Avast WEBforum
Other => Viruses and worms => Topic started by: mgr.inz.Player on April 27, 2013, 11:09:14 PM
-
Hi. I have a problem with Avast 8.0.1483.
I'm using a trainer created by CheatEngine 6.2 and Avast shows a message about a virus:
"Win32:Evo-gen [Susp]"
- first problem:
I tried to add this EXE to exclude list:
*\Trainer.exe
*\Trainer.exe|[Embedded_R#DECOMPRESSOR]
But still, I cannot launch the trainer. Avast just ignores my exclude list.
- second problem:
Currently, all CE6.2 trainers are made like this:
- files: .cetrainer, a few .dll, one .exe, are compressed with zlib into ARCHIVE
- and there is a DECOMPRESSOR file (standalonephase2.dat inside the installed cheatengine dir) - this file, when launched, will decompress ARCHIVE and execute the final EXE
- ARCHIVE and DECOMPRESSOR are embedded into the final EXE (standalonephase1.dat file)
So, the standalonephase1.dat file with a changed icon and name, and with embedded ARCHIVE and DECOMPRESSOR, is the final product, for example gameName_trainer.exe.
On the end-user side, it looks like this:
1) When the user launches gameName_trainer.exe, the embedded data (ARCHIVE and DECOMPRESSOR) are saved inside a temp dir (F:\temp\cetrainers\CET28.tmp\),
ARCHIVE as CET_Archive.dat and
DECOMPRESSOR as gameName_trainer.exe (yes, the same name)
2) then DECOMPRESSOR (gameName_trainer.exe) decompresses CET_Archive.dat into the "extracted" folder
3) inside "extracted" there are: .dll, .lua and an exe file (with the same name: gameName_trainer.exe)
But Avast treats DECOMPRESSOR as malware. You could say: "you downloaded the trainer from an untrusted site". Well, I made that trainer and I know exactly what it is doing. And CheatEngine is an "open source GPL" application.
I even tried to compile DECOMPRESSOR myself with the current Lazarus version 1.0.8. The same result.
Here is DECOMPRESSOR:
http://code.google.com/p/cheat-engine/source/browse/trunk/Cheat+Engine/sfx/level2
As you can see here, http://code.google.com/p/cheat-engine/source/browse/trunk/Cheat+Engine/sfx/level2/main.pas
there is nothing suspicious.
Thanks for any help.
-
You can report it here: http://www.avast.com/en-no/contact-form.php (change the subject to suit your case).
You may add a link to this topic in case they reply here.
-
Hello,
thanks for the sample, it will be fixed in the next stream update.
Milos
-
I know this topic is old, but there are no other threads like this one. And the first post contains useful information.
Standalone single player trainers are again blocked by Avast: Win32:Evo-gen [Susp]
The problem applies to CheatEngine ver. 6.2 and the new one, CheatEngine ver. 6.3. I have to save my trainers to a folder added to the exclusion list. And downloaded (from a trusted site) trainers do not work until I move them to the excluded folder.
We can manually scan CheatEngine v6.2 installed inside the "program files" folder - no threats detected. (CheatEngine v6.3 too).
Conclusion:
now the standalonephase1.dat file (from CE6.2 and CE6.3) with appended RCData (ARCHIVE and DECOMPRESSOR, and a changed icon) is treated as Win32:Evo-gen [Susp]
PS:
Thanks for previous fix.
PPS:
I'll use the contact form. I'll post it here too:
link:
http://www.mediafire.com/?f34ax09b3xckvnd
Archive contains:
- standalonephase1.dat (no virus detected)
- emptyTrainer.EXE - (false positive - Win32:Evo-gen [Susp]). It is an empty trainer generated with CE6.3; this EXE is the standalonephase1.dat file with appended RCData
Thank you.
-
Thank you for your previous fixes. Sadly, the problem has returned again.
As an example, a trainer made by a CheatEngine forum member. His trainer is flagged as Win32:Malware-gen.
I'm using "avast! Free Antivirus 2014 9.0.2013"
I attached:
Banished Trainer (x32).exe - flagged as Win32:Malware-gen
Banished Trainer (x32) (NO RCData).exe - flagged as safe, Avast doesn't find anything suspicious. I removed RCData (Embedded data) with Resource Editor.
Extracted from the EXE resource (RCData) with Resource Editor:
ARCHIVE - flagged as safe. As mentioned earlier in my posts, this is a zlib archive, and contains the essential files: two DLL files, one EXE file (cheatengine main EXE), one LUA file, one CETRAINER file (which is an XOR-crypted CheatTable file). Basically, it contains some files from "C:\Program Files\Cheat Engine 6.3". Worth mentioning: Avast doesn't find anything suspicious in the "C:\Program Files\Cheat Engine 6.3" directory. The main trainer exe (Banished Trainer (x32).exe) saves it as CET_Archive.dat.
cheatengine main EXE - it can be cheatengine-i386.exe or cheatengine-x86_64.exe.
DECOMPRESSOR - flagged as safe. This is an executable file. It extracts ARCHIVE and executes another EXE file. It is the same file as standalonephase2.dat from "C:\Program Files\Cheat Engine 6.3".
The components are clean. Combined into one EXE, they are flagged as malware (a false positive).
Link to sample:
http://www.mediafire.com/?c7r2j5i9zc623dq
I'll use the contact form too.
EDIT:
Valerij Medviď, thank you. It is fixed.