JABowders, posted June 19 (edited):

After Dedicated Server Update "DCS 2.9.17.11733", Windows Defender claims "Flight.dll", "Scripting.dll" and "Worldgeneral.dll" are infected with Trojan Win32/Sabsik.FLA!ml. Prevents me from running the server.

silverdevil, posted June 19 (edited):

27 minutes ago, JABowders said:
> After Dedicated Server Update "DCS 2.9.17.11733", Windows Defender claims "Flight.dll", "Scripting.dll" and "Worldgeneral.dll" are infected with Trojan Win32/Sabsik.FLA!ml. Prevents me from running the server.

hello. add exclusions in Defender.

AKA_SilverDevil Join AKA Wardogs Email Address My YouTube “The MIGS came up, the MIGS were aggressive, we tangled, they lost.” - Robin Olds - An American fighter pilot. He was a triple ace. The only man to ever record a confirmed kill while in glide mode.

USAF-Falcon87, posted June 19:

Bypassing security to fix a bug is not an acceptable solution.

PSYKOnz, posted June 19 (edited):

1 hour ago, USAF-Falcon87 said:
> Bypassing security to fix a bug is not an acceptable solution.

Correct, fix your product or don't release it, next you'll be telling us to forward all ports and turn off our firewall to fix a small connection problem.

I'm getting the same issue with:
edterrain4.dll - trojan:win32/savsik.fla!ml
Worldgeneral.dll - same as above
Flight.dll - program:win32/wacapew.c!ml

This is not the first time these types of issues have cropped up, and although it's just a false positive and the others have been too, ED should be trying to make sure their code is not being detected as a false positive, like the past few years where there's been no issues.

At the end of the day, if we keep allowing these through, what happens when an actual virus hits? There are plenty of instances of games being attack vectors out there.

Tomcat, Tomcat über allen

DragonSoulkin, posted June 20 (edited):

1 hour ago, PSYKOnz said:
> Correct, fix your product or don't release it, next you'll be telling us to forward all ports and turn off our firewall to fix a small connection problem. I'm getting the same issue with: edterrain4.dll - trojan:win32/savsik.fla!ml; Worldgeneral.dll - same as above; Flight.dll - program:win32/wacapew.c!ml. This is not the first time these types of issues have cropped up, and although it's just a false positive and the others have been too, ED should be trying to make sure their code is not being detected as a false positive, like the past few years where there's been no issues. At the end of the day, if we keep allowing these through, what happens when an actual virus hits? There are plenty of instances of games being attack vectors out there.

I'm currently trying to resolve this as well, so far adding the exceptions isn't working.

Edit: Eventually got it working. Had to run a repair after adding the exceptions to re-install the missing files.

Clawhammer, posted June 20 (edited):

I can confirm that on my Windows Server 2022. I am on the newest AV files from Windows Defender. I guess ED still need to whitelist them or the whitelist process is not done yet.

silverdevil, posted June 20:

nearly every patch that comes out, there is a new DLL being blocked. and then the discussion drags on that ED needs to fix. AV does not work that way. the user that gets the error must report these blocks as false positives. wouldn't be inane for a developer to add their own exclusions? these DLLs are encrypted and usually cannot be scanned. the AV software errs on the side of caution. it is more effective to allow folders than specific files. you will be chasing the pink elephant. there are many DCS users that exclude these folders and world has not yet ended.

Maverick87Shaka, posted June 20:

14 minutes ago, silverdevil said:
> nearly every patch that comes out, there is a new DLL being blocked. and then the discussion drags on that ED needs to fix. AV does not work that way. the user that gets the error must report these blocks as false positives. wouldn't be inane for a developer to add their own exclusions? these DLLs are encrypted and usually cannot be scanned. the AV software errs on the side of caution. it is more effective to allow folders than specific files. you will be chasing the pink elephant. there are many DCS users that exclude these folders and world has not yet ended.

It is part of the responsibility of a software house to verify a proper installation/upgrade process before an official release, and now we are talking that there is only the stable version, we are no longer talking about closed beta or anything else. This is the official server release. I can understand if the problem had been encountered on an occasional AV software used by 10 people around the world, but here we are talking about the default Windows AV, which, like it or not, is enabled by default on any system, including the server edition used by large companies. So it is an ED mistake if it was found during internal testing and ignored instead of being submitted to Microsoft to correct the false positive, and it is even more serious if no one noticed it.

FlighRIG => CPU: RyZen 5900x | RAM: 64GB Corsair 3000Mhz | GPU: nVIDIA RTX 4090 FE | OS Storage: SSD NVMe Samsung 850 Pro 512GB, DCS Storage: SSD NVMe Sabrent 1TB | Device: Multipurpose-UFC, VirPil T-50, TM WARTHOG Throttle, TrackHat, MFD Cougar with screen. Our Servers => [ITA] Banshee | Krasnodar - PvE | PersianConquest PvE Live Map&Stats | Syria Liberation PvE Conquest Support us on twitch subscribing with amazon prime account linked, it's free!

PSYKOnz, posted June 20:

I'd also add to this that this is the only game (and also server) that requires me to add an exception to Windows Defender in order to play and now even install an update for it.

DragonSoulkin, posted June 20:

14 minutes ago, PSYKOnz said:
> I'd also add to this that this is the only game (and also server) that requires me to add an exception to Windows Defender in order to play and now even install an update for it.

I was just thinking this.

Woody01, posted June 21:

This has put our dedicated server out of action also.

The Flying Kiwis - Since ages ago... Find us at https://www.simcentral.co.nz

Benom8, posted June 21:

+1

For now, I'm holding out on updating a server until this is fixed or at least there are official instructions on a workaround.

PSYKOnz, posted June 21:

That's the problem, the official workaround is to ignore detections from the DCS folder, I wouldn't hold your breath on a real solution.

JABowders (author), posted June 21:

One of the points I failed to make in my original post is that until this particular UPDATE I have never had any issues like this, I have never had to do Exclusions or anything, it just worked. So, when the Errors started popping up, I got concerned.

Yea, I'm not holding my breath on a real resolution to this coming out, but just think of the users standing up the Dedicated Server for the first time ...

PSYKOnz, posted June 22:

Yea, it's not great, especially given the nature of what a server is too. It's a shame that ED have got to this point too.

silverdevil, posted June 22:

home users, enterprise users, and developers (hint hint ED) can submit files for analysis. afterwards, MS will give the files a check and then mark good files for exclusions.

https://www.microsoft.com/en-us/wdsi/filesubmission

give it a try and make the world a better place. the rest of us will watch.

Maverick87Shaka, posted June 23:

20 hours ago, silverdevil said:
> home users, enterprise users, and developers (hint hint ED) can submit files for analysis. afterwards, MS will give the files a check and then mark good files for exclusions. https://www.microsoft.com/en-us/wdsi/filesubmission give it a try and make the world a better place. the rest of us will watch.

I've already done it as a normal user, but since it's an official stable release, it's expected that the developer's part was already done, or at least in progress, instead of completely ignoring the problem and asking to exclude the game folder from AV analysis. That's the point.

https://www.virustotal.com/gui/file/2ab19378e1ec9f9e4e4109ac461f3c991db5cf4436e15b9fba506dc393556693/detection

BIGNEWY (ED Team), posted June 23:

Just now, Maverick87Shaka said:
> I've already done it as a normal user, but since it's an official stable release, it's expected that the developer's part was already done, or at least in progress, instead of completely ignoring the problem and asking to exclude the game folder from AV analysis. That's the point. https://www.virustotal.com/gui/file/2ab19378e1ec9f9e4e4109ac461f3c991db5cf4436e15b9fba506dc393556693/detection

Even if we submit files to all the different AV providers they would not keep up with our update cycle.

The files are safe, it is a false positive, it happens a lot due to the way the files are protected. If the AV can not read it they will throw a warning to the end user.

Forum rules - DCS Crashing? Try this first - Cleanup and Repair - Discord BIGNEWY#8703 - Youtube - Patch Status Windows 11, NVIDIA MSI RTX 3090, Intel® i9-10900K 3.70GHz, 5.30GHz Turbo, Corsair Hydro Series H150i Pro, 64GB DDR @3200, ASUS ROG Strix Z490-F Gaming, PIMAX Crystal

Maverick87Shaka, posted June 23:

Just now, BIGNEWY said:
> Even if we submit files to all the different AV providers they would not keep up with our update cycle.

Can you provide the actual status of submitted files and/or the report number? Or since they will not keep up you've skipped completely this part?

Just now, BIGNEWY said:
> The files are safe, it is a false positive, it happens a lot due to the way the files are protected.

It's literally the first time that is happening on DCS core files, in the past there was just a problem of .DLL signature, mostly coming from 3rd parties. I do really hope it will not be the "normal behavior" of all new release to be honest.

PSYKOnz, posted June 23 (edited):

"Trust us bro"

A question I have is what happens if we download a mod for DCS and install it into the folder we have exempted and then it runs. Granted that downloading and installing the mod would be on the user for downloading it, but if we didn't have the exemption in our AV we could have been protected, just a thought.

Ultimately this will go nowhere and we'll all just end up creating an exception for it.

BIGNEWY (ED Team), posted June 23:

6 minutes ago, Maverick87Shaka said:
> Can you provide the actual status of submitted files and/or the report number? Or since they will not keep up you've skipped completely this part? It's literally the first time that is happening on DCS core files, in the past there was just a problem of .DLL signature, mostly coming from 3rd parties. I do really hope it will not be the "normal behavior" of all new release to be honest.

It's happened before on core files, you are only noticing it because it's the dedicated server that is throwing the false positive.

8 minutes ago, Maverick87Shaka said:
> Can you provide the actual status of submitted files and/or the report number? Or since they will not keep up you've skipped completely this part?

No, I won't be sharing internal data.

SteelPig, posted June 23:

The software not working as intended is the Windows-Defender. Cause that's the one triggering the false positive. So if you search for a tree to bark on, call Redmond.

BIGNEWY (ED Team), posted June 23:

I've given the team the feedback here and they are going to look into other possibilities to help prevent the false positives.

Actium, posted June 23:

3 hours ago, BIGNEWY said:
> I've given the team the feedback here and they are going to look into other possibilities to help prevent the false positives.

Assuming your development team relies on a CI/CD pipeline, it should be fairly straightforward to utilize the virustotal API to check for false positives automatically. Use of their public API should be free of charge for your use case (I'm a software developer, not a lawyer, so take my interpretation with a grain of salt). Postpone the release of an update if there are too many false positives.

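The pre-release check suggested in the post above, sketched as an added example (not code from the thread or from ED's build system): a gate that reads VirusTotal API v3 file reports (`data.attributes.last_analysis_results`) and holds a release when Defender flags a file, when too many other engines do, or when the file has not been scanned yet. The threshold, the choice of blocking engine, the engine name `EngineA` and the sample reports are assumptions constructed for illustration; a real pipeline would fetch each report by the build artifact's SHA-256.

```python
BLOCKING_ENGINES = {"Microsoft"}  # Defender's engine key in VirusTotal reports
MAX_OTHER_DETECTIONS = 2          # assumed tolerance for all other engines

def evaluate_report(report):
    """Classify one VirusTotal API v3 file report for a release gate."""
    if "data" not in report:
        # A fresh build's hash is unknown to VirusTotal: fail closed
        # until the file has been uploaded and scanned.
        return {"hold": True, "reason": "not analysed", "flagged": {}}
    results = report["data"]["attributes"].get("last_analysis_results", {})
    flagged = {engine: r.get("result") for engine, r in results.items()
               if r.get("category") in ("malicious", "suspicious")}
    blocking = sorted(e for e in flagged if e in BLOCKING_ENGINES)
    others = len(flagged) - len(blocking)
    if blocking:
        reason = "flagged by " + ", ".join(blocking)
    elif others > MAX_OTHER_DETECTIONS:
        reason = f"{others} other engines flag it"
    else:
        reason = ""
    return {"hold": bool(reason), "reason": reason, "flagged": flagged}

def gate(reports):
    """Map each held artifact name to the reason it blocks the release."""
    verdicts = {name: evaluate_report(rep) for name, rep in reports.items()}
    return {name: v["reason"] for name, v in verdicts.items() if v["hold"]}

def make_report(**engines):
    """Build a constructed report holding only the fields the gate reads."""
    return {"data": {"attributes": {"last_analysis_results": {
        name: {"category": category, "result": label}
        for name, (category, label) in engines.items()}}}}

# Constructed sample reports, not real scan results. EngineA is a made-up engine.
SAMPLE_REPORTS = {
    "Flight.dll": make_report(
        Microsoft=("malicious", "Program:Win32/Wacapew.C!ml"),
        EngineA=("undetected", None)),
    "Scripting.dll": make_report(
        Microsoft=("undetected", None),
        EngineA=("suspicious", "Generic.ml")),
    # Shape of the error body returned for a hash VirusTotal has never seen.
    "WorldGeneral.dll": {"error": {"code": "NotFoundError"}},
}

if __name__ == "__main__":
    for name, reason in gate(SAMPLE_REPORTS).items():
        print(f"HOLD {name}: {reason}")
```

Failing closed on an unscanned file matters here because every update produces new hashes, so a gate that treats "no report" as clean would pass every fresh build.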