
Posted (edited)

I uninstalled the Harrier, restarted the game and no warning about potentially unwanted software so I reinstalled the Harrier and got the same warning again.

If this is actual malware inserted into a mod...

 

@Nineline, @Bignewy

 

*Edit* I hesitate to upload the offending file in case it really is malware.

Edited by Elf1606688794
Posted (edited)

I had the same warning yesterday, it’s probably a false positive but to be safe I uninstalled the Harrier and the Strike Eagle until things are resolved and they start getting updates again. There are people posting similar reports regarding the Mirage 2000.
 

Also this 

 

 

Edited by Q3ark
Posted

No. It just raises an alarm because the file is encrypted and Defender doesn't know what's inside. Notice the "potentially unwanted behavior". With a real threat the message would be very different.

Just add DCS folder to ignore list.

  • Like 1
Posted
11 minutes ago, diego999 said:

It just raises an alarm because the file is encrypted and Defender doesn't know what's inside.

Others have said in the thread with the Mirage 2000 that Defender doesn't alert until the files are loaded into RAM and unencrypted. If the encryption itself was the issue then we should have been seeing false positives before and since it is ONLY RAZBAM products giving these warnings atm I will be uninstalling all RAZBAM products until @NineLine or @BIGNEWY tell us things are safe.

14 minutes ago, diego999 said:

Just add DCS folder to ignore list.

Absolutely not, at least until ED tells me it's safe. I've gone through the nightmares of trying to rid my rig of malware before and I don't care to do it again.

  • Like 4
Posted
57 minutes ago, diego999 said:

No. It just raises an alarm because the file is encrypted and Defender doesn't know what's inside. Notice the "potentially unwanted behavior". With a real threat the message would be very different.

Just add DCS folder to ignore list.

From what I’ve been able to find .dll files aren’t typically encrypted. Also why hasn’t this been a problem before now? Supposedly razbam aren’t working on these modules so how have these .dll files become encrypted? 

  • Like 2
Posted
2 hours ago, Q3ark said:

From what I’ve been able to find .dll files aren’t typically encrypted. Also why hasn’t this been a problem before now? Supposedly razbam aren’t working on these modules so how have these .dll files become encrypted? 

 

It's what I read in multiple threads about AVs flagging RAZBAM modules as potential malware. Like this one:

 

 

 

Posted (edited)

I had the same problem two days ago with the Harrier and now in the F15 and M2000...

It seems very uncomfortably coincidental to me that they are both from Razbam...

PUA:Win32/GameHack

file: E:\DCS World OpenBeta\Mods\aircraft\F-15E\bin\F15E_CPT.dll

file: E:\DCS World OpenBeta\Mods\aircraft\M-2000C\bin\M2KC_FM.dll

Edited by Joe1978
  • Like 1

Asus Rog Strix Z390F, i9-9900K, 64GB Crucial DDR4/3300, RTX3080, NVMe M.2 980 Pro 1T x2, SSD Evo 860 1T x2, Seagate Barracuda 1T, Seagate Barracuda 6T, HP X32C, HP Reverb G1

Posted (edited)

Scanned particularly my DCS drive yesterday after a friend warned me of this sudden issue and my Windows couldn't find any issues after scanning 460400 files.
Yes, I do have the F-15E, M2K and AV-8 installed.

DCS is still on 2.9.5.55300, so the issues might have been imported with the update 55918.
My Windows Defender antivirus is on 1.413.221.0

Edited by Rongor
  • Thanks 2
Posted

Interesting. Yep, I'm using the 55918 ver. with Windows Defender ver 1.413.234.0

Other:

PUA:Win32/Vigua.A

file: E:\DCS World OpenBeta\Mods\aircraft\F-15E\bin\ARF.dll

file: E:\DCS World OpenBeta\Mods\aircraft\M-2000C\bin\M2KC_CPT.dll

file: E:\DCS World OpenBeta\Mods\aircraft\M-2000C\bin\M2KC_FM.dll

Asus Rog Strix Z390F, i9-9900K, 64GB Crucial DDR4/3300, RTX3080, NVMe M.2 980 Pro 1T x2, SSD Evo 860 1T x2, Seagate Barracuda 1T, Seagate Barracuda 6T, HP X32C, HP Reverb G1

Posted

I've typically kept the DCS install exempted from my Defender scans. I just removed the exemption, scanned, and came up with the M2000 .dll. I own the Harrier and M2000, but haven't flown either in a few years. So I just removed them, and will go back and put in place my DCS exemption.

MSI MAG Z790 Carbon, i9-13900k, NH-D15 cooler, 64 GB CL40 6000mhz RAM, MSI RTX4090, Yamaha 5.1 A/V Receiver, 4x 2TB Samsung 980 Pro NVMe, 1x 2TB Samsung 870 EVO SSD, Win 11 Pro, TM Warthog, Virpil WarBRD, MFG Crosswinds, 43" Samsung 4K TV, 21.5 Acer VT touchscreen, TrackIR, Varjo Aero, Wheel Stand Pro Super Warthog, Phanteks Enthoo Pro2 Full Tower Case, Seasonic GX-1200 ATX3 PSU, PointCTRL, Buttkicker 2, K-51 Helicopter Collective Control

  • 2 weeks later...
Posted

I'm getting this too from Bitdefender, wouldn't mind confirmation that it is indeed a false positive.

Infected file detected

Antivirus

The file S:\Program Files\Eagle Dynamics\DCS World\Mods\aircraft\AV8BNA\bin\AV8B_CPT.dll is infected with Gen:Variant.Lazy.551852 and was moved to quarantine. It is recommended that you run a System Scan to make sure your system is clean.

  • Like 1

Windows 10 Home, Intel Core i7-9700K @ 4.6GHz, Gigabyte GTX 1070 G1 Gaming (8GB VRAM) on 34" LG curved monitor @ 3440x1440, 32GB RAM, TrackIR 3 (with Vector Expansion), Thrustmaster Warthog HOTAS, Saitek Combat Pedals, Thrustmaster Cougar MFDs.

Posted (edited)

I have the same issue "...\bin\AV8B_CPT.dll is infected with Gen:Variant.Lazy.551852". Appears since last update 2.9.5.55918. Is this under examination?

Restored the file from quarantine and scanned the drive. Again it is detected as a threat. Removed it for now, then scanned again, no more threats found.

Edited by Wiesel02
  • ED Team
Posted

Sadly, some antivirus have been detecting false positives, due to the protection used in the modules.

You can submit the file for checking with your provider.

If you are happy, you can create an exception for DCS and run a repair of DCS.

This is a personal choice to make, obviously.

We have let the teams know about the antivirus hits to see if there is anything we can do to mitigate the problem.

Thank you

  • Like 1


Windows 11, NVIDIA MSI RTX 3090, Intel® i9-10900K 3.70GHz, 5.30GHz Turbo, Corsair Hydro Series H150i Pro, 64GB DDR @3200, ASUS ROG Strix Z490-F Gaming, PIMAX Crystal
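The steps in the post above (submit the file to your provider, then decide on an exception), as an added PowerShell example that is not from Eagle Dynamics, RAZBAM or any poster: it collects the hash, Authenticode signature state and Microsoft Defender detection history for DLL paths quoted in this thread. `Get-FlaggedFileReport` is a hypothetical helper name, and it assumes the built-in Defender cmdlets are available on the machine.

```powershell
# Added example: gather what an AV vendor asks for in a false-positive submission.
# Get-FlaggedFileReport is a hypothetical helper; the paths below are quoted in this thread.
function Get-FlaggedFileReport {
    param([Parameter(Mandatory)][string[]]$Path)

    # Defender detection history and threat names (empty when another AV is active).
    $detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue)
    $names = @{}
    foreach ($t in @(Get-MpThreat -ErrorAction SilentlyContinue)) {
        $names[[string]$t.ThreatID] = $t.ThreatName
    }

    foreach ($p in $Path) {
        $present = Test-Path -LiteralPath $p -PathType Leaf
        $sig = if ($present) { Get-AuthenticodeSignature -LiteralPath $p }

        # Detection records list the affected files in Resources (strings like "file:_<path>").
        $hits = $detections | Where-Object {
            ($_.Resources -join "`n").IndexOf($p, [StringComparison]::OrdinalIgnoreCase) -ge 0
        }

        [pscustomobject]@{
            Path       = $p
            Present    = $present   # False usually means quarantined or removed
            SHA256     = if ($present) { (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash }
            Signature  = if ($sig) { $sig.Status }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
            Modified   = if ($present) { (Get-Item -LiteralPath $p).LastWriteTime }
            Detections = ($hits | ForEach-Object { $names[[string]$_.ThreatID] } |
                          Sort-Object -Unique) -join '; '
        }
    }
}

$flagged = @(
    'E:\DCS World OpenBeta\Mods\aircraft\F-15E\bin\F15E_CPT.dll',
    'E:\DCS World OpenBeta\Mods\aircraft\M-2000C\bin\M2KC_FM.dll'
)
Get-FlaggedFileReport -Path $flagged | Format-List

# If you then decide on an exception, it can be scoped to one file instead of the folder:
# Add-MpPreference -ExclusionPath $flagged[0]
```

Running it again after a DCS repair shows whether the restored file has the same SHA256 as the one that was flagged.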

Posted

Yes, this started happening to me yesterday. I was able to isolate the file and move it from quarantine to its correct folder manually.

Ran a full scan, with nothing detected....using BitDefender.

The culprit is AV8B_CPT.dll...so I am for now assuming that BitDefender is in error....and that just recently an updated virus signature file had this false positive in it.

I assume this will be impacting other DCS users, who at least are using BitDefender.

 

Velocity MicroI7-4790 Windows 7 Home Premium 16Gigs RAM EVGA NVIDIA GTX 1070 500GB SSD TM Hotas Warthog

Posted
On 6/23/2024 at 1:21 PM, Wiesel02 said:

I have the same issue "...\bin\AV8B_CPT.dll is infected with Gen:Variant.Lazy.551852". Appears since last update 2.9.5.55918. Is this under examination?

Restored the file from quarantine and scanned the drive. Again it is detected as a threat. Removed it for now, then scanned again, no more threats found.

 

Hi,

I have quoted my own post from above just to get the context right...

An hour ago there was an automatic update to my BitDefender anti virus. I let it install and thought I could give it a try again. I ran a DCS repair on stable and open beta installs (I have both) and then restarted the PC. Then, up again, I started both versions of DCS and there was no anti virus hit. The Harrier module was available again with no issues in both versions of DCS.

Just wanted to let you know.....because I think that sometimes issues like this could be caused by the anti virus software rather than by module files in your installation directories. I conclude this because since the issue came up and what happened today, there were no changes/updates introduced by EagleDynamics/RAZBAM, it is still version 2.9.5.55918.
