
simutrans-online-install.exe Windows 10 - Windows Defender quarantines download

Started by khamar, November 09, 2015, 09:21:25 PM


khamar

Windows 10 home, stock install, halts the download of simutrans-online-install.exe [ Chrome browser] from sourceforge and quarantines the file.

To verify the file integrity, I have marked the file "allow" in windows Defender and have uploaded the file for independent scan with the following results:

https://www.virustotal.com
2/54 report findings
McAfee-GW-Edition   BehavesLike.Win32.Dropper.dc
VBA32   suspected of Trojan.Downloader.gen.h
52 others CLEAN

https://virusscan.jotti.org
Scan finished. 1/21 scanners reported malware.
VBA32 Trojan.Downloader.gen.h
21 others CLEAN

I fear that many windows 10 users will not proceed past the quarantine action.



Ters

Looks like Simutrans isn't the only thing hit by this. Not much we can do, I suppose, except force Windows user to download and install pak sets manually, and/or disable network play. Getting a stamp of approval from some authority is going to cost some money.

jamespetts

Are we sure that this is connected to network play or might it just be the downloader? If the latter, one might consider shipping without it. If it includes network play, we certainly can't disable that. We might consider a prominent notice on the Simutrans website explaining the position and that a free game cannot pay for certification. We don't want to have users put off.
Download Simutrans-Extended.

Want to help with development? See here for things to do for coding, and here for information on how to make graphics/objects.

Follow Simutrans-Extended on Facebook.

DrSuperGood

On Windows 10 the only issue I get is when trying to first run the executables: they are warned as being unsigned. Simply revealing the "More info" button and pressing run fixes this.

Ters

Quote from: jamespetts on November 09, 2015, 11:03:48 PM
Are we sure that this is connected to network play or might it just be the downloader?

Hard to tell, and it might even be something else entirely. They probably won't tell exactly what ticks them off, as that also tells the bad guys how to work around it as well. Anything that writes to disk, in particular system directories like c:\windows or c:\program files, or that communicates over the Internet has the potential of being malicious. Security software can't afford to only look for known malware, they must be preemptive and risk a bit of collateral "damage".

prissi

It just uses the freely available NSIS in a slightly old version. That is also used by script kiddies, since the bad guys do not use commercial software either. Nothing that can be done about it (actually, on this Win10 it works fine).

jamespetts

Perhaps just a prominent notice on the official simutrans.com page, which people are likely to consider to be a trustworthy source of information?

Ters

Quote from: jamespetts on November 10, 2015, 10:25:58 AM
Perhaps just a prominent notice on the official simutrans.com page, which people are likely to consider to be a trustworthy source of information?

It wouldn't hurt, but it is also exactly what the (lesser) bad guys do. (The elite just hack their way around the problem.) I'm not convinced those that need such a text will read it, or if they do, understand how to make use of it.

prissi

I could try a more recent NSIS; but NSIS is a self-compressed modular installer that loads stuff over the network and wants to run with admin privileges. Any behavioral-driven virus software is quite likely to think that this is a possible threat. (Avast blocks it at first, but after 15s says that it is harmless.)

Ters

NSIS should really be well-known to the anti-malware folks. Although, being free, it might be a popular installation program for trojans.

In my case, Internet Explorer says SmartScreen doesn't trust the file when the download is complete. At the same time, Norton pops up and says it's safe. (Not the only time that's happened.) The file is not quarantined, but Internet Explorer won't give me the option to run it. I must go to the download folder and run it directly. Firefox doesn't give a ****.

DrSuperGood

Windows 10 seems to have a policy of not allowing casual people to run executable files downloaded through the internet unless they are signed by a "trusted" source. That said, the popup has a hidden "run anyway" button only visible if you press "More" that lets you run it anyway. Unless you press this "More" button and allow it to run anyway, it will appear to be blocked and you will be unable to run the file.

Official builds of Simutrans will not contain malware as the developers are nice people. However, that does not rule out the build becoming infected at the file hosting service (unlikely) or by a man in the middle (possible if you already have malware or are using an insecure network).

Ters

Quote from: DrSuperGood on November 21, 2015, 12:25:51 AM
Windows 10 seems to have a policy of not allowing casual people to run executable files downloaded through the internet unless they are signed by a "trusted" source.

That was true back in Windows Vista as well, but that feature seems to have disappeared. It requires browsers to mark the files as from the Internet, but in the end, only their own browser did. I must either have managed to disable this feature, or it must be on its way out (perhaps too unreliable, since no one else honors it). Explorer still shows this mark in the file attributes dialog, but when running such a file, the origin is now reported as harddisk, not Internet as it used to be. And after having run it, the mark is gone. Newly downloaded files still get the mark though, both by Internet Explorer and Edge. Edge, by the way, does not give a "more" option. It also blatantly lies and says that the system administrator has blocked the file. Unless it's actually revealing a secret truth, that people are no longer in control of their computers.
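As an added example (not from this thread or the Simutrans project), the checks a cautious user can run on a downloaded installer before clicking "run anyway": compare its SHA-256 with a value published by the project, read the Zone.Identifier stream that carries the "from the Internet" mark discussed above, and query the Authenticode status that produces the "unsigned" warning. The file path is an assumption, and the expected hash is a placeholder because the thread publishes none.

```powershell
# Added example: inspect a downloaded installer before running it.
# Assumes the path below; the expected SHA-256 is a placeholder, since the
# thread publishes no hash. Windows PowerShell 5.1 or later.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\simutrans-online-install.exe",
    [string]$ExpectedSha256 = "<paste the hash published by the project here>"
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# 1. Integrity: compare the local hash with the value published by the project.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
if ($ExpectedSha256 -match '^[0-9A-Fa-f]{64}$') {
    $match = $hash -ieq $ExpectedSha256
    "SHA-256 $hash  (matches published value: $match)"
} else {
    "SHA-256 $hash  (no published hash supplied, cannot verify)"
}

# 2. Mark of the Web: browsers record the origin in the Zone.Identifier
#    alternate data stream; ZoneId=3 means "Internet", which is what
#    SmartScreen keys on when it warns about a downloaded executable.
$zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    "Zone.Identifier stream present:"
    $zone | ForEach-Object { "  $_" }
} else {
    "No Zone.Identifier stream: the file is not marked as coming from the Internet."
}

# 3. Authenticode: an unsigned installer is what triggers the "unknown
#    publisher" prompt; a valid signature names the publisher.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
"Signature status: $($sig.Status)"
if ($sig.SignerCertificate) {
    "Signer: $($sig.SignerCertificate.Subject)"
}
```

Once the hash has been verified, `Unblock-File -LiteralPath $Path` removes the Zone.Identifier stream, which is what the hidden "run anyway" button effectively does.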

jamespetts

Perhaps the "system administrator" part of the message refers to the fact that a user with administrative rights can change a setting to disable this feature?

DrSuperGood

Quote
Edge, by the way, does not give a "more" option. It also blatantly lies and says that the system administrator has blocked the file. Unless it's actually revealing a secret truth, that people are no longer in control of their computers.
Edge's download system is total trash anyway. It does not even let you "save as". To use files I need to download, I press a few buttons to open the folder, open the folder I want to save into, and then cut from the download folder into the folder I wanted. What used to be a 3-press sequence is now 10+ with tons of mouse navigation.

Ters

Quote from: DrSuperGood on November 21, 2015, 04:59:36 PM
Edge download system is total trash anyway. Does not even let you save as. To use files I need to download, press a few buttons to open the folder. Open the folder I want to save as into and then cut from the download folder into the folder I wanted. What used to be a 3 press sequence is now 10+ with tons of mouse navigation.

I'm actually more annoyed with not being able to run/open files without "saving" them, especially with all these online installers that do most of the downloading themselves. Other browser makers got that "bright" idea long before Microsoft. So rather than having automatic temp directory cleaning tidy up for me (or maybe Internet Explorer deletes the file once I'm done with it), I have to explicitly launch the file after downloading and then clean up my downloads manually.