Malware Detection - Update

AllegiancyUK
Posts: 1

Malware Detection - Update

Post#1 » Sun May 24, 2020 8:14 pm

Good Evening All,

Following the recent patch / update I saw that the latest downloaded version of the rorlauncher.exe file was being detected as malware by Microsoft Defender (the version in the torrent does not trigger the Defender alert).

I read through the install guide and other comments posted by fellow players in relation to the launcher being quarantined / removed and decided to follow up with the Microsoft Security team.

Happy to report that Microsoft have removed the detection from their latest malware definitions (as there is no malware present) and that this will be reflected in the next malware definitions update that you download when updating your definitions.

Have a good evening, and thanks again to the team behind RoR - this is the closest thing to original DAOC I've seen in years.

wargrimnir
Head Game Master
Posts: 8280

Re: Malware Detection - Update

Post#2 » Tue May 26, 2020 7:10 pm

This is awesome and very much appreciated. Thanks!

Kobra
Suspended
Posts: 128

Re: Malware Detection - Update

Post#3 » Tue May 26, 2020 11:18 pm

I've submitted it to several honeypots and analysis engines to try and get it whitelisted. Depending on the company, I can get it whitelisted permanently. However, once the hash changes again it sometimes gets re-flagged.

It seems to be triggered, depending on the product, with either the heuristics or AI/ML engines. Beast/Deepray for GDATA, Cylance, Crowdstrike, Sentinel, McAfee (Artemis) and others tag it with their AI/ML. For a heuristic hit it will usually show as a .GEN detection.

One of the main culprits is Avira and anything that uses the AVIRA engine/API (F-Secure, GData, Avira, and others all detect it as Trojan.TR/Kryptik.eamji). I've sent the file over to some contacts at AVIRA to get it whitelisted. Companies use systems like YARA to automatically classify malware, and things like ROR can slip through the cracks until someone in the lab gets their hands on it.

Current hash is 469307e48a1219f88c179cf5bc89466b9f5eccea13071a1b670eae9dfce8374f

23% of Antivirus Software detect this hash as malware.
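The re-flagging described in Post #3 follows from allowlisting by file hash: any rebuild of the launcher produces a new SHA-256 that no vendor has vetted. The sketch below is an added example, not part of the original post or the RoR project's code; `ALLOWLIST`, `sha256_stream` and `triage` are hypothetical names, and the sample file contents are constructed stand-ins.

```python
import hashlib
import io
import os

# Hash quoted in Post #3 for the launcher build current at that time.
ALLOWLIST = {
    "rorlauncher.exe": {
        "469307e48a1219f88c179cf5bc89466b9f5eccea13071a1b670eae9dfce8374f",
    },
}

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so large executables are not loaded whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def triage(name, stream, allowlist=ALLOWLIST):
    """Classify a file against a hash-pinned allowlist.

    'allowlisted': name and SHA-256 both match a vetted build
    'changed':     known name, new hash; vet and resubmit before trusting
    'unknown':     this file name was never vetted
    """
    file_hash = sha256_stream(stream)
    known = allowlist.get(name.lower())
    if known is None:
        return "unknown", file_hash
    if file_hash in known:
        return "allowlisted", file_hash
    return "changed", file_hash

def triage_path(path, allowlist=ALLOWLIST):
    """Same check for a file on disk, e.g. one restored from quarantine."""
    with open(path, "rb") as fh:
        return triage(os.path.basename(path), fh, allowlist)

if __name__ == "__main__":
    # Constructed stand-ins for two launcher builds; not the real binary.
    build_a = b"MZ constructed launcher build A"
    build_b = b"MZ constructed launcher build B"
    demo = {"rorlauncher.exe": {hashlib.sha256(build_a).hexdigest()}}
    for label, data in (("build A", build_a), ("build B", build_b)):
        print(label, triage("RoRLauncher.exe", io.BytesIO(data), demo))
```

A "changed" result is the case where a file-name or folder exclusion would silently trust a binary that nobody has vetted, while a hash-pinned entry forces a fresh review.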

Kobra
Suspended
Posts: 128

Re: Malware Detection - Update

Post#4 » Tue May 26, 2020 11:30 pm

Running RoRLauncher.exe through HA Sandbox, here's the report, which shows us what is flagged as malicious (incorrectly), but these are the triggers.

https://www.hybrid-analysis.com/sample/ ... 27e53db8a3

It's all false positive nonsense. I sent it off to Avira, because their API is used in so many products, this should get it whitelisted. I also had GDATA and Cylance whitelist it, although GDATA said their AI/ML system has no whitelisting, and to move it to log-only on detection for folks that use GDATA.

fatelvis
Posts: 44

Re: Malware Detection - Update

Post#5 » Wed May 27, 2020 2:38 pm

Is there a way to recover the quarantined files? When I started the PC yesterday the launcher was missing and the Updater file had an issue with accessing the files (see error down below).
If there's no way to recover the launcher, what would be the best way to fix the problem?
Re-downloading the torrent and patching it up again? Is there a way to prevent future quarantines?
I'm using Avira and got the Windows-security-thing running.

Error Downloading updater:
System.UnauthorizedAccessException: Der Zugriff auf den Pfad "C:\Users\derp\Desktop\Warhammer Online - Age of Reckoning\RoRLauncher.exe" wurde verweigert. (has been denied)
bei System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
bei System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
bei System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
bei RoRUpdater.MainWindow.c7L3Zl71wSqG8TOaIO(Object , FileMode , FileAccess )
bei RoRUpdater.MainWindow.tYB114Sxk(Object , DownloadDataCompletedEventArgs )

Kobra
Suspended
Posts: 128

Re: Malware Detection - Update

Post#6 » Wed May 27, 2020 6:52 pm

You will need to go to the AVIRA Quarantine and remove them. Also, you should add the entire RoR folder to the Avira Whitelist.

https://support.avira.com/hc/en-us/arti ... uarantine-

https://support.avira.com/hc/en-us/arti ... -scanning-

However, Avira just gave me word they have whitelisted RoR files.

The analysis you requested is now complete:
File Result
RoRLauncher.exe Clean
RoRUpdater.exe Clean

Stay safe,
Your Avira Virus Lab team
