Deviated trainers marked as suspicious

I am posting this again; for some reason the thread I made got deleted? I am removing the link to VirusTotal in case that was the problem.

Hi,

I am a game trainer maker at Deviated, and I have always wanted to bring this to your attention, but I didn't know if you guys would care or not. Now I am making this thread out of pure desperation.

My trainers are marked as trojan/suspicious by F-Secure, or "Gen:Trojan.Heur.LP.hv4@aukLcubi" to be precise. This VirusTotal result, for example, is for my new trainer:

In case you don't know, a game trainer is basically a cheat made by third parties (other than the game developers themselves) through memory modification. I guess this presents a suspicious signature because the trainer is modifying another program's memory (the game's) to achieve its effects.

But it is really weird: I know what triggers F-Secure to generate that false positive, and I can make it not complain anymore, but at a huge cost to the functionality and user-friendliness of my programs/trainers.

 

My trainer uses DLL injection, and when you activate a cheat there is either a beep or a sound (depending on which one I use) played, letting the user know that the cheat was activated successfully. There are also built-in hotkeys in the DLL used for activating the trainer. These two functions are what trigger F-Secure to think the trainer is bad: if I remove them BOTH, then F-Secure is totally okay; removing just one doesn't help. The hotkeys part is what most other antivirus products also have a problem with (they think it's a keylogger), but using them both somehow creates a weird signature for F-Secure? These are the APIs:
invoke PlaySound, offset off_snd, 0, SND_MEMORY OR SND_ASYNC   ; winmm.dll: play the WAV image at off_snd from memory, without blocking
or, if I am using the beep sound (in my old trainers):
invoke Beep, 900, 180                                           ; kernel32.dll: 900 Hz tone for 180 ms

 

xor eax, eax
mov al, byte ptr [CurrentHotkey]   ; virtual-key code of the configured hotkey
push eax                           ; vKey argument (stdcall)
call GetAsyncKeyState              ; user32.dll: bit 15 of AX is set while the key is held down


As you can see, removing those functions is a disadvantage to my users, because they have no way to know if the cheat is activated, and they actually can't even activate the trainer without the hotkeys. There is a workaround, however, but it is just a huge inconvenience.

Sorry for the long post, but I wanted to go into great detail so you understood. I will gladly send you the source to both the DLL and the trainer if that will help (in private please; my techniques are unique to our site only and not open source), or any other information you need.

Please either let me know what I can do to make it F-Secure-friendly without losing the core functionality of the trainer, or update F-Secure to not falsely mark my trainer as bad and scare our users, please.

 

Thanks
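The post above names the exact imports behind the detection (GetAsyncKeyState for hotkeys, PlaySound or Beep for feedback, plus the injection itself). The following is an added triage helper, not code from the original thread or from Deviated's trainers: it reports which of those API names a build references, so the author can see what a generic detection may be keying on before submitting a sample. It assumes the binary is an unpacked PE whose imported function names are stored as plain ASCII in its import name table (true of ordinary MASM and C builds); the `.\release` folder in the usage line is a placeholder.

```powershell
# Added example, not code from the original thread or from Deviated's trainers.
# Assumption: unpacked PE with ASCII import names (packed builds hide them, and
# packing is itself something many heuristics treat with suspicion).
function Get-TrainerApiProfile {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)

    # Import names grouped by the behaviour an AV heuristic associates with them.
    # PlaySound is imported as PlaySoundA/PlaySoundW and 'Beep' also matches
    # MessageBeep; substring matching covers those variants (and may over-match
    # string data, which is acceptable for triage).
    $groups = [ordered]@{
        KeyPolling  = @('GetAsyncKeyState', 'GetKeyState', 'GetKeyboardState')   # keylogger-shaped
        AudioSignal = @('PlaySound', 'Beep')                                       # activation feedback
        Injection   = @('OpenProcess', 'VirtualAllocEx', 'WriteProcessMemory', 'CreateRemoteThread')
    }
    $hits = @{}
    foreach ($name in $groups.Keys) {
        $hits[$name] = @($groups[$name] | Where-Object { $text.Contains($_) })
    }

    [pscustomobject]@{
        File            = $Path
        IsPE            = ($bytes.Length -gt 1 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)  # "MZ"
        Sha256          = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # for SAS / VirusTotal lookups
        KeyPolling      = $hits.KeyPolling
        AudioSignal     = $hits.AudioSignal
        Injection       = $hits.Injection
        # The combination the OP observed: hotkey polling together with sound
        # feedback trips the F-Secure heuristic, either one alone does not.
        HotkeyPlusSound = ($hits.KeyPolling.Count -gt 0 -and $hits.AudioSignal.Count -gt 0)
    }
}

# Usage: profile every file extracted from a release archive, not just the archive.
Get-ChildItem -Path .\release -Recurse -File | ForEach-Object { Get-TrainerApiProfile -Path $_.FullName }
```

The `Sha256` column is the value a vendor's sample-submission portal or a VirusTotal search keys on, so it is worth recording per build. A blank result for every group on a file that is known to use these APIs means the names are not visible in the clear (packed or compressed), which is a separate thing a heuristic may object to.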

Comments

  • Ukko
    Ukko Posts: 3,727 Superuser

    Hello,

    Probably you should create a ticket here - https://analysis.f-secure.com/

    Maybe you need to create an account, and then in your "account" create a ticket with a description and upload your trainers (if it's not just one); you can also create a "description" for your sample with your notes about it.

    As far as I know, if the "trainer" is safe/clean and without any malicious points, it will get safe status.

    But your detection name is a generic description. That means if the current situation is a false positive, the detection can also be dropped for your "trainer" by the same "process";

  • iNVOKE
    iNVOKE Posts: 7

    I don't use F-Secure (or any other antivirus, actually); can I still create a ticket? I am making this because of complaints from my trainer users.

    I am sorry, but I don't understand the second paragraph in your post? The trainer is safe; you can debug it yourself and see what it's doing. I don't think I can link, since my post that had a link disappeared, so I can't link to the trainer or the VirusTotal result.

    BTW, my trainers had problems with Kaspersky in the past and I made a post on their forums; they were very friendly about it and just asked for the trainer, and the issue was fixed in the next definition update. But another antivirus company (I would rather not mention it) didn't even bother replying to my support ticket (I guess because I didn't have a license for their antivirus), so I don't know if F-Secure will? Do the F-Secure staff visit these forums, or is it just community members?

     

     

  • Ukko
    Ukko Posts: 3,727 Superuser

    Hello,

    I think it doesn't matter.

    You can just visit F-Secure SAS (the link was given previously) and "Signup/Register" (needed for the feature about "descriptions/comments/feedback" with your sample);

    I call that a "ticket", but maybe it's not the right word :)

    Because your users meet that with F-Secure, it's probably the home versions of the program - F-Secure Internet Security or AV (which you need to, or are able to, choose while creating the "sample submission");

    My words about "if the trainer is safe" were about your wish that "F-Secure could be more kind/friendly with trainers";

    And yes, it's possible... if it's indeed "just a trainer"; and that is about the traditional points about signatures.

    But F-Secure also has behavior/proactive technologies, which detect suspicious or malicious things automatically. Some of those can be a "false positive" or about a "not harmful application", and that situation can be dropped when you create a "sample submission" for F-Secure SAS (where it will be analyzed, along with checking the additional information you want to add);

    About the VirusTotal result... it cannot always be "nice"; most "generic/behavior" detections are not visible on VirusTotal, but they do happen during work on the user's system. But indeed... the link is not visible yet (or anymore);

    About your last question: community/forum/support places can maybe also help you.

    But I think it's better to use F-Secure SAS for that, where your sample... goes to F-Secure specialists, and they will think about all your questions/description/additional information. And they can "remove" the detection for the trainer if they decide "all OK". For any result... F-Secure specialists should "handle" your trainer (and the common step for that is to use F-Secure SAS; the link was in my first reply);

     

  • yeoldfart
    yeoldfart Posts: 571 Superuser

    As a user of F-Secure and occasionally of trainers, I noticed some are flagged as suspicious, some not; my source is usually GCW and Megagames. It works the same with other AVs: some are quarantined immediately after download, some are blocked and quarantined when I launch them; this is the case with Vipre, Bitdefender, NIS.

    The only solution is to put them in the "exception" list when I trust the source.

    Some AVs, such as Avast, don't even react!

    Hope this helps

  • yeoldfart
    yeoldfart Posts: 571 Superuser

    I just went to Megagames and downloaded your Dark Souls trainer dated 25/05: I could uncompress it; when launched it was blocked by F-Secure, but the dialog box offers me the opportunity to bypass F-Secure and use it anyway.

  • iNVOKE
    iNVOKE Posts: 7

    Wow, that was fast. I received a response from F-Secure saying they acknowledged the file as clean and will fix the false positive in the next definition update. Awesome :). I should have done this long ago.

    @yeoldfart: The issue was that the trainer would be allowed to run, but the injection (activation) of the trainer was blocked unless the antivirus was uninstalled. Adding it to the exceptions or disabling didn't help, I guess because of background protection. F-Secure didn't do this; just adding it to the exceptions was enough for F-Secure, but it did give that warning you're referring to, and most average users don't understand false positives, and this was giving me a bad rep and also causing annoyance for most users.

    Not a problem with F-Secure anymore, now that they will fix it in their next update :D. I hope other AV companies have this fast support and response team. I lodged a ticket with Avira but haven't received any response yet.

    PS: Megagames doesn't have the latest trainer, btw; I think they just leech off GCW and don't bother updating anymore, as I have updated the trainer several times and that trainer is a very old version.

  • iNVOKE
    iNVOKE Posts: 7

    Errr... nvm, I updated the trainer with more options/cheats and the detection is back again.

    virustotal.com/en/file/6d4ed468270ec9c5a19d1270fbcd76407dae337649addf4d48f4932d4430ce82/analysis/1398705505/

    So I have to send each one of the trainers I make, and even any bug fixes I might do to it will trigger the detection again, even though it's a false positive and acknowledged as such. I kind of take back what I said; this is not cool at all.

    Avira is no longer picking up any, and they took the longest to respond, so it was a good thing! Another antivirus company, btw, said this to me:

    In order to prevent future versions from triggering false positive detections, we suggest you

    Sign your files with Class-3 digital certificates (X.509) from a Certificate Authority

    Yeah, because I can totally pay for that just by releasing free trainers; also, since I am not Microsoft, my software is automatically bad? This is just ridiculous. This is why I hate antivirus companies so much: they make the lives of real software developers hell and kill their reputation because of their ridiculous heuristics that don't work, while the real malware spreads without any trouble, heh.

    The delusion of security

  • Ukko
    Ukko Posts: 3,727 Superuser

    Hello,

     

    But it's almost logical. :)

    Not about your situation, just potentially: someone takes your trainer... and adds a "malicious feature inside" and gives it to someone else; it will be detected as "malicious" because it's not your original trainer (which is known, and the detection dropped for your safe version);

    About your situation: you create a new trainer (new version = new trainer), a different hash / different software for "analysis"; it's already another one, and it can be detected by "behavior/proactive technologies" again.

    With "signature detection" there are fewer troubles for you as a "trainer creator"... but you meet "another kind of detection";

    And it indeed... creates a situation where you have to create a submission for each new trainer. Probably it's logical... and any F-Secure user would be worried... if it were otherwise.

    About the "speedy response" and "long response": maybe it was just a weekend-like reason for the "longest response".

    About other things: you can again contact F-Secure SAS and talk about your whole situation... I'm not sure... that it's not possible to improve your situation between F-Secure and your trainers.

    But... about "malware" which can trick "behavior/proactive" detection: it just means... the "current" malware was created with high-level code, or uses... some tricks, close to a vulnerability, in the protection software.

    Maybe you can think... and try to improve your trainer... in the parts... where there can be a trouble spot for behavior detection.

    You already wrote here your wish about it... but maybe you are able to ask F-Secure specialists about that. Maybe indeed you cannot "drop" any feature... but do it more nicely, in a way that does not use any "bad tricks" and can work with "behavior analysis";

    But anyway... what is really the trouble with "creating" a sample submission for each of your trainers?

    You can do that... before your users start to use your new version. That means the "new version" waits for the "dropped alert", then goes to your users. Why not?

    It gives you:

     - Users don't worry;

     - You have an answer and can be sure about the "detection dropped" by F-Secure;

    It gives F-Secure:

     - Reasons to look at your samples... and maybe it's able to improve the checking of your situation;

    It gives F-Secure's users:

     - They can be sure... that F-Secure certainly gives protection... and allows just certainly safe programs;

     - Behavior analysis is needed on many sides... and it indeed can protect against malware (not false positives);

    And F-Secure has one of the nice realizations of those technologies;

    It gives your users:

     - They will not meet "alerts/prompts" by F-Secure about your samples;

     - They will be sure... that your application is safe;

    But that's just about you / F-Secure / your trainer and your users.

    With other companies... indeed there can be trouble... if there are "a lot" of them;

    And as was already said... VirusTotal cannot show all detections from behavior analysis. You must be ready... that most of the other companies... will alert on your trainer too.

    Also... an archive file... is one of the reasons for "behavior detection".

  • iNVOKE
    iNVOKE Posts: 7

    You may be right; however, Avira and Norton have stopped picking up my trainers as false positives at all now despite several version changes, so if they can do it, I am sure F-Secure can as well.

    Just whitelisting my trainers by hash is not at all useful, because trainers are very dynamic and in a year more than 30 trainers are released by us, with different versions even for the same game, so submitting each one to F-Secure is just too much if I have to do it each time a byte is changed in the trainer.

    Still, I'll send F-Secure an email and ask them how they can help. I will gladly change the order of APIs to make the trainer look less suspicious to F-Secure.

    Thank you for your responses, btw; I know you are trying to help, but you wouldn't know how frustrating this is if you haven't developed software and gone through something like this, trying to explain to your users why their favorite and the "best" antivirus is picking up your software as suspicious/trojan/malware.

    After all, a good antivirus wouldn't falsely pick up something that is not a trojan as bad, right? Antivirus only picks up malware, right? Ha, you wish.

  • Ukko
    Ukko Posts: 3,727 Superuser

    I can understand your points about the situation. I mean, I can understand your feelings about the situation (which you meet as a "developer") (it's also a logical thing...).

    It's, of course, not really nice. But preventing detection (such as buying/checking certs, etc.) also takes time for any other developers. That means... the common situation... just totally... requires a lot of "steps/actions" on all sides (to prevent false-positive detection; to create "protection" against changes by other people; and other points);

    F-Secure is one of the companies... who worry about "false positives"; they try to prevent "false-positive" detections... which can "confuse" users and simply do not give any nice things.

    Because, as you note (in other words), good protection software is software... where malicious files are detected... and safe files are allowed. Fewer "false-positive" detections are one side... of that.

    About all the rest: I already wrote you a private letter (yesterday; here were just my suggestions, and it doesn't mean... that it's totally like that);

    And also... here... it's just a "behavior-generic" detection... which does not think about "which file is here" (in common terms and without any other settings); how it looks... and other things... are not the main point;

    Detection is about actions... or something else which can be suspicious (it does not mean that if you call the file a "trojan" it will be a "trojan" detection; but if it's a suspicious downloader... it can be a "trojan-dropper" detection, but it can also be... without detection); also in some situations... it can be related to "rating/popularity status/other".

    The current detection on VirusTotal (I'm not sure... but I checked the results by hash from your analysis link)... is probably related to the archive. Indeed... I don't know... which files are in the current archive (if it's more than one file), but you can try to scan each of them... and look... which file/resource/library/other is the reason for the detection.

    If it's none of them... it's related to the "archive"; and it's probably not related to the detection which users can meet during launching/using your trainer. But it's just a suggestion.

    Another point... what if any other companies (which you think have "totally" dropped the detection already) still have a detection when users start to use your trainer (it can be another kind of detection already; multi-layer protection is popular; in some situations... with some companies... there will be an "alert" at each "layer", because they don't work with each other, and it's strange).

  • iNVOKE
    iNVOKE Posts: 7

    So F-Secure dropped the detection again, though they didn't let me know if it will be for future trainers or not, and neither did they tell me what part of my trainer is setting off this heuristic detection.

    I guess I have to buy that digital signature somehow if I want my trainers to not have these annoying false positives. You were right, by the way: Symantec again started the detection WS.Reputation.1, though it took a couple of days, so I am guessing they do this when the file is used by a few people.

    Anyway, thank you for your responses; they have been very helpful, and I didn't actually think of this:

    "Another point... what if any other companies (which you think have "totally" dropped the detection already) still have a detection when users start to use your trainer (it can be another kind of detection already; multi-layer protection is popular; in some situations... with some companies... there will be an "alert" at each "layer", because they don't work with each other, and it's strange)."

    That has totally happened with my trainers before: there was no detection, but still the trainer would be blocked without any sort of notification at all. This was worse than having a detection, because the user didn't know their antivirus was blocking the trainer and blamed the trainer for not working.

    I guess I'd better start saving for the certificate. I just can't believe it will be so much trouble making your favorite software.

    Thank you again for your replies!

  • Siltanen
    Siltanen Posts: 61 F-Secure Employee

    Hello iNVOKE,

    We'll start investigating the issue on our end; however, it might take some time before we come up with a solution.

    Of course, both options you mentioned are still available to you:

    a) As a workaround, you can always submit new binaries to us (I understand it's time-consuming to deliver them to us every time you change even a byte of the program).

    b) Signing the software with a certificate.

    I can't promise that we'll arrive at a better resolution, but we'll take a look at what we can do in order to fix the situation.
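Option (b) above, and the earlier vendor advice to "sign your files with Class-3 digital certificates (X.509)", is the Authenticode route. The following is an added example, not code from the original thread, F-Secure, or Deviated: it signs a build with a code-signing certificate and then verifies the signature, so each release can be checked before it is uploaded anywhere. It assumes a PFX file containing the code-signing certificate and its private key (here `.\codesign.pfx`) and uses `http://TIMESTAMP_URL` as a placeholder to be replaced with the timestamp service the issuing CA provides.

```powershell
# Added example, not code from the original thread. Assumptions: a code-signing
# PFX at .\codesign.pfx and a CA-provided timestamp service in place of TIMESTAMP_URL.

function Invoke-TrainerSigning {
    param(
        [Parameter(Mandatory)][string]$Path,                 # trainer .exe or injected .dll
        [Parameter(Mandatory)][string]$PfxPath,              # certificate + private key
        [string]$TimestampServer = 'http://TIMESTAMP_URL'    # placeholder, see lead-in
    )
    $cert = Get-PfxCertificate -FilePath $PfxPath            # prompts for the PFX password

    # Timestamping lets the signature stay valid after the certificate itself expires;
    # -IncludeChain All embeds the issuing chain so verifiers need not fetch it.
    $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
               -HashAlgorithm SHA256 -TimestampServer $TimestampServer -IncludeChain All
    if ($sig.Status -ne 'Valid') {
        throw "Signing $Path failed: $($sig.Status) $($sig.StatusMessage)"
    }
    $sig
}

function Test-TrainerSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File      = $Path
        Status    = $sig.Status                               # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject
        Timestamp = $sig.TimeStamperCertificate.Subject       # empty if the build was not timestamped
        Sha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # still useful for submissions
    }
}

# Usage: sign every build output, then verify it before publishing or submitting.
Get-ChildItem -Path .\release -Include *.exe, *.dll -Recurse -File | ForEach-Object {
    Invoke-TrainerSigning -Path $_.FullName -PfxPath .\codesign.pfx | Out-Null
    Test-TrainerSignature -Path $_.FullName
}
```

Note that the DLL the trainer injects should be signed as well, not only the launcher, since that is the file the behavior-based layer sees at activation time. A signature ties every version to one publisher, which is what lets a vendor whitelist by signer rather than by hash; it does not by itself make a brand-new file prevalent, so a reputation verdict like the WS.Reputation.1 hit mentioned earlier in the thread can still appear on a freshly released build.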

This discussion has been closed.