LaunchBox Community Forums

Zpevdo.b trojan in latest LB installer


Benjc

We can confirm that the reports are indeed false positives, but that's all we can say. Every single release we put out, we end up fighting with a million and one broken anti-virus programs to do our best to eliminate any false positives. But every release that task becomes more daunting and more difficult.

It's very rare that Windows Defender reports a false positive like this, but Microsoft apparently updated the definitions today and it is now being reported as a false positive. Obviously we couldn't catch that because when we released 11.14 it wasn't being reported as a false positive. I'm going to look to attempt to put out a new release that does not throw a false positive, but it may or may not be possible, depending.

The unfortunate truth is that most anti-virus programs are absolute garbage and report more false positives than true viruses, so they're much like the boy who cried wolf. They become useless because they cannot be trusted when a virus is reported. Windows Defender has a much better track record than most third-party anti-virus programs, but it's not perfect. When you're searching new developments for a series of bits and bytes from well over 30 years of viruses, it's nearly an impossible task to do without getting it wrong.

Regardless, you're getting a very false sense of "security" if you're trusting an anti-virus program (especially a third-party anti-virus program) to tell you whether or not you have any bad or malicious software on your machine. That's the sad truth these days.

We'll do our best to fix the issue. If you can, please report this to your anti-virus providers as a false positive.


16 minutes ago, zetec said:

This is atrocious. Blaming a specific antivirus instead of providing information about why it's being flagged as a false report is the kind of thing that makes security-conscious users like myself run for the hills.

The way this is being handled deserves more attention, because that response is completely inappropriate and dismisses serious concerns with no justification for doing so.

No, it's the truth. What would you expect us to say in this regard? We've run every single file in the release through VirusTotal. We always do before all official releases. We're very confident it's a false positive.


Just now, Jason Carr said:

No, it's the truth. What would you expect us to say in this regard? We've run every single file in the release through VirusTotal. We always do before all official releases. We're very confident it's a false positive.

This is a regretful answer, because it means that LaunchBox doesn't take its security seriously. I was hoping the official response would be more professional.

"Dude trust me" doesn't fly in today's security environment. If I planned on continuing to use LaunchBox - which, based on this response, I won't - I would want to know the answers to the following questions:

- What steps have you taken to ensure that your codebase hasn't been compromised?

- Has there been a review of recent commits?

- Has there been a review of the build tools to make sure they're not compromised?

- When was the last security audit of LB systems?

A common method for malware to be inserted into legitimate software is for the build tools themselves to be compromised - I'm posting this in hopes that a lesson can be learned - but the arrogance of the entire LB team's reaction to a serious concern has me officially done with this solution.

Hope you guys figure out how to respond to security concerns in a more professional manner in the future.


3 minutes ago, zetec said:

- What steps have you taken to ensure that your codebase hasn't been compromised?

I just explained to you our steps of running the software through VirusTotal before release. We run through all false positives reported and do our best to confirm that they are false positives before release.

4 minutes ago, zetec said:

- Has there been a review of recent commits?

Yes, we always review all commits before releasing new versions.

4 minutes ago, zetec said:

- Has there been a review of the build tools to make sure they're not compromised?

We use Visual Studio as the build tools. I've run virus checks on Visual Studio on the release machine and they are not compromised.

5 minutes ago, zetec said:

- When was the last security audit of LB systems?

We run the normal tools like everyone else, and they're running in the background. I'm not sure what kind of audit you're looking for here, but it doesn't sound like we'd ever be able to satisfy you here, honestly. We're a very small team, and we do take security very seriously. But we also know how flawed the entire industry is, and it sounds like you have a false sense of security with it.

We're doing our best here guys; if you want to paint us as the enemy, then go ahead, but we're really doing all we can do.


I think zetec was a little aggressive, but I do understand his concerns. I think what he really wanted was a more complete response from the beginning explaining why LaunchBox considers it a false positive and what kind of checks you guys do.

Just a few months ago the RetroArch team had its codebase compromised (I know it is a very different situation, but we'd better be safe than sorry, right?).

I'm glad this is just a false positive and that we got a response though.

I've allowed my antivirus to exclude the file just to be safe; I'll wait for a new patch before attempting to restore my LaunchBox installation.

Thanks. 


Alright, 11.15 is out now. Apparently all we needed to do was recompile and it seems that it no longer trips Microsoft Defender. Just bad luck with that false positive I guess (but what else is new).

If you're unable to auto-update to 11.15, you can manually download it here:

https://www.dropbox.com/s/wsflw0p0iu8g3o4/LaunchBox-11.15-Setup.exe?dl=0

Once downloaded, you can just manually install it over top of your existing LaunchBox folder, and it will keep all your games and settings. Just be sure to install it to the LaunchBox folder, like this:

[image]

And not a LaunchBox folder inside of the LaunchBox folder like this:

[image]

Thanks all; my apologies for the trouble. Sometimes we're blindsided with false positives like this and unfortunately there's really nothing we can do to improve it. It's just the nature of software development on Windows these days.

Oh, one last note: as with many of the previous releases, we are still tripping a false positive with Symantec/Norton. This has been unavoidable for us unfortunately. Symantec/Norton seems to be the worst of the anti-virus industry, spitting out more false positives than most other providers.


1 minute ago, HomerJ said:

I just downloaded a fresh 11.15... But now Avast is tripping...

[image]

Unfortunately there's not much we can do about that. As stated previously, it's a nightmare avoiding different false positives on different anti-virus engines. You might just need to add an Avast exclusion for it.

Avast was not triggered when I tested the files on VirusTotal, but sometimes Avast does time out during the tests; VirusTotal doesn't always work perfectly.


Also, one last thing: we are committed to making sure that new official versions of the software do not trip Microsoft Defender (Windows' built-in anti-virus), because we feel like it's the best solution out there, as it generally doesn't act like the boy who cried wolf, reporting millions of false positives, and for the most part it just works. However, sadly, it would be impossible for us to commit to eliminating false positives with every third-party anti-virus product out there.

This is just our 2 cents: if you are using a third-party anti-virus product, we recommend uninstalling it and using Microsoft Defender instead. Here's why: Microsoft has a vested interest in doing the anti-virus job properly, without interfering with performance or producing false positives, because they want users on Windows to have the best experience possible. Anything less than the best experience makes Windows look bad, so it's obvious why Microsoft cares in this regard.

Unfortunately the vast majority of third-party anti-virus companies do not maintain the same level of care. Some important notes:

  • Many of the anti-virus companies take the stance that the more "viruses" they report, the "safer" users will think that their product is; they don't care if they report false positives or not, because they think users are stupid and it doesn't matter. They're not held accountable for false positives in any way, shape, or form, so they don't invest very much in getting rid of them.
  • Many third-party anti-virus companies have a relatively scandalous history, including famous ones like Symantec/Norton, and McAfee; in the worst cases they have introduced viruses themselves that only their own software can fix, just so that they can look better than the competition.
  • Third-party anti-virus companies do not have much incentive to increase performance, because as they're often installed before a user even gets their computer, users will usually just blame the hardware or Windows itself.

2 minutes ago, Jason Carr said:

What anti-virus product(s) are you running?

I'm using Kaspersky. I tried a new installation to another location and it started fine. For some reason my collection is broken now; is there any way to troubleshoot?


Just now, jacks897 said:

I'm using Kaspersky. I tried a new installation to another location and it started fine. For some reason my collection is broken now; is there any way to troubleshoot?

Yes; if you would please, let's create another thread. I'm guessing you're running into a different issue than an anti-virus issue, but I don't know for sure. Can you create a new topic and call me out with @Jason Carr?


5 minutes ago, Jason Carr said:

Yes; if you would please, let's create another thread. I'm guessing you're running into a different issue than an anti-virus issue, but I don't know for sure. Can you create a new topic and call me out with @Jason Carr?

Thanks, I created a new thread; I couldn't find out how to tag you, though.


2 hours ago, Jason Carr said:

I just explained to you our steps of running the software through VirusTotal before release. We run through all false positives reported and do our best to confirm that they are false positives before release.

Yes, we always review all commits before releasing new versions.

We use Visual Studio as the build tools. I've run virus checks on Visual Studio on the release machine and they are not compromised.

We run the normal tools like everyone else, and they're running in the background. I'm not sure what kind of audit you're looking for here, but it doesn't sound like we'd ever be able to satisfy you here, honestly. We're a very small team, and we do take security very seriously. But we also know how flawed the entire industry is, and it sounds like you have a false sense of security with it.

We're doing our best here guys; if you want to paint us as the enemy, then go ahead, but we're really doing all we can do.

Thank you for your answer. I do indeed have a Microsoft alert, and it is worrying at first, but Malwarebytes detects nothing and I rather tend to trust Malwarebytes (which has already gotten me out of a lot of trouble). Thank you for your answers; LaunchBox is a fantastic tool, and we should support the team working on it rather than doubting their answers. What interest would they have in giving you corrupted software, other than losing customers in the end?

Edited by TOnino83

2 hours ago, Jason Carr said:

Alright, 11.15 is out now. Apparently all we needed to do was recompile and it seems that it no longer trips Microsoft Defender. Just bad luck with that false positive I guess (but what else is new).

If you're unable to auto-update to 11.15, you can manually download it here:

https://www.dropbox.com/s/wsflw0p0iu8g3o4/LaunchBox-11.15-Setup.exe?dl=0

Once downloaded, you can just manually install it over top of your existing LaunchBox folder, and it will keep all your games and settings. Just be sure to install it to the LaunchBox folder, like this:

[image]

And not a LaunchBox folder inside of the LaunchBox folder like this:

[image]

Thanks all; my apologies for the trouble. Sometimes we're blindsided with false positives like this and unfortunately there's really nothing we can do to improve it. It's just the nature of software development on Windows these days.

Oh, one last note: as with many of the previous releases, we are still tripping a false positive with Symantec/Norton. This has been unavoidable for us unfortunately. Symantec/Norton seems to be the worst of the anti-virus industry, spitting out more false positives than most other providers.

Thank you very much for the rapid response, as usual. When I saw your statement that it was a false positive I allowed the DLL through Defender, but I was even more grateful to see you discovered the issue with Defender and fixed the problem in such a timely manner. I definitely have not been disappointed with the program and the work you all do, especially in responding to issues etc.; I have not regretted buying that lifetime license one bit.

