Windows Defender identifies V2.18.2 as a trojan #254

Open
the1glorfindel opened this issue Jan 26, 2021 · 12 comments

Comments

@the1glorfindel

[Screenshot attached: Windows Defender detection of the v2.18.2 release]

@theonlypwner
Member

I notice that many anti-virus scanners detect the ACR v2.18.2 Windows client executable as a virus. When I download the release, I see Windows Defender detects it as TrojanDropper:Win32/OverJoiner!rfn. It's either a lot of false positives, or GitHub's hosted runner environment was compromised.

Unlike previous releases, where I compiled the binaries manually, the v2.18.2 executables were compiled in GitHub Actions (https://github.com/acreloaded/acr/actions/runs/470292606). GitHub's machines run the workflow file and generate the release.

I have submitted a support request to GitHub about the potential security issue. Until this is resolved, I recommend compiling the source code yourself.

I just compiled my own executable (acr_client.zip), and Windows Defender shows it as clean. It seems like there are some false positives, but not like 50% detecting it as a virus: https://www.virustotal.com/gui/file/225b98ffa65d1387350bc6928db695be05f6e0156a9b3fdcf058e4de84fc8391

@Duckrinium

Duckrinium commented Mar 13, 2021

Installed through choco, detected as Trojan but different name.
[Image attached: Defender detection of the choco-installed build]

I just compiled my own executable (acr_client.zip), and Windows Defender shows it as clean.

This one detects as Ymacco.AA22, I guess it's GitHub.

@dillfrescott

dillfrescott commented Oct 1, 2021

I'm currently running a hybrid analysis on it. Avast blocked it. Firefox blocked it, and nearly half of the VirusTotal results marked it as malicious. Something isn't right here...

I haven't tried to compile it myself though.

@Manerr

Manerr commented Feb 8, 2022

Hello, I downloaded ACR yesterday, without reading this issue sadly.
Defender warned me (TrojanDropper:Win32/OverJoiner!rfn), and I manually deleted all the files. Do you think I risk something? I'm a bit worried about my PC... and my internet accounts too.
Any suggestion or help, thanks in advance :/

@theonlypwner
Member

As mentioned before, compile ACR yourself if you do not trust the executables created by GitHub's machines.

It is possible that there is something in the ACR code that anti-virus software does not like. For example, bugs that cause memory overreads or corruption would possibly trigger detections. If we can find and fix those issues, it would help to resolve this.

I don't have time to investigate right now, but if someone finds and reports what's causing the detections, I can make the fixes and release a new version.

@kabeeki

kabeeki commented Jun 26, 2022

Could this possibly be related to it using registry keys and services for the server?

Hybrid Analysis says that it imports suspicious APIs, namely:
RegCloseKey
StartServiceCtrlDispatcherA
RegOpenKeyExA
GetDriveTypeW
GetFileAttributesA
UnhandledExceptionFilter
WriteFile
GetModuleFileNameW
IsDebuggerPresent
LoadLibraryExW
CreateThread
ExitThread
TerminateProcess

Some of which I don't see why AssaultCube uses, like the registry-related ones. Maybe they are for saving the resolution and game settings?

Hope this helps,
Levi

@theonlypwner
Member

@kabeeki AssaultCube and AssaultCube Reloaded both read the registry:

https://github.com/acreloaded/acr/blob/v2.18.2/source/src/stream.cpp#L147-L170

https://github.com/assaultcube/AC/blob/v1.3.0.2/source/src/stream.cpp#L151-L174

AC and ACR use the registry to substitute ?MYDOCUMENTS? with the My Documents folder path. Also, ACR uses the registry to read MachineGuid to get a unique machine ID.
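To make the two registry uses described above concrete, here is an added example (written for this page, not code from ACR's stream.cpp): a token substitution that turns `?MYDOCUMENTS?` into the documents folder, plus a bounded registry string reader used for both the documents path and MachineGuid. The registry key and value names are assumed, not verified against the repository. The block compiles on any platform: on Windows it calls the same `RegOpenKeyExA`/`RegQueryValueExA`/`RegCloseKey` trio that shows up in the sandbox import list, elsewhere it falls back to `$HOME/Documents`. The explicit NUL termination in `read_registry_string` is the kind of guard that avoids the over-read bugs mentioned earlier in the thread, since `REG_SZ` data is not guaranteed to carry a terminator.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Replace every "?MYDOCUMENTS?" token in a config path with the documents
// directory. Hypothetical helper for this example; ACR has its own version.
std::string substitute_mydocuments(const std::string &path, const std::string &docs) {
    static const std::string token = "?MYDOCUMENTS?";
    std::string out = path;
    std::string::size_type pos = 0;
    while ((pos = out.find(token, pos)) != std::string::npos) {
        out.replace(pos, token.size(), docs);
        pos += docs.size();   // skip the inserted text so it is never rescanned
    }
    return out;
}

#ifdef _WIN32
// Bounded read of a REG_SZ value. The buffer gets our own NUL terminator
// because registry strings may arrive without one; reading past the data
// is the memory over-read a careless caller could introduce.
std::string read_registry_string(HKEY root, const char *subkey, const char *name) {
    HKEY key = nullptr;
    if (RegOpenKeyExA(root, subkey, 0, KEY_READ, &key) != ERROR_SUCCESS) return "";
    char buf[MAX_PATH];
    DWORD size = sizeof(buf) - 1;   // leave room for the terminator we add
    DWORD type = 0;
    LONG rc = RegQueryValueExA(key, name, nullptr, &type,
                               reinterpret_cast<LPBYTE>(buf), &size);
    RegCloseKey(key);
    if (rc != ERROR_SUCCESS || type != REG_SZ) return "";
    buf[size] = '\0';
    return std::string(buf);   // stops at the first NUL, ours or the registry's
}
#endif

// Documents folder: registry on Windows (assumed key/value names), and
// $HOME/Documents elsewhere so the example runs on any platform.
std::string documents_folder() {
#ifdef _WIN32
    return read_registry_string(HKEY_CURRENT_USER,
        "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
        "Personal");
#else
    const char *home = std::getenv("HOME");
    return std::string(home ? home : "") + "/Documents";
#endif
}

// MachineGuid, the per-install identifier the thread says ACR reads.
// Empty outside Windows: there is no registry to consult. Key name assumed.
std::string machine_guid() {
#ifdef _WIN32
    return read_registry_string(HKEY_LOCAL_MACHINE,
        "SOFTWARE\\Microsoft\\Cryptography", "MachineGuid");
#else
    return "";
#endif
}

int main() {
    // Constructed sample config path using the placeholder token.
    std::string cfg = substitute_mydocuments("?MYDOCUMENTS?/acr/config.cfg",
                                             documents_folder());
    std::printf("config path: %s\n", cfg.c_str());
    std::printf("machine id : %s\n", machine_guid().empty() ? "(none)"
                                                            : machine_guid().c_str());
    return 0;
}
```

Both lookups are read-only (`KEY_READ`), touch only well-known keys, and never write to the registry, which is why their presence in an import table says nothing by itself about whether a binary is malicious; the same calls appear in any Windows program that locates the user's documents folder.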

@AZeed18

AZeed18 commented Sep 3, 2024

After running it, I later received an email from https://haveibeenpwned.com, that my data was exposed in an info stealer combo

These builds are not the only suspect but I thought it is worth mentioning this

@theonlypwner
Member

After running it, I later received an email from https://haveibeenpwned.com, that my data was exposed in an info stealer combo

These builds are not the only suspect but I thought it is worth mentioning this

@AZeed18 how much time passed between the time when you ran it and when the data breach was exposed?

The code to produce the builds is all open-source in this repo, available for everyone to inspect, and GitHub runs the code to build ACR. The question becomes whether you trust GitHub. If you don't, compile it by yourself.

@AZeed18

AZeed18 commented Sep 4, 2024

Around a week. Could it be an attack on GitHub? It might be just a false positive.

The game works fine when excluded from AV

Anyways, it is not the only suspect

@theonlypwner
Member

@AZeed18 It probably takes more than 1 week for a data breach to be discovered, processed, and posted to haveibeenpwned.com.

An attack on GitHub is possible, but unlikely. A false positive is more likely.
