Cheat Engine

Rydian

So like many other trainer makers, I hear that every so often some AVs start flipping out over the standalone trainers.

Generally there's nothing that can really be done because even big-name companies like Norton have false positive submission processes that are non-functional. In Norton's case it wants you to e-mail the file to them. Never mind that e-mailing an EXE in general, let alone one currently being flagged by AV software, is not allowed by the majority of e-mail providers...

However I've gotten a lot of reports of Avast flipping out this time, and Avast actually has an actual submission process on their site with proper file attachments and such. I submitted two trainer examples to then, got a response within 3 hours that it was being forwarded to the lab, and then 3 hours after that was told that detection would be disabled in the next definition update.

Now let's see how long this lasts and how it plays out!

Xblade Of Heaven · Posted: Wed Jul 01, 2015 2:14 pm Post subject:

good notice, now is nod32 time... regards

STN · Posted: Wed Jul 01, 2015 2:20 pm Post subject:

Oh, the trainers you submit will actually be undetected but that doesn't mean they will stop flagging all trainers as false-positives. They simply add the specific trainer to their white-list.

Norton is actually the best out of other AV in terms of response and being transparent. One of my team member (iNVOKE) contacted a few AV companies to remove the false positive on his trainers and Norton said it clearly that they can't remove the false positives for all trainers unless you buy a digital certificate (linked me to theirs), they can keep white-listing the trainers we send them but thats it. ViPRE lied outright and said the trainer was a virus lol, F-secure eventually removed their detection.

The funny thing is most other AV companies use signatures from these big companies so once Norton and f-secure white-listed the trainer, all other AVs stopped as well (Avira and another can't remember), only VIPRE kept their detection (1/57). It was pretty cool to see a trainer have such low FP like that Very Happy

.

So don't be so happy, they will start their detections again once you update your trainer.

Rydian · Posted: Fri Jul 03, 2015 12:57 am Post subject:

Updated the trainer (including a modified form, code list, and injection scripts) for the 1.3.0.3 patch of the game, and VirusTotal reports that the latest Avast definition raises no flags on it, so that's a good sign.

I also checked my Starbound trainer that I haven't updated in a while and it's showing as clean now too.

So it seems they didn't just whitelist the executables I sent them specifically. Think they just whitelisted the standalone CE engine build inside or actually modified their detection? A trainer that uses .NET and/or other additional things might be a good test.

STN · Posted: Fri Jul 03, 2015 11:23 am Post subject:

Rydian · Posted: Mon Jul 06, 2015 3:27 pm Post subject:

Now, the Symantec line on the other hand...

Anybody surprised? No?

STN · Posted: Wed Jul 08, 2015 2:53 pm Post subject:

huh, thats odd. Symantec were really nice with our trainers.

Rydian · Posted: Wed Jul 08, 2015 4:34 pm Post subject:

Previously I wasn't able to submit anything because they wanted it via e-mail (and sending .exe files that corporate AVs flag over e-mail is just not happening with most services), it's only since they implemented an actual submission system that I was able to send that in.