Print

Add to Reputation:  

What do you think of this post?

I agree I disagree  
Comment:

[IsMal?]

So, first I'll explain how I came across this. I wanted to download Golden Eye: Source on my main home PC. I think that its really amazing that its just a mod, its really incredible. But like anything I download on to my PC, I decided to look into it before downloading. I did the normal googling too see how credible it is. For this part it came up clean and I was going to download it today. While downloading the installer( from Moddb ) I decided to run Golden Eye's site though VirusTotal to see what came up. The clean links I sent were: "https://geshl2.com/" and "geshl2.com/" respectfully. Then I found that they are both lead me to "www.geshl2.com/". This lead to an automated report of all the files downloaded from "www.geshl2.com/". 5 files were listed, one of them being "GoldenEye_Source_5.0.0_to_5.0.6_patch.exe". Getting a detection ratio of 4/67. I decided to download the file from both Moddb and GameStand. Both gave the same results.
The AV Engines that detected it were:

• Antiy-AVL: Trojan[Exploit]/EXE.CVE-2016-0099.Generic
• Bkav: HW32.Packed.969A
• Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9751
• McAfee-GW-Edition: BehavesLike.Win32.Vopak.tc

I looked up each one of the basic diagnosis given to it. I was relieved to find out that they were all associated with false positives. I decided to go back and look at the community score for it and saw that there was one post by a HybridAnalysis. I looked though there report of it and it shed a lot more light on the issue.

We will now be looking at the HybridAnalysis report filed August 28th 2017. The link to the Hybrid report will be give below, along with the virustotal links. Please check then out for your self.
The report begins with a Risk Assessment. Stating:

• Spyware: Accesses potentially sensitive information from local browsers
• Persistence: Writes data to a remote process
• Fingerprint: Reads the active computer name, Reads the cryptographic machine GUID, and Reads the windows installation date

Interpret that as what you will. It then moves on to the more detail matters of Malicious Indicators, on which there was 4. It goes on to say that it had a 9% detection rate, which as of writing this has gone down to 5%. The main thing I want to focus on is that it says that a .dll file was found in the installer. That .dll being UAC.dll, which on doing some quick research found a lot of malware reports. It also lists two other malicious indicators but I didn't think I needed to list all of them. Then it goes onto Suspicious Indicators. There were 20 Suspicious Indicators, you can go and read about them as for the sake of time will not be listing them. Another thing that worried me was it making changes to internet explorer. Here one example: "%LOCALAPPDATA%\Microsoft\Internet Explorer\Recovery\High\Active\{F5857E24-8B77-11E7-ACF3-0A00270556D5}.dat".

Now your probably wondering why I care if the patch has malware? I'm looking to install Golden Eye: Source, not the patch. I trust The GoldenEye: Source team, but I feel that this issue lies with the installer. The patch installer and the Mod installer share the same installer. And I feel like this is a problem with the installer. Though that is my theory.

To end this off I decided to submit my patch installer and see a new report. So far Malicious Indicators when down to 1. Still the UAC.dll.

I really would like an explanation. And if this is a problem with the installer could the devs fix it?

VirusTotal Site Report: https://www.virustotal.com/gui/file/2e500e0d1b5be7572ac3d5fa9a4f80b62c8eac081ac26ba63ae8c2ebe1633084/detection

Hybrid-Analysis: https://www.hybrid-analysis.com/sample/2e500e0d1b5be7572ac3d5fa9a4f80b62c8eac081ac26ba63ae8c2ebe1633084?environmentId=100

My Hybrid-Analysis: https://www.hybrid-analysis.com/sample/2e500e0d1b5be7572ac3d5fa9a4f80b62c8eac081ac26ba63ae8c2ebe1633084

[soupcan]

These are false positives... reading the Hybrid Analysis reports makes that fairly obvious. For instance, it flags things like "http://nsis.sf.net/NSIS_Error" which is common to all NSIS installers.

A bunch of antimalware products flagged the files as malicious at launch based on heuristics, those that we've been able to submit for reviews have since whitelisted the files. Certain DLLs you see flagged, are flagged because many programs use them, malicious or not.

We'll try to mitigate this in the future by minimizing the use of certain frequently-flagged NSIS plugins, signing the installer, etc. In the end it's hard to release a program that does as much as our installer does (reading / writing various files and registry keys, downloading files, etc) without upsetting some antivirus product, but we're actively looking at ways to mitigate it.

In the end as long as you're downloading the file from a legit source you should be OK.

[IsMal?]

While now I believe that most of them are false positives. The UAC.dll I still believe to be malicious. But on further inspection I made a mistake in my original post:

To end this off I decided to submit my patch installer and see a new report. So far Malicious Indicators when down to 1. Still the UAC.dll.

It seems on a second check that I have not see any report of UAC.dll, I could be wrong and its still there. But the most recent Hybrid report doesn't bring it up. Have you removed UAC.dll? If so that kind of wipes away all my worries.

To show I'm not trying to throw a bad name at Golden Eye: Source I feel that the new and most recent ratings are unfair. If you check the most recent Hybrid report( The one I submitted ) still marks it as malicious. This is because VirusTotal marks it as malicious because of past reports and Hybrids past report. Do you see the problem? Even if UAC.dll is gone and its 100% clean, its still gonna get a bad rating because of past reports. Which is obviously unfair.

Anyway is UAC.dll removed? And if its not do you plan on removing it in the future?

[kraid]

Dude, UAC is that windows warning thing that comes up when you try to run an installer.
Ofc. it's part of Windows, so it has to be malicious.

[IsMal?]

I looked on 2 pc running windows and saw no trace of UAC.dll.
I also looked at the NSIS Docs concerning UAC and it said that it wasn’t needed anymore and abandon ware.

The only place in see UAC used was in the installer.

[Entropy-Soldier]

From my understanding, UAC.dll is part of an NSIS plugin used by the installer to elevate to the privileges required for a proper install of the game.  It should exist in the full installer the AV companies have actually investigated and consider safe, so just take that dll out of a vetted installer and the one you consider dangerous and compare the hashes.  If they're the same, I hope that alleviates your concerns.  If not, it's always possible to analyze the program yourself by running it in a VM or using static analysis to see exactly what each windows API call is doing.

AV heuristics is a pretty tough thing to get right and some companies are very zealous about it.  For some companies even the most basic modification of system resources, the entire purpose of an installer, is enough to get flagged.  With something that's been around as long as the 5.0.6 patch installer, it's pretty likely that if it was an actual virus there would be more than heuristic detections popping up by now.


That being said, thank you for your concerns and for bringing this to our attention!  We did indeed have issues during launch with certain AV companies thinking our installer was a virus, which took longer than we'd have liked to have cleared up, so we're working on making false positives a lot less likely come the release of the next version of the game.  As you've pointed out, another reason for this is that being flagged as malicious at any point at all can leave a bad mark on the program even if it's later cleared, which is something I didn't really consider before.  In the meantime hopefully we can get our patch installer vetted by the AV companies, an effort you've been kind to contribute to, and clear its name as best we can.

Thanks again!