ID:2134407
 
BYOND Version:511
Operating System:Windows 10 Home 64-bit
Web Browser:Chrome 52.0.2743.116
Applies to:Windows Installer
Status: Open

Issue hasn't been assigned a status value.
Descriptive Problem Summary:
Windows Defender in Windows 10 is alerting me that both the installer and the .zip build of the 511.1353 release contains a virus. This isn't happening with the previous 511.1352 installer, and has never happened to me before with other BYOND releases.

Here is a screenshot of what Windows Defender is showing:

...And this is the information page for the virus that Windows says is present.
I messaged Lummox about it earlier. I sent it in to Microsoft as being a false positive.
I am also having this issue; would really appreciate some confirmation from Lummox.
Please submit the versions of the file you download to here: https://www.virustotal.com/en/

There is a SMALL likelihood that some virus on another computer in your network is using tricks to intercept your download of byond to infect it.

Please submit the files you have in your downloads; don't re-download if you already have them on your computer, as we want the version that triggers the AV. If the AV triggers again, tell it to ignore it; you don't have to worry as long as you don't actually run the program, if this is the case.

This will let us see if you are getting different files than what is posted on the site.
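One way to do the comparison this post asks for, as an added example that is not code from the thread or from BYOND: compute the same digests VirusTotal lists for a sample (MD5, SHA-1, SHA-256) for the copy already on disk, and compare them against a digest you trust. The file path and expected digests are placeholders to be filled in by the reader; the example assumes the trusted digest was obtained over a channel that cannot be tampered with in the same way as the download (otherwise, as the thread itself points out, a man-in-the-middle can rewrite both). Looking a file up on VirusTotal by its hash also avoids re-uploading an installer that may already have been analysed.

```python
import hashlib
import hmac
import sys

# Digests VirusTotal reports for each sample; any one of them is enough
# to look a file up by hash instead of uploading it again.
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory blob, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so a large installer never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_expected(actual: str, expected: str) -> bool:
    """Compare two hex digests case-insensitively and in constant time.

    Constant time is not strictly required for a local check, but it costs
    nothing and avoids the habit of comparing security values with ==.
    """
    a = actual.strip().lower().encode()
    e = expected.strip().lower().encode()
    return len(a) == len(e) and hmac.compare_digest(a, e)


def verify_digests(actual: dict, expected: dict) -> dict:
    """Per-algorithm True/False map for the digests the publisher states.

    `expected` maps algorithm name -> hex digest; algorithms not listed are
    skipped. Returning a map rather than a single bool makes it visible when
    exactly one digest is wrong (a tampered file, or a typo on the publisher's
    page), which is more useful when reporting back to the publisher.
    """
    return {name: matches_expected(actual[name], expected[name])
            for name in ALGORITHMS if name in expected}


def verify_download(path, expected: dict) -> dict:
    """Hash the file on disk and check it against the expected digests."""
    return verify_digests(digest_file(path), expected)


if __name__ == "__main__":
    # Usage (paths and digests are placeholders):
    #   python check_download.py <installer>                 -> print its digests
    #   python check_download.py <installer> <sha256 hex>    -> verify, exit 1 on mismatch
    if len(sys.argv) == 2:
        for name, value in digest_file(sys.argv[1]).items():
            print(f"{name}: {value}")
    elif len(sys.argv) == 3:
        result = verify_download(sys.argv[1], {"sha256": sys.argv[2]})
        print("match" if result["sha256"] else "MISMATCH")
        sys.exit(0 if result["sha256"] else 1)
    else:
        print(__doc__ or "usage: check_download.py <file> [sha256]")
```

Run it against the file that actually tripped Defender, not a fresh download, so the digests describe the flagged copy; a mismatch against the publisher's digest points at the download path, while a match narrows the problem to the scanner's signature.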
Only Windows Defender is having an issue with this file. This was built the same way I always build releases, and importantly nothing has changed on that system since the previous beta release.
I mean, Lummox, you don't use HTTPS for the download site, so it's wide open for an interceptive infection.

As long as that remains the case, you have zero guarantee that the file people get is the file you put up.

There does exist malware that infects popular routers; all too many don't protect against CSRF and have default passwords, meaning one shady website visit and JavaScript installs a new firmware.

Let alone any trojan getting on one computer, masquerading as some PC fix-it software, then infecting the rest of the computers in the network via the many MITM attacks (or just doing the above now that it has local access and doesn't need to CSRF the router to get in).

The first question you should be asking is "does the user even have the same file as is on my website?", because right now there is no guarantee.
This isn't a question I can answer. You could download via SSL by playing with the URL, but right now the pager can't do that for its updates.

Given the people reporting this, though, I suspect router malware is not high on the probability list. Likewise the fact that downloading an older version doesn't trigger anything. All signs point to Defender having a false positive.

Also the upload was done via a secure socket, so it's not at my end.
The whole site currently does work via SSL; you just have to use 'secure.byond.com' instead of 'byond.com'. Additionally, every link on the page takes you back to non-SSL 'byond.com'. Given 'secure.byond.com' is just a CNAME for 'byond.com', that means there's stuff being done on the server end to differentiate the two, which really shouldn't be the case.
DreamDaemon is the one that's been flagged as a virus and removed by Defender.
As of 9/11/2016 Windows Defender is classifying byond 511.1355 as Win32/Detplock.

Additionally, SSL is not set up correctly for the byond.com server. If you don't want to buy a cert, I'd recommend using Let's Encrypt to register a cert, and setting up the Apache server to default to SSL.
I have to wonder if the 'Any' macro code is triggering this as a keylogger.
Worth looking into.
The first Any implementations should have triggered it if so, but this didn't become an issue until a later beta. People simply need to report the false positive.
In response to Lummox JR
Lummox JR wrote:
The first Any implementations should have triggered it if so, but this didn't become an issue until a later beta. People simply need to report the false positive.

I've been reporting them every time I have an issue. It's just a hassle because I have to temporarily add exceptions to my downloads folder every time. I also have to have the BYOND folder as a permanent exception until it's taken care of.

Lummox, will we be required to report every new beta build, or will they eventually allow all of your changes through without flagging them? Surely we don't need to report false positives on a regular basis now indefinitely? =/
In response to Lavenblade
Lavenblade wrote:
Lummox, will we be required to report every new beta build, or will they eventually allow all of your changes through without flagging them? Surely we don't need to report false positives on a regular basis now indefinitely? =/

That's a question only Microsoft can answer. My hope is that once they have enough false positives across enough versions, they can refine whatever signature they're using so that it stops freaking out.
In response to Looter222
Looter222 wrote:
Additionally, SSL is not set up correctly for the byond.com server. If you don't want to buy a cert, I'd recommend using Let's Encrypt to register a cert, and setting up the Apache server to default to SSL.

The server does have SSL set up; I don't know what you mean when you say it's not set up correctly.

The site does not default to using SSL, but that's for some partial legacy reasons; secure operations like logins, changing your account info, etc. are all through SSL. At some point I'd definitely like to move to an all-SSL direction if feasible.
Win32/Detplock is some generic heuristics match; no details are known about what causes it to trigger. Google searches returned zero useful results, just forum posts where people make guesses.

They have a page for application creators to submit false positive reports:
https://www.microsoft.com/en-us/security/portal/developer/ContactUS.aspx

edit: You can also reduce these by signing your executables with a software publisher's certificate. Unsigned programs are treated more harshly by MSE.

https://blogs.msdn.microsoft.com/ieinternals/2011/03/22/everything-you-need-to-know-about-authenticode-code-signing/

https://msdn.microsoft.com/en-us/library/ms537361(v=vs.85).aspx
Gah. Signing programs is such a racket. I hate to go to the extreme trouble and moderate expense of dealing with that BS if it can be avoided.