Cheat Engine Forum Index -> Cheat Engine
The Official Site of Cheat Engine

Trainer Being Flagged For Containing Malware
Page 1 of 2 (all times are GMT - 6 Hours)
++METHOS
Posted: Tue Feb 25, 2014 8:51 am    Post subject: Trainer Being Flagged For Containing Malware

For some reason, my latest trainer is being flagged for having malware. The only thing I've done differently is incorporate a Lua script for buttons/text boxes.

As a test, I've scanned all of my older trainers, my tables and even my entire CE directory - all clean.

Is there any way to fix this? Why is this happening?

Thanks.
mgr.inz.Player
Posted: Tue Feb 25, 2014 9:05 am

Why? For the same reason CE is flagged as suspicious:
http://forum.cheatengine.org/viewtopic.php?t=24363

The generated EXE trainer is in fact:

- SFX module standalonephase1.dat - https://www.virustotal.com/file/88bb94c3ce727db13b77abdbdb75a4c878e91d651692f3618178dec5bbb7080c/analysis/1393336003/
- decompressor module standalonephase2.dat - https://www.virustotal.com/file/65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39/analysis/1393336581/
- Archive file which contains:
  - main CE executable - https://www.virustotal.com/file/bf25b6c415673b3797572b7e57688278f72dbd69836aca38dced83b6e3045aae/analysis/1393335936/
  - Lua dll file
  - dbghelp.dll
  - defines.lua

The generated EXE (standalonephase1.dat) will contain other files. It doesn't matter if you used Lua or not. Every time, the files will be the same, except the Archive file and the final EXE (which is standalonephase1 with embedded data).

Anti-virus heuristics can cause a false positive.

Try different compression, or release it as CETRAINER.

Or, you have an infected system.

++METHOS
Posted: Tue Feb 25, 2014 9:23 am

Yes, I understand how/why the AV would flag it as a false positive...I was just curious as to why it happened this time and never before. I sent you those tables...if you generate a trainer from that, you will see, I'm sure.

I can only assume that the added LUA caused it. It is rather unfortunate, but nothing to do about it, I suppose.

Thanks.
mgr.inz.Player
Posted: Tue Feb 25, 2014 9:37 am

"I can only assume that the added LUA caused it"
Probably not. Creating an EXE trainer will embed the CETRAINER (encrypted). Whether you use Lua or not, it doesn't matter. There is always a CETRAINER inside a Cheat Engine standalone EXE trainer.

I created an EXE trainer based on your CT:
https://www.virustotal.com/file/57e22f3b90335bb179b080c9c15a11ea9701ab49ea85e98efa58fbfecd3c363b/analysis/1393337303/

Agnitum - HackTool.CheatEngine!h2lP7QG9eRI - good,
ESET-NOD32 - a variant of Win32/HackTool.CheatEngine.AF - great

Antiy-AVL - Trojan/Win32.Tgenic - bullshit
Jiangmin - TrojanDropper.Injector.bhlg - bullshit
VBA32 - Hoax.Blocker - bullshit

The standalonephase1.exe SFX module works somewhat like UPX. There are many false-positive alarms. Even when you write a harmless program in C++, if you UPX it or MPRESS it, some anti-virus will flag it as suspicious software.

EDIT:
The very same CT file used, but this time I used compression method "fastest":

https://www.virustotal.com/file/927a0ffc23c68076ce97767bea7acf1fe88c1367b61be64eb9052892e95e7268/analysis/

Now "Antiy-AVL" doesn't detect anything.

Conclusion:
1. Some anti-viruses are stupid.
2. You need a place for your generated EXE trainers, or downloaded trainers. That place must be added to the exclude list (antivirus advanced settings).
3. Download trainers only from trusted sites.
4. If you want fewer false positives, report it, like I reported it here:
http://forum.avast.com/index.php?topic=122579.0
(if you are interested only in "how EXE trainers are made", you can read it too)

Last edited by mgr.inz.Player on Tue Feb 25, 2014 9:56 am; edited 1 time in total
++METHOS
Posted: Tue Feb 25, 2014 9:52 am

Thanks, mgr.inz.Player.

I agree. It is strange that it would happen this time and never before...however, given the fact that the compression type is producing different results, it is not so surprising.

Good catch.

I am actually in the process now of (trying...really trying) to add it to my exclusions list. If this doesn't work, I will do as you say and report it. Worst case, I'll do as you say and designate a folder for this type of thing...although, if I can't assign a file to the exceptions list, I may not be able to add a directory either.

Thanks, again.
mgr.inz.Player
Posted: Tue Feb 25, 2014 10:10 am

"given the fact that the compression type is producing different results, it is not so surprising."

Most good anti-viruses have a built-in zlib decompression module.

In my case, Avast will grab the embedded data (RCData) from the trainer main EXE (standalonephase1.dat with RCData):

- DECOMPRESSOR (which in fact is standalonephase2.dat)
After launching the trainer, it is saved in the TEMP directory as an exe file with the same name as the trainer main EXE - Avast analyzes it, nothing found.

- ARCHIVE (it is a zlib archive, compression levels: none, fastest, normal, max)
After launching the trainer, it is saved in the TEMP directory as CET_Archive.dat - Avast decompresses that zlib stream, nothing found.

DECOMPRESSOR decompresses ARCHIVE (extraction to another folder in temp). There will be: the ce exe file (cheatengine-i386.exe or cheatengine-x86_64.exe) with the same name as the decompressor and trainer main EXE; dll files; the define.lua file; the cetrainer file (CET_TRAINER.CETRAINER).

Then DECOMPRESSOR will launch the ce exe.

The ce exe automatically loads CET_TRAINER.CETRAINER and deletes it.

You can use Resource Editor software to see those:

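The two posts above describe the same pipeline from the scanner's side: a stub EXE carries a zlib stream, the scanner inflates that stream and looks at what is inside, and the compression level chosen at build time changes the outer bytes (and therefore which heuristics fire) without changing the inflated content. The script below is an added example, not code from the thread or from Cheat Engine: it builds a constructed container (a placeholder stub followed by a zlib-compressed archive in a made-up record format, not CE's real standalonephase1/standalonephase2 layout), carves every valid zlib stream by checking the two-byte header and a clean end-of-stream, inflates it, and reports the outer file hash next to the inflated payload hash. Run across the four levels named in the thread (none, fastest, normal, max), the outer hashes all differ while the inflated payload is byte-identical, which is exactly why a different compression setting can flip a per-engine verdict even though nothing inside changed. The file names, stub bytes and archive format are all constructed.

```python
"""Added example: carve and inflate embedded zlib streams the way the thread says a
scanner does, then compare packer output across compression levels. The container
layout is CONSTRUCTED for illustration; it is not Cheat Engine's real format."""
import hashlib
import zlib

# Constructed stand-ins for the files the archive stage carries (not real CE files).
SAMPLE_FILES = {
    "defines.lua": b"-- constructed placeholder lua\n" * 40,
    "CET_TRAINER.CETRAINER": b"<constructed trainer placeholder/>" * 30,
}

# Compression levels as the thread names them: none, fastest, normal, max.
LEVELS = {"none": 0, "fastest": 1, "normal": 6, "max": 9}

# Constructed stub standing in for the SFX module's own code.
STUB = b"CONSTRUCTED-STUB" + bytes(64)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_archive(files):
    """Serialise files as <name len:2><name><data len:4><data> records (constructed format)."""
    out = bytearray()
    for name, data in files.items():
        nb = name.encode()
        out += len(nb).to_bytes(2, "little") + nb
        out += len(data).to_bytes(4, "little") + data
    return bytes(out)


def parse_archive(blob):
    """Inverse of build_archive; raises ValueError on a truncated data record."""
    files, pos = {}, 0
    while pos < len(blob):
        nlen = int.from_bytes(blob[pos:pos + 2], "little")
        name = blob[pos + 2:pos + 2 + nlen].decode()
        pos += 2 + nlen
        dlen = int.from_bytes(blob[pos:pos + 4], "little")
        data = blob[pos + 4:pos + 4 + dlen]
        if len(data) != dlen:
            raise ValueError("truncated record")
        files[name] = data
        pos += 4 + dlen
    return files


def build_container(files, level):
    """Mimic the packer: stub code followed by the zlib-compressed archive."""
    return STUB + zlib.compress(build_archive(files), level)


def carve_zlib_streams(blob):
    """Return (offset, inflated_data) for every offset whose zlib header checks out
    and that inflates to a complete stream with a valid Adler-32 trailer."""
    found = []
    for i in range(len(blob) - 1):
        cmf, flg = blob[i], blob[i + 1]
        # CMF 0x78 = deflate, 32 KiB window; (CMF*256 + FLG) must be a multiple of 31.
        if cmf != 0x78 or (cmf * 256 + flg) % 31 != 0:
            continue
        d = zlib.decompressobj()
        try:
            data = d.decompress(blob[i:])
        except zlib.error:
            continue
        if d.eof:  # end-of-stream reached and the checksum matched
            found.append((i, data))
    return found


def analyze(container):
    """What a scanner that inflates embedded zlib data sees: the outer file's hash
    plus, per carved stream, the inflated payload's hash and the file names inside."""
    report = {"outer_sha256": sha256(container), "streams": []}
    for offset, inner in carve_zlib_streams(container):
        try:
            names = sorted(parse_archive(inner))
        except (UnicodeDecodeError, ValueError):
            names = []
        report["streams"].append(
            {"offset": offset, "inner_sha256": sha256(inner), "files": names})
    return report


def compare_levels(files=SAMPLE_FILES):
    """Pack the same files at each level and analyse each result."""
    return {name: analyze(build_container(files, lvl)) for name, lvl in LEVELS.items()}


if __name__ == "__main__":
    for name, rep in compare_levels().items():
        print(name, rep["outer_sha256"][:16],
              [(s["offset"], s["inner_sha256"][:16], s["files"]) for s in rep["streams"]])
```

The header check (CMF 0x78 and the 31-divisibility of CMF/FLG) is the standard zlib framing test, so the carver applies unchanged to any blob; requiring `d.eof` rejects the false starts that a bare signature scan would report. When triaging a flagged build yourself, comparing the inflated-payload hash across two builds is the quick way to confirm that only the compression changed.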
Rydian
Posted: Wed Feb 26, 2014 12:22 am

I started finalizing trainers with no compression a while ago because some specific AVs just flip their shit.

"I can't see it? IT'S BAD."

Which of course stops users with stuff like Norton from even downloading the trainer.

++METHOS
Posted: Wed Feb 26, 2014 12:59 am

Yes...I think I will start doing the same.
mgr.inz.Player
Posted: Wed Feb 26, 2014 9:08 am

I reported the false positive:
http://forum.avast.com/index.php?topic=122579.msg1066556#msg1066556

You can do the same (for other AVs).

++METHOS
Posted: Wed Feb 26, 2014 2:04 pm

Thanks. I'm glad you did that, because I was too impatient (too busy) to fill out all of that nonsense. Avast should change their reporting system.

Update:
Avast has updated their database due to mgr.inz.Player's report, removing CE files from their blacklist (for now). Good work!
STN
Posted: Sat Mar 01, 2014 7:22 am

It's unfortunate. Most antivirus companies release incompetent bull$hit antivirus products that can't detect malware for shit. No actual malware uses those methods commonly in use by trainers to spread crap anymore, but AV companies will still mark it as a virus without actually looking at the data.

I don't use any AV at all, I even have the Windows Essentials thing disabled, and I haven't got infected for years now. If you know what you are doing you don't need an AV, but even an AV can't save you if you are a noobie and clueless about what is a safe source to get things from and what is not.

BTW, reporting to those AV companies is pretty useless as they just add an exclusion for the trainer you sent them; they still detect others as malware.

_________________
Cheat Requests/Tables- Fearless Cheat Engine
https://fearlessrevolution.com
mgr.inz.Player
Posted: Sat Mar 01, 2014 8:14 am

"BTW, reporting to those AV companies is pretty useless as they just add an exclusion to the trainer you sent them, they still detect others as malware."

In this case, I mean Avast, at least trainers made with CE6.3 will work :)

Rydian
Posted: Sat Mar 01, 2014 2:18 pm

STN wrote:
Its unfortunate. Most antivirus companies release incompetent bull$hit antivirus products that can't detect malware for shit. No actual malware uses those methods commonly in use by trainers to spread crap anymore
Because we all know that all malware has a built-in method that will totally wipe out its existence after a certain date, so that the only malware that exists is the latest stuff at any given time, right?

Wait...

STN wrote:
I don't use any AV at all, even have disabled the windows essential thing and i haven't got infected for years now.
"I haven't gone to the doctor for years and a doctor hasn't told me I'm sick for years now."

STN wrote:
If you know what you are doing you don't need an AV
That's right, only visit safe sites, like The New York Times.
http://www.businessinsider.com/downed-new-york-times-had-malware-2013-8

Shit wait... at least that was just a recent one-time thing.
http://allthingsd.com/20090913/home-delivery-the-new-york-times-serves-up-some-malware/
Whoops, no it wasn't.

Well that's just one website, at least it's not a trend that's becoming fairly common.
http://en.wikipedia.org/wiki/Malvertising
Oh shit, it is.

Well at least you only have to worry about downloading executables, it's not like malware hides in other files.
http://www.infosecurity-magazine.com/view/37024/zeus-trojan-now-hiding-in-plain-sight--using-pictures/
... goddamnit.

Well at least it's not like you can get infected just by looking at a website, via browser vulnerabilities.
http://www.mozilla.org/security/known-vulnerabilities/firefox.html
Quote:
Impact key:

Critical: Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

Well shit.

STN wrote:
but even an av can't save you if you are a noobie and clueless to what is a safe source to get things from and what is not.
lolwut

If you do try to download something that's infected, even by being tricked into clicking on a bad site, and the AV picks up on it, it won't let it run (or, depending on the AV and settings, won't even let it finish downloading or unzipping). AVs hook into kernel methods and will even suspend any other IO on the suspected file.

STN
Posted: Sat Mar 01, 2014 4:50 pm

Rydian wrote:
STN wrote:
I don't use any AV at all, even have disabled the windows essential thing and i haven't got infected for years now.
"I haven't gone to the doctor for years and a doctor hasn't told me I'm sick for years now."

This is actually a pretty stupid metaphor, so what you're suggesting is I should sit in the doctor's office all day or have a doctor sit in my lap all day for the rest of my life so I don't get ill? lol.

The rest of your post is based on a lot of assumptions, basically assuming the user is an idiot and a lot of bad luck. Even Steam was hacked at one point, and Google as well; the only place truly safe is a closet in your room, but bad shit might happen there too. AVs just give you a false sense of security. I still have a trojan that is undetected by all AVs that I wrote back in the day when starting out programming, and hacked a friend who was using Kaspersky. It won't be undetected when it goes public, but can your fully updated AV save you? Nope, you are just as invulnerable as me, except my PC resources aren't as hogged up. Same with any smart new malware: it's undetected until it goes public and popular, but for me to get it is just as unlikely as me winning a million dollar lottery.

Hatschi
Posted: Sat Mar 01, 2014 4:56 pm

All you need is a strong firewall because nowadays only trojans are being coded. No one is interested in making a virus or worm anymore.

STN is mostly right; however, telling someone only brain.exe is necessary is bullshit, I'm sorry to say. There are several exploits using JavaScript on websites, as an example, and hackers even inject websites on normal sites. So an AV is still recommended, but it's not a 100% valid solution.