MarmadukePattle Posted March 20, 2023 Had to delete the whole game folder and all contents as it won't download the last bit due to this virus. Not sure how to contact the Devs.
1CGS LukeFF Posted March 20, 2023 It's a False Positive like it practically always is with this sort of thing.
Strewth Posted March 20, 2023 Just remember: there was a certain software developer that was renowned for viruses and "a cure" for a price. In more ways than one.
jollyjack Posted March 20, 2023 (edited) I use paid Avast now (and TinyWall 3), disabled Defender and its firewall .. fewer issues. Here's how to spank and correct your Windows Defender: https://www.windowscentral.com/software-apps/windows-11/windows-defender-is-reporting-a-false-positive-threat-behaviorwin32hivezy-its-nothing-to-be-worried-about Edited March 20, 2023 by jollyjack
MarmadukePattle (Author) Posted March 20, 2023 (edited) I don't think this is the same virus you're talking about. It's this one. This virus came when I was reinstalling the game from the official IL2 download site. Happened twice, so I have not downloaded my games. Not happy. Is Trojan script Wacatac B ML a virus? Wacatac.B!ml, also called Win32/Wacatac virus, is classified as a Trojan virus as it conceals its true nature under a harmless-looking file, program, link, etc., just like other Trojan Horse viruses. However, it mainly targets banking credentials and is designed for phishing purposes. Edited March 21, 2023 by MarmadukePattle
IckyATLAS Posted March 20, 2023 I will think twice before downloading a new update.
MAJ_Boatswain Posted March 21, 2023 Verified upon my download as well. Trojan:Win32/AgentTesla!ml file: E:\IL-2 Sturmovik Great Battles\updates\22-12-28\copies\22-12-28_data_Camo4.gtp.packed Quarantined and "Update Failed." Perhaps they should see to that...
Alexenyanna Posted March 21, 2023 Got this warning while installing through the installer from the website.
jollyjack Posted March 21, 2023 (edited) I think that file is harmless. Where did you get the download from? If you disable the updates folder, IL-2 refreshes. Make the usual important backups first! PS: It seems that Defender is buggy since some recent Windows update; maybe update Windows? I have Defender off and replaced by Avast, and use TinyWall 3 instead of Defender's firewall. Edited March 21, 2023 by jollyjack
MAJ_Boatswain Posted March 21, 2023 (edited) Windows picks it up because it is not harmless: Agent Tesla is an extremely popular spyware Trojan written for the .NET framework that has been observed since 2014 with many iterations since then. It is used to steal sensitive information from a victim's device such as user credentials, keystrokes, clipboard data, credentials from browsers, and other information. What Is Agent Tesla Spyware and How Does It Work? - Datto www.datto.com/blog/what-is-agent-tesla-spyware-and-how-does-it-work Edited March 21, 2023 by MAJBoatswain
AEthelraedUnraed Posted March 21, 2023 (edited) 19 hours ago, MarmadukePattle said: I don't think this is the same virus you're talking about. It's this one. This virus came when I was reinstalling the game from the official IL2 download site. Happened twice, so I have not downloaded my games. Not happy. Is Trojan script Wacatac B ML a virus? Wacatac.B!ml, also called Win32/Wacatac virus, is classified as a Trojan virus as it conceals its true nature under a harmless-looking file, program, link, etc., just like other Trojan Horse viruses. However, it mainly targets banking credentials and is designed for phishing purposes.

Nope, it's not the same "virus" but that's not what jollyjack is trying to say. His point is that it's likely not a virus at all.

A virus scanner works (at least, part of what it does) by scanning a file against a list of certain characteristic chunks of bytes of known viruses, also called "virus signatures". This is byte code, so may look like something like "08fa7bf17a048fa7". This is the compiled (and possibly obfuscated or encrypted) code of the virus and if executed together with the rest of the virus code, would do something malicious. Now, since it's basically just an array of bytes, sometimes as short as 16, any process generating large amounts of data has a chance to generate the same sequence by accident. These files will then - incorrectly - get flagged as a virus by virus scanners. Because of their nature, large, compressed files like those downloaded by the IL2 installer/updater are especially at risk of this. When this happens, it doesn't have any implications for the safety of the file. Even if you'd execute the bytecode - which you aren't - it's missing the rest of the "virus code" and as such is completely harmless by itself. Odds are that this too is a so-called "false positive".

If you're unsure, scan the file with a few different virus scanners - because virus scanners have different ways of recognising viruses as well as different signatures, it's likely that another virus scanner will not flag the file as a virus. In our corporate environment, I once encountered a file related to some lab equipment software of which 7 out of 25-ish virus scanners flagged its signature as a virus. Although we cleaned up the PC just to be sure, my money is on the file being a false positive after all.

TL;DR: don't get scared, it's likely a false positive. If you're unsure, test with a different virus scanner (e.g. the free version of AVG). If the other virus scanner doesn't recognise the file as a virus, it's probably safe and you can create an exception in Windows Defender. Edited March 21, 2023 by AEthelraedUnraed
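The scanner model the post above describes, as an added example that is not code from the thread, from 1C Game Studios or from any antivirus vendor: a literal byte-signature scanner run over a constructed blob standing in for a large packed asset, plus the arithmetic for how often one specific pattern turns up by chance in a file of uniformly random bytes. The signature names and patterns are made up for this example; the 8-byte hex string is the one quoted in the post.

```python
"""Toy literal-signature scanner and the arithmetic behind chance matches.
Added example, not code from the thread or from 1C Game Studios."""
import os

# Constructed toy signatures (made up here; not real antivirus signatures).
# Toy.Marker.A is the 8-byte hex string quoted in the post above.
SIGNATURES = {
    "Toy.Marker.A": bytes.fromhex("08fa7bf17a048fa7"),
    "Toy.Marker.B": bytes(range(0xA0, 0xB0)),  # 16 bytes, a0..af
}


def scan(data: bytes, signatures=SIGNATURES):
    """Return [(signature_name, offset), ...] for every literal occurrence.

    This is the naive model of signature matching the post describes: the
    scanner does not know whether the bytes are code or data, it only checks
    whether the pattern occurs anywhere in the file.
    """
    hits = []
    for name, pattern in signatures.items():
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda hit: hit[1])


def expected_chance_matches(file_size: int, sig_len: int) -> float:
    """Expected number of offsets at which a file of uniformly random bytes
    equals one specific sig_len-byte pattern.  Each offset matches with
    probability 256**-sig_len and there are file_size - sig_len + 1 offsets."""
    offsets = max(file_size - sig_len + 1, 0)
    return offsets / 256 ** sig_len


def build_sample(payload_offset: int = 4096, size: int = 1 << 20) -> bytes:
    """Constructed 1 MiB blob of random bytes with Toy.Marker.A planted at
    payload_offset, standing in for a packed asset that happens to contain
    the bytes some scanner keys on."""
    blob = bytearray(os.urandom(size))
    marker = SIGNATURES["Toy.Marker.A"]
    blob[payload_offset:payload_offset + len(marker)] = marker
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample()
    print("hits in constructed sample:", scan(sample))
    one_gib = 1 << 30
    print("expected chance matches for one pattern in a 1 GiB random file:")
    for n in (2, 4, 8, 16):
        print(f"  {n:2d}-byte pattern: {expected_chance_matches(one_gib, n):.3g}")
```

The table the script prints shows the chance of an accidental hit falling off exponentially with pattern length: a 2-byte pattern is expected thousands of times in a gigabyte of random data, a 4-byte one about once in four such files, and a 16-byte one essentially never. That is one reason products also rely on heuristic and machine-learning verdicts (Microsoft marks those with the "!ml" suffix that appears in the detection names in this thread) rather than on exact byte strings alone, and why comparing verdicts from engines with independent detection logic, as the post suggests, is the practical check.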
Alexenyanna Posted March 21, 2023 jollyjack, I got the installer from the official page, but yeah, it is a false positive. Do I need the update folder?
Dudok1212 Posted March 21, 2023 I too downloaded the game from the official Il-2 site yesterday and received the same warning on the Tesla Trojan from MS Defender. The explanation from AEthelraedUnraed sounds plausible. I would be encouraged to ignore Defender on the Tesla Trojan warning if others have tested the same file and reported no issues. Apologies for being careful re. Trojans.
MAJ_Boatswain Posted March 21, 2023 If this is a false positive, why is it staying in my system after I delete the IL2 folders, and why has it never appeared before? Also - why are there sequences that do resemble it? From what I know, it isn't just one string, but several in context with one another, that create warnings. Otherwise you'd have false positives all over the place. I'd like to hear from an actual developer, whether or not this is something to allow. I've had information stolen before, and given that most of the viruses I see come from that half of the world, I need some more official assurances before allowing that on my system. If I have part of a code that gets a virus, but not all of it, would it not also be a danger that the rest of that code could be slipped in later without pinging the system, to activate it now that you've allowed it? Seems like a liability to have any of it as an exception. I play a lot of games and have never had my system throw alerts out, and have never had to issue an exception. What makes this different?
AEthelraedUnraed Posted March 22, 2023 (edited) That's a lot of questions. Let's address them one at a time.

14 hours ago, MAJBoatswain said: If this is false positive, why is it staying in my system after I delete the IL2 folders

Likely because Defender has "frozen" the file.

14 hours ago, MAJBoatswain said: why has it never appeared before?

These files get re-generated each update. If you add or modify some data, which updates tend to do, the resulting binary data can be quite different after compression (note that compression and encryption are very much related in the field of Information Theory - a minor change in the uncompressed file can lead to major changes in the compressed file).

14 hours ago, MAJBoatswain said: Also - why are there sequences that do resemble it?

You know the saying that if you give a million monkeys a typewriter and enough time, eventually one of them ends up writing Shakespeare by accident? If you randomly generate enough data, eventually you'll end up with certain sequences such as this virus signature. EDIT: It just occurred to me that the underlying question might be "why does this file contain code". It doesn't. There's really no difference between data and code - both are just ones and zeros. For example, the image below looks like an abstract painting, but does in fact contain code. It all depends on what you do with the data; the bytes themselves aren't any different.

14 hours ago, MAJBoatswain said: From what I know, it isn't just one string, but several in context with one another, that create warnings.

It could be as little as one string. Anyhow, probability-wise it doesn't make a difference - in fact, the probability of a couple of short sequences turning up is many times larger than that of one larger sequence.

14 hours ago, MAJBoatswain said: Otherwise you'd have false positives all over the place.

Actually, you do have false positives "all over the place". They're not a rare occurrence at all.

14 hours ago, MAJBoatswain said: If I have part of a code that gets a virus

"Part of a code" is really a wrong way of putting it (even though I kinda said such a thing above). It's just a couple of bytes out of at least several thousand. Translated into human language, the bytecode could be something like "add 1 to the result of the previous function". Or it could be embedded data instead of code, e.g. part of a path where the virus tries to write something. In both cases it's *completely* harmless.

14 hours ago, MAJBoatswain said: would it not also be a danger that the rest of that code could be slipped in later without pinging the system, to activate it now that you've allowed it?

Nope. As said, it's just a couple of bytes. Assembling a virus by inserting a couple of bytes at a time into a huge file would be a really stupid way of spreading a virus - especially since any of the thousands of necessary steps is at risk of being picked up by a virus scanner.

14 hours ago, MAJBoatswain said: Seems like a liability to have any of it as an exception.

Again, "any of it" is not really correct. If you are sure it's a false positive, the risks of creating an exception are minuscule, really.

14 hours ago, MAJBoatswain said: I play a lot of games and have never had my system throw alerts out, and have never had to issue an exception. What makes this different?

The difference is that you were lucky with those other games.

14 hours ago, MAJBoatswain said: I'd like to hear from an actual developer, whether or not this is something to allow. I've had information stolen before, and given that most of the viruses I see come from that half of the world, I need some more official assurances before allowing that on my system.

You're right to be careful. However, did you download the file from either the official site or Steam? If so, the Developers won't tell you anything different than I. They likely don't use the same virus scanner and/or virus definitions as you, so they likely won't be able to directly verify whether or not this is a false positive. Honestly, a false positive is not *that* rare an occurrence. Just test with a different virus scanner - if that doesn't detect the supposed "virus," you're fine really. Edited March 22, 2023 by AEthelraedUnraed
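The compression point made in the post above (a small change in the uncompressed data reshuffling much of the compressed output, which is why a file that was clean at one update can trip a scanner at the next, and why any hash-based allowlist has to be per version), shown as an added example that is not code from the thread or from 1C Game Studios. It uses zlib on a constructed, highly compressible stand-in for a game asset; the game's own .packed format is not assumed to be zlib.

```python
"""Why a one-byte change in an asset can rewrite most of its compressed form.
Added example (not the thread's or 1C's code); zlib stands in for whatever
the game's packed asset format actually uses."""
import zlib


def byte_differences(a: bytes, b: bytes) -> int:
    """Number of positions where a and b differ, plus any length mismatch."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def compressed_change(original: bytes, modified: bytes, level: int = 9) -> dict:
    """Compress both inputs and report how different the outputs are."""
    c_orig = zlib.compress(original, level)
    c_mod = zlib.compress(modified, level)
    return {
        "input_diff": byte_differences(original, modified),
        "compressed_len_original": len(c_orig),
        "compressed_len_modified": len(c_mod),
        "compressed_diff": byte_differences(c_orig, c_mod),
    }


def make_asset(line: bytes = b"The quick brown fox jumps over the lazy dog. ",
               repeats: int = 200) -> bytes:
    """Constructed stand-in for a compressible asset (repetitive content
    compresses well, so the encoder leans heavily on back-references)."""
    return line * repeats


def flip_one_byte(data: bytes, offset: int) -> bytes:
    """Copy of data with the byte at offset replaced by a different value,
    the way a one-byte edit in an update would alter the uncompressed asset."""
    mutated = bytearray(data)
    mutated[offset] = (mutated[offset] + 1) % 256
    return bytes(mutated)


def demo_report() -> dict:
    """Change a single byte in the middle of the asset and compare outputs."""
    asset = make_asset()
    patched = flip_one_byte(asset, len(asset) // 2)
    return compressed_change(asset, patched)


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

The one-byte edit breaks a long back-reference in the middle of the stream, so every compressed byte from that point on is re-encoded, and because the Huffman tables are built from the whole block's symbol counts, the header and earlier codes usually change as well. The same reasoning applies to any scanner signature that happened to sit inside the old compressed bytes: it can vanish, or appear, between two versions of the same asset.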
jollyjack Posted March 22, 2023 (edited) 13 hours ago, Alexenyanna said: jollyjack, I got the installer from the official page, but yeah, it is a false positive. Do I need the update folder? Not if you got it fixed. For the die-hard Defender fans: more control with this tool? https://www.sordum.org/downloads/?st-defender-control ?? BTW it's the updates folder, not to be confused with the updater folder. Let that be. Edited March 22, 2023 by jollyjack
IckyATLAS Posted March 22, 2023 Where are the servers that hold the IL2 website IL2sturmovik.com located? I think IL2 Devs should pay a lot of attention to this issue and solve it very, very quickly. The geopolitical situation makes it that, like for banks, a bank run that is fueled by mistrust can bring down the largest bank; the same if there is a similar situation here that may scare away people. IL2 must stay safe and secure, so devs, that is up to you.
jollyjack Posted March 22, 2023 56 minutes ago, AEthelraedUnraed said: Honestly, a false positive is not *that* rare an occurrence. Just test with a different virus scanner - if that doesn't detect the supposed "virus," you're fine really. You could check a file on https://www.virustotal.com/gui/home/upload
AEthelraedUnraed Posted March 22, 2023 4 hours ago, IckyATLAS said: Where are the servers that hold the IL2 website IL2sturmovik.com located? The Amazon.com, Inc. servers in Dublin, Ireland. 3 hours ago, IckyATLAS said: IL2 must stay safe and secure so devs that is up to you. What exactly is not "safe and secure" right now? 3 hours ago, jollyjack said: You could check a file on https://www.virustotal.com/gui/home/upload Good one! I've used that tool in the past to dive a bit more in-depth into suspected viruses. Although I'm not sure if it supports files as large as those downloaded by IL2.
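The file-size question raised above has a practical workaround: VirusTotal reports can be looked up by hash, so a multi-gigabyte installer never has to be uploaded at all (only a file VirusTotal has never seen comes back unknown and would need an upload). The following is an added example, not code from the thread, from 1C Game Studios or from VirusTotal: it streams a file through SHA-256 with flat memory use, builds the browser URL for the existing report, and optionally queries the v3 API, which needs a VirusTotal API key (assumed here to be in the VT_API_KEY environment variable) and network access. The constructed byte string used when no path is given is just a stand-in so the script runs offline.

```python
"""Check a large download against VirusTotal by hash instead of uploading it.
Added example (not the thread's, 1C's or VirusTotal's code)."""
import hashlib
import io
import json
import os
import sys
import urllib.error
import urllib.request

# VirusTotal's public report URL and v3 API endpoint, both keyed by file hash.
VT_GUI_FILE = "https://www.virustotal.com/gui/file/{}"
VT_API_FILE = "https://www.virustotal.com/api/v3/files/{}"


def sha256_stream(fileobj, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a binary stream, read chunk_size bytes at a time so a
    multi-gigabyte installer never has to fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_bytes(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Same digest for an in-memory byte string (used for the offline demo)."""
    return sha256_stream(io.BytesIO(data), chunk_size)


def sha256_file(path: str) -> str:
    with open(path, "rb") as fh:
        return sha256_stream(fh)


def lookup_url(digest: str) -> str:
    """Browser URL of VirusTotal's existing report for this hash; nothing but
    the digest leaves your machine when you open it."""
    return VT_GUI_FILE.format(digest.lower())


def lookup_api(digest: str, api_key: str):
    """Fetch the per-engine verdict counts for an already-known file via the
    v3 API (requires a key and network).  Returns None when VirusTotal has
    never seen the hash, which is the only case that would need an upload."""
    req = urllib.request.Request(VT_API_FILE.format(digest.lower()),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    return body["data"]["attributes"]["last_analysis_stats"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        digest = sha256_file(sys.argv[1])
    else:
        # Constructed stand-in input so the script runs without a real file.
        digest = sha256_bytes(b"constructed sample bytes, not a real installer")
    print("sha256:", digest)
    print("report:", lookup_url(digest))
    api_key = os.environ.get("VT_API_KEY")
    if api_key and len(sys.argv) > 1:
        print("verdicts:", lookup_api(digest, api_key))
```

Because the packed asset files are regenerated with each update, the hash of the flagged file differs from one version to the next; comparing the digest with what other users on the same update report is the quick way to confirm everyone is looking at the same bytes before reading too much into a single engine's verdict.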
MAJ_Boatswain Posted March 22, 2023 (edited) False positives do occur - yes. I would not say they happen 'all the time.' Again, I've had likely close to several hundred games downloaded from Steam and developer sites in the last decade, I've never had a false positive on a single one. That includes IL-2 - which I downloaded directly from their website, not Steam. (Coincidentally the Steam installer seems not to have a problem, indicating this string is only present in the direct-site download, which I find more concerning.) I've also scanned with Avast, AVG, Malwarebytes, Defender and BitDefender, and all of them caught it. Finally, I've scanned a downloader from IL-2 that was an old, cached copy from a few months ago - it was clean. What changed here? And why did it not appear for Steam? At this stage, I do not think it is unreasonable for a developer to go on record for the error, to clear the air whether it is a false result or not. While you could be correct, and it could be false, there are too many factors lining up here for me to risk losing my credit information again. Once bitten, twice shy, as they say. Edited March 22, 2023 by MAJBoatswain
simfan2015 Posted March 22, 2023 23 minutes ago, MAJBoatswain said: I've also scanned with Avast, AVG, Malwarebytes, Defender and BitDefender, and all of them caught it. That makes it hard to be a False Positive! IMHO they should -indeed- investigate this asap. Websites get hacked all the time. It is in a *packed file, so maybe this is a false positive, but it is strange they did not ever try to install GB themselves because ... it would come up immediately on their PCs, unless they don't use any virus scanner!??? Even more strange ... AFAIK there was no new update ... why does this come up now?
AEthelraedUnraed Posted March 22, 2023 18 minutes ago, MAJBoatswain said: False positives do occur - yes. I would not say they happen 'all the time.' Again, I've had likely close to several hundred games downloaded from Steam and developer sites in the last decade, I've never had a false positive on a single one. I didn't mean "all the time" as saying that it happens a lot per user. As a normal user, it's indeed pretty rare to encounter them. But in the grand scheme of ICT, they are very common. It seems https://www.av-comparatives.org/tests/malware-protection-test-september-2022/ tests 200 samples (although it isn't completely clear), which means that for most virus scanners, around 2 to 3 percent of all virus alerts are false positives. With Windows Defender it's even a staggering 10%! 31 minutes ago, MAJBoatswain said: That includes IL-2 - which I downloaded directly from their website, not Steam. (Coincidentally the Steam installer seems not to have a problem, indicating this string is only present in the direct-site download, which I find more concerning.) [...] And why did it not appear for Steam? Steam has a completely different download system with different files, so that's not strange at all. 32 minutes ago, MAJBoatswain said: Finally, I've scanned a downloader from IL-2 that was an old, cached copy from a few months ago - it was clean. What changed here? Might be anything that got updated in the game since you downloaded that cached copy, really. Because of how compression algorithms work, a tiny change in the uncompressed file can cause relatively major changes in the compressed file. 7 minutes ago, simfan2015 said: That makes it hard to be a False Positive! Nope, not at all. If all of those virus scanners have the same signature for this virus, then it makes complete sense that they'd all detect it. However, if so many different virus scanners pick this up, it is something that the Devs would need to take a look at @Regingrave. Even if it's a false positive (which my money is still on), it's an issue if many people cannot install IL2.
IckyATLAS Posted March 22, 2023 (edited) 2 hours ago, AEthelraedUnraed said: What exactly is not "safe and secure" right now? I see different opinions here. Not having had this issue I cannot judge. However, it has been mentioned in the posts above that this virus would scan passwords, personal data etc. Maybe all this is a wrong interpretation or a misunderstanding. Fine, but in such an unclear situation the precautionary principle says that until this possible issue is resolved/clarified, you should not update for the time being even if there is a new update available. If this danger is true then risking having such a virus downloaded from the website during an update means, at least for me, that the website is not safe and secure. Edited March 22, 2023 by IckyATLAS
TargetGT Posted March 22, 2023 Yesterday on 3/21 I was trying to download the installer and got that same Agent Tesla warning, and the download failed. The file was quarantined. Today I tried it again and everything worked fine and I was able to play the game. I did not make any changes to my system.
Dudok1212 Posted March 22, 2023 Similar to TargetGT, I tried again today to download the game client of the game I bought 2 days ago. No Agent Tesla warning this time, so the issue has been fixed. Big thanks to the developers and you guys on the forum. I can now start the game and am admiring an Il-2. Hopefully I can get to settings etc. and start flying...
MarmadukePattle (Author) Posted March 23, 2023 I did not get the Agent Tesla warning. My original post was about a completely different virus.
jollyjack Posted March 23, 2023 (edited) For all you Defender fans: you can mark the whole IL2 URL site as white-listed and safe somewhere, maybe easier with the tool above. I don't have Defender running now, but I tuned it before ... Edited March 23, 2023 by jollyjack
simfan2015 Posted March 23, 2023 It is not up to the customers to solve this, but why can't 1C simply change that so-called false positive!? I would think this kind of issue should be an instant cause for alarm in any company!
AEthelraedUnraed Posted March 25, 2023 On 3/23/2023 at 4:39 AM, MarmadukePattle said: I did not get the Agent Tesla warning. My original post was about a completely different virus.

Nope - please read the answers well. It doesn't matter what virus your software shows, the answers are equally valid for any of them.

On 3/22/2023 at 5:27 PM, IckyATLAS said: I see different opinions here.

Erm, not really. I only see people saying that it's a false positive, and those saying that their virus scanner detected some kind of issue, which is a given and has little to do with opinion.

On 3/22/2023 at 5:27 PM, IckyATLAS said: means at least for me that the website is not safe and secure.

That still supposes it is in fact a virus, while most likely it's not. A false positive doesn't have any implications on the security of the site whatsoever.

On 3/23/2023 at 10:00 AM, simfan2015 said: It is not up to the customers to solve this, but why can't 1C simply change that so-called false positive!? I would think this kind of issue should be an instant cause for alarm in any company!

This is not something you can "simply change" in the blink of an eye. Solving things like this will take many hours, if not days, and likely requires actively engaging with multiple third parties (i.e. the virus scanner companies). Judging from Dudok1212's post, they have already fixed it for at least one virus scanner vendor, but depending on the support from other vendors, this may take much longer for others - if it ever gets fixed at all. Provided of course that it is indeed a false positive, it's got me puzzled how any of this can be blamed on the developers as it's the virus scanners that are at fault. You pay them to tell you if a certain file is a virus or not, so whenever they've got it wrong, it's them who don't do their job well and it's them you should blame.

If it were my PC, I'd just go ahead - even *if* the data does contain a virus, there's no obvious way to run it - you cannot simply run a 1GB file containing mostly data; without going into detail, PCs just do not work that way, period. I could keep a million viruses on my computer and open those files as much as I want, but unless I specifically execute them it won't do any harm whatsoever. If this thing were really a virus, it would need some sort of secondary virus to run it in the first place.

Thinking a bit more about this problem, assuming this is a virus, we've got some malicious hacker that *at the very least* must have succeeded in tackling at least the following problems:
- Hacked into the IL2 file servers.
- Found a way to insert a virus into the compressed/encrypted data files *without* breaking the validity of the files and/or certain file hashes that are likely used.
- Created a secondary virus that runs this code after the file got downloaded but before it's removed after the update.
- Found a way to put this secondary virus on your PC.
- Succeeded in hiding this secondary virus from your virus scanner.

What are the odds of that, really? Anyone who wants to respond to that may want to read the Wikipedia page on Occam's razor first.
RossMarBow Posted April 6, 2023 (edited) Considering the number of supply chain attacks, I would not say it's a false positive straight away. And from a basic programming viewpoint I have no idea why a compressed art asset package the installer has downloaded has a script inside it that downloads more assets. Shouldn't the installer be handling all the update scripts? https://www.theregister.com/2023/04/03/3cx_false_positive_supply_chain_attack/ But like AEthelraedUnraed said, there are only so many ways to write code. If a virus executes a script to download code and you block every piece of code that does that, how would you update/install normal programs? So now you allow activity that could be malicious, and now you have a vulnerability. Personally, I wouldn't be doing anything too important on a Windows gaming PC anyway. Windows has the gates open by design. And considering the massive chain of dependencies a Windows gaming PC needs, your surface area for attacks is huge. Edited April 6, 2023 by RossMarBow