Author Topic: Urgent! Avast reporting my game's executable as malware - false positive.  (Read 11632 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
Hey there!

Sorry if this is not the right place for the topic.

I'm indie game developer, and I sent out press release yesterday. A lot of users are reporting that the game fails to boot through Steam (missing executable).
Took me a little while, but I was able to narrow the reason to antivirus software. In this case Avast, which is doing something with the executable.

The game is called DISTRAINT: http://store.steampowered.com/app/395170

I've tried contacting Avast via twitter, and also opened a ticket. But something says I won't get a swift reply from there.
I can't submit the exe for Avast as it's over 10mb. I've checked with Virustotal and it's only Avast and Rising (2/56) marking it as malware.

I'm going to release the game 21st and I can't even imagine what would happen if Avast would still flag the executable as malware.

Any help would be appreciated!

Jesse

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Quote
I've checked with Virustotal and it's only Avast and Rising (2/56) marking it as malware.
Post link to scan result here



REDACTED

  • Guest
I stripped my game to around 9mb and submitted to Avast using the form:
https://www.avast.com/false-positive-file-form.php

So what now? How long should it take? A few hours, a few days?
I simply can't afford to wait, as I type possible youtubers and reporters might try to play the game and fail due to this problem.

This is really destroying all the hard work, I just feel horrible about this. :(

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Do not worry, reported means there will be an evaluation. But there you have to wait for an Avast Team Member to reply, as we are not. My relevant knowledge is with volunteer website security so I scanned the IP the game website is on: https://www.virustotal.com/nl/ip-address/205.134.224.235/information/
and there were some bad web host reports there earlier concerning PHISHING scripts launched.
For the new executable, it says it seems to be studied and with two alledged generic PUP or adware detections so far,
that should not be so hard to establish it is actually above board.
So just wait for the final verdict from Avast.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Of course I worry cause I don't know when the exe will be evaluated. As for the game's home page, I bought the domain and hosting from webhostinghub, not sure what that scan even means. O_o

I'm creating my games with Clickteam Fusion 2.5, and today I tried exporting a blank application, uploaded it to Virustotal and still Avast flagged it. Also a fellow Fusion developer reported the same problems I'm having.

And of course it's the developers that suffers the most from this. Avast should really do something about this, their scanner is just way too aggressive!

3 days to release.  :-\

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
I cannot judge what you say there. Again because I do not know where Avast detection stools on as I am not an Avast Team Member, just a volunteer with some relevant knowledge.
It assume your executable came signed, that of course will help when there is a generic packer detection or flagging chinks of pseudo-code for instance.

Hope soon when the week-end is over you will get the results before the software is due out.
But very responsible to report here as whenever really a false positive,
such detections should really be brought down.

Where I reported is whether the hoster is pro-actively secure or not, a bad web rep for phishing as abuse is not particularly a recommendation for the hosting party. When for instance you host a file on an IP where many other bad apples poison the basket, that hole IP can come blocked and one should seek for an exclusion as a good domain between the good, the bad and the ugly.  ;)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Ah okay thanks for the explanation, and thanks for your help!

More people reporting problems... Come on Avast, I've already potentially lost a few big youtubers and the coverage.
I don't mean to over-dramatize, but I develop games for living, and this is currently harming that big time. Releasing a game without hype, well, it just does not work.

Getting exposure as a small indie developer, I need to rely on Youtube Let's Players, but if they fail to launch the game due to false-positive...  :'(

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
You can also contact the viruslab directly via: virus[at]avast.com
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline denics

  • Avast team
  • Full Member
  • *
  • Posts: 168
    • avast!
Hi Jesse,

I'm really sorry for the inconvenience. Could you please upload the file somewhere and send me a link? We get a lot of false positive reports and it takes time for our systems to process it when you submit it via FP submit form. This way I will process the file myself and that will be much faster. Thanks!
Denis Konopiský - avast! VirusLab | Android & Windows Malware | VPS Operations | Whitelisting

REDACTED

  • Guest
Re: Urgent! Avast reporting my game's executable as malware - false positive.
« Reply #10 on: October 19, 2015, 10:15:38 AM »
Hey denics!

Sure, I actually sent email to virus(at)avast.com, can you find it there? There's a link to my dropbox that holds the game exe. It's not exactly the same as in Steam (I've rolled a few updates). But that should be good?

Let me know if this works!

Jesse

Offline denics

  • Avast team
  • Full Member
  • *
  • Posts: 168
    • avast!
Re: Urgent! Avast reporting my game's executable as malware - false positive.
« Reply #11 on: October 19, 2015, 10:43:34 AM »
Okay, I got the file and fixed it. The fix should be out with the next virus database update which I'm preparing right now. Anyway I noticed there's no digital signature so I can't assure you it won't happen again with some update. I could whitelist your files with your digital signature but you don't have one.
Denis Konopiský - avast! VirusLab | Android & Windows Malware | VPS Operations | Whitelisting

REDACTED

  • Guest
Re: Urgent! Avast reporting my game's executable as malware - false positive.
« Reply #12 on: October 19, 2015, 10:49:49 AM »
Thank you denics!

Can't you use author or publisher information from the file for whitelisting?

I gotta admit I'm not familiar with signing the files but I'll look into it now.

Can you give me an estimate when the next database update will be out? Also, do you have email or anything I could contact you (if I can sign the files asap, would be awesome if I could contact you straight away and you could whitelist).

Cheers,

Jesse

EDIT: Also, what was causing the false positive? I'm creating my games with Fusion 2.5, and tried with VirusTotal, and even a blank Fusion application will get flagged by Avast.
Maybe allowing it, whatever it is, could work for the future? There are lot of great games being made with Fusion, so it would be great if other devs wouldn't have to go through the same I'm going now.
« Last Edit: October 19, 2015, 10:53:48 AM by makkonen.j.k »

Offline denics

  • Avast team
  • Full Member
  • *
  • Posts: 168
    • avast!
Re: Urgent! Avast reporting my game's executable as malware - false positive.
« Reply #13 on: October 19, 2015, 11:28:04 AM »
Sadly not. I can use only a digital signature.

Please look into that, It'd prevent this from happening again.

The virus database update will be out approximately in an hour. I will send you my email in a direct message.

The false positives is something that you basically can't influence. It's generated by automated systems when a detection is made more generic that it should be. You can however eliminate this issue from happening again by whitelisting the digital signature as I said before.
Denis Konopiský - avast! VirusLab | Android & Windows Malware | VPS Operations | Whitelisting

REDACTED

  • Guest
Re: Urgent! Avast reporting my game's executable as malware - false positive.
« Reply #14 on: October 19, 2015, 11:36:10 AM »
Thanks again, that sounds awesome!

I hope that the new update will work.
Just one last thing, do you think you could approach Clickteam if they haven't approached you. I mean, they're constantly growing and some games like Five Nights At Freddy's has been made with their software.
Without a doubt, trying to figure this out would be a win win situation for us all, you, users, developers and Clickteam.

I'll see if I can sign my files, I'm just so busy atm and I figure it won't happen over night.

Alright, thanks again, fingers crossed everything goes well!

Jesse