Antivirus Quarantined cw3.exe due to possible Trojan

Started by DWCW3, August 28, 2019, 09:33:27 AM


DWCW3

I fired up CW3 this morning and went to Colonial Space, then clicked on the 'Forum' link next to an interesting map and the game crashed.  Went to re-launch and discovered that Kaspersky had quarantined the .exe file and shows:


  • Quarantined | unknown object: 110 | PDM:Trojan.Win32.Generic.nblk | c:\program files (x86)\steam\steamapps\common\creeper world 3\cw3.exe | Medium

I'm assuming this is a false positive but wanted to see if anyone else was having a similar issue, or has had this issue in the past. Kaspersky also quarantined my gamesettings.xml file and stated that it was "rolling back changes", but I'm looking at the file in a text editor and can't see anything that doesn't look right. Is it possible for the 'Forum' link to cause any changes to this .xml file that would trigger a threat reaction?

Thank you for your time!

Karsten75

#1
From time to time we have reports of 3rd party, aggressive anti-virus programs flagging or blocking CW3. A primary reason for this is that the game, in the greater scheme of things, is relatively unknown, so the AV writers don't automatically whitelist it.

There are procedures to do this, but those are onerous.

Additionally, we can't aver with absolute certainty that the executable on your computer is not corrupted. We know it is not corrupted in the download repository on knucklecracker.com, and we know that it is not corrupted on Steam. We know, and assert, that it has not been coded to be malicious.

What else can we tell you?

Update: Also, this thought that eluded me yesterday. You didn't download the game between the time that Kaspersky flagged it and the time prior to that that Kaspersky did not flag it, right? And I assume, based on your posting history, that you have had the game for quite some time. If these assumptions are correct, then it is unlikely that the infection came to you via the game - it may be that the executable got infected on your machine, but again, that is not under our control.
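
The point Karsten75 makes above (the copy on knucklecracker.com and on Steam is known good; the copy on the user's disk cannot be vouched for) is exactly what a hash comparison against a trusted manifest settles, and it is the same comparison Steam's own file verification performs. The following is an added example and not Knuckle Cracker code; the file names, contents and manifest hashes are constructed placeholders, and the only real rule it encodes is that the reference hashes must come from a trusted copy, never from the suspect directory itself.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large executable is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_install(install_dir, manifest):
    """Check each manifest entry (file name -> expected SHA-256 hex) against the local copy.

    Returns {name: 'ok' | 'MISMATCH' | 'missing'}.  'missing' is what you see while a
    file is still held in AV quarantine; 'MISMATCH' means the local bytes differ from
    the trusted copy, so the file should be replaced from the trusted source, not kept.
    """
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(install_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_of_file(path) == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Run the check against a throwaway directory with constructed contents (no real game files)."""
    with tempfile.TemporaryDirectory() as install_dir:
        good_exe = b"constructed stand-in for the trusted cw3.exe bytes"
        good_data = b"constructed stand-in for a shipped data file"
        local_files = {
            "cw3.exe": good_exe,                      # identical to the trusted copy
            "tampered.dat": good_data + b"\x90\x90",  # extra bytes: differs from trusted copy
            # "absent.dll" is deliberately not written, standing in for a quarantined file
        }
        for name, data in local_files.items():
            with open(os.path.join(install_dir, name), "wb") as f:
                f.write(data)

        # The manifest must be built from the trusted copy (fresh download / Steam depot),
        # never by hashing the suspect directory.  Values here are constructed placeholders.
        manifest = {
            "cw3.exe": hashlib.sha256(good_exe).hexdigest(),
            "tampered.dat": hashlib.sha256(good_data).hexdigest(),
            "absent.dll": hashlib.sha256(b"constructed stand-in for absent.dll").hexdigest(),
        }
        return verify_install(install_dir, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Only files that ship with the game belong in such a manifest; a user-edited file such as gamesettings.xml legitimately differs from any pristine copy, so a mismatch there says nothing on its own.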

DWCW3

Thanks for the response.

I wasn't really concerned that the program itself was malicious, but I did have a small concern that maybe there was some way for the Colonial Space downloads to contain something.  I reacquired the .exe from Steam Validation, and will just continue to use as normal.

Karsten75

AH! That is an interesting question. The short answer is that there is no executable code in a map. The map is only ever loaded as data. During map upload, the map is not uploaded with any meta-data. So it would be incredibly hard and unlikely for it to be infected, and again, incredibly hard and unlikely for it to transmit that infection. Finally, one has to bear in mind that virus writers usually target a well-known, popular and widely used application niche that has the largest chance of spreading. A niche application like CW3 is also a far less likely target. I'd be confident to reassure you that CW3 map data files do not carry or transmit viruses - and if they did, the AV program would flag the actual file, not the application.

Karsten75

Based on a passive reprimand delivered stealthily, I feel I should clarify my statement above.

Quote from: Karsten75 on August 29, 2019, 11:14:49 AM
... there is no executable code in a map. The map is only ever loaded as data.

A member of the community felt beholden to point out that maps can contain a scripting language that is, in fact, executable.

My "no executable code" statement refers to code that can be natively executed by the OS. Maps, as well as the scripts that may be associated with a map, are loaded by the game as data. The game has an execution environment that is native to the game, bears no resemblance to any other existing language, is sandboxed, allows only a very limited number of game-specific commands, and has no interface to external capabilities, nor could it allow one - no file calls, no memory access outside of in-game allocated storage, no direct or interpreted system calls, etc.

I'm not sure if this longer, more complex explanation is of more use to anyone, or if it is factually better, or allows for more interpretative questions/loopholes that require assurance regarding potential exploits, or if it simply demonstrates my inability to be technically precise and correct. However, here it is, warts and all.
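
What Karsten75 describes above, a game-native interpreter with a fixed, small command set, storage limited to in-game state, and no path to files, memory or the OS, is a whitelist interpreter: anything that is not one of the known commands is rejected rather than passed on to anything more capable. The following is an added example of that design and is not CW3's map scripting language nor any Knuckle Cracker code; the commands set/add/say/jnz, the register-file state and the step budget are invented for illustration.

```python
class SandboxError(Exception):
    """Raised when a script tries anything outside the allowed command set."""


class UnitState:
    """The only storage a script can touch: a small integer register file plus a message log."""

    def __init__(self):
        self.regs = {}
        self.log = []


def _to_int(token):
    try:
        return int(token)
    except ValueError:
        raise SandboxError(f"not a number: {token!r}")


# Whitelisted, game-specific commands: name -> (argument count, handler).
# Handlers receive only the UnitState; there is deliberately no command that can
# open a file, touch memory outside the register file, or reach the host OS.
def _set(state, reg, value):
    state.regs[reg] = _to_int(value)


def _add(state, reg, value):
    state.regs[reg] = state.regs.get(reg, 0) + _to_int(value)


def _say(state, text):
    state.log.append(text)


COMMANDS = {"set": (2, _set), "add": (2, _add), "say": (1, _say)}
MAX_STEPS = 10_000  # execution budget so a looping script cannot stall the game loop


def run_script(source):
    """Execute an untrusted script against a fresh UnitState and return the state.

    Syntax (constructed): one command per line, '#' starts a comment,
    'jnz REG N' jumps to 1-based line N when REG != 0 and is the only control flow.
    """
    state = UnitState()
    lines = [ln.split("#", 1)[0].strip() for ln in source.splitlines()]
    pc, steps = 0, 0
    while pc < len(lines):
        line = lines[pc]
        pc += 1
        if not line:
            continue
        steps += 1
        if steps > MAX_STEPS:
            raise SandboxError("step budget exhausted")
        cmd, *args = line.split()
        if cmd == "jnz":
            if len(args) != 2:
                raise SandboxError(f"line {pc}: jnz expects 2 arguments")
            if state.regs.get(args[0], 0) != 0:
                target = _to_int(args[1]) - 1
                if not 0 <= target < len(lines):
                    raise SandboxError(f"line {pc}: jump target out of range")
                pc = target
            continue
        if cmd not in COMMANDS:
            # Unknown words are an error, never forwarded anywhere more capable.
            raise SandboxError(f"line {pc}: unknown command {cmd!r}")
        argc, handler = COMMANDS[cmd]
        if len(args) != argc:
            raise SandboxError(f"line {pc}: {cmd} expects {argc} argument(s)")
        handler(state, *args)
    return state


def try_run(source):
    """Run a script and report ('ok', regs, log) or ('rejected', reason) without raising."""
    try:
        state = run_script(source)
        return ("ok", dict(state.regs), list(state.log))
    except SandboxError as e:
        return ("rejected", str(e))


# Constructed sample scripts.
COUNTDOWN = "set n 3\nadd n -1\njnz n 2   # loop back to the add\nsay done\n"
HOSTILE = "open c:/constructed/path\n"   # not a command the sandbox knows
RUNAWAY = "set n 1\njnz n 1\n"           # loops forever; stopped by the step budget

if __name__ == "__main__":
    for name, src in [("countdown", COUNTDOWN), ("hostile", HOSTILE), ("runaway", RUNAWAY)]:
        print(name, try_run(src))
```

The three sample scripts show the three outcomes a defender cares about: a well-formed script changes only the register file and log, a script that names anything outside the whitelist is refused before it runs, and a script that never terminates is cut off by the step budget instead of hanging the host.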

chwooly

Quote from: Karsten75 on August 28, 2019, 11:15:30 PM

Update: Also, this thought that eluded me yesterday. You didn't download the game between the time that Kaspersky flagged it and the time prior to that that Kaspersky did not flag it, right? And I assume, based on your posting history, that you have had the game for quite some time. If these assumptions are correct, then it is unlikely that the infection came to you via the game - it may be that the executable got infected on your machine, but again, that is not under our control.

I just noticed this thread. The action of clicking on "Forum" is in effect opening an external web link, which could be mistaken as a Trojan, and if he had updated Kaspersky's definition file it is likely that the heuristic algorithm made that logic leap and did its thing.

Cheers

"I am free, no matter what rules surround me. If I find them tolerable, I tolerate them; if I find them too obnoxious, I break them. I am free because I know that I alone am morally responsible for everything I do."
― Robert A. Heinlein