Poser 13 - Software-Update blocked because of TR/AD.Amadey.nvgep in sqlite_x64Release.dll

Options
MMike
MMike Posts: 6 Explorer
edited October 2023 in F-Secure Total

Ladies and Gentlemen,

one week ago, I installed the Poser 13-Update (Software from Renderosity) successfully on my Computer and was able to start it and use it. Some days later F-Secure blocked th program with the remark :  "blocked because of TR/AD.Amadey.nvgep in sqlite_x64Release.dll". The dll was sent to the quarentine. I failed to extract the suspicious file with fsdumpqrt.exe, because this app will not run on my Computer, although I tried to start it as administrator in cmd (Win 11 Pro actual update) to send it to analysts.

A new download of the Poser - software did not help to install Poser 13 successfully again.

Is the file dangerous or is there a wrong identification?

Could You please help me?

with thanks in advance and regards

Michael Hold

😒

Tagged:

Accepted Answer

  • Ukko
    Ukko Posts: 3,634 Superuser
    edited April 2023 Answer ✓
    Options

    Hello,

    Sorry for my reply. I am also only an F-Secure user.

    One option is to contact their direct official support channel via that page: Contact support | F-Secure (for example, web-chat widget is in the bottom right corner). Maybe Support Agents with enough tools to safely get quarantined item.

    Poser 13-Update (Software from Renderosity)

    I do not know a lot about this software, but based on Googling..

    So, this is Poser 13 software (application), which is available on their own website too. And Renderosity is another web-resource, where possible to buy or download additions to; or just this software as such.

    Is there any possibility that received copy is altered?

    // by the way, I downloaded Poser 13 installer from the official website (as I think) and managed to reproduce a detection. I will try to play more about it.

    The dll was sent to the quarentine. I failed to extract the suspicious file with fsdumpqrt.exe, because this app will not run on my Computer, although I tried to start it as administrator in cmd (Win 11 Pro actual update) to send it to analysts.

    Is it possible to run it as in Compatibility mode (or something like that) - by right click (then inspect context menu options). Because with Windows 10 - it was possible to run tool. However, what is the failed result of your attempt? Just .zip-file with no content or any 'error'-output?

    Is the file dangerous or is there a wrong identification?

    As I see, Renderosity Community also with a discussion topic about this subject (F-Secure claims Poser 13 contains Trojan - False Positive?). Based on it:

    • "TR/AD.Amadey.nvgep"-detection is released 01.04.2023 (for a certain engine as a part of core using in F-Secure products, currently).
    • Other AVs solutions also with detection about Poser 13 (however, I did not find this).

    There is a way to install Poser 13 by adding folders in Exclusions before that (from where to run and so on). Or to restore quarantined file manually.

    But I will recommend to reach and contact F-Secure Labs before any action about installing or using.

Answers

  • MMike
    MMike Posts: 6 Explorer
    Options

    Hello Ukko,

    thank You for Your extensive answer. I wrote an E-Mail to the F-Secure team. I am curious, what they will say.

    I reported the suspicion to Renderosity support , but the answer did not help.

    But I copied the old sqlite_x64Release.dll from Poser 12 to the Poser 13 directory and Poser 13 is complete functional, without any warning of F-Secure. I think that is remarkable.

    So I wait for the reply of the F-Secure support team.

    with regards

    Mike

  • Firmy
    Firmy Posts: 1,733 Community Manager
    Options

    Hello @MMike

    Thank you for your post.

    We have received your submission. Our Malware Analyst is currently inspecting it, and we'll let you know as soon as we have any updates.

    If you have any other questions or concerns, please don't hesitate to ask. We're here to help!

    Have a great day!

  • Ukko
    Ukko Posts: 3,634 Superuser
    Options

    I think, detection is already gone. False positive, perhaps.

    And, by the way, when you tried to use "fsdumpqrt.exe" - you can send the single file for analysis by using the report feature in the product instead (reference guide: Reporting a quarantined item | Total | Latest | F-Secure User Guides). Of course, if you did not so at the end.

    It was not possible for my check - because installer detected itself and just re-named to be 'safe'. But since your experience was already about certain .dll-item in Quarantine, probably mentioned functionality was a way to report false positive / request re-rating.

    Thanks!

This discussion has been closed.