Source-based games being detected as malware

Discussion in 'ESET NOD32 Antivirus' started by Proactive Services, Apr 26, 2010.

Thread Status:
Not open for further replies.
  1. Proactive Services

    Proactive Services Registered Member

    Joined:
    Jan 10, 2006
    Posts:
    153
    Location:
    Petersfield, Hampshire, UK
    I've just started getting these false positives this evening (NOD32 v4.2, virus DB 5063). I've submitted them via ThreatSense.net with a note of them being FPs.

    left4dead.exe - a variant of Win32/GameHack.C potentially unsafe application
    left 4 dead 2\left4dead2.exe - a variant of Win32/GameHack.C potentially unsafe application
    hl2.exe - a variant of Win32/GameHack.C potentially unsafe application
     
  2. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    And you are positive those are not hacked exe's? CD-check removal? Legitimately installed versions of Left4Dead and Half-Life?
     
  3. Proactive Services

    Proactive Services Registered Member

    Joined:
    Jan 10, 2006
    Posts:
    153
    Location:
    Petersfield, Hampshire, UK
    100%, downloaded from Steam. I'm also starting to get alerts from customers' NOD32 installs now.
     
  4. stratoc

    stratoc Guest

    I just 'in depth' scanned my Steam folder (117 games including all the ones you mention) with Smart 4.2.40 5063 and no threat found?
    Potentially unwanted programs set to on.
    Correction: on launching the games it detects threats, which kinda questions the scan I guess?
     
    Last edited by a moderator: Apr 26, 2010
  5. Bobbu

    Bobbu Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    3
    I registered on the forums to say I have the exact same problem. When trying to play Team Fortress 2 I get this message.

    .....teamfortress 2\hl2.exe
    Threat:
    a variant of Win32/Gamehack.C application
     
  6. Proactive Services

    Proactive Services Registered Member

    Joined:
    Jan 10, 2006
    Posts:
    153
    Location:
    Petersfield, Hampshire, UK
    It's being detected as part of the "Potentially unsafe programs" feature; you may not have this enabled.
     
  7. STRYDER

    STRYDER Registered Member

    Joined:
    Aug 21, 2008
    Posts:
    99
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  9. Proactive Services

    Proactive Services Registered Member

    Joined:
    Jan 10, 2006
    Posts:
    153
    Location:
    Petersfield, Hampshire, UK
    I'm with you, siljaline. Very silly indeed. Games will mostly be sustained I/O which anti-virus has less effect on as time goes by. Once the game data is cached you tend to be playing for some time before any more I/O is needed, so people who switch off their AV to play games are probably the same people who clean their registry and defrag every week :)

    The latest sigs no longer detect any of the mentioned exe's so I assume it was picked up and fixed. Steam also downloaded the missing exe's which were deleted :)
     
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    I hope that Steam adjusts their KB Article(s) so as not to goad the users to use the games in a non AV mode :ouch:

    While I cannot confirm the F/P's were identified and whitelisted, I hope they were and that there will be no other issues with Steam games in the meanwhile.

    Regards,
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    What do you expect when AV companies don't follow proper testing procedure? We are not beta testers. I completely agree with Valve.
     
  12. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    The onus is on the software vendor to submit the FP's.

     
    Last edited: Apr 27, 2010
  13. stratoc

    stratoc Guest

    I know there were major issues when v3 first came out; it took about 2 weeks to get everything ironed out. Haven't had problems since then with Steam FPs.
    You have to remember some programs have anti-cheat running with them, open browsers etc.
    I suppose it's safer to disable PUA rather than turn anti-virus off.
     
  14. techie007

    techie007 Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    125
    Location:
    Ontario, Canada
    What would you suggest for 'proper testing procedures' that Eset could have used to avoid this?
     
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Obviously even the most basic testing procedures were not performed, such as scanning a pile of popular files before release.
     
  16. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    How about every game or software manufacturer test with all the AVs before release?
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    This is not true; every update is scanned against dozens of thousands of files before it's released. To avoid FPs completely, one would need to collect every single legit file in the world and test every update against the collection. Needless to say, it's impossible to collect every single legit file and keep the collection up to date, plus scanning of such large collections would take days.
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    I don't know if these are FP's or not BUT IMHO any vendor that advocates reducing user security to run THEIR product should be avoided on a PC where real work and private data is stored.

    The best way if you can afford it is to have a work PC set up and a separate PC for games. Turn off the work pc if sharing a router with the gamer.
     
  19. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Err, the source exe's nearly enough never change, it's all the other data that does.


    The most popular games in the world aren't on your scan list? :rolleyes:
     
  20. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    The most popular games in the world are packed by tons of packers and obfuscated in tons of ways to penalize legitimate customers w/ rootkit-like protections etc., while the warez folks can enjoy gaming without problems, without DVDs in their drive, without being forced to uninstall their virtual-drive software etc.

    Go blame the gaming companies for this kind of *beeep* :rolleyes:
     
  21. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    I think the onus is on the game vendor to prove to the security software vendor why certain files, etc. should not be blacklisted; the onus should not be on the security software vendor to assume a role to be proactive to issues with the game software when it is flagged as malware :ouch:

    Those that have issues gaming on their home PCs should perhaps consider other media in order to game; I personally do not game on my PC.
     
    Last edited: May 1, 2010
  22. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    You're clearly confused with DRM, which isn't how this works. Steam games especially use the Steam DRM, so they have no need to "use a ton of packers".

    It's sickening to think in this day and age people think it's up to games development studios to submit their work to AV companies to make sure they don't FP. An AV is supposed to be the assistant at the side, forgotten about. Not the god of the PC.

    Oh I wonder how other companies manage not to have as many FP's yet higher detection rate than ESET? HMMMM!

    I'll leave it here, it's obvious we're not going to agree.
     
  23. ThomasC

    ThomasC Former ESET Support Rep

    Joined:
    Sep 8, 2008
    Posts:
    209
    According to industry standard tests, such as the following one from ~ Removed Direct PDF Link as per AV-Comparatives Request - See Main-Tests page for the actual PDF ~ , ESET has one of the lowest instances of false positives in the industry. As for detection rate and overall product performance, ESET received the highest award in this report as well. :)

    I would suggest just submitting the false positive and ESET will add it to a future update of the product; in the meantime you could add an exclusion for the offending file(s) to avoid the problem.

    -Tom
     
    Last edited by a moderator: May 4, 2010