Kaspersky keeps finding a trojan in the .exe file

[WCG]

Is no one else having a problem with Kaspersky Anti-Virus identifying DistantWorlds.exe as malware? I did a search here, but I'm not finding any posts about that, and it's been going on for some time.

I'd stopped playing for awhile this summer, when Kaspersky first decided that DistantWorlds.exe was a Trojan, and then I'm sorry to say that I forgot about it (busy with other stuff). But I wanted to get back into the game now, so I updated to the latest version of Shadows, and Kaspersky is still identifying the file as malware.

I can't restore the file without Kaspersky immediately deleting it again, so I can't send it to Kaspersky as a suspected false positive. I did report it, but since I can't send them the file itself, I don't seem to be getting anywhere.

But is it just me? As I say, I'm really surprised that no one else seems to have this problem. But either way, maybe Matrix Games should check with Kaspersky about this. Even if I'm the only gamer who uses Kaspersky, that might not last forever.

Bill

[Deathball]

Its a known issue that the last two patches are marked as false positive by many anti-viruses. If you open Kaspersky and go to settings, there is a checkmark to disable auto-delete of infected files. You can also add your DW folder to the list of exceptions, Matrix even provided a guide.

Edit: Link to the guide: http://www.slitherine.com/forum/viewtop ... 34&t=45519
Also Google says Kaspersky are already working on an update.

[RockKahn]

My Avast antivirus kept quarantining distantworlds.exe a few months ago. I had to shut avast off, start distant worlds, then start avast again. Avast had a link to inform them that the file was actually ok. Since the next avast virus database update the next day, I haven't had any problems.

[aaatoysandmore]

so now you are starting to disbelieve your anti-virus software over a games .exe? If they make you start believing that stuff they can start to put anything in the .exe's If my antivirus ever says any game's .exe is bad that game is outta here.

[Lecivius]

ORIGINAL: aaatoysandmore

so now you are starting to disbelieve your anti-virus software over a games .exe? If they make you start believing that stuff they can start to put anything in the .exe's If my antivirus ever says any game's .exe is bad that game is outta here.

Then you must not play a lot, or do a lot, with your PC. Virus software is a tool, no more. Many have dictated games as trojans just because the certificate on the DL file is not current, a naming fault, or any one of dozens of other possibilities. Just being on the internet leaves you open. You will get infected if you surf enough, it is inevitable. It's what you do to limit your exposure, and what to do to recover from infection, that counts.

[Kayoz]

ORIGINAL: aaatoysandmore

so now you are starting to disbelieve your anti-virus software over a games .exe? If they make you start believing that stuff they can start to put anything in the .exe's If my antivirus ever says any game's .exe is bad that game is outta here.

You really need to read a bit and understand what the AV engine does. As Lecivius noted, it could be any number of reasons - but one he missed is a simple binary comparison for a block of data in the file. I've seen JPEGs which triggered false positives... and I've never heard of JPEGs carrying a live virus (steganography aside).

To be honest, if a vendor wanted to slip a virus into it's product, you wouldn't detect it if it were written by a programmer who could code his way out of a wet paper bag. Yes, you're vulnerable - but doing so would be nothing short of suicide for any software vendor.

If you're -STILL- paranoid, check out virustotal.com or similar sites. If it's dinging bells with multiple AV engines, then you should look into it further. If it's only one, then chances are it's a false positive.

[Canute0]

Look a Anti-virus tool look for pattern of known threats at the code. But since the threats changed weekly their code, the AV-tools rarely find a 100% match. Thats why they put a possible threat into quarantäne. So you can decide if you want keep or delete the file.

But no pattern search is perfect. Example the german word "weniger" means lesser. Serveral forums mark this word as bad word because of the "niger". But does it means this word is realy bad ?

[Kayoz]

ORIGINAL: Canute

Look a Anti-virus tool look for pattern of known threats at the code. But since the threats changed weekly their code, the AV-tools rarely find a 100% match. Thats why they put a possible threat into quarantäne. So you can decide if you want keep or delete the file.

There's a binary comparison - like testing for Eicar, or heuristic testing where it looks for dodgy behaviour - messing with the MBR or altering operating system files. It's actually pretty fascinating stuff that engine bods do.

http://en.wikipedia.org/wiki/Heuristic_analysis

ORIGINAL: Canute
But no pattern search is perfect.

Binary comparison isn't reliable. It's too easy to pack/encrypt executable code or otherwise hide it. Most engines have some sort of heuristic testing.

ORIGINAL: Canute
Example the german word "weniger" means lesser. Serveral forums mark this word as bad word because of the "niger". But does it means this word is realy bad ?

It's a racist derogatory term used for people of African descent. Though the etymology is completely different, some people get upset when the term "niggardly" is used. Just goes to show how political correctness overlaps so much with ignorance.

That sort of testing is like the binary comparison. It looks for specific black-listed strings in posts. That's why people will purposefully misspell words so they can post profanity on the forums.

[WCG]

Thanks for the replies. I don't feel comfortable with excluding any folder from my anti-virus software. Maybe I'm paranoid, but I've never had a problem with malware, and I don't want to start now. Still, I'm comfortable enough that DistantWorlds.exe isn't a trojan.

I would think, however, that this would be a big deal - a very big deal - for Matrix Games. So I was shocked that I couldn't find a post on the forum about it, when I searched. Still, maybe my search wasn't up to snuff, huh?

But, clearly, this is a known problem, and it's good to know that Kaspersky is working on a solution. (I haven't heard back from them myself.)

Thanks again for the replies!

Bill

[Tophat1815]

ORIGINAL: WCG

Thanks for the replies. I don't feel comfortable with excluding any folder from my anti-virus software. Maybe I'm paranoid, but I've never had a problem with malware, and I don't want to start now. Still, I'm comfortable enough that DistantWorlds.exe isn't a trojan.

I would think, however, that this would be a big deal - a very big deal - for Matrix Games. So I was shocked that I couldn't find a post on the forum about it, when I searched. Still, maybe my search wasn't up to snuff, huh?

But, clearly, this is a known problem, and it's good to know that Kaspersky is working on a solution. (I haven't heard back from them myself.)

Thanks again for the replies!

Bill

Edit: Link to the guide: http://www.slitherine.com/forum/viewtop ... 34&t=45519
Also Google says Kaspersky are already working on an update.

Don't understand what you mean when matrix did address this issue.

Edit: Link to the guide: http://www.slitherine.com/forum/viewtop ... 34&t=45519
Also Google says Kaspersky are already working on an update.

So you must have missed it with your search and review of this thread. Have a good holiday and checkout the latest patch for Shadows if you get a chance.

[WCG]

ORIGINAL: Tophat1812
Don't understand what you mean when matrix did address this issue.

I just meant that nothing came up when I searched the forum here.

Bill

[sventhebold]

Yes my game has also been sabotaged by Kaspersky and still does not work right.
Yes I changed the Kaspersky to standby. And it works now.
I hope they can straighten this out.

[WCG]

ORIGINAL: sventhebold

Yes my game has also been sabotaged by Kaspersky and still does not work right.

I went into the general protection settings of Kaspersky Anti-Virus and unchecked "Select action automatically." Then, when I restored DistantWorlds.exe, Kaspersky just warned me about it, so I could go ahead and play the game. (And I haven't had that warning again, not so far.)

Maybe that will work for you?

Good luck,

Bill

[CyclopsSlayer]

I had this problem as well with ZoneAlarm, which uses Kaspersky code.
You need to mark DW's exe as an exception to the scan.

Follow the instructions here, should be similar for Kaspersky; http://www.matrixgames.com/forums/fb.asp?m=3501220
1 Choose 'Computer' view details
2 In 'Anti-virus & Anti-spyware' select 'Settings'
3 At the lower right select 'Advanced Settings'
4 From the list on the left of new dialogue box choose 'Exceptions'
5 Then click 'Add' on the lower right
6 Click 'Browse' in the next dialogue box
7 In the file locator window find your offending DW file and select it - then click 'Open'

Your DW file should now be excluded from checks by ZoneAlarm

Edit: The offending file for me was the downloaded zip file: DistantWorldsShadows-update19012.zip

Edit2: If the file is 'quarantined' then you need to 'restore' it from that area. After you have done so, follow instructions from 1 above.

[Hotschi]

Has Kaspersky already resolved this issue? I am a new user of Kaspersky and don't want to fiddle too much with it. This whole thing of them is holding me off from purchasing the Shadows expansion.

[Hotschi]

It's disappointing to see that after 8 days, no one bothers to answer. [:(]

Well, I actually purchased Shadows today - and Kaspersky still marks it as malware.

What I would like to know is, what's matrixgames' policy on this?

There's a guide over at the slitherine forum (btw, it's a "brilliant" solution to create the need to check three different forums on three different homepages to find relevant posts about one and the same game...) dated 21st October 2013 - we now have 5th January 2014, so the problem is an old one and known.

And I don't like the idea of having to create a "exclusion zone"!

Does anyone from matrixgames actually make any pressure on Kaspersky, which marks one of its products as malware, when it isn't?

Or does matrixgames' support end as soon as one hits the "purchase" button...

[Buio]

Only way to get it removed is if Kaspersky users report it as a false positive to Kaspersky.

Somewhat ironic that Kaspersky got 0 false positives in the latest realworld protection test at AV-Comparatives.org.

[bvoid]

Kaspersky is too aggressive and just causes more problems than it solves imo. In work I found it would silently block emulators, without even a warning. This caused much grief...