Posted

Since I installed the latest Office 365, which includes Microsoft Defender, I get a warning from Virus & Threat Protection that
DCS World OpenBeta\Mods\aircraft\AV8BNA\bin\AV8B_CPT.dll
has potentially unwanted behavior. Has anyone observed the same message, and does anyone have an explanation for it?


Posted

I don't have Office 365, but Defender has also started flagging this for me.


i7-10700K @ 5Ghz | Asus Z490 Tuf Pro Gaming | RTX 3090 | 64 Gb RAM @3.6Ghz | 1TB Samsung 970 EVO+ SSD | 1TB addlink S70 M.2 SSD | 1TB Samsung 850 EVO | 4TB HDD | Reverb G2 | Thrustmaster Warthog HOTAS | Thrustmaster TPR rudder pedals | Thrustmaster Cougar MFDs

Posted (edited)

Yep, seeing the same thing, I assume it's a false positive:


Edited by Northstar98
  • Like 1

Modules I own: F-14A/B, F-4E, Mi-24P, AJS 37, AV-8B N/A, F-5E-3, MiG-21bis, F-16CM, F/A-18C, Supercarrier, Mi-8MTV2, UH-1H, Mirage 2000C, FC3, MiG-15bis, Ka-50, A-10C (+ A-10C II), P-47D, P-51D, C-101, Yak-52, WWII Assets, CA, NS430, Hawk.

Terrains I own: South Atlantic, Syria, The Channel, SoH/PG, Marianas.

System:

GIGABYTE B650 AORUS ELITE AX, AMD Ryzen 5 7600, Corsair Vengeance DDR5-5200 32 GB, NVIDIA GeForce RTX 4070S FE, Western Digital Black SN850X 1 TB (DCS dedicated) & 2 TB NVMe SSDs, Corsair RM850X 850 W, NZXT H7 Flow, MSI G274CV.

Peripherals: VKB Gunfighter Mk.II w. MCG Pro, MFG Crosswind V3 Graphite, Logitech Extreme 3D Pro.

Posted
7 hours ago, towsim said:

Since I installed the latest Office 365, which includes Microsoft Defender, I get a warning from Virus & Threat Protection that
DCS World OpenBeta\Mods\aircraft\AV8BNA\bin\AV8B_CPT.dll
has potentially unwanted behavior. Has anyone observed the same message, and does anyone have an explanation for it?

No official answer for this, but there are many posts about the same thing. If you are comfortable with adding exclusions, see below for Defender.


  • Like 2

AKA_SilverDevil Join AKA Wardogs Email Address My YouTube

“The MIGS came up, the MIGS were aggressive, we tangled, they lost.”

- Robin Olds - An American fighter pilot. He was a triple ace.

The only man to ever record a confirmed kill while in glide mode.

Posted

Thank you for the reply. I want to make sure that there is no threat to be expected. I removed the DLL from the folder. DCS runs normally, with the exception that the aircraft cannot be initialized anymore. I hope for a DCS update that makes the aircraft usable again.


Posted
4 minutes ago, towsim said:

Thank you for the reply. I want to make sure that there is no threat to be expected. I removed the DLL from the folder. DCS runs normally, with the exception that the aircraft cannot be initialized anymore. I hope for a DCS update that makes the aircraft usable again.

Depending on the antivirus software you use, it will detect several aircraft as false positives. I had the same. I unquarantined the files and excluded the DCS game folder from the scan, as generally recommended.

  • Like 1

Modules/maps: all, except for the Dora

My missions: https://www.digitalcombatsimulator.com/en/files/filter/user-is-Don rudi/apply/

Primary system: i7-13700k, RTX 4080, 32 GB, Win 11, Virpil WarBRD + Constellation Alpha with 5cm extension, Virpil CM2 throttle, Virpil Ace Interceptor pedals, Virpil Rotor TCS base + Blackshark grip, Winwing Triple MFD and ICP, Virpil panel 3, 34" UWHQD screen
Secondary system: Acer Nitro 5, i7-12700h, RTX 4060, 32 GB, Win 11, Virpil Rotor TCS base + Blackhawk grip, Virpil Ace Torq pedals, WinWing Viper Ace EXII stick, WinWing Strike Ace EXII throttle, WinWing PTO 2 panel 34" UWHQD screen

Posted
12 hours ago, towsim said:

Thank you for the reply. I want to make sure that there is no threat to be expected. I removed the DLL from the folder. DCS runs normally, with the exception that the aircraft cannot be initialized anymore. I hope for a DCS update that makes the aircraft usable again.

You may be hoping in vain. This isn't an ED/DCS issue; it's an antivirus false-positive issue, and it's a perpetual one. I don't believe DCS is the only game that's affected by a false positive for "Win64/Packed.VMProtect.AC" or "PUA:Win32/Packunwan" either (depending on what your A/V titles it as).

If you do nothing, your best 'hope' is that enough people submit the file for analysis with your particular antivirus provider that the AV dictionary gets updated so it's not detected as a false positive. Note however that as soon as a change is made to this file (through another DCS update) there is a good chance that the file will flag again as a false positive, so this will be a recurring battle.

The only solutions I can see at present are:

  1. Wait for the A/V provider to recognise it's not a real virus. (As per above, this comes with a number of drawbacks).
     
  2. Add the whole DCS folder as an exclusion for virus scanning. (Many people are uncomfortable with this, and understandably so. For 'just' a gaming computer it might not be too bad, but if it's a work machine, or something you do banking on, etc - I would caution against this).
     
  3. Add the file as an exclusion for the "Win64/Packed.VMProtect.AC" or "PUA:Win32/Packunwan" variant. (If your A/V allows you to exclude to this level.) For me, this is a good compromise between the two. You only add the files that are being falsely flagged to the exclusion list, and the exclusion list is only for the "Win64/Packed.VMProtect.AC" or "PUA:Win32/Packunwan" variant. The chance that these particular files (among many thousands) would be the only ones infected with a real virus, of a single variant (among many thousands of variants), is remote.

    The downside to this is that it does require you to do some work, and to have an A/V that allows adding exclusions at this level. Thankfully mine does (ESET).

I personally am not a fan of just ignoring the whole DCS directory. I get why many do, and it's probably not a problem, but I think it does fall into the danger of "normalization of deviance". It could be argued that (3) does as well, but to a much smaller degree, and one that is managed, instead of a blatant "ignore it all!" for the DCS directory.

  • Like 3
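The exclusion approach in AKA_SilverDevil's reply and option 3 above, written out for Microsoft Defender as an added example (this is not code from the thread, from Eagle Dynamics or from Microsoft). It reads Defender's detection history, keeps only the entries under the DCS install, prints each flagged file with its SHA-256 (the value you would submit for false-positive analysis), and adds one exclusion per flagged file instead of excluding the whole tree. The DCS path is an assumption; adjust it. Run from an elevated PowerShell on a machine that has the Defender cmdlets. Without `-Apply` the script only reports and changes nothing.

```powershell
<#
Added example, not code from the thread, from Eagle Dynamics or from Microsoft:
triage Defender detections under a DCS install and add exclusions only for the
flagged files (option 3 above) rather than for the whole directory (option 2).
Assumptions: $DcsRoot is a guess at the install path, adjust it; run elevated
on a machine with the Defender PowerShell module. Without -Apply nothing changes.
#>
param(
    [string]$DcsRoot = 'C:\Program Files\Eagle Dynamics\DCS World OpenBeta',
    [switch]$Apply
)

$pattern = [regex]::Escape($DcsRoot)

# 1. Detection history. Each entry's Resources is a string array such as
#    'file:_C:\...\Mods\aircraft\AV8BNA\bin\AV8B_CPT.dll'; keep only DCS files.
$hits = foreach ($d in Get-MpThreatDetection) {
    foreach ($res in $d.Resources) {
        if ($res -match $pattern) {
            [pscustomobject]@{
                File       = $res -replace '^file:_', ''
                ThreatID   = $d.ThreatID
                ThreatName = (Get-MpThreat -ThreatID $d.ThreatID).ThreatName
                Detected   = $d.InitialDetectionTime
            }
        }
    }
}
$hits = $hits | Sort-Object File -Unique

if (-not $hits) { "No Defender detections under $DcsRoot"; return }

# 2. Report each flagged file with its SHA-256 (what you submit to the AV vendor)
#    and whether it is still on disk or already quarantined.
foreach ($h in $hits) {
    $onDisk = Test-Path -LiteralPath $h.File
    $sha256 = if ($onDisk) { (Get-FileHash -Algorithm SHA256 -LiteralPath $h.File).Hash }
              else         { '(quarantined or removed)' }
    "{0}`n  threat : {1} (ID {2}), first seen {3}`n  sha256 : {4}" -f `
        $h.File, $h.ThreatName, $h.ThreatID, $h.Detected, $sha256
}

# 3. Narrow exclusions: one entry per flagged file, never the whole tree.
$existing = @((Get-MpPreference).ExclusionPath)
foreach ($h in $hits) {
    if ($existing -contains $h.File) { "already excluded: $($h.File)"; continue }
    if ($Apply) {
        Add-MpPreference -ExclusionPath $h.File
        "excluded: $($h.File)"
    } else {
        "would exclude (re-run with -Apply): $($h.File)"
    }
}

# 4. Verify what Defender now holds, and show the setting that governs
#    PUA:Win32/Packunwan: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only).
$pref = Get-MpPreference
"ExclusionPath : $($pref.ExclusionPath -join '; ')"
"PUAProtection : $($pref.PUAProtection)"
```

Two caveats a practitioner would want: a file that Defender has already quarantined has to be restored before the exclusion takes effect (Windows Security > Protection history, or `MpCmdRun.exe -Restore -ListAll` to see what can be restored), and Defender has no direct equivalent of ESET's "this file, this detection name only" exclusion. The closest it offers is a per-threat-ID default action (`Set-MpPreference -ThreatIDDefaultAction_Ids` / `-ThreatIDDefaultAction_Actions`), but that applies to the threat ID on every file, not just the DCS modules, so it is broader than option 3, not narrower. Re-run the script after each DCS update, since a changed DLL gets a new hash and may be flagged again.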
Posted

Thanks for all the replies. 

In the Wednesday update, a new DLL was delivered for the Harrier. With that, the warning by Microsoft Defender disappeared.

 


Posted

Yes, today I got the same message for the F15. So I tried to solve the problem with Microsoft Defender. After a full offline scan, I got the same message again. There were several possible actions. I selected ‘Quarantine’.

Results:

  • The F15E_CPT.dll was removed from DCS, obviously moved to a quarantine folder.
  • On DCS start the message appears that the F15E cannot be initialized. After that, DCS worked normally with all other aircraft.
  • With the latest DCS update there was a new AV8B_CPT.dll, which does not cause any problem.

 

This is the proof that the virus ‘GameHack’ or ‘Packunwan’ was hidden in AV8B_CPT.dll, which was overwritten by a new, uninfected version, and is now found in F15E_CPT.dll. A question to Microsoft Copilot about what ‘GameHack’ or ‘Packunwan’ means returned the answer:

Win32/Packunwan is a generic detection for potentially unwanted programs (PUAs) that use software packing. These applications can range from being merely annoying to posing a severe threat to system safety. Windows Defender often identifies programs bundled with adware or those without a publisher as PUA:Win32/Packunwan. Examples include software like PowerISO, KaOs packs, or cracked applications. Most of these flagged programs are unsafe, and some users have reported data compromise due to them.

Conclusion:

The only solution for the moment seems to be to remove the infected DLLs and to accept that the related aircraft is not available for the moment. I did not find the source of the infection. It could probably be another application which starts the infection procedure, but Defender did not give any information about this. With the experience so far, I am looking for a way to copy an uninfected DLL back into DCS, but I have no idea where to find such a DLL.


Posted

It's not only RB modules; my AV doesn't like:

AJS37*.dll                 HB
AV8B*.dll                  RB
F14*.dll                   HB
F15E*.dll                  RB
M2KC*.dll                  RB
MB339A.dll                 IFE
Avionics.dll (MiG-21bis)   M3

Often expired certificates lead to this situation. I'm not worried since, until now, I've not noticed any kind of unwanted traffic or activity.

  • Like 1

I7-12700F, 64GB DDR4 XMP1 3000MHz, Asus Z670M, MSI RTX 3070 2560x1440 60Hz, TIR 5, TM WH VPC base, TM rudder, Win10 Pro

Posted

DLLs that are involved in authenticating something can be prone to false positives, since they listen to remote servers and do things on local machine based on the answer, and also involve anti-spoofing techniques to make sure you don't fool the authenticator with some simple hack. AVs use a rather convoluted set of criteria, and it's not hard to trip them by accident (particularly if you're connecting to internet), especially when it comes to niche software that isn't always immediately checked by every major AV maker.

  • Like 3
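The two explanations offered above (an expired or missing code-signing certificate, and anti-tamper packing that trips "Packed.VMProtect"/"Packunwan"-style heuristics) can both be checked on the DLL itself. The following is an added example, not code from the thread, from a module developer or from any AV vendor. It prints the Authenticode signature status and signer validity window, then parses the PE section table and reports each section's name and Shannon entropy. Unpacked native code typically sits around 6 bits per byte; packed or virtualized sections run close to 8, and VMProtect names its sections `.vmp0`, `.vmp1` and so on. The file path is an assumption; adjust it.

```powershell
<#
Added example, not from the thread or any vendor: show why a module DLL trips
packer heuristics. Prints the Authenticode status, then name and Shannon entropy
of every PE section (packed/virtualized sections run close to 8 bits/byte and
VMProtect uses .vmp* section names). $Path is an assumption, adjust it.
#>
param(
    [string]$Path = 'C:\Program Files\Eagle Dynamics\DCS World OpenBeta\Mods\aircraft\AV8BNA\bin\AV8B_CPT.dll',
    [int]$SampleBytes = 1MB   # per-section cap so the byte loop stays fast enough in PowerShell
)

function Get-ShannonEntropy {
    param([byte[]]$Data, [int]$Offset, [int]$Length)
    if ($Length -le 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = $Offset; $i -lt $Offset + $Length; $i++) { $counts[$Data[$i]]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Length; $h -= $p * [Math]::Log($p, 2) }
    }
    [Math]::Round($h, 2)
}

function Get-PeSectionReport {
    param([string]$FilePath)
    $bytes = [IO.File]::ReadAllBytes($FilePath)
    # DOS header: e_lfanew at 0x3C points at the 'PE\0\0' signature.
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($bytes[$pe] -ne 0x50 -or $bytes[$pe + 1] -ne 0x45) { throw "$FilePath is not a PE file" }
    # COFF file header follows the 4-byte signature.
    $numSections = [BitConverter]::ToUInt16($bytes, $pe + 6)
    $optSize     = [BitConverter]::ToUInt16($bytes, $pe + 20)
    $table       = $pe + 24 + $optSize          # section table starts right after the optional header
    for ($i = 0; $i -lt $numSections; $i++) {
        $s       = $table + 40 * $i             # IMAGE_SECTION_HEADER is 40 bytes
        $name    = [Text.Encoding]::ASCII.GetString($bytes, $s, 8).TrimEnd([char]0)
        $rawSize = [BitConverter]::ToUInt32($bytes, $s + 16)   # SizeOfRawData
        $rawPtr  = [BitConverter]::ToUInt32($bytes, $s + 20)   # PointerToRawData
        # Never read past end of file, and cap the sample for speed.
        $avail   = [Math]::Min([int64]$rawSize, [int64]$bytes.Length - [int64]$rawPtr)
        $len     = [int][Math]::Min($avail, [int64]$SampleBytes)
        [pscustomobject]@{
            Section    = $name
            RawSize    = $rawSize
            Entropy    = Get-ShannonEntropy -Data $bytes -Offset ([int]$rawPtr) -Length $len
            PackerName = ($name -like '.vmp*') -or ($name -like 'UPX*')
        }
    }
}

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature : {0}" -f $sig.Status
if ($sig.SignerCertificate) {
    "Signer    : {0} (valid {1:d} to {2:d})" -f $sig.SignerCertificate.Subject,
        $sig.SignerCertificate.NotBefore, $sig.SignerCertificate.NotAfter
}
Get-PeSectionReport -FilePath $Path | Format-Table -AutoSize
```

Read the output as evidence, not a verdict: a `Signature` of `Valid` from the module vendor plus high-entropy `.vmp*` sections is exactly the profile that produces a "Packed.VMProtect"/"Packunwan" false positive, whereas `HashMismatch` (the signed bytes were altered after signing) is the one result here that would justify treating the file as suspect and submitting the hash to the vendor before excluding anything. `NotSigned` on its own says nothing either way; many DCS third-party modules ship that way.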
Posted

My company's old Excel add-in used to get flagged as a virus all the time. It was a false positive, I know as I compiled it myself more than once. I seriously doubt all these modules are "infected".

  • Like 1
Posted

Meanwhile I got a solution. The reason was a malware attack from an unknown source. Windows Defender posted a warning only when the infected module was started, which is obviously the case when DCS is started. Since Windows Defender cannot repair the infected modules, I used AVIRA for a full system scan. It took about 6 hours. Overall there were 59 infected modules. AVIRA did not only quarantine the modules, it even repaired the infections. After that, malware warnings were history. The reported modules were still in place and worked normally.


Posted
3 hours ago, towsim said:

Meanwhile I got a solution. The reason was a malware attack from an unknown source. Windows Defender posted a warning only when the infected module was started, which is obviously the case when DCS is started. Since Windows Defender cannot repair the infected modules, I used AVIRA for a full system scan. It took about 6 hours. Overall there were 59 infected modules. AVIRA did not only quarantine the modules, it even repaired the infections. After that, malware warnings were history. The reported modules were still in place and worked normally.

So now you need to show the devs how to do it. They might even have a copy of AVIRA, hehe.

  • Like 1
Posted
On 6/5/2024 at 5:28 AM, Don Rudi said:

Depending on the antivirus software you use, it will detect several aircraft as false positives. I had the same. I unquarantined the files and excluded the DCS game folder from the scan, as generally recommended.

Supply chain breaches are an urban legend, after all. Just ask SolarWinds.

  • Like 1
Posted
12 hours ago, Raisuli said:

Just ask SolarWinds.

Just ask all the idiots that installed SolarWinds and left the default password too.

  • Like 1
