Author Topic: Antivirus alert when accessing download page  (Read 379 times)

pokoy (Member)
« on: February 21, 2019, 04:09:11 PM »
So my ESET antivirus blocks access to the download of the latest TG version, saying that it's found a threat - Generik.FZPEWRG - whatever that means. I remember there was another thread about the site not being accessible, so maybe it was the same issue for the other user.

The page's link is:
http://planetside.co.uk/downloads/permanent/update-from/tg/40000/43-landing-release-pro.php?fromVersion=4032200
and the download gets blocked when I try to d/l the Windows installer.

This is the first time this has happened; I've downloaded from there many times without a problem.

Oshyan (Planetside Staff)
« Reply #1 on: February 22, 2019, 05:45:05 AM »
This is almost certainly a false positive, and it seems to occur with various AV vendors from time to time. It's usually fixed fairly quickly. If you can get it to make an exception and then download the file, submitting a false positive report is helpful for us.

In this case it looks like ESET is the sole one reporting this, so definitely a false positive:
https://www.virustotal.com/#/file/ae5a1177e3f113ebf4aa18bdd1f40c8732c9d9ea247a4dd3d2e7f092aef25262/detection

- Oshyan

pokoy (Member)
« Reply #2 on: February 22, 2019, 08:47:16 AM »
Yes, thought so.

I need to disable ESET to download the file, however once ESET is active again it'll delete the installer.
Here's what it says after scanning the file, don't know if any of this is useful:

Version of virus database: 18916 (20190222)
...
Terragen_4_Win64_43230.msi - contains a variant of Generik.FZPEWRG trojan virus
...
Notes:
[1] File deleted. It contained exclusively virus code.

Original log was in German, I translated it and removed some unnecessary stuff.

Oshyan (Planetside Staff)
« Reply #3 on: February 27, 2019, 06:02:05 PM »
Is there no way to approve the download or choose a different action besides delete when it identifies an issue?

- Oshyan

pokoy (Member)
« Reply #4 on: February 27, 2019, 07:02:56 PM »
Quote from Oshyan:
"Is there no way to approve the download or choose a different action besides delete when it identifies an issue?"

There probably is, but I haven't looked into whether per-file controls are available.
But it's not a big problem anyway, I can just disable the antivir app for a few minutes, install TG and enable it again.
It's strange it's the only antivir app out of 20+ freaking out on this file... Then again, for some reason it's only this one TG install file, all the older ones don't trigger it so curious what it might be.

Oshyan (Planetside Staff)
« Reply #5 on: February 27, 2019, 07:13:38 PM »
Yeah, strange indeed. In an effort to keep ahead of new viruses, most modern antivirus software has predictive heuristics that look for "virus-like" behavior or code and then guess that it might be hostile and will quarantine it. This is generally what creates false positives.

I have emailed NOD32 about it and hopefully they'll address it soon. I think it is helpful if more people submit the false positive too, especially those who are customers of NOD, they have more "standing". You can get instructions for that here: https://support.eset.com/kb141/?locale=en_US&viewlocale=en_US

- Oshyan

pokoy (Member)
« Reply #6 on: March 01, 2019, 01:10:02 PM »
I was about to report to them but it looks like they already made sure it doesn't happen. I can download the installer and execute it without any issues, works fine now.
Thank you, Oshyan!

Oshyan (Planetside Staff)
« Reply #7 on: March 01, 2019, 09:29:40 PM »
Yes, I hassled them directly until they fixed it. :D

- Oshyan

pokoy (Member)
« Reply #8 on: March 04, 2019, 12:33:06 PM »
Thank you, I owe you one ;)

WASasquatch (Member)
« Reply #9 on: March 20, 2019, 08:36:54 PM »
The false positive is in relation to detecting "possible" remote connection technology within the installer. Very common with installers that haven't ever been encountered and have any internet features (like DLLs accidentally bundled).

In ESET, and a lot of antivirus, generic detection is something that could be used maliciously. Very common with indie stuff.

Additionally, not being an HTTPS-secured server, it is at risk of third-party meddling without the host administrator's or datacenter's knowledge.
« Last Edit: March 20, 2019, 08:43:06 PM by WASasquatch »
Art can be a window into the soul
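
Added example, not part of any post in this thread: before exempting a flagged installer from the scanner, confirm that the local file is the same file the VirusTotal report in reply #1 covers, which also addresses the plain-HTTP download link from the first post. The function names and the sample file are constructed for illustration; only the report URL comes from the thread.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Report link posted in reply #1 of this thread.
VT_REPORT_URL = (
    "https://www.virustotal.com/#/file/"
    "ae5a1177e3f113ebf4aa18bdd1f40c8732c9d9ea247a4dd3d2e7f092aef25262/detection"
)

def sha256_from_vt_url(url):
    """Return the lowercase SHA-256 embedded in a VirusTotal file-report URL."""
    parsed = urlparse(url)
    # Links of this style keep the route in the fragment; also check the path.
    for part in (parsed.fragment, parsed.path):
        m = re.search(r"/file/([0-9a-fA-F]{64})(?:/|$)", part)
        if m:
            return m.group(1).lower()
    raise ValueError("no SHA-256 found in report URL")

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def matches_report(path, report_url):
    """True only if the local file is byte-for-byte the file the report covers."""
    return sha256_of_file(path) == sha256_from_vt_url(report_url)

def demo():
    """Constructed sample: a stand-in file, then the same file with one byte added."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "installer-sample.bin"  # constructed, not the real MSI
        sample.write_bytes(b"constructed installer bytes")
        url = "https://www.virustotal.com/#/file/%s/detection" % sha256_of_file(sample)
        intact = matches_report(sample, url)
        sample.write_bytes(b"constructed installer bytes" + b"\x00")
        altered = matches_report(sample, url)
    return intact, altered

if __name__ == "__main__":
    print(sha256_from_vt_url(VT_REPORT_URL))
    print(demo())
```

If `matches_report` returns False for the downloaded installer, the detection counts in the linked report say nothing about the file on disk.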

Oshyan (Planetside Staff)
« Reply #10 on: March 25, 2019, 07:26:20 PM »
We do use HTTPS on the website. I'm not certain the Terragen network functionality does, but it's available on the server in any case. I'll see if I can find out...

- Oshyan