silent one Posted June 20, 2024

I'm getting a message from Windows Defender that there's a malware program called Packunwan affecting DCS World OpenBeta\Mods\aircraft\F-4E\bin\HeatblurJester.dll. I haven't got any mods on DCS other than ReShade and I'm not sure if something's wrong or if this is a false positive by Windows Defender. Any advice appreciated.
BJ55 Posted June 20, 2024

False positive, a lot of modules are affected. For some reason, recently, AVs don't like VMProtect ( https://vmpsoft.com/forum/viewtopic.php?t=31505 ).

I7-12700F, 64GB DDR4 XMP1 3000MHz, Asus Z670M, MSI RTX 3070 2560x1440 60Hz, TIR 5, TM WH VPC base, TM rudder, Win10 Pro
silent one Posted June 20, 2024 (Author)

14 minutes ago, BJ55 said: False positive, a lot of modules are affected. For some reason, recently, AVs don't like VMProtect ( https://vmpsoft.com/forum/viewtopic.php?t=31505 ).

That's reassuring. Strange that it didn't do this last week and now it does. My comp did do a big Windows update a couple of days ago. I wonder if that's triggered this?
BJ55 Posted June 20, 2024

AVs prefer to be cautious since threat actors are using VMProtect to obfuscate their malware. For professional reasons I have strong protection and a strict configuration; until now I didn't notice any unwanted behaviour of ED's DLLs. Probably the detection is only due to expired/stolen certificates.
Ryansw Posted June 20, 2024

My computer has started to show the very same condition after updating DCS this evening.

file: D:\Steam\steamapps\downloading\223750\Mods\aircraft\M-2000C\bin\M2KC_CPT.dll - PUA:Win32/GameHack 19/06/2024 22:30 (Active)
file: D:\Steam\steamapps\downloading\223750\Mods\aircraft\F-4E\bin\HeatblurJester.dll - PUA:Win32/Packunwan 19/06/2024 22:30 (Active)

Edited June 20, 2024 by Ryansw: additional information added
silent one Posted June 21, 2024 (Author)

That's identical to what I am getting.

14 hours ago, Ryansw said: My computer has started to show the very same condition after updating DCS this evening.

file: D:\Steam\steamapps\downloading\223750\Mods\aircraft\M-2000C\bin\M2KC_CPT.dll - PUA:Win32/GameHack 19/06/2024 22:30 (Active)
file: D:\Steam\steamapps\downloading\223750\Mods\aircraft\F-4E\bin\HeatblurJester.dll - PUA:Win32/Packunwan 19/06/2024 22:30 (Active)
MurrayCod Posted July 10, 2024

What is the fix / workaround for this issue please? I'm using Norton AV software. I've been using the Phantom without a problem since its release, but when I fired up DCS last night for the first time in a week it would not authorise the Phantom module and consequently disabled it. I'm struggling to figure out how to get Norton AV to accept the HeatblurJester.dll file as non-threatening.
BJ55 Posted July 10, 2024

Read here:

Edited July 10, 2024 by BJ55
Cobra847 Posted July 14, 2024

Apologies for this; as noted above though it's a false positive.

Nicholas Dackard, Founder & Lead Artist, Heatblur Simulations
https://www.facebook.com/heatblur/
Waxer Posted August 24, 2024

@Cobra847 Can anything be done between Heatblur and Microsoft to get correct certificates for your software to prevent this "false positive"? To people (like me) that don't have degrees in software engineering it can be very worrying. Even though I know that I haven't done stupid stuff on my PC, it is still a concern.

Edited August 24, 2024 by Waxer
Zabuzard Posted September 2, 2024

On 8/24/2024 at 10:32 PM, Waxer said: @Cobra847 Can anything be done between Heatblur and Microsoft to get correct certificates for your software to prevent this "false positive"? To people (like me) that don't have degrees in software engineering it can be very worrying. Even though I know that I haven't done stupid stuff on my PC, it is still a concern.

Unfortunately, there is not too much that can be done. The process is to hand in the files to Microsoft & Co for explicit whitelisting, which we (and ED) did right when it started to happen. Seems it takes some time until they update their products. Sadly, whenever the files are just slightly changed in a DCS update, this process needs to be repeated.

We are looking with ED for an alternative solution to hopefully get this sorted out long term. After all, it is not just our files that are affected, but also other third parties. Fingers crossed.

Edited September 2, 2024 by Zabuzard
Waxer Posted September 2, 2024

Alright: thank you for getting back to me. And I am glad to know that you are working on a solution.
stag1978 Posted September 8, 2024

Dear All, this has started again, but now with HeatblurUiLif.dll. Can you also check this, please Heatblur/ED?
draconus Posted September 9, 2024

12 hours ago, stag1978 said: this has started again

It does and it will until they change the process. Resolution is still the same.

Win10 i7-10700KF 32GB RTX4070S Quest 3 T16000M VPC CDT-VMAX TFRP FC3 F-14A/B F-15E CA SC NTTR PG Syria
MAXsenna Posted September 12, 2024

On 8/24/2024 at 10:32 PM, Waxer said: @Cobra847 Can anything be done between Heatblur and Microsoft to get correct certificates for your software to prevent this "false positive"? To people (like me) that don't have degrees in software engineering it can be very worrying. Even though I know that I haven't done stupid stuff on my PC, it is still a concern.

It's a fair question. If ED and 3rd parties started signing their files, and every user started using Windows Defender... But that's not going to happen.

https://security.stackexchange.com/questions/75996/av-detection-of-signed-malware?newreg=b5fc4b210d1642cebc948c255b9bac0d
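
Editor's added example, not code from any poster, Heatblur or ED: a read-only PowerShell check for the points raised above about certificates and re-submission after each update. It reports, for the three DLL names mentioned in this thread, the Authenticode signature state, the SHA-256 hash and what Defender recorded. The default `$DcsRoot` is an assumed install location; pass your own.

```powershell
# Added example: read-only triage of the DLLs named in this thread.
# $DcsRoot is an ASSUMED install location, not taken from the thread.
param([string]$DcsRoot = 'C:\Program Files\Eagle Dynamics\DCS World OpenBeta')

$names = 'HeatblurJester.dll', 'M2KC_CPT.dll', 'HeatblurUiLif.dll'

# Defender's own records: map ThreatID -> threat name, then list detections.
$threatName = @{}
Get-MpThreat -ErrorAction SilentlyContinue |
    ForEach-Object { $threatName[$_.ThreatID] = $_.ThreatName }
$detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue)

# Locate the files under Mods\aircraft instead of hard-coding each path.
$files = Get-ChildItem -Path (Join-Path $DcsRoot 'Mods\aircraft') -Recurse -File `
    -Include $names -ErrorAction SilentlyContinue

foreach ($name in $names) {
    $file = $files | Where-Object Name -eq $name | Select-Object -First 1
    $hits = $detections | Where-Object { ($_.Resources -join ';') -like "*$name*" }
    $sig  = if ($file) { Get-AuthenticodeSignature -LiteralPath $file.FullName }

    [pscustomobject]@{
        File        = $name
        OnDisk      = [bool]$file                      # $false may mean quarantined
        SigStatus   = if ($sig) { $sig.Status }        # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject   # empty when the file is unsigned
        CertExpires = $sig.SignerCertificate.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate
        SHA256      = if ($file) { (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash }
        Detections  = ($hits | ForEach-Object { $threatName[$_.ThreatID] } |
                       Sort-Object -Unique) -join ', '
    }
}
```

Running it before and after a DCS update shows whether the SHA-256 of a flagged file changed, which is the condition under which the whitelisting submission described above has to be repeated.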