++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Tue Feb 25, 2014 8:51 am Post subject: Trainer Being Flagged For Containing Malware
For some reason, my latest trainer is being flagged for having Malware. The only thing I've done differently is incorporate an LUA script for buttons/text boxes.
As a test, I've scanned all of my older trainers, my tables and even my entire CE directory - all clean.
Is there any way to fix this? Why is this happening?
Thanks.
mgr.inz.Player I post too much
Reputation: 221
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Tue Feb 25, 2014 9:23 am
Yes, I understand how/why the AV would flag it as a false positive...I was just curious as to why it happened this time and never before. I sent you those tables...if you generate a trainer from that, you will see, I'm sure.
I can only assume that the added LUA caused it. It is rather unfortunate, but nothing to do about it, I suppose.
Thanks.
mgr.inz.Player I post too much
Reputation: 221
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Tue Feb 25, 2014 9:37 am
"I can only assume that the added LUA caused it"
Probably not. Creating an EXE trainer will embed the CETRAINER (encrypted). Whether you use Lua or not, it doesn't matter. There is always a CETRAINER inside a Cheat Engine standalone EXE trainer.
I created EXE trainer based on your CT:
https://www.virustotal.com/file/57e22f3b90335bb179b080c9c15a11ea9701ab49ea85e98efa58fbfecd3c363b/analysis/1393337303/
Agnitum - HackTool.CheatEngine!h2lP7QG9eRI - good,
ESET-NOD32 - a variant of Win32/HackTool.CheatEngine.AF - great
Antiy-AVL - Trojan/Win32.Tgenic - bullshit
Jiangmin - TrojanDropper.Injector.bhlg - bullshit
VBA32 - Hoax.Blocker - bullshit
standalonephase1.exe SFX module works somewhat like UPX. There are many false positive alarms. Even when you write harmless program in C++, if you UPX it, or MPRESS it, some anti-virus will flag it as suspicious software.
EDIT:
The very same CT file used, but this time I used compression method: "fastest"
https://www.virustotal.com/file/927a0ffc23c68076ce97767bea7acf1fe88c1367b61be64eb9052892e95e7268/analysis/
Now "Antiy-AVL" doesn't detect anything.
Conclusion:
1. Some anti-viruses are stupid.
2. You need a place for your generated EXE trainers, or downloaded trainers. That place must be added to the exclude list (antivirus advanced settings).
3. Download trainers only from trusted sites.
4. If you want fewer false positives, report it, like I reported it here:
http://forum.avast.com/index.php?topic=122579.0
(if you are interested only in "how EXE trainers are made", you can read it too)
Last edited by mgr.inz.Player on Tue Feb 25, 2014 9:56 am; edited 1 time in total
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Tue Feb 25, 2014 9:52 am
Thanks, mgr.inz.Player.
I agree. It is strange that it would happen this time and never before...however, given the fact that the compression type is producing different results, it is not so surprising.
Good catch.
I am actually in the process now of (trying...really trying) to add it to my exclusions list. If this doesn't work, I will do as you say and report it. Worst case, I'll do as you say and designate a folder for this type of thing...although, if I can't assign a file to the exceptions list, I may not be able to add a directory either.
Thanks, again.
mgr.inz.Player I post too much
Reputation: 221
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Tue Feb 25, 2014 10:10 am
"given the fact that the compression type is producing different results, it is not so surprising."
Most good anti-viruses have a built-in zlib decompression module.
In my case, Avast will grab the embedded data (RCData) from the trainer main EXE (standalonephase1.dat with RCData):
- DECOMPRESSOR (which in fact is standalonephase2.dat)
After launching the trainer, it is saved in the TEMP directory as an exe file with the same name as the trainer main EXE. Avast analyzes it, nothing found.
- ARCHIVE (it is a zlib archive, compression levels: none, fastest, normal, max)
After launching the trainer, it is saved in the TEMP directory as CET_Archive.dat. Avast decompresses that zlib stream, nothing found.
DECOMPRESSOR decompresses ARCHIVE (extraction to another folder in temp). There will be: the ce exe file (cheatengine-i386.exe or cheatengine-x86_64.exe) with the same name as the decompressor and trainer main EXE; dll files; the define.lua file; the cetrainer file (CET_TRAINER.CETRAINER).
Then DECOMPRESSOR will launch the ce exe.
The ce exe automatically loads CET_TRAINER.CETRAINER and deletes it.
You can use Resource Editor software to see those:
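The post above makes the point that the compression level changes the bytes of the embedded archive (so a byte-signature or hash hit on one build can vanish on another), while a scanner with a built-in zlib decompressor sees the same files either way. The script below is an added example, not code from the thread or from Cheat Engine: it builds a small constructed container at each of the four compression levels the generator offers, carves the zlib stream back out the way an inflating scanner would, and compares what a byte-level scanner sees (the container hash) with what an inflating scanner sees (the hash of the recovered payload). The container layout (a marker string followed by one raw zlib stream) and the PAYLOAD contents are assumptions for illustration; they are not the real standalonephase1 / CET_Archive.dat format.

```python
"""Carve embedded zlib streams out of a container and inflate them.

Added example, not code from the thread or from Cheat Engine. The container
layout (marker + one raw zlib stream) and PAYLOAD are constructed for
illustration and are not the real standalonephase1 / CET_Archive.dat format.
"""
import hashlib
import zlib

# Constructed stand-in for an archive holding trainer files (not real CE data).
PAYLOAD = b"CET_TRAINER.CETRAINER\ndefine.lua\n" + b"A" * 4000

# Valid two-byte zlib headers for a 32 KiB deflate window; the FLG byte
# carries a hint of the compression level that produced the stream.
ZLIB_HEADERS = {
    b"\x78\x01": "none/fastest",
    b"\x78\x5e": "fast",
    b"\x78\x9c": "normal",
    b"\x78\xda": "max",
}


def build_container(payload: bytes, level: int) -> bytes:
    """Simulate the generator's 'compression method' choice: the same
    payload is wrapped behind a marker at the requested zlib level."""
    return b"CET_ARCHIVE" + zlib.compress(payload, level)


def carve_zlib_streams(blob: bytes, min_out: int = 16) -> list:
    """Scan a blob for candidate zlib headers and try to inflate from each.

    A candidate only counts if the stream terminates cleanly (d.eof) and
    yields at least min_out bytes, which filters out random header-looking
    byte pairs.  After a hit the scan resumes past the consumed bytes so
    header-like pairs inside an already-inflated stream are not reported.
    """
    found = []
    i = 0
    while i < len(blob) - 1:
        hdr = blob[i:i + 2]
        if hdr not in ZLIB_HEADERS:
            i += 1
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(blob[i:]) + d.flush()
        except zlib.error:
            i += 1
            continue
        if not d.eof or len(out) < min_out:
            i += 1
            continue
        consumed = len(blob) - i - len(d.unused_data)
        found.append({
            "offset": i,
            "level_hint": ZLIB_HEADERS[hdr],
            "compressed_len": consumed,
            "data": out,
        })
        i += consumed
    return found


def scan_report(payload: bytes = PAYLOAD) -> dict:
    """Build the container at each level the generator offers and compare
    what a byte-level scanner sees (container hash) with what an inflating
    scanner sees (hash of the carved payload)."""
    report = {}
    for name, level in (("none", 0), ("fastest", 1), ("normal", 6), ("max", 9)):
        blob = build_container(payload, level)
        streams = carve_zlib_streams(blob)
        report[name] = {
            "container_sha256": hashlib.sha256(blob).hexdigest(),
            "streams_found": len(streams),
            "inflated_sha256": (hashlib.sha256(streams[0]["data"]).hexdigest()
                                if streams else None),
        }
    return report


if __name__ == "__main__":
    for name, row in scan_report().items():
        print(f"{name:8s} container={row['container_sha256'][:16]}... "
              f"inflated={row['inflated_sha256'][:16]}...")
```

Run it and the four container hashes are all different while the four inflated hashes are identical, which is exactly why a detection keyed on the compressed bytes can appear or disappear between "normal" and "fastest" builds of the same table, and why a product that inflates the stream before matching is not fooled either way. The same carving loop works on any blob (a dumped RCData resource, a TEMP-directory artifact) as long as the stream is a plain zlib stream rather than raw deflate.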
Rydian Grandmaster Cheater Supreme
Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Wed Feb 26, 2014 12:22 am
I started finalizing trainers with no compression a while ago because some specific AVs just flip their shit.
"I can't see it? IT'S BAD."
Which of course stops users with stuff like Norton from even downloading the trainer.
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Wed Feb 26, 2014 12:59 am
Yes...I think I will start doing the same.
mgr.inz.Player I post too much
Reputation: 221
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Wed Feb 26, 2014 2:04 pm
Thanks. I'm glad you did that, because I was too impatient (too busy) to fill out all of that nonsense. Avast should change their reporting system.
Update:
Avast has updated their database due to mgr.inz.Player's report, removing CE files from their blacklist (for now). Good work!
STN I post too much
Reputation: 43
Joined: 09 Nov 2005 Posts: 2676
Posted: Sat Mar 01, 2014 7:22 am
It's unfortunate. Most antivirus companies release incompetent bull$hit antivirus products that can't detect malware for shit. No actual malware uses those methods commonly in use by trainers to spread crap anymore, but AV companies will still mark it as a virus without actually looking at the data.
I don't use any AV at all, I even have disabled the Windows Essentials thing, and I haven't got infected for years now. If you know what you are doing you don't need an AV, but even an AV can't save you if you are a noobie and clueless as to what is a safe source to get things from and what is not.
BTW, reporting to those AV companies is pretty useless as they just add an exclusion to the trainer you sent them, they still detect others as malware.
mgr.inz.Player I post too much
Reputation: 221
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Sat Mar 01, 2014 8:14 am
"BTW, reporting to those AV companies is pretty useless as they just add an exclusion to the trainer you sent them, they still detect others as malware."
In this case, I mean Avast, at least trainers made with CE6.3 will work
Rydian Grandmaster Cheater Supreme
Reputation: 31
Joined: 17 Sep 2012 Posts: 1358
Posted: Sat Mar 01, 2014 2:18 pm
STN wrote: | It's unfortunate. Most antivirus companies release incompetent bull$hit antivirus products that can't detect malware for shit. No actual malware uses those methods commonly in use by trainers to spread crap anymore |
Because we all know that all malware has a built-in method that will totally wipe out their existence after a certain date, so that the only malware that exists is the latest stuff at any given time, right?
Wait...
STN wrote: | I don't use any AV at all, even have disabled the windows essential thing and I haven't got infected for years now. |
"I haven't gone to the doctor for years and a doctor hasn't told me I'm sick for years now."
STN wrote: | If you know what you are doing you don't need an AV |
That's right, only visit safe sites, like The New York Times.
http://www.businessinsider.com/downed-new-york-times-had-malware-2013-8
Shit wait... at least that was just a recent one-time thing.
http://allthingsd.com/20090913/home-delivery-the-new-york-times-serves-up-some-malware/
Whoops, no it wasn't.
Well that's just one website, at least it's not a trend that's becoming fairly common.
http://en.wikipedia.org/wiki/Malvertising
Oh shit, it is.
Well at least you only have to worry about downloading executables, it's not like malware hides in other files.
http://www.infosecurity-magazine.com/view/37024/zeus-trojan-now-hiding-in-plain-sight--using-pictures/
... goddamnit.
Well at least it's not like you can get infected just by looking at a website, via browser vulnerabilities.
http://www.mozilla.org/security/known-vulnerabilities/firefox.html
Quote: | Impact key:
Critical: Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing. |
Well shit.
STN wrote: | but even an av can't save you if you are a noobie and clueless to what is a safe source to get things from and what is not. |
lolwut
If you do try to download something that's infected, even by being tricked into clicking on a bad site, and the AV picks up on it, it won't let it run (or, depending on the AV and settings, won't even let it finish downloading or unzipping). AVs hook into kernel methods and will even suspend any other IO on the suspected file.
STN I post too much
Reputation: 43
Joined: 09 Nov 2005 Posts: 2676
Posted: Sat Mar 01, 2014 4:50 pm
Rydian wrote: | STN wrote: | I don't use any AV at all, even have disabled the windows essential thing and I haven't got infected for years now. | "I haven't gone to the doctor for years and a doctor hasn't told me I'm sick for years now." |
This is actually a pretty stupid metaphor, so what you're suggesting is I should sit in the doctor's office all day or have a doctor sit in my lap all day for the rest of my life so I don't get ill? lol.
The rest of your post is based on a lot of assumptions and basically assumes the user is an idiot and has a lot of bad luck. Even Steam was hacked at one point, and Google as well; the only place truly safe is a closet in your room, but bad shit might happen there too. AVs just give you a false sense of security. I still have a trojan, undetected by all AVs, that I wrote back in the day when starting out programming and hacked a friend who was using Kaspersky. It won't be undetected when it goes public, but can your fully updated AV save you? Nope, you are just as invulnerable as me, except my PC resources aren't as hogged up. Same with any smart new malware: it's undetected until it goes public and popular, but for me to get it is just as unlikely as me winning a million dollar lottery.
Hatschi Master Cheater
Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Sat Mar 01, 2014 4:56 pm
All you need is a strong firewall, because nowadays only trojans are being coded. No one is interested in making a virus or worm anymore.
STN is mostly right; however, telling someone only brain.exe is necessary is bullshit, I'm sorry to say. There are several exploits that use JavaScript on websites, as an example, and hackers even inject code into normal sites. So an AV is still recommended, but it's not a 100% valid solution.