General fluff => General ENIGMA => Topic started by: Darkstar2 on January 22, 2015, 03:22:28 pm

Title: ENIGMA compiled EXE detected as virus!
Post by: Darkstar2 on January 22, 2015, 03:22:28 pm
I was shocked and surprised to see that ENIGMA compiled EXE get detected as virus !


I used virustotal.com

I used a common project in ENIGMA and GMS 1.4 Pro.

I compiled a simple project, 1 empty room
in both ENIGMA and Windows-YYC, the Windows YYC EXE = 0 detection / 57.  Which surprised me, because I thought it would be detected by many !

When I compiled same project with ENIGMA, it detected 1/57.......  This is classified as MALWARE.

Now before some people go and saying that it must be the embedded code in the EXE tripping the scanner, well.........In YYG's EXE there is similar things happening if not more......yet it's clean.

I recall from past ENIGMA iterations that it was not tripping any detection.

Title: Re: ENIGMA compiled EXE detected as virus!
Post by: Rusky on January 22, 2015, 05:11:41 pm
Old GM EXEs were sometimes detected as malware because of the runner, which used patterns used in malware, like loading data out of itself and interpreting it. ENIGMA's probably got some library code that was either present in some malware that got picked up by the scanner, or uses a similar pattern. YYC just doesn't happen to generate that code or pattern.
Title: Re: ENIGMA compiled EXE detected as virus!
Post by: Goombert on January 22, 2015, 06:23:47 pm
This isn't new this is exactly what you reported last time and it hasn't changed.

Most reliable source I can find says that it could be related to using AppData, though I didn't think our exe's use that at all, only the compiler.

It could also be some of the extensions because those load DLL's, one of the reasons the old GM games still get flagged is because of DirectPlay, which is obsolete. Studio also does not handle resources the way the old GM did, its executables are essentially self-extracting 7zips, you can actually use 7zip to extract the audio from any standalone exe made with Studio, just extract it like a 7zip, though I haven't tested on the standalone installer. This is what my attempted decompiler originally did besides scanning for png and bmp files.

I'll run the test myself before and after disabling some extensions. Either way I am not really concerned with what some silly virus scanner on the internet says, we know for a fact it's not a virus.

Edit: Oddly enough switching off all systems and disabling every extension except paths gets it flagged by a different scanner, but still 1/57
Qihoo-360    Malware.QVM20.Gen    20150123

Using only Direct3D9 the same way but instead of OpenGL with no extensions flags it twice.
CMC    Packed.Win32.Katusha.1!O    20150120
McAfee-GW-Edition    BehavesLike.Win32.PWSZbot.ch    20150122

For why you shouldn't care what this scanner thinks either, read the following:
Title: Re: ENIGMA compiled EXE detected as virus!
Post by: Darkstar2 on January 22, 2015, 06:47:03 pm
Yes Robert I forgot to mention I disabled all extensions.

BTW I am doing some tests to compare YYC and ENIGMA, I've starting getting my feet wet again :D

The smallest file size ENIGMA I produced was 310K compressed......  The smallest empty project compressed YYC 1.9MB...... EMpty project compiled in YYC over 2MB !  Empty project ENIGMA compile twice smaller file size.

Interesting to note that McCaffee SHIT is the one detecting the alleged malware,

Problem is giving your compiled EXE to someone, nothing worse than receiving angry cunts cussing you out because they found "virusuz" in your EXE, and you try to explain to them that it is a false positive.

Maybe someone should contact McCaffee SHIT and tell those blokes to fix things.   Because GM and many other tools might create executables that include code that have some similar proprieties as malware so it's up to the company to review a sample and remove the false warnings.......
Title: Re: ENIGMA compiled EXE detected as virus!
Post by: TheExDeus on January 23, 2015, 06:41:15 am
Most AV companies have a way to report false positives. Like for kasperskey you send them the exe compressed inside a password protected zip to their e-mail. Then they look at it closer and modify their stuff so it wouldn't trow a false positive. So you should probably try doing that for those two AV's. At least maybe they will say what to change on our side.