deviated trainers marked as suspicious

Aspirant


I am posting this again; for some reason the thread I made got deleted. I'm removing the link to VirusTotal in case that was the problem.

 

Hi,

I am a game trainer maker at deviated, and I have always wanted to bring this to your attention, but I didn't know if you guys would care or not. Now I am making this thread out of pure desperation.

 

My trainers are marked as trojan/suspicious by F-Secure, or "Gen:Trojan.Heur.LP.hv4@aukLcubi" to be precise. Here is the VirusTotal result for my new trainer, for example:

In case you don't know, a game trainer is basically a cheat made by third parties (other than the game developers themselves) through memory modification. I guess this presents a suspicious signature because the trainer is modifying another program's (the game's) memory to achieve its effects.

 

But it is really weird: I know what triggers F-Secure to generate that false positive, and I can make it stop complaining, but at a huge cost to the functionality of my trainers and to the user-friendliness of my programs/trainers.

 

My trainer uses DLL injection, and when you activate a cheat there is either a beep or a sound (depending on which one I use) played, letting the user know that the cheat was activated successfully. There are also built-in hotkeys in the DLL used for activating the trainer. These two functions are what trigger F-Secure to think the trainer is bad; if I remove them BOTH then F-Secure is totally okay, removing just one doesn't help. The hotkeys part is what most other antivirus products also have a problem with (they think it's a keylogger), but using them both somehow creates a weird signature for F-Secure? These are the APIs:

    ; play an in-memory sound asynchronously (newer trainers)
    invoke PlaySound, offset off_snd, 0, SND_MEMORY OR SND_ASYNC

or, if I am using the beep sound (in my old trainers):

    ; 900 Hz tone for 180 ms
    invoke Beep, 900, 180

and the hotkey check:

    xor eax, eax                        ; clear eax
    mov al, byte ptr [CurrentHotkey]    ; load the configured virtual-key code
    push eax                            ; vKey argument
    call GetAsyncKeyState               ; returns key state in ax; bit 15 is set while the key is down


As you can see, removing those functions is a disadvantage to my users because they have no way to know if the cheat is activated, and they can't even activate the trainer at all without the hotkeys. There is a workaround, however, but it is a huge inconvenience.

 

Sorry for the long post, but I wanted to go into great detail so you understood. I will gladly send you the source to both the DLL and the trainer if that will help (in private please, my techniques are unique to our site only and not open source), or any other information you need.

 

Please either let me know what I can do to make it F-Secure friendly without losing the core functionality of the trainer, or update F-Secure to not falsely mark my trainer as bad and scare our users, please.

 

Thanks

Superuser

Re: deviated trainers marked as suspicious

Hello,

 

Probably you should create a ticket here - https://analysis.f-secure.com/

You may need to create an account, and then, in your account, create a ticket with a description and upload your trainers (if there is more than one). You can also add a "description" for your sample with your notes about it.

 

As far as I know, if the trainer is safe/clean and without any malicious points, it will get safe status.

But your detection name is a generic description. That means if the current situation is a false positive, the detection can also be dropped for your trainer with the same process;

Aspirant

Re: deviated trainers marked as suspicious

I don't use F-Secure (or any other antivirus, actually); can I still create a ticket? I am making this because of complaints from my trainer users.

 

I am sorry, but I don't understand the second paragraph in your post? The trainer is safe; you can debug it for yourself and see what it's doing. I don't think I can link, since my post that had a link disappeared, so I can't link to the trainer or the VirusTotal result.

 

BTW, my trainers had problems with Kaspersky in the past and I made a post on their forums; they were very friendly about it and just asked for the trainer, and the issue was fixed in the next definition update. But another antivirus company (I would rather not mention it) didn't even bother replying to my support ticket (I guess because I didn't have a license for their antivirus), so I don't know if F-Secure will? Do the F-Secure staff visit these forums, or is it just community members?

 

 

Superuser

Re: deviated trainers marked as suspicious

Hello,

 

I think it doesn't matter.

You can just visit F-Secure SAS (the link was above) and "Signup/Register" (needed for the descriptions/comments/feedback feature for your sample);

I called that a "ticket", but maybe it's not a nice word :)

 

Because your users meet this with F-Secure, it is probably the home versions of the program - F-Secure Internet Security or AV (which you need to, or are able to, choose when creating a "sample submission");

 

My words about "if the trainer is safe" were about your wish that F-Secure could be more kind/friendly with trainers;

And yes, it's possible... if it is indeed "just a trainer"; and that is about the traditional points of signatures.

But F-Secure also has behavior/proactive technologies, which detect suspicious or malicious things automatically. Some of these can be a "false positive" or about a "not harmful application", and that situation can be dropped when you create a "sample submission" for F-Secure SAS (where it will be analysed together with the additional information you want to add);

 

About the VirusTotal result... it cannot always be "nice"; most "generic/behavior" detections are not visible on VirusTotal, but they happen while working on the user's system. But indeed... the link is not visible yet (or anymore);

 

About your last question: community/forum/support places may also be able to help you.

But I think it is better to use F-Secure (SAS) for this, where your sample... goes to F-Secure specialists and they will consider all your questions/description/additional information. And they can "remove" the detection for the trainer if they decide "all OK". For any result... F-Secure specialists should "handle" your trainer (and the common step for that is to use F-Secure SAS - the link was in my first reply);

 

Superuser

Re: deviated trainers marked as suspicious

As a user of F-Secure and, occasionally, trainers, I noticed some are flagged as suspicious and some not. My sources are usually GCW and Megagames, and it works the same with other AVs. Some are quarantined immediately after download, some are blocked and quarantined when I launch them; this is the case with Vipre, Bitdefender and NIS.

The only solution is to put them in the "exception" list when I trust the source.

Some AVs such as Avast don't even react!

Hope this helps

Superuser

Re: deviated trainers marked as suspicious

I just went to Megagames and downloaded your Dark Souls trainer dated 25/05: I could uncompress it; when launched it was blocked by F-Secure, but the dialog box offered me the opportunity to bypass F-Secure and use it anyway.

Aspirant

Re: deviated trainers marked as suspicious

Wow, that was fast. I received a response from F-Secure saying they acknowledged the file as clean and will fix the false positive in the next definition update. Awesome. I should have done this long ago.

 

@yeoldfart: The issue was that the trainer would be allowed to run, but the injection (activation) of the trainer was blocked unless the antivirus was uninstalled. Adding it to the exceptions or disabling the AV didn't help, I guess because of background protection. F-Secure didn't do this; just adding it to the exceptions was enough for F-Secure, but it did give that warning you're referring to, and most average users don't understand false positives. This was giving me a bad rep and also causing annoyance for most users.

 

Not a problem with F-Secure anymore; now they will fix it in their next update. I hope other AV companies have this fast support and response team. I lodged a ticket with Avira but haven't received any response yet.

 

 

PS: Megagames doesn't have the latest trainer, btw. I think they just leech off GCW and don't bother updating anymore, as I have updated the trainer several times and that trainer is a very old version.

Aspirant

Re: deviated trainers marked as suspicious

Errr... nvm, I updated the trainer with more options/cheats and the detection is back again.

 

virustotal.com/en/file/6d4ed468270ec9c5a19d1270fbcd76407dae337649addf4d48f4932d4430ce82/analysis/1398705505/

 

So I have to send each one of the trainers I make, and even any bug fixes I might do to it will trigger the detection again, even though it's a false positive and acknowledged as such. I kinda take back what I said; this is not cool at all.

 

Avira is no longer picking up any, and they took the longest to respond, so it was a good thing! Another antivirus company, btw, said this to me:

 

    In order to prevent future versions triggering false positive detections, we suggest you
    sign your files with Class-3 digital certificates (X.509) from a Certificate Authority.

 

Yeah, because I can totally pay for that just by releasing free trainers. Also, since I am not Microsoft, my software is automatically bad? This is just ridiculous. This is why I hate antivirus companies so much: they make the lives of real software developers hell and kill their reputation because of their ridiculous heuristics that don't work, while the real malware spreads without any trouble, heh.

 

The delusion of security

Superuser

Re: deviated trainers marked as suspicious

Hello,

 

But it's almost logical. :)

Not about your situation, just potentially: someone takes your trainer... and adds a "malicious feature inside" and gives it to another person; it will be detected as "malicious" because it is not your original trainer (which is known, and for which the detection was dropped for your safe version);

 

About your situation: you create a new trainer (new version = new trainer), a different hash / different software for "analysis"; it is already another one and it can be detected by "behavior/proactive technologies" again.

With "signature detection" there is less trouble for you as a "trainer creator"... but you meet "another kind of detection";

 

And indeed it... creates a situation where you have to create a submission for each new trainer. Probably it's logical... and any F-Secure user would be worried... if it were otherwise.

 

About the "speedy response" and "long response": maybe it was just the weekend, as the reason for the "longest response".

 

 

About the rest: you can again contact F-Secure SAS and talk about your whole situation... I am not sure... that it is not possible to improve the situation between F-Secure and your trainers.

 

But... about "malware" which can trick "behavior/proactive" detection: it just means... the "current" malware was created with high-level code or uses... some tricks, close to a vulnerability, in the protection software.

 

Maybe you can think... and try to improve your trainer... in the parts... where there can be a trouble spot for behavior detection.

You already wrote your wishes about it here... but maybe you are able to ask F-Secure specialists about that. Maybe indeed you cannot "drop" any feature... but do it more nicely, so that it does not use any "bad tricks" and can work with "behavior analysis";

 

But anyway... what is really the trouble with "creating" a sample submission for each of your trainers?

You can do that... before your users start to use your new version. That means the "new version" waits for the "dropped alert", then goes to your users. Why not?

 

It gives you:

 - Users don't worry;

 - You have an answer and can be sure about the "detection dropped" by F-Secure;

 

It gives F-Secure:

 - A reason to look at your samples... and maybe it is able to improve the checking of your situation;

 

It gives F-Secure's users:

 - They can be sure... that F-Secure certainly gives protection... and allows only certainly safe programs;

 - Behavior analysis is needed on many sides... and it indeed can protect against malware (not false positives);

And F-Secure has one of the nice implementations of that technology;

 

It gives your users:

 - They will not meet "alerts/prompts" from F-Secure about your samples;

 - They will be sure... that your application is safe;

 


But this is just about you / F-Secure / your trainer and your users.

With other companies... indeed there can be trouble... if there are "a lot";

And as already said... VirusTotal cannot show all detections from behavior analysis. You must be ready... that most of the other companies... will alert on your trainer too.

Also... an archive file... is one of the reasons for "behavior detection".

Aspirant

Re: deviated trainers marked as suspicious

You may be right; however, Avira and Norton have stopped picking up my trainers as false positives at all now, despite several version changes, so if they can do it, I am sure F-Secure can as well.

 

Just whitelisting my trainers by hash is not at all useful, because trainers are very dynamic, and in a year more than 30 trainers are released by us with different versions for even the same game, so submitting each one to F-Secure is just too much if I have to do it each time a byte is changed in the trainer.

 

Still, I'll send F-Secure an email and ask them how they can help. I will gladly change the order of APIs to make the trainer look less suspicious to F-Secure.

 

Thank you for your responses, btw. I know you are trying to help, but you wouldn't know how frustrating this is if you haven't developed software and gone through something like this, trying to explain to your users why their favorite and the "best" antivirus is picking up your software as suspicious/trojan/malware.

 

After all, a good antivirus wouldn't falsely pick up something that is not a trojan as bad, right? Antivirus only picks up malware, right? Ha, you wish.