zildac, posted June 3, 2024:
It is almost certainly a false positive: the DLL is encrypted and also packed. Packers/crypters tend to trigger AV/EDR/malware controls, and rightly so, as this is very similar to the approach that malware uses to attempt evasion of these types of controls.
lvl4f, posted June 5, 2024:
The same thing happens to me with the Harrier module, but the worst thing for me is that I uninstall the module and the virus is still active. When I give it the option to remove, Windows Defender does nothing, and when I restart the machine it comes back. When the virus warning appeared I also tried to eliminate it with Malwarebytes, but nothing. Did the same thing happen to anyone else?
BitMaster, posted June 11, 2024:
Any statement from the devs or people who feel otherwise responsible for this encrypted DLL file? It's how you handle such incidents, not that they occur per se; it happens to all. Uninstalling is the ONLY safe option, because if it really hurts your system it is very likely that anyone held responsible for this will ask you "Why didn't you take action once you got the warning?" You will have no correct answer and will be blamed for not taking action while you could. If you are one foot into this game of security and responsibility, you know that taking immediate action is NOT a fault and follows the "Better safe than sorry" principle. Does this hurt the general DCS experience? Yes, it does, if average Joe is left alone with in-depth security concerns. Just my 2 cents as someone who gets paid to secure networks and give advice to deciders. You never suggest the easy & unsafe way.
BIGNEWY (ED Team), posted June 11, 2024:
Posted in another thread: Hi, many antivirus / security software do not like Protection, which we use as an anti-tampering system; it can produce false positives. Personal security is important, so if you are not happy you should submit the file for inspection so your provider can add it to their whitelists. Often people will add DCS to the exemption lists from scans to mitigate these false positives; once you do, running a repair of DCS should allow you to use them again. Hope that helps, thanks.
BitMaster, posted June 11, 2024:
BigNewy, this is exactly what one should NOT do, add to the exception list! It is one of those "easy way out" solutions that opens the door for further potential bad things to happen. Whoever created that file should send it to MS, not the end user with limited knowledge. That is, in my personal opinion, the right way of handling this. If I want my product to be accepted and considered safe I must take care and not leave it alone with the banana idea "ripens on its way to the customer". Sorry for not aligning here, I have seen too many bad things happen that wouldn't need to if things had been taken care of properly in the first place.
BIGNEWY (ED Team), posted June 11, 2024:
2 minutes ago, BitMaster said: "BigNewy, this is exactly what one should NOT do, add to the exception list! It is one of those "easy way out" solutions that opens the door for further potential bad things to happen. Whoever created that file should send it to MS, not the end user with limited knowledge. That is, in my personal opinion, the right way of handling this. If I want my product to be accepted and considered safe I must take care and not leave it alone with the banana idea "ripens on its way to the customer". Sorry for not aligning here, I have seen too many bad things happen that wouldn't need to if things had been taken care of properly in the first place."
As mentioned, personal security is something you need to decide yourself; if you are not happy it's best to submit the file for inspection with your security provider so they can whitelist it.
Togg, posted June 11, 2024 (edited):
Same here today with GDATA. Detected as PUP/junkware. I uninstalled the F15E and the Mirage 2000.
KevinAu, posted June 11, 2024:
Just saw another update since the one that added the Kiowa Warrior and updated DCS to 2.9.5.55918. Whenever I start DCS now, Windows Defender pops up with PUA:Win32/Vigua.A and PUA:Win32/GameHack. Anybody else seeing this? Is this a false positive? What should I do?
razo+r, posted June 11, 2024:
10 minutes ago, KevinAu said: "Just saw another update since the one that added the Kiowa Warrior and updated DCS to 2.9.5.55918. Whenever I start DCS now, Windows Defender pops up with PUA:Win32/Vigua.A and PUA:Win32/GameHack. Anybody else seeing this? Is this a false positive? What should I do?"
I have never seen these two, and neither have other people reported these two files. I don't think they even belong to DCS.
draconus, posted June 11, 2024:
31 minutes ago, razo+r said: "I have never seen these two, and neither have other people reported these two files. I don't think they even belong to DCS."
These are detections, not files; PUA as in potentially unwanted app.
Havremonster, posted June 11, 2024:
3 hours ago, KevinAu said: "Just saw another update since the one that added the Kiowa Warrior and updated DCS to 2.9.5.55918. Whenever I start DCS now, Windows Defender pops up with PUA:Win32/Vigua.A and PUA:Win32/GameHack. Anybody else seeing this? Is this a false positive? What should I do?"
I have the exact same problem, and this virus (or "false" virus, as someone says) comes from DCS. I managed to delete them today, but as soon as I ran the DCS repair, the virus came back again with the update that followed. If I try to start the game with the F15E and/or Mirage 2000C, the game won't start unless you hit OK on the warning. I expect the DCS devs to fix this, as the bug or virus comes from the updates.
Rudel_chw, posted June 11, 2024:
1 hour ago, Havremonster said: "I expect the DCS devs to fix this, as the bug or virus comes from the updates."
How exactly do you believe that a DCS developer can fix the wrong behavior of a piece of software from a different developer? It is you who should send the file to your AV support channel so they can fix their wrong detection.
MAXsenna, posted June 11, 2024:
Havremonster said: "I have the exact same problem, and this virus (or "false" virus, as someone says) comes from DCS. I managed to delete them today, but as soon as I ran the DCS repair, the virus came back again with the update that followed. If I try to start the game with the F15E and/or Mirage 2000C, the game won't start unless you hit OK on the warning. I expect the DCS devs to fix this, as the bug or virus comes from the updates."
It's not a virus and it's not a false virus. It's a false positive, because the antivirus incorrectly flags a file as a virus due to the encryption used to prevent pirating and theft of IP, which pretty much every game dev does. I'm with you @Rudel_chw, there's no point in helping people when they won't be helped.
Rudel_chw, posted June 11, 2024:
5 minutes ago, MAXsenna said: "I'm with you @Rudel_chw, there's no point in helping people when they won't be helped."
Hi. I swore to stay out of any AV related thread, but this jewel ("I expect DCS dev to fix this") was a bit much to ignore.
MAXsenna, posted June 11, 2024:
Rudel_chw said: "Hi. I swore to stay out of any AV related thread, but this jewel ("I expect DCS dev to fix this") was a bit much to ignore."
Yeah! I'm not at my computer, or I would have added a screenshot of how to fix this.
Hammer1-1, posted June 12, 2024:
Am I the only one who finds it odd that this just started happening recently? Or is there an explanation for that? Almost 9 years since I purchased it, and this is the first time I've ever had a false positive with anything in DCS.
sthompson, posted June 12, 2024:
This showed up on my system today. I notice that all of the affected modules in this thread are from Razbam.
MAXsenna, posted June 12, 2024:
Hammer1-1 said: "Am I the only one who finds it odd that this just started happening recently? Or is there an explanation for that? Almost 9 years since I purchased it, and this is the first time I've ever had a false positive with anything in DCS."
Not really. Occam's: it seems some updates were done to all the modules even if it wasn't mentioned in the changelog. These modules haven't received updates for a while and probably just now received the latest DRM updates (or whatever it is called) from ED.
draconus, posted June 12, 2024:
7 hours ago, Hammer1-1 said: "Am I the only one who finds it odd that this just started happening recently? Or is there an explanation for that? Almost 9 years since I purchased it, and this is the first time I've ever had a false positive with anything in DCS."
I can find such reports as old as 2020 (DCS 2.5).
silverdevil, posted June 12, 2024:
10 hours ago, MAXsenna said: "Yeah! I'm not at my computer, or I would have added a screenshot of how to fix this."
This alert is not exactly a virus. It's a PUP (potentially unwanted program). These files from ED and other developers are encrypted to keep people from decoding them and manipulating or stealing them, so the AV software flags it as a PUP. Here are my exclusions in my Defender.
Hammer1-1, posted June 12, 2024:
2 hours ago, draconus said: "I can find such reports as old as 2020 (DCS 2.5)."
If that's true, then ok... but I had these modules in 2020 as well. I never experienced this up until a week or two ago, and it's like people won't shut up about it now. Hell, I stumbled upon my issue, troubleshot it while posting a thread about it, fixed it, and then found out from others that it's been a big problem lately.
2 hours ago, MAXsenna said: "Not really. Occam's: it seems some updates were done to all the modules even if it wasn't mentioned in the changelog. These modules haven't received updates for a while and probably just now received the latest DRM updates (or whatever it is called) from ED."
I mentioned something like that not long ago, either here or on Facebook; that's the conclusion I came to.
cfrag, posted June 12, 2024:
12 hours ago, Rudel_chw said: "How exactly do you believe that a DCS developer can fix the wrong behavior of a piece of software from a different developer?"
Well, this is a grey area. On my machine, the Harrier and Mirage2k are affected, and I have quarantined them, currently rendering them inaccessible to me. These AV detection programs look for 'fingerprints' of malware in data packages. Since malware authors know this, they try to obfuscate their intent by encrypting their malware, leading to an arms race because AV authors then try to fingerprint that encrypted malware as well. Due to the nature of fingerprinting (which essentially compresses data to a relatively small data block, the fingerprint), false positives are likely. Usually, the developers of affected 'falsely identified as positive' software, when notified of a false positive, supply 'discriminators' to the central AV repository so that AV scanners can tell false positives from real threats; there is a good, standardized way to handle these issues. Now, all the models that are currently flagged in my case (by Microsoft's built-in scanner) are RAZBAM's models. So there is that. Hopefully this all gets resolved.
MAXsenna, posted June 12, 2024:
Hammer1-1 said: "I mentioned something like that not long ago, either here or on Facebook; that's the conclusion I came to."
All good. I just saw your other post in another thread.
KevinAu, posted June 12, 2024:
So… then this is not DCS' problem, and it's just left up to each of us individually to tell our Microsoft Defender or whatever antivirus to 'ignore' this find? Is that the consensus? But what happens if we encounter this virus for real from somewhere else? Does it just get through then? And also, I just want to make sure that there was indeed another update since the one posted in the changelog on 6/5/24, and that my DCS updater did not somehow get hijacked during the update check into downloading an actual virus from another site mimicking DCS?
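The thread's advice is to submit the flagged file to the AV vendor rather than exclude the whole install, and KevinAu asks what a blanket exclusion costs and whether the updater could have been hijacked. The PowerShell below is an added example, not code from the thread, from ED or from Microsoft's documentation: it lists the actual Defender detections, records the signer and SHA256 of each flagged file so a vendor submission has something concrete, and shows an exclusion scoped to one verified file instead of the whole tree. It assumes Windows with Microsoft Defender and an elevated prompt; the exclusion path at the end is a placeholder.

```powershell
# Added example: triage a Defender PUA detection on a game module DLL before
# deciding whether to submit it to the vendor or (narrowly) exclude it.
# Assumes Windows with Microsoft Defender, run from an elevated PowerShell.

# 1. What did Defender actually flag? Threat name plus the resource (file) path.
$detections = Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 20

foreach ($d in $detections) {
    $threat = Get-MpThreat -ThreatID $d.ThreatID
    $name   = if ($threat) { $threat.ThreatName } else { "ThreatID $($d.ThreatID)" }
    Write-Output ("{0}  {1}" -f $d.InitialDetectionTime, $name)
    $d.Resources | ForEach-Object { Write-Output "    $_" }
}

# 2. For each flagged file that still exists on disk, record signer and hash.
#    Defender reports resources as 'file:_C:\path\to\file'; strip that prefix.
#    An unsigned or untrusted-signed binary where only vendor-signed files
#    belong deserves a second look; the SHA256 is what you hand to the AV vendor.
$files = $detections.Resources |
    ForEach-Object { $_ -replace '^file:_', '' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Sort-Object -Unique

foreach ($f in $files) {
    $sig    = Get-AuthenticodeSignature -FilePath $f
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        File   = $f
        Signer = $signer
        Status = $sig.Status          # Valid / NotSigned / HashMismatch / ...
        SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $f).Hash
    } | Format-List
}

# 3. If, after the vendor submission, you still decide to exclude: exclude the
#    single verified file, never the whole install tree, so anything else that
#    lands in that tree is still scanned. The path below is a placeholder.
# Add-MpPreference -ExclusionPath 'C:\<DCS install>\Mods\aircraft\<module>\bin\<flagged>.dll'
```

Re-running step 2 after a repair or update shows whether the hash of the flagged file changed, which answers the "was my updater hijacked?" worry more reliably than the detection name alone.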