Windows Defender identifies V2.18.2 as a trojan #254
Comments
I notice that many anti-virus scanners detect the ACR v2.18.2 Windows client executable as a virus. When I download the release, I see Windows Defender detects it as Unlike previous releases, where I compiled the binaries manually, the v2.18.2 executables were compiled in GitHub Actions (https://github.com/acreloaded/acr/actions/runs/470292606). GitHub's machines run the workflow file and generate the release. I have submitted a support request to GitHub about the potential security issue. Until this is resolved, I recommend compiling the source code yourself. I just compiled my own executable (acr_client.zip), and Windows Defender shows it as clean. It seems like there are some false positives, but not like 50% detecting it as a virus: https://www.virustotal.com/gui/file/225b98ffa65d1387350bc6928db695be05f6e0156a9b3fdcf058e4de84fc8391
Installed through choco, detected as Trojan but different name.
This one detects as Ymacco.AA22, I guess it's GitHub.
I'm currently running a hybrid analysis on it. Avast blocked it. Firefox blocked it, and nearly half of the VirusTotal results marked it as malicious. Something isn't right here... I haven't tried to compile it myself though.
Here are the results of the Hybrid Analysis:
Hello, I downloaded ACR yesterday, without reading that issue sadly.
As mentioned before, compile ACR yourself if you do not trust the executables created by GitHub's machines. It is possible that there is something in the ACR code that anti-virus software does not like. For example, bugs that cause memory overreads or corruption would possibly trigger detections. If we can find and fix those issues, it would help to resolve this. I don't have time to investigate right now, but if someone finds and reports what's causing the detections, I can make the fixes and release a new version.
Could this possibly be related to it using registry keys and services for the server? Hybrid Analysis says that it imports suspicious APIs, namely Some of which I don't see why AssaultCube uses, like the registry related ones. Maybe they are for saving the resolution and game settings? Hope this helps,
@kabeeki AssaultCube and AssaultCube Reloaded both read the registry: https://github.com/acreloaded/acr/blob/v2.18.2/source/src/stream.cpp#L147-L170 https://github.com/assaultcube/AC/blob/v1.3.0.2/source/src/stream.cpp#L151-L174 AC and ACR use the registry to substitute
After running it, I later received an email from https://haveibeenpwned.com that my data was exposed in an info stealer combo. These builds are not the only suspect, but I thought it is worth mentioning this.
@AZeed18 how much time passed between the time when you ran it and when the data breach was exposed? The code to produce the builds is all open-source in this repo, available for everyone to inspect, and GitHub runs the code to build ACR. The question becomes whether you trust GitHub. If you don't, compile it by yourself.
Around a week. Could it be an attack on GitHub? It might be just a false positive. The game works fine when excluded from AV. Anyways, it is not the only suspect.
@AZeed18 It probably takes more than 1 week for a data breach to be discovered, processed, and posted to haveibeenpwned.com. An attack on GitHub is possible, but unlikely. A false positive is more likely.