Planetside Software Forums

Support => Terragen Support => Topic started by: pokoy on February 21, 2019, 12:09:11 PM

Title: Antivirus alert when accessing download page
Post by: pokoy on February 21, 2019, 12:09:11 PM
So my ESET antivirus blocks access to the download of the latest TG version saying that it's found a threat - Generik.FZPEWRG - whatever that means. I remember there was another thread about the site not being accessible, so maybe it was the same issue for the other user.

The page's link is:
http://planetside.co.uk/downloads/permanent/update-from/tg/40000/43-landing-release-pro.php?fromVersion=4032200
and the download gets blocked when I try to d/l the Windows installer.

That's the first time this has happened; I've downloaded from there many times without a problem.
Title: Re: Antivirus alert when accessing download page
Post by: Oshyan on February 22, 2019, 01:45:05 AM
This is almost certainly a false positive, and it seems to occur with various AV vendors from time to time. It's usually fixed fairly quickly. If you can get it to make an exception and then download the file, submitting a false positive report is helpful for us.

In this case it looks like ESET is the sole one reporting this, so definitely false positive:
https://www.virustotal.com/#/file/ae5a1177e3f113ebf4aa18bdd1f40c8732c9d9ea247a4dd3d2e7f092aef25262/detection

- Oshyan
Title: Re: Antivirus alert when accessing download page
Post by: pokoy on February 22, 2019, 04:47:16 AM
Yes, thought so.

I need to disable ESET to download the file, however once ESET is active again it'll delete the installer.
Here's what it says after scanning the file, don't know if anything of this is useful:

Version of virus database: 18916 (20190222)
...
Terragen_4_Win64_43230.msi - contains a variant of Generik.FZPEWRG trojan virus
...
Notes:
[1] File deleted. It contained exclusively virus code.

Original log was in German, I translated it and removed some unnecessary stuff.
Title: Re: Antivirus alert when accessing download page
Post by: Oshyan on February 27, 2019, 02:02:05 PM
Is there no way to approve the download or choose a different action besides delete when it identifies an issue?

- Oshyan
Title: Re: Antivirus alert when accessing download page
Post by: pokoy on February 27, 2019, 03:02:56 PM
Quote from: Oshyan on February 27, 2019, 02:02:05 PM
Is there no way to approve the download or choose a different action besides delete when it identifies an issue?

- Oshyan

There probably is, but I haven't looked into whether per-file controls are available.
But it's not a big problem anyway, I can just disable the antivir app for a few minutes, install TG and enable it again.
It's strange it's the only antivir app out of 20+ freaking out on this file... Then again, for some reason it's only this one TG install file, all the older ones don't trigger it so curious what it might be.
Title: Re: Antivirus alert when accessing download page
Post by: Oshyan on February 27, 2019, 03:13:38 PM
Yeah, strange indeed. In an effort to keep ahead of new viruses, most modern antivirus software has predictive heuristics that look for "virus-like" behavior or code and then guess that it might be hostile and will quarantine it. This is generally what creates false positives.

I have emailed NOD32 about it and hopefully they'll address it soon. I think it is helpful if more people submit the false positive too, especially those who are customers of NOD, they have more "standing". You can get instructions for that here: https://support.eset.com/kb141/?locale=en_US&viewlocale=en_US

- Oshyan
Title: Re: Antivirus alert when accessing download page
Post by: pokoy on March 01, 2019, 09:10:02 AM
I was about to report to them but it looks like they already made sure it doesn't happen. I can download the installer and execute it without any issues, works fine now.
Thank you, Oshyan!
Title: Re: Antivirus alert when accessing download page
Post by: Oshyan on March 01, 2019, 05:29:40 PM
Yes, I hassled them directly until they fixed it. :D

- Oshyan
Title: Re: Antivirus alert when accessing download page
Post by: pokoy on March 04, 2019, 08:33:06 AM
Thank you, I owe you one ;)
Title: Re: Antivirus alert when accessing download page
Post by: WAS on March 20, 2019, 04:36:54 PM
The false positive is in relation to detecting "possible" remote connection technology within the installer. Very common with installers that haven't ever been encountered and have any internet features (like DLLs accidentally bundled).

In ESET, and a lot of antivirus, generic detection is something that could be used maliciously. Very common with indie stuff.

Additionally, not being an HTTPS secured server, it is at risk of third party meddling without the host administrator's or datacenter's knowledge.
Title: Re: Antivirus alert when accessing download page
Post by: Oshyan on March 25, 2019, 03:26:20 PM
We do use HTTPS on the website. I'm not certain the Terragen network functionality does, but it's available on the server in any case. I'll see if I can find out...

- Oshyan
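
Added example (not part of any post in this thread, and not Planetside's code): before a flagged installer is exempted from scanning, its SHA-256 can be compared with the file id in the VirusTotal report linked earlier in the thread, which also catches a download altered in transit. It assumes that report covers the same installer build; the function names and the /gui/file/ URL form are not from the thread.

```python
import hashlib
import hmac
import re
import sys
from urllib.parse import urlparse

# Report URL quoted in the thread (legacy layout: the id sits in the fragment).
VT_URL = ("https://www.virustotal.com/#/file/"
          "ae5a1177e3f113ebf4aa18bdd1f40c8732c9d9ea247a4dd3d2e7f092aef25262/detection")

_FILE_ID = re.compile(r"/file/([0-9a-fA-F]{64})(?:/|$)")


def sha256_from_vt_url(url: str) -> str:
    """Extract the SHA-256 file id from a VirusTotal report URL.

    Handles '/#/file/<hash>/detection' (id in the URL fragment) and
    '/gui/file/<hash>' (id in the path). Raises ValueError otherwise.
    """
    parts = urlparse(url)
    if parts.hostname not in ("www.virustotal.com", "virustotal.com"):
        raise ValueError("not a VirusTotal URL")
    for candidate in (parts.path, parts.fragment):
        match = _FILE_ID.search(candidate)
        if match:
            return match.group(1).lower()
    raise ValueError("no SHA-256 file id in URL")


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so a large installer is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def installer_matches_report(path: str, vt_url: str = VT_URL) -> bool:
    """True only if the local file is byte-identical to the scanned sample."""
    return hmac.compare_digest(sha256_of_file(path), sha256_from_vt_url(vt_url))


if __name__ == "__main__":
    # Usage: python verify_installer.py <path-to-downloaded-msi>
    ok = installer_matches_report(sys.argv[1])
    print("hash matches the scanned sample" if ok else "MISMATCH: do not exempt this file")
    sys.exit(0 if ok else 1)
```

A mismatch means the local file is not the sample the report describes, so the report's verdict says nothing about it.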