Rydian Grandmaster Cheater Supreme Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Wed Jul 01, 2015 1:40 pm Post subject: Avast responds to false positive reports.
So like many other trainer makers, I hear that every so often some AVs start flipping out over the standalone trainers.
Generally there's nothing that can really be done because even big-name companies like Norton have false positive submission processes that are non-functional. In Norton's case it wants you to e-mail the file to them. Never mind that e-mailing an EXE in general, let alone one currently being flagged by AV software, is not allowed by the majority of e-mail providers...
However I've gotten a lot of reports of Avast flipping out this time, and Avast actually has an actual submission process on their site with proper file attachments and such. I submitted two trainer examples to them, got a response within 3 hours that it was being forwarded to the lab, and then 3 hours after that was told that detection would be disabled in the next definition update.
Now let's see how long this lasts and how it plays out!
_________________
Xblade Of Heaven Master Cheater Reputation: 0
Joined: 16 Oct 2005 Posts: 394 Location: DEAD
Posted: Wed Jul 01, 2015 2:14 pm
good notice, now is nod32 time... regards
_________________
Welcome to the Hell.
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Wed Jul 01, 2015 2:20 pm
Oh, the trainers you submit will actually be undetected but that doesn't mean they will stop flagging all trainers as false-positives. They simply add the specific trainer to their white-list.
Norton is actually the best out of other AV in terms of response and being transparent. One of my team members (iNVOKE) contacted a few AV companies to remove the false positive on his trainers and Norton said it clearly that they can't remove the false positives for all trainers unless you buy a digital certificate (linked me to theirs), they can keep white-listing the trainers we send them but that's it. VIPRE lied outright and said the trainer was a virus lol, F-Secure eventually removed their detection.
The funny thing is most other AV companies use signatures from these big companies so once Norton and F-Secure white-listed the trainer, all other AVs stopped as well (Avira and another I can't remember), only VIPRE kept their detection (1/57). It was pretty cool to see a trainer have such low FP like that.
So don't be so happy, they will start their detections again once you update your trainer.
_________________
Rydian Grandmaster Cheater Supreme Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Fri Jul 03, 2015 12:57 am
Updated the trainer (including a modified form, code list, and injection scripts) for the 1.3.0.3 patch of the game, and VirusTotal reports that the latest Avast definition raises no flags on it, so that's a good sign.
I also checked my Starbound trainer that I haven't updated in a while and it's showing as clean now too.
So it seems they didn't just whitelist the executables I sent them specifically. Think they just whitelisted the standalone CE engine build inside or actually modified their detection? A trainer that uses .NET and/or other additional things might be a good test.
_________________
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Fri Jul 03, 2015 11:23 am
Rydian wrote:
> Updated the trainer (including a modified form, code list, and injection scripts) for the 1.3.0.3 patch of the game, and VirusTotal reports that the latest Avast definition raises no flags on it, so that's a good sign.
> I also checked my Starbound trainer that I haven't updated in a while and it's showing as clean now too.
> So it seems they didn't just whitelist the executables I sent them specifically. Think they just whitelisted the standalone CE engine build inside or actually modified their detection? A trainer that uses .NET and/or other additional things might be a good test.
That would be pretty awesome on their part removing their detections like that altogether. Means one less false positive for us to worry about.
_________________
Rydian Grandmaster Cheater Supreme Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Mon Jul 06, 2015 3:27 pm
Now, the Symantec line on the other hand...
Anybody surprised? No?
_________________
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Wed Jul 08, 2015 2:53 pm
Huh, that's odd. Symantec were really nice with our trainers.
_________________
Rydian Grandmaster Cheater Supreme Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Wed Jul 08, 2015 4:34 pm
Previously I wasn't able to submit anything because they wanted it via e-mail (and sending .exe files that corporate AVs flag over e-mail is just not happening with most services); it's only since they implemented an actual submission system that I was able to send that in.
_________________