Ithronwise, posted May 9, 2024 (edited)

Hi folks, after the latest DCS update Windows Defender reports DCS World\Mods\aircraft\M-2000C\bin\M2KC_FM.dll as PUA:Win32/Packunwan. The timestamp of the file has changed with the update, and also its size, but there is no patch note about the Mirage 2000C in the release notes.

Edit: VirusTotal scan added.

Edited May 9, 2024 by Ithronwise

Signature: ASUS ROG Strix B450-F Gaming, AMD Ryzen 5800X, 64 GB Corsair Vengeance LPX DDR4-3000, ASUS TUF Gaming Radeon RX 6800 XT, Samsung 970 EVO M.2 NVMe 250 GB (OS), Corsair MP600 PRO LPX M.2 NVMe 2 TB (DCS World), Gigabyte G27QC Gaming Monitor, DelanClip Gamer, WINWING F-16EX Metal Flightstick with Orion2 Joystick Base, WINWING F-15EX II Metal Throttle with Orion2 Throttle Base, WINWING PTO 2 Take Off Panel, VIRPIL Controls Ace Flight Pedals, Buddy-Fox A-10C UFC, Thrustmaster MFD Cougar Pack, Windows 10 Pro
Rudel_chw, posted May 9, 2024

Most likely a false positive... if it were a real virus the forum would be all over with virus alerts from other users who updated as soon as the DCS patch was released.

Signature: For work: iMac mid-2010 of 27" - Core i7 870 - 6 GB DDR3 1333 MHz - ATI HD5670 - SSD 256 GB - HDD 2 TB - macOS High Sierra. For gaming: 34" Monitor - Ryzen 3600 - 32 GB DDR4 2400 - nVidia RTX2080 - SSD 1.25 TB - HDD 10 TB - Win10 Pro - TM HOTAS Cougar. Mobile: iPad Pro 12.9" of 256 GB
Athlonic, posted May 9, 2024

Same issue here. Happened just after I updated to the last version.

Signature: HW: 4790K @4.6 / GTX 1080ti 11GB / 16 GB / Asus ROG Formula VI / Acer Predator 32" 4K Gsync / X-55 Rhino / Oculus Rift-S / TrackIR. Combined Arms/Supercarrier/Nevada TTR/Persian Gulf/Normandy F-16C/FA-18C/AV-8B Harrier/F5-TigerII/SA342-Gazelle/M2000-C/L-39 Albatros/C-101/MiG-21/F-86F Sabre/Mi-8MTV2/UH-1H Huey/A-10C Warthog/Black Shark 2/Flaming Cliff 3/Hawk T1A(RIP). WWII: Spitfire/Bf-109 Kurfurst/Fw-190 Dora/P-51D Mustang
Rudel_chw, posted May 9, 2024 (edited)

3 minutes ago, Athlonic said: Same issue here. Happened just after I updated to the last version.

I also use MS Defender, but I have excluded the DCS folder from AV action, since after DCS started to encrypt its content the number of false AV reports increased so much that it got kind of annoying.

Edited May 9, 2024 by Rudel_chw
Ithronwise (author), posted May 9, 2024

1 hour ago, Rudel_chw said: Most likely a false positive... if it were a real virus the forum would be all over with virus alerts from other users who updated as soon as the DCS patch was released.

Probably, but because of my job I am highly alert if I get such a report, especially if more than one or two scanners on VirusTotal report an issue. The file has been changed by the update, but there is no information about any M-2000C patches in the release notes. That triggers my professional paranoia. I have uninstalled the Mirage 2000C module until further notice.
Rudel_chw, posted May 9, 2024

58 minutes ago, Ithronwise said: I have uninstalled the Mirage 2000C module until further notice.

Wow, just wow, I have no words... In my case, I use my PC just for gaming, so the damage that an eventual virus or malware could do is very limited; my e-mail, web browsing and purchasing are done on my other computer (an iMac) or on my iPad. The PC is strictly for playing.
Fulcrumkiller31, posted May 9, 2024 (edited)

Same for me. Uninstalling the M2K. Can't seem to remove it, which is very suspicious.

Edited May 9, 2024 by Fulcrumkiller31

Signature: Computer: I7 12700K OC 5.0 All Cores, EVGA 3070TI FTW 3, MSI Tomahawk Z690 DDR4 WIFI, 64 GB Corsair DDR4 3600 MHz, M.2 NVME 3TB. Gear: Virpil T-50CM2 Mongoose Stick, CM3 Base, CM3 Throttle, Logitech Pedals, HP Reverb G2. Modules: F-15E, F-18C, F-16C, F-14, A-10C II, AV-8B, M-2000C, Mirage F1, F-5, AH-64D, MI-24, KA-50, Nevada TTR, Syria, Persian Gulf, Falklands, Sinai, Afghanistan
maxTRX, posted May 9, 2024

1 hour ago, Ithronwise said: Probably, but because of my job I am highly alert if I get such a report, especially if more than one or two scanners on VirusTotal report an issue. The file has been changed by the update, but there is no information about any M-2000C patches in the release notes. That triggers my professional paranoia. I have uninstalled the Mirage 2000C module until further notice.

I don't blame you... files that changed didn't trigger alerts, a file that wasn't supposed to be changed did. I'm not a professional, but I'm up to my ears in this stuff... sort of fascinating. I'm on a strictly gaming rig so... I can drop my firewall, let my pass-through cam in VR and sound feed go straight to Zuckerberg so he can see my secret moves and tactics.
Ithronwise (author), posted May 10, 2024 (edited)

12 hours ago, oldcrusty said: (quoting Ithronwise, 14 hours ago: Probably, but because of my job I am highly alert if I get such a report, especially if more than one or two scanners on VirusTotal report an issue. The file has been changed by the update, but there is no information about any M-2000C patches in the release notes. That triggers my professional paranoia. I have uninstalled the Mirage 2000C module until further notice.) I don't blame you... files that changed didn't trigger alerts, a file that wasn't supposed to be changed did. I'm not a professional, but I'm up to my ears in this stuff... sort of fascinating.

Not sure what you want to say. The alert pops up when DCS starts. It didn't happen before the update. So some function within the DLL has changed and now triggers Windows Defender as soon as it is read by dcs.exe. The different file size and timestamp show the file was changed by the update.

Edited May 10, 2024 by Ithronwise
Ithronwise (author), posted May 10, 2024

14 hours ago, Rudel_chw said: Wow, just wow, I have no words... In my case, I use my PC just for gaming, so the damage that an eventual virus or malware could do is very limited; my e-mail, web browsing and purchasing are done on my other computer (an iMac) or on my iPad. The PC is strictly for playing.

I guess your gaming PC is connected to your home network? So in this case, if you catch malware (a backdoor, for example) on this PC, there is a good chance that your other devices within this network will be compromised too. As soon as someone has access to one device within your network, you are lost.
cfrag, posted May 10, 2024

14 hours ago, Rudel_chw said: Wow, just wow, I have no words...

TBH, one immediately came to my mind: "good!" The facts are that the OP downloaded some data from a source of unknown repute (a.k.a. ED's servers in Russia). If that trips a major malware detector, that calls for immediate action: the OP should scratch the offending bits, and ED should respond quickly to prevent a small glitch from turning into a conflagration (reputation-wise; I also suspect that this is a false positive. If not, they must already be at all-hands-on-deck status). I'm a bit surprised that we do not have some official word on this from ED, and I hope we will soon.
silverdevil, posted May 10, 2024

17 hours ago, Ithronwise said: Hi folks, after the latest DCS update Windows Defender reports DCS World\Mods\aircraft\M-2000C\bin\M2KC_FM.dll as PUA:Win32/Packunwan. The timestamp of the file has changed with the update, and also its size, but there is no patch note about the Mirage 2000C in the release notes. Edit: VirusTotal scan added.

To help others and yourself, you should submit the offending files to Microsoft. False positives do happen. You, being a professional, should always do this. ED is merely going to tell you there is no worry. This in itself should not alleviate your worries. https://www.microsoft.com/en-us/wdsi/filesubmission

By the way, AV software slows loading times significantly.

Signature: AKA_SilverDevil. "The MIGS came up, the MIGS were aggressive, we tangled, they lost." - Robin Olds - An American fighter pilot. He was a triple ace. The only man to ever record a confirmed kill while in glide mode.
Ithronwise (author), posted May 10, 2024 (edited)

1 hour ago, silverdevil said: To help others and yourself, you should submit the offending files to Microsoft. False positives do happen. You, being a professional, should always do this. ED is merely going to tell you there is no worry. This in itself should not alleviate your worries.

You are right, but these DLLs are encrypted, so Microsoft will not be able to check whether there is a potentially harmful function in them or not. These files are only decrypted at runtime by dcs.exe, and that's the moment when Windows Defender can check the functions that are loaded into RAM.

Edited May 10, 2024 by Ithronwise
maxTRX, posted May 10, 2024

6 hours ago, cfrag said: TBH, one immediately came to my mind: "good!" The facts are that the OP downloaded some data from a source of unknown repute (a.k.a. ED's servers in Russia). If that trips a major malware detector, that calls for immediate action: the OP should scratch the offending bits, and ED should respond quickly to prevent a small glitch from turning into a conflagration (reputation-wise; I also suspect that this is a false positive. If not, they must already be at all-hands-on-deck status). I'm a bit surprised that we do not have some official word on this from ED, and I hope we will soon.

Word or no word from ED... we shall continue the "has to be a false positive" approach and keep flying. Who knows how these updates are schlepped together and where. One thing for sure is that they are never thoroughly tested for bugs... Is the whole package ever tested for integrity, and where, before it hits the d/l servers? Oh well.
silverdevil, posted May 10, 2024

11 hours ago, Ithronwise said: You are right, but these DLLs are encrypted, so Microsoft will not be able to check whether there is a potentially harmful function in them or not. These files are only decrypted at runtime by dcs.exe, and that's the moment when Windows Defender can check the functions that are loaded into RAM.

Fair enough. Though how does Defender know that it is bad if it cannot decrypt it? It cannot tell either way. Isolate your machine and run Wireshark to inspect the packets being sent from your network. It's your choice and I respect your choice.
mazex, posted May 11, 2024 (edited)

Defender on Windows 11 finds the same thing (Packunwan) in "\Mods\aircraft\M-2000C\bin\M2KC_FM.dll" on my computer after running the update today. Uninstalling the Mirage 2000 immediately. Really sloppy to push ad/spyware in an official release (unless it's a false positive, which is on Microsoft), but I do not take any chances. Does not seem like a virus, but that does not matter.

Edited May 11, 2024 by mazex

Signature: Ryzen 9800X3D | RTX 5080 GPU | Gigabyte X670 Aorus Elite AX MB | 64GB 6000Mhz DDR5 | Windows 11 Pro x64 | Virpil T-50 Throttle | T50 CM2 Grip + WarBRD | VKB T-rudder MK IV | Asus PG279Q 1440p | Pimax Crystal Light VR | Samsung 980 Pro as system disk and DCS on separate Samsung 990 Pro NVME SSD
fifi49000, posted May 11, 2024

Hello everyone, same problem here with the M2000! It looks like a false positive, but a doubt obviously remains... I hope there will be a fix soon, because on an official release this looks bad...
Ithronwise (author), posted May 11, 2024 (edited)

13 hours ago, silverdevil said: Fair enough. Though how does Defender know that it is bad if it cannot decrypt it? It cannot tell either way. Isolate your machine and run Wireshark to inspect the packets being sent from your network.

dcs.exe starts -> loads the DLLs into RAM -> decrypts them there and executes the contained functions -> Windows Defender finds something suspicious -> alert.

My machine is alright, otherwise I would have the wrong job. The DLL is the problem, and even if it is a false positive alert, it isn't my task to clear this issue with Microsoft, but ED's.

Edited May 11, 2024 by Ithronwise
draconus, posted May 16, 2024 (edited)

On 5/9/2024 at 5:37 PM, Ithronwise said: The timestamp of the file has changed with the update, and also its size, but there is no patch note about the Mirage 2000C in the release notes.

AFAIK this is normal, since the modules need their files updated (1 DLL and 1 manifest) to the new DCS version with every update, no matter whether there were any additions/updates/fixes to the module itself. Also, "potentially unwanted" comes from a heuristic engine check.

Edited May 16, 2024 by draconus

Signature: Win10 i7-10700KF 32GB RTX4070S Quest 3 T16000M VPC CDT-VMAX TFRP FC3 F-14A/B F-15E CA SC NTTR PG Syria
Hammer1-1, posted May 23, 2024

I mentioned this issue about 2 weeks ago while trying to troubleshoot why DCS kept crashing. This is a well-known issue at the moment.

Signature: Intel 13900k @ 5.8ghz | 64gb GSkill Trident Z | MSI z790 Meg ACE | Zotac RTX4090 | Asus 1000w psu | Slaw RX Viper 2 pedals | VPForce Rhino/VKB MCE Ultimate + STECS Mk2 MAX / Virpil MongoosT50+ MongoosT50CM | Virpil TCS+/ AH64D grip/custom AH64D TEDAC | Samsung Odyssey G9 + Odyssey Ark | Next Level Racing Flight Seat Pro | WinWing F-18 MIPS | No more VR for this pilot. On today's episode of "Did You Know": Cessna Skyhawk crashes into cemetery; over 800 found dead as workers keep digging.
BJ55, posted May 23, 2024 (edited)

Probably the digital signature has become invalid/outdated and the M2000 DLLs are considered unsafe.

Edited May 23, 2024 by BJ55

Signature: I7-12700F, 64GB DDR4 XMP1 3000MHz, Asus Z670M, MSI RTX 3070 2560x1440 60Hz, TIR 5, TM WH VPC base, TM rudder, Win10 Pro
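The thread leaves three checkable claims open: whether the file's Authenticode signature is invalid or expired (BJ55), what Defender actually recorded and from which process (Ithronwise's runtime-detection account), and whether an exclusion on the DCS folder (Rudel_chw) means Defender never inspected it at all. The PowerShell below is an added triage script, not code from the thread or from Eagle Dynamics; it uses only the built-in Defender cmdlets, and the DCS install root is a placeholder you must adjust.

```powershell
# Added example: gather the evidence a defender wants before deciding
# "false positive" or "submit to Microsoft". Run in an elevated PowerShell
# on Windows 10/11 with the Defender module present (it ships with the OS).
param(
    [string]$DcsRoot  = 'D:\DCS World',                            # PLACEHOLDER: your install root
    [string]$Relative = 'Mods\aircraft\M-2000C\bin\M2KC_FM.dll'    # file named in the thread
)

function Get-DllTriageReport {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $item = Get-Item -LiteralPath $Path

    # 1. SHA-256: a lookup key for VirusTotal or a Microsoft submission without uploading.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # 2. Authenticode: tests the "signature invalid/outdated" hypothesis. Status will be
    #    Valid, NotSigned, HashMismatch (file modified after signing), etc. A timestamped
    #    signature stays Valid after the certificate expires, so report both separately.
    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $expired = $sig.SignerCertificate -and ($sig.SignerCertificate.NotAfter -lt (Get-Date))

    # 3. Defender's own record: which threat name fired, when, and from which process.
    #    Get-MpThreat maps ThreatID -> ThreatName; Get-MpThreatDetection holds the events.
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    $hits = Get-MpThreatDetection |
        Where-Object { $_.Resources -like "*$($item.Name)*" } |
        ForEach-Object {
            [pscustomobject]@{
                ThreatName = $names[$_.ThreatID]
                Detected   = $_.InitialDetectionTime
                Process    = $_.ProcessName          # expect dcs.exe if detected at load time
            }
        }

    # 4. Exclusions: if the path sits under an excluded folder, "no alert" means "not scanned".
    $excluded = (Get-MpPreference).ExclusionPath |
        Where-Object { $_ -and $Path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }

    [pscustomobject]@{
        File        = $Path
        SizeBytes   = $item.Length
        LastWrite   = $item.LastWriteTimeUtc
        SHA256      = $sha256
        SigStatus   = $sig.Status
        Signer      = $signer
        CertExpired = [bool]$expired
        Detections  = @($hits)
        InExclusion = [bool]$excluded
    }
}

Get-DllTriageReport -Path (Join-Path $DcsRoot $Relative) | Format-List
```

Keep the report (hash, signature status, detection record) with the Microsoft submission; the hash alone lets others confirm they are looking at the same build without exchanging the file.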
AJaromir, posted June 3, 2024 (edited)

It's blocked by reputation-based protection. I have this report for the Harrier. What is sus is that yesterday there was no report.

Edited June 3, 2024 by AJaromir