VirusTotal, Rising - Suspicious, and Gaming.

Discussion in 'other security issues & news' started by Carbonyl, Aug 6, 2011.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Hi everyone. Lately I've been trying to get a variety of older games working on a newer Windows 7 machine, for the sake of nostalgia and fun. Thanks to the painstaking work of a lot of source porters and modders, this has been made possible, but usually requires the application of tweaks, patches, and fixes developed by the fan community. Downloading and installing such applications is not something I take lightly, so I've tried to do research beforehand.

    For example, I've found that over on the Good Old Games community, there are a bevy of compatibility and usability patches for the fan-favorite: Planescape Torment. The forums seem rife with people who have applied and used these patches.

    However, when submitting these files to VirusTotal, almost every single one turns up a hit. It's always the same hit, too: The Rising engine labels it as the 'Suspicious' virus.

    Attempting to discuss this with the aforementioned fan-patch community is largely useless. For the most part, if you bring up security issues with modders and gamers, the cry across the board is "FALSE POSITIVE!!! YOUR ANTIVIRUS SUCKS UNINSTALL IT!!", which I find to be simultaneously poor advice and short-sightedness. A result of 1/42 on VirusTotal usually indicates to me that the other engines haven't caught up yet, not that the file is harmless. I've had more than one occasion where a 'false positive' from one engine was, weeks later, classified as a threat from MANY engines. Heck, I've had fan patches I've had installed for YEARS suddenly get targeted by NOD32 out of the blue!

    What I'd like to solicit from the Wilders community is an assessment of how to proceed. Am I overreacting in this situation? Is this likely a false positive, and not a yet-to-be-classified threat? I'm simply trying to keep myself as safe as possible, while still enjoying the older software I still want to use. Thanks for any help!
     
  2. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    It's good that you're being careful with "community-made" patches, mods and such. Although it's my experience that much of that stuff is clean as a whistle, sometimes there are nasty surprises. Thumbs up.

    However, the problem with AVs in this case here is two-fold.

    1) False positives. AVs have lots, and to me it seems to be increasing, not decreasing. If the file is something rarely seen, like some game mod or unofficial patch, chances are good some AV is going to flag it as some generic malware detection or heuristic detection, because of packers used or the signatures fitting something that was found in another file that was really malware, maybe. These false positives don't get fixed well because they're not seen by a large number of people and often go unreported. And now AVs are copying false detections from each other. Kaspersky I believe tested this by intentionally submitting dummy, harmless files to VT and then flagging said files as a new malware in their own signature database, and soon other AVs, upon seeing Kaspersky detecting the files - wrongly! - as malware, also started detecting them as malware. So, yeah, false positives. It's seldom the case, in my experience, that when an obscure AV product like Rising is the only one to detect some file as malicious, the detection is actually accurate. Most often it's a false positive, and especially so when the detection is "suspicious" or "generic" instead of a precisely named malware.

    2) False negatives. Because the files are relatively rare, if they do have malware, chances are poor the AVs will detect it. Unless whoever put the malware in the file is just stupid, or hoping to exploit people who don't have AVs or don't trust them and haven't figured out working alternatives.

    In a case like this, options are few. You could, in theory, start sending such files for research to AV companies, but that would be slow, cumbersome and probably ineffective - but, with a little luck, they might even research the file and make an accurate positive or negative detection. You could do testing yourself, with the aid of virtualization and sandboxing or dedicated testing systems without such measures that malware easily detects, or if bold, on your main rig with a paranoid HIPS etc. This would be time-consuming and difficult, depending on your skill level in such things. And you might miss something, just like AVs.

    There is some security in the community. The more users are using some patch or mod, the more likely it is that someone will notice any malware it may have. And if the mod etc is old, as in months or years old, and still doesn't have a reputation for being nasty even when it's in fact the same old file (checksum-verified), then that's a good sign, too. Time is your friend when it comes to malware detection. In those cases where a really old file is suddenly detected as malicious by a few AVs, in my experience again that is likely to be a false positive. But it's impossible to know without seeing the files in question and examining.

    Not very helpful, I know, but them's the breaks in such a case. Something that I've sometimes done, when in the mood for gaming, is just dedicate a worthless machine to that purpose, and assume it'll get owned sooner or later (even if it probably doesn't), so I can happily install all the third party stuff I could want without infecting any system I use for something that actually matters. But not everyone has idle systems sitting around that could be used for this.
     
    Last edited: Aug 6, 2011
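The reasoning in the two posts above (a lone engine reporting a generic "Suspicious" name, versus a specific family name or several engines agreeing, weighed against how long the identical file has been in circulation) can be written down as a small triage rule. The script below is an added illustration, not code from this thread or from any of the vendors mentioned; the engine results and the "known good" hash record are constructed sample data, and the verdict thresholds (single engine, generic name, file unchanged for at least 180 days) are assumptions chosen to match the discussion, not anyone's published policy.

```python
"""Triage a multi-engine scan result the way the thread suggests:
count the hits, check whether every hit is a generic/heuristic name,
and check whether the exact same file (by SHA-256) has been around for a
long time.  Sample data below is constructed for illustration."""
import hashlib
import re
from datetime import date

# Detection names that describe a heuristic or behavioural guess rather
# than a specific, named malware family (assumed list for this example).
GENERIC_PATTERN = re.compile(r"suspicious|generic|heur|unknown|packed", re.I)


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory file image."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """SHA-256 hex digest of a file on disk, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def summarise_scan(results: dict):
    """results maps engine name -> detection name, or None when clean.
    Returns (hits, total_engines, generic_only)."""
    hits = {eng: name for eng, name in results.items() if name}
    generic_only = bool(hits) and all(GENERIC_PATTERN.search(n) for n in hits.values())
    return hits, len(results), generic_only


def triage(results: dict, file_hash: str, known_good: dict, today: date,
           min_age_days: int = 180):
    """known_good maps sha256 -> date the identical file was first recorded.
    Returns (verdict, reason)."""
    hits, total, generic_only = summarise_scan(results)
    first_seen = known_good.get(file_hash)
    age_days = (today - first_seen).days if first_seen else None

    if not hits:
        return "no-detections", f"0/{total} engines flagged the file"
    # A specific family name, or agreement between several engines, is not
    # something a long history explains away: treat it as a real detection.
    if not generic_only or len(hits) >= 3:
        return "likely-malicious", f"{len(hits)}/{total} engines, names: {sorted(hits.values())}"
    # One engine, a generic name, and a file whose hash has not changed for
    # months: the pattern the thread describes as a probable false positive.
    if len(hits) == 1 and age_days is not None and age_days >= min_age_days:
        eng = next(iter(hits))
        return "likely-false-positive", (f"only {eng} ({hits[eng]}), identical file "
                                         f"known for {age_days} days")
    # Otherwise nothing here settles it: rescan later or submit to the vendor.
    return "inconclusive", f"{len(hits)}/{total} generic hits, file age {age_days}"


# ---- constructed sample data -------------------------------------------
PATCH_BYTES = b"constructed stand-in for a fan patch executable"
PATCH_HASH = sha256_of_bytes(PATCH_BYTES)
KNOWN_GOOD = {PATCH_HASH: date(2009, 1, 15)}   # same hash seen since early 2009
SCAN_DATE = date(2011, 8, 6)

# 42 engines, only "Rising" reporting, with a generic name (constructed).
RESULTS_ONE_GENERIC = {f"engine{i:02d}": None for i in range(41)}
RESULTS_ONE_GENERIC["Rising"] = "Suspicious"

RESULTS_MANY_SPECIFIC = dict(RESULTS_ONE_GENERIC)
RESULTS_MANY_SPECIFIC.update({"engine00": "Trojan.Dropper.Example",
                              "engine01": "Trojan.Dropper.Example"})

if __name__ == "__main__":
    print(triage(RESULTS_ONE_GENERIC, PATCH_HASH, KNOWN_GOOD, SCAN_DATE))
    # A modified file: same single generic hit, but no history to lean on.
    print(triage(RESULTS_ONE_GENERIC, sha256_of_bytes(b"changed"), KNOWN_GOOD, SCAN_DATE))
    print(triage(RESULTS_MANY_SPECIFIC, PATCH_HASH, KNOWN_GOOD, SCAN_DATE))
```

The point of the hash record is the "checksum-verified" step from the post: the age argument only holds for the byte-identical file, so a re-download that hashes differently gets no credit for the old file's reputation and falls through to "inconclusive".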
  3. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    The "Suspicious" detection by Rising is a behavior detection afaik, so it's detected by the behavior engine in their products.

    And FYI the first beta of Webroot Cloud AV was also detected as Suspicious by Rising.
     
  4. Chris _MS_

    Chris _MS_ Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    9
    Some antivirus companies also detect executables that they know to be just unofficial patches or cheats.

    MSE draws the line somewhere between keygens and cheats. It will detect Keygens and Cracks that allow access to paid content without payment, but it won't detect unofficial patches or cheats. The name that MSE reports can tell you the reason MSE detects it.

    The sample submission page for MMPC, should you need it, is https://www.microsoft.com/security/portal/Submission/Submit.aspx
     
  5. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Agree with above comments, normally community made items are usually quite clean - especially when it comes to older games.

    I wouldn't rely on Rising antivirus for anything.

    You can run most of these old games in Sandboxie (and limit access to your files with file and folder restrictions) if you are concerned. Sometimes it's easier to install the original game outside of a sandbox, and then afterwards install and run the fan patches/mods within the sandbox.

    I've quite a collection of old DOS and early Windows games, and odd detections come and go for particular executables. Sometimes programs will be detected because of the naming conventions, e.g. a legitimate file that happens to be called loader.com will be flagged as a trojan.
     
  6. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Thanks for the assistance, everyone. The long-time history of these patches, combined with their widespread use, probably does mean they're clean. I just don't like to take any unnecessary risks, and if a file triggers a detection somewhere down the line it's likely to give me a heart attack even if it is a false positive.

    Good to know that Rising isn't particularly trustworthy with this 'suspicious' tag, too. I wonder if it's a cloud thing? I remember a while back the Symantec engine on VirusTotal would label EVERYTHING it hadn't seen before as a risk.

    As for the virtualization recommendations, I think that's an excellent way to approach things. Sadly, Sandboxie just tends to freak right the flip out these days when I try to make a new sandbox and install something to it. I still can't get a handle on the random, completely arbitrary behavior that occurs when I attempt creating a new sandbox and installing to it. Files 'blur' between sandboxes, preferences and settings get screwed up, and Sandboxie itself tends to choke hard. It makes me a little wary to attempt installing to a new sandbox again, but I suppose it's worth the risk. And those Sandboxie issues are probably a subject for another thread or the Sandboxie forums.

    Thanks again for the assistance!
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    You can upload to online sandboxes as well. Plus URLVoid for scanning the download and author websites.
     