, AH-64D, CH-47F, P-51D
Maps: Nevada, PG, Syria, SA, Sinai, Kola, Afghanistan, Iraq, CW Germany, Channel, Normandy2.0      Assets etc.: CA, Sc, WW2AP
Mods and Skins in User Files: files/filter/user-is-western0221/ 


Posted
14 hours ago, western_JPN said:

Today my Windows (10) Defender behaves the same.

I've not installed any other 3rd party anti-virus.

Same for me and combined arms is disabled


  • Like 1

Wise men speak because they have something to say; Fools because they have to say something.

Plato
