Pages: 1
  Print  
Author Topic: ENIGMA compiled EXE detected as virus!  (Read 7898 times)
Offline (Unknown gender) Darkstar2
Posted on: January 22, 2015, 03:22:28 pm
Member
Joined: Jan 2014
Posts: 1238

View Profile Email
I was shocked and surprised to see that ENIGMA compiled EXE get detected as virus !

BehavesLike.Win32.PWSZbot.th
McCaffee

I used virustotal.com

I used a common project in ENIGMA and GMS 1.4 Pro.

I compiled a simple project, 1 empty room
in both ENIGMA and Windows-YYC, the Windows YYC EXE = 0 detection / 57.  Which surprised me, because I thought it would be detected by many !

When I compiled same project with ENIGMA, it detected 1/57.......  This is classified as MALWARE.

Now before some people go and saying that it must be the embedded code in the EXE tripping the scanner, well.........In YYG's EXE there is similar things happening if not more......yet it's clean.

I recall from past ENIGMA iterations that it was not tripping any detection.


Logged
Offline (Male) Rusky
Reply #1 Posted on: January 22, 2015, 05:11:41 pm

Resident Troll
Joined: Feb 2008
Posts: 954
MSN Messenger - rpjohnst@gmail.com
View Profile WWW Email
Old GM EXEs were sometimes detected as malware because of the runner, which used patterns used in malware, like loading data out of itself and interpreting it. ENIGMA's probably got some library code that was either present in some malware that got picked up by the scanner, or uses a similar pattern. YYC just doesn't happen to generate that code or pattern.
Logged
Offline (Male) Goombert
Reply #2 Posted on: January 22, 2015, 06:23:47 pm

Developer
Location: Cappuccino, CA
Joined: Jan 2013
Posts: 2993

View Profile
This isn't new this is exactly what you reported last time and it hasn't changed.

Most reliable source I can find says that it could be related to using AppData, though I didn't think our exe's use that at all, only the compiler.
http://greatis.com/cleanvirus/remove-malware/behaveslike-win32-pwszbot-fh-usubucip-exe.htm

It could also be some of the extensions because those load DLL's, one of the reasons the old GM games still get flagged is because of DirectPlay, which is obsolete. Studio also does not handle resources the way the old GM did, its executables are essentially self-extracting 7zips, you can actually use 7zip to extract the audio from any standalone exe made with Studio, just extract it like a 7zip, though I haven't tested on the standalone installer. This is what my attempted decompiler originally did besides scanning for png and bmp files.

I'll run the test myself before and after disabling some extensions. Either way I am not really concerned with what some silly virus scanner on the internet says, we know for a fact it's not a virus.

Edit: Oddly enough switching off all systems and disabling every extension except paths gets it flagged by a different scanner, but still 1/57
Qihoo-360    Malware.QVM20.Gen    20150123

Using only Direct3D9 the same way but instead of OpenGL with no extensions flags it twice.
CMC    Packed.Win32.Katusha.1!O    20150120
McAfee-GW-Edition    BehavesLike.Win32.PWSZbot.ch    20150122

For why you shouldn't care what this scanner thinks either, read the following:
http://www.cplusplus.com/forum/beginner/67634/
« Last Edit: January 22, 2015, 06:39:20 pm by Robert B Colton » Logged
I think it was Leonardo da Vinci who once said something along the lines of "If you build the robots, they will make games." or something to that effect.

Offline (Unknown gender) Darkstar2
Reply #3 Posted on: January 22, 2015, 06:47:03 pm
Member
Joined: Jan 2014
Posts: 1238

View Profile Email
Yes Robert I forgot to mention I disabled all extensions.

BTW I am doing some tests to compare YYC and ENIGMA, I've starting getting my feet wet again :D

The smallest file size ENIGMA I produced was 310K compressed......  The smallest empty project compressed YYC 1.9MB...... EMpty project compiled in YYC over 2MB !  Empty project ENIGMA compile twice smaller file size.

Interesting to note that McCaffee SHIT is the one detecting the alleged malware,

Problem is giving your compiled EXE to someone, nothing worse than receiving angry cunts cussing you out because they found "virusuz" in your EXE, and you try to explain to them that it is a false positive.

Maybe someone should contact McCaffee SHIT and tell those blokes to fix things.   Because GM and many other tools might create executables that include code that have some similar proprieties as malware so it's up to the company to review a sample and remove the false warnings.......
Logged
Offline (Unknown gender) TheExDeus
Reply #4 Posted on: January 23, 2015, 06:41:15 am

Developer
Joined: Apr 2008
Posts: 1860

View Profile
Most AV companies have a way to report false positives. Like for kasperskey you send them the exe compressed inside a password protected zip to their e-mail. Then they look at it closer and modify their stuff so it wouldn't trow a false positive. So you should probably try doing that for those two AV's. At least maybe they will say what to change on our side.
Logged
Pages: 1
  Print