Antivirus alert when accessing download page

Started by pokoy, February 21, 2019, 12:09:11 PM


pokoy

So my ESET antivirus blocks access to the download of the latest TG version saying that it's found a threat - Generik.FZPEWRG - whatever that means. I remember there was another thread about the site being not accessible, so maybe it was the same issue for the other user.

The page's link is:
http://planetside.co.uk/downloads/permanent/update-from/tg/40000/43-landing-release-pro.php?fromVersion=4032200
and the download gets blocked when I try to d/l the Windows installer.

That's the first time this happens, I've downloaded from there many times without a problem.

Oshyan

This is almost certainly a false positive, and it seems to occur with various AV vendors from time to time. It's usually fixed fairly quickly. If you can get it to make an exception and then download the file, submitting a false positive report is helpful for us.

In this case it looks like ESET is the sole one reporting this, so definitely false positive:
https://www.virustotal.com/#/file/ae5a1177e3f113ebf4aa18bdd1f40c8732c9d9ea247a4dd3d2e7f092aef25262/detection

- Oshyan

pokoy

Yes, thought so.

I need to disable ESET to download the file; however, once ESET is active again it'll delete the installer.
Here's what it says after scanning the file; I don't know if any of this is useful:

Version of virus database: 18916 (20190222)
...
Terragen_4_Win64_43230.msi - contains a variant of Generik.FZPEWRG trojan virus
...
Notes:
[1] File deleted. It contained exclusively virus code.

Original log was in German, I translated it and removed some unnecessary stuff.

Oshyan

Is there no way to approve the download or choose a different action besides delete when it identifies an issue?

- Oshyan

pokoy

Quote from: Oshyan on February 27, 2019, 02:02:05 PM
Is there no way to approve the download or choose a different action besides delete when it identifies an issue?

- Oshyan

There probably is, but I haven't looked into whether per-file controls are available.
But it's not a big problem anyway, I can just disable the antivir app for a few minutes, install TG and enable it again.
It's strange it's the only antivir app out of 20+ freaking out on this file... Then again, for some reason it's only this one TG install file; all the older ones don't trigger it, so I'm curious what it might be.

Oshyan

Yeah, strange indeed. In an effort to keep ahead of new viruses, most modern antivirus software has predictive heuristics that look for "virus-like" behavior or code and then guess that it might be hostile and will quarantine it. This is generally what creates false positives.

I have emailed NOD32 about it and hopefully they'll address it soon. I think it is helpful if more people submit the false positive too, especially those who are customers of NOD, they have more "standing". You can get instructions for that here: https://support.eset.com/kb141/?locale=en_US&viewlocale=en_US

- Oshyan

pokoy

I was about to report to them but it looks like they already made sure it doesn't happen. I can download the installer and execute it without any issues, works fine now.
Thank you, Oshyan!

Oshyan

Yes, I hassled them directly until they fixed it. :D

- Oshyan

pokoy


WAS

The false positive is in relation to detecting "possible" remote connection technology within the installer. Very common with installers that haven't ever been encountered and have any internet features (like DLLs accidentally bundled).

In ESET, and a lot of antivirus, generic detection is something that could be used maliciously. Very common with indie stuff.

Additionally, not being an HTTPS-secured server, it is at risk of third-party meddling without the host administrator's or datacenter's knowledge.
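A VirusTotal report only tells you about the exact sample that was scanned, and a download served over plain HTTP could be altered in transit, so the useful check for both of the points above is to confirm that the installer on disk has the same SHA-256 that the VirusTotal link Oshyan posted encodes. The script below is an added example, not code from the forum or from Planetside; it assumes the hash in that link identifies the scanned installer, and it uses a constructed stand-in file rather than the real Terragen download.

```python
import hashlib
import os
import re
import tempfile

# SHA-256 taken from the VirusTotal link posted earlier in this thread.
VT_URL = ("https://www.virustotal.com/#/file/"
          "ae5a1177e3f113ebf4aa18bdd1f40c8732c9d9ea247a4dd3d2e7f092aef25262/detection")


def hash_from_vt_url(url):
    """Extract the 64-hex-digit SHA-256 that VirusTotal embeds in a /file/ report URL."""
    m = re.search(r"/file/([0-9a-fA-F]{64})", url)
    if not m:
        raise ValueError("no SHA-256 found in URL")
    return m.group(1).lower()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_report(path, url):
    """True only if the local file is byte-for-byte the sample the report describes."""
    return sha256_file(path) == hash_from_vt_url(url)


def demo():
    """Constructed stand-in for a downloaded installer (not the real Terragen file)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".msi") as tmp:
        tmp.write(b"abc")
        path = tmp.name
    try:
        return matches_report(path, VT_URL), sha256_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    ok, digest = demo()
    print("local SHA-256:", digest)
    print("matches VirusTotal report:", ok)  # False for the stand-in file
```

Run it against the real installer by calling `matches_report("Terragen_4_Win64_43230.msi", VT_URL)`; a mismatch means you are not holding the file the report vouches for, whatever the verdict count says.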

Oshyan

We do use HTTPS on the website. I'm not certain the Terragen network functionality does, but it's available on the server in any case. I'll see if I can find out...

- Oshyan