
Always get recognized as a Virus #20

Open
Panics11 opened this issue Apr 9, 2019 · 31 comments

@Panics11

commented Apr 9, 2019

Hello everyone.
The ModInstaller gets recognized as a Trojan by Kaspersky Security Suite every time I try to start it.
I won't disable my antivirus for this, so is there anything I could do against this?

@Assistant

Collaborator

commented Apr 9, 2019

You could use a different AV. Kaspersky is extremely hypersensitive.

@megalon

Member

commented Apr 9, 2019

Fefeland was having the same issue with this version, and I believe it might be because I'm bundling the new MaterialSkin.dll into the BeatSaberModManager.exe with ILMerge.
I'm doing this to keep the release as a single .exe file, instead of releasing a zip file with multiple files in it.
I suppose I could release both the single .exe file and a zip file as well.

Here is the exact same release, but with the BeatSaberModManager.exe and MaterialSkin.dll as separate files. Does this also trigger your antivirus?
Release.zip

For reference here is the MaterialSkin package I'm using. I've verified the MaterialSkin.dll it downloads from the package manager is safe
https://www.nuget.org/packages/MaterialSkin/

And here is the version of ILMerge that I'm using as well. Straight from Microsoft's own website
https://www.microsoft.com/en-us/download/details.aspx?id=17630

@Panics11

Author

commented Apr 9, 2019

The files from this zip don't trigger the scanner.

@megalon

Member

commented Apr 9, 2019

Yeah, like I said, I suspect it's triggering the antivirus because it somehow detects that the BeatSaberModManager.exe has had an external DLL bundled into it.

I might start making releases as zip files from now on, but I was trying to stay with the previous convention of having a single .exe file.

@Assistant

Collaborator

commented Apr 9, 2019

ILMerge is something that would definitely trigger Kaspersky from my previous experience.

Being a single .exe is one of the biggest features of the Mod Manager, though; I don't think we want to get rid of it.

@Panics11

Author

commented Apr 9, 2019

Maybe release both..?
Or like an installer?

@Assistant

Collaborator

commented Apr 9, 2019

Releasing both would be a good solution, I think

@megalon

Member

commented Apr 9, 2019

I've updated the release with zip file to the unbundled version.
The auto-updater will grab both files, but it'll only attempt to run the exe, so anyone with this issue will currently have to run the exe included in the zip manually.

@Skattered


commented Apr 10, 2019

AutoUpdater.Net could be used to update for the people who choose to use the zip file. This would basically require a one-time unzip, and then the program would check for and install updates on launch.

It requires an xml and zip file that the program can access on a server (you can grab them straight from the github repo). This works great other than the fact that it doesn't really have a great way for initial install. If we found a good way to unzip the files the first time and create a desktop shortcut I think this would work great. Otherwise it does still work well, but it does break away from having the single exe launch.

I have a POC here, it has some changes that wouldn't carry over to the final but I didn't feel like making em better in case you guys didn't wanna go that route (I deleted the install button just to make an obvious change when you run the updater)

@hayarobys


commented Apr 10, 2019

In Bitdefender, BeatSaberModInstaller is detected as a virus named "Gen: Heur.Zatk.Jn0@buS!".

@hayarobys


commented Apr 10, 2019

But when I execute the file with MaterialSkin.dll separated, a Windows 10 warning window appears once, but it is no longer detected as a virus. Thank you.

@brfrankl


commented Apr 10, 2019

Windows' "built-in" virus/trojan detector also sees it as a Trojan. The split one works fine...

@megalon

Member

commented Apr 10, 2019

Yeah, as far as I'm aware it's just detecting that an additional file (the MaterialSkin.dll) has been added into the .exe after it was built. ILMerge probably leaves a signature of some sort, which is triggering the antivirus.
I'm doing this because when you try to launch the BeatSaberModManager.exe without the MaterialSkin.dll present, it simply doesn't open. This would happen if the user moved the BeatSaberModManager.exe away from the MaterialSkin.dll, or if the MaterialSkin.dll was deleted. I figured it would make the most sense to just bundle the two files together.

Here is the post build event that I'm using to create the release, if anyone is interested.

D:\Programs\ILMerge\ILMerge.exe /target:winexe /targetplatform:"v4,C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.5" /out:$(ProjectDir)bin\ReleasePacked\BeatSaberModManager.exe $(TargetPath) $(TargetDir)MaterialSkin.dll

Moon has suggested I try https://github.com/Fody/Costura to merge the two files, and I might give that a shot. I'm also considering just moving to zip file releases instead, but I'd have to change the updater logic.

If anyone has any other suggestions for getting these two files into a single exe without it getting flagged by AV software, let me know.

@megalon

Member

commented Apr 11, 2019

Could someone having this issue please test this build?
It is the current Master branch, but I used the Costura add-on with Fody to generate the single executable file.
BeatSaberModManager.zip

@DirtMann


commented Apr 11, 2019

> Could someone having this issue please test this build?
> It is the current Master branch, but I used the Costura add-on with Fody to generate the single executable file.
> BeatSaberModManager.zip

Hey megalon, I was having the issue of Windows antivirus "recognizing" a trojan virus. I gave the build you just posted a try and it worked fine; Windows still warned me about it but did not stop it, so this build you wanted tested works fine.

@megalon megalon closed this in #27 Apr 11, 2019

@Assistant Assistant reopened this Apr 12, 2019

@MartijnTim


commented Apr 12, 2019

For me it's not just recognized as a trojan but as full-blown Swedish ransomware by G DATA, referred to as Trojan.GenericKD.3016333 (google it and see), which to me is very worrying.

@harleyknd1


commented Apr 12, 2019

So, looking into the source code myself, I'm raising quite a few red flags here.
Like, why does this installer have a reg editor inside of it?
(RegHelper.cs)
Why is there an encryption module built in?
And a couple of other things that I'm putting question marks behind...

I was planning on writing my own version anyway, but I strongly suggest that there be a good look at the dependencies used, and why they're even there in the first place.

Additionally, if multiple anti-virus solutions are flagging this with a trojan warning, I'd rather trust those than ignore them, since it's highly alarming in the first place. And simply bundling materialskin.dll with the exe doesn't cause this, as the exe itself is flagged even when not bundled.

@megalon

Member

commented Apr 12, 2019

What are you using to decompile it? Where are you seeing the RegHelper.cs? Where are you seeing this encryption module?

Were you able to build from source and get a drastically different executable than the one I've released?

The previous version (v0.3.1) was made using ILMerge, because it was simply the first working solution I found to bundle the MaterialSkin.dll in with the BeatSaberModManager.exe. I decided to bundle the two together because if you tried launching the executable without the MaterialSkin.dll present, it simply wouldn't launch.
It seems that using ILMerge flagged nearly every piece of AV software under the sun, so with this latest release I used Fody/Costura to combine the MaterialSkin.dll into the BeatSaberModManager.exe. This has fixed the issue for several people, but it seems that some AV software is still flagging it, possibly because they had flagged the previous version as well, I don't know.

All of the external resources used are taken from the NuGet package manager within Visual Studio, if you're interested in taking a look
https://www.nuget.org/packages/MaterialSkin/
https://www.nuget.org/packages/Fody/
https://www.nuget.org/packages/Costura.Fody/

I'm considering releasing a "classic" version of the Mod Manager with the Material Skin removed, because there are many people unable to use it.

@megalon

Member

commented Apr 12, 2019

Also, Beat Drop 2 has soft launched, and now has the ability to download and install mods
If you are unable to use the Mod Manager, I'd suggest giving it a look
https://bsaber.com/beatdrop/

It is also open source now
https://github.com/StarGazer1258/BeatDrop

@harleyknd1


commented Apr 12, 2019

> What are you using to decompile it? Where are you seeing the RegHelper.cs? Where are you seeing this encryption module?
>
> Were you able to build from source and get a drastically different executable than the one I've released?
>
> The previous version (v0.3.1) was made using ILMerge, because it was simply the first working solution I found to bundle the MaterialSkin.dll in with the BeatSaberModManager.exe. I decided to bundle the two together because if you tried launching the executable without the MaterialSkin.dll present, it simply wouldn't launch.
> It seems that using ILMerge flagged nearly every piece of AV software under the sun, so with this latest release I used Fody/Costura to combine the MaterialSkin.dll into the BeatSaberModManager.exe. This has fixed the issue for several people, but it seems that some AV software is still flagging it, possibly because they had flagged the previous version as well, I don't know.
>
> All of the external resources used are taken from the NuGet package manager within Visual Studio, if you're interested in taking a look
> https://www.nuget.org/packages/MaterialSkin/
> https://www.nuget.org/packages/Fody/
> https://www.nuget.org/packages/Costura.Fody/
>
> I'm considering releasing a "classic" version of the Mod Manager with the Material Skin removed, because there are many people unable to use it.

I'm not decompiling anything, I'm just opening the .sln and taking a look at the "dependencies" folder, which contains RegHelper, which, to my eye, looks into the registry.

As well as ICSharpCode.SharpZipLib, which I'm assuming is used for extracting zip files, but has an odd encryption module.

Also, I was talking about the exe still being flagged as malware even when using the unbundled version, which is most likely due to it having weird dependencies.

Like I said, just looking at the code from the https://github.com/beat-saber-modding-group/BeatSaberModInstaller.git download, shows me there's a lot that is just bad practice.

And as I noted before, take a good look at everything and consider starting over from square one.
Maybe try using WPF with Metro instead and less copy/paste work.

This isn't a personal attack by the way. It's just me looking at the code and going "why is this even here?..." Just poking around I can see quite a few things that would trigger normal AV solutions since they're not required to be there.

@megalon

Member

commented Apr 12, 2019

Looks like RegHelper.cs was added back on Aug 1st last year when Umbranox rewrote the Mod Manager for ModSaber support.
https://github.com/beat-saber-modding-group/BeatSaberModInstaller/commits/master/BeatSaberModManager/Dependencies/RegHelper.cs

It actually looks like it's not being used for anything. I'm not able to find references to any of the functions outside of the class itself. He likely added it while working on Steam and Oculus path detection, which uses registry keys.
https://github.com/beat-saber-modding-group/BeatSaberModInstaller/blob/master/BeatSaberModManager/Core/PathLogic.cs

The ICSharpCode.SharpZipLib dependency is used for unzipping the files downloaded from BeatMods (and previously ModSaber).

public static void UnzipFile(byte[] data, string directory)

The encryption functionalities of that lib are just a part of that library, but they aren't used in this project as far as I can tell.
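A hardened form of that UnzipFile entry point, added here as an illustration and not the project's own code: it assumes the built-in System.IO.Compression ZipArchive in place of SharpZipLib, and refuses any archive entry whose resolved path would land outside the target directory, which is the check a tool that unpacks downloaded mod archives should make. The sample archive and temp-folder target in Main are constructed for the demo.

```csharp
using System;
using System.IO;
using System.IO.Compression;
public static class SafeUnzip
{
    // Extracts a zip held in memory into `directory`. Each entry path is
    // resolved against the target root before anything is written, so an
    // entry such as "../outside.txt" is refused instead of landing elsewhere.
    public static int UnzipFile(byte[] data, string directory)
    {
        string root = Path.GetFullPath(directory).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        Directory.CreateDirectory(root);
        int written = 0;
        using (var stream = new MemoryStream(data))
        using (var archive = new ZipArchive(stream, ZipArchiveMode.Read))
        {
            foreach (ZipArchiveEntry entry in archive.Entries)
            {
                string dest = Path.GetFullPath(Path.Combine(root, entry.FullName));
                if (!dest.StartsWith(root, StringComparison.Ordinal))
                    throw new InvalidDataException("Entry escapes target directory: " + entry.FullName);
                // Entries ending in '/' are directories and carry no file data.
                if (entry.FullName.EndsWith("/", StringComparison.Ordinal)) { Directory.CreateDirectory(dest); continue; }
                Directory.CreateDirectory(Path.GetDirectoryName(dest));
                using (Stream src = entry.Open())
                using (FileStream dst = File.Create(dest))
                    src.CopyTo(dst);
                written++;
            }
        }
        return written;
    }
    // Demo: a constructed archive (not a real mod) with one normal plugin entry
    // and one traversal entry; extraction stops at the traversal entry.
    public static void Main()
    {
        byte[] zip;
        using (var ms = new MemoryStream())
        {
            using (var archive = new ZipArchive(ms, ZipArchiveMode.Create, leaveOpen: true))
            {
                using (var w = new StreamWriter(archive.CreateEntry("Plugins/Example.dll")))
                    w.Write("sample bytes, not a real plugin");
                using (var w = new StreamWriter(archive.CreateEntry("../outside.txt")))
                    w.Write("would be written beside the target folder");
            }
            zip = ms.ToArray();
        }
        string target = Path.Combine(Path.GetTempPath(), "bsmm-unzip-demo");  // hypothetical target folder
        try { Console.WriteLine(UnzipFile(zip, target) + " file(s) extracted"); }
        catch (InvalidDataException ex) { Console.WriteLine("Refused: " + ex.Message); }
    }
}
```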

@Assistant

Collaborator

commented Apr 12, 2019

I imagine the encryption functions are for working with encrypted zips

@jfchevrette


commented Apr 13, 2019

Malwarebytes is also detecting the latest version (3.2.0) as malware (Generic.Malware/Suspicious)

@Assistant

Collaborator

commented Apr 14, 2019

We did some tests using builds without the originally offending code, rebuilding old versions that were scanned as clean previously, etc, and they are all getting hits on VirusTotal now. We believe that AVs added the program to their databases and see our attempts to clean up the offending code as trying to bypass their detection.

@markisaa


commented Apr 15, 2019

The newest release of this didn't provide the courtesy release with the dll separated and that again flamed this fire. Can we either give up on including the skin or include it as a separate file? If people move the exe away from the dll, that's a problem of their own making, whereas bundling them together inside the exe is a problem forced upon folks by design.

@Assistant

Collaborator

commented Apr 15, 2019

AVs are detecting it even without the dll now, since it seems they added the program to their databases.
Doing that wouldn't solve any issues.

@megalon

Member

commented Apr 16, 2019

I've added an unbundled zip to the release
https://github.com/beat-saber-modding-group/BeatSaberModInstaller/releases/download/v3.3.0/BeatSaberModManager-Unbundled.zip

However, I ran that exe through VirusTotal and got similar results to the bundled version.
https://www.virustotal.com/#/file/4abc6acd81058721cf91a8b60dd206833a0ba453f3ec1dbefe3645f4c6611a9e/detection

As Assistant said, it seems that BitDefender and others have added the app to their database, and it doesn't matter anymore whether it's bundled or not.

If you'd like to try yourself, download the source, build a new release, upload it to VirusTotal, and see if it flags it.

I'm going to try and remove some of the unused "red flags" that harleyknd1 pointed out, but we may need to just start over with a new application, considering that it's flagging new builds of old (previously "clean") releases.

If you are still experiencing this issue and don't want to disable your AV, I'd again suggest you use Beat Drop instead.

@megalon

Member

commented Apr 16, 2019

To anyone still having this issue, I've released a "Classic" edition of the Mod Manager that does not include the MaterialSkin.dll, with a few other tweaks as well.
https://github.com/beat-saber-modding-group/BeatSaberModInstaller/releases/download/v3.3.0/BeatSaberModManagerClassic.exe

See the branch here
https://github.com/beat-saber-modding-group/BeatSaberModInstaller/tree/classic

@raftario


commented Apr 19, 2019

To be honest the best thing to do would probably be to start from scratch with coding and documentation guidelines.
That would probably end up in a better codebase, no more AV flags and everyone would know what does what and why it's needed.
If a couple people started working on it, it wouldn't be that long to do.

@Assistant

Collaborator

commented Apr 19, 2019

I am working on something

@astrocatfreitag


commented Apr 20, 2019

I checked the current BeatSaberModManager.exe release against a bunch of AVs; here's what will trigger on it: https://www.virustotal.com/#/file/649bf85c5dcca8835da5b10cf0abe9cc3c44f219206dd72291ab2276966dbd04/detection

The unbundled release was actually worse somehow although it didn't trigger on mine (I use Microsoft): https://www.virustotal.com/#/file/f6e2965b212195e03c08f41a773512ce76309dc55e89f04e571eaf55fd658ad1/detection

And just for fun I ran it against the MaterialSkin.0.2.1.nupkg: https://www.virustotal.com/#/file/645b07cbb68999a40bb147663d7a11787e9581cffceb702755e329cf9b892052/detection

And against the unbundled EXE which was somehow worse than the bundled EXE: https://www.virustotal.com/#/file/287e5dec2034aa72c3b40c1452f3ec3ba74fe0a3f1f3a81870e90f31d69a2e18/detection

VirusTotal is a great tool. I highly recommend uploading releases to it to see what the potential for triggering people's AV solutions is.
