The International Simutrans Forum


Author Topic: simutrans-online-install.exe Windows 10 - Windows Defender quarantines download  (Read 5173 times)


Offline khamar

  • *
  • Posts: 1
  • Languages: EN
Windows 10 Home, stock install, halts the download of simutrans-online-install.exe [Chrome browser] from SourceForge and quarantines the file.

To verify the file integrity, I have marked the file "allow" in Windows Defender and have uploaded the file for independent scan with the following results:

https://www.virustotal.com
2/54 report findings
McAfee-GW-Edition: BehavesLike.Win32.Dropper.dc
VBA32: suspected of Trojan.Downloader.gen.h
52 others CLEAN

https://virusscan.jotti.org
Scan finished. 1/21 scanners reported malware.
VBA32: Trojan.Downloader.gen.h
21 others CLEAN

I fear that many windows 10 users will not proceed past the quarantine action.

Offline Ters

  • Coder/patcher
  • Devotee
  • *
  • Posts: 5433
  • Languages: EN, NO
Looks like Simutrans isn't the only thing hit by this. Not much we can do, I suppose, except force Windows users to download and install pak sets manually, and/or disable network play. Getting a stamp of approval from some authority is going to cost some money.

Offline jamespetts gb

  • Simutrans-Extended project coordinator
  • Devotee
  • *
  • Posts: 18222
  • Cake baker
    • Bridgewater-Brunel
  • Languages: EN
Are we sure that this is connected to network play or might it just be the downloader? If the latter, one might consider shipping without it. If it includes network play, we certainly can't disable that. We might consider a prominent notice on the Simutrans website explaining the position and that a free game cannot pay for certification. We don't want to have users put off.

Offline DrSuperGood

  • Dev Team
  • Devotee
  • *
  • Posts: 2582
  • Languages: EN
On Windows 10, the only issue I get is when trying to first run the executables: they are warned as being unsigned. Simply revealing the "more info" button and pressing run fixes this.

Offline Ters

  • Coder/patcher
  • Devotee
  • *
  • Posts: 5433
  • Languages: EN, NO
Quote
Are we sure that this is connected to network play or might it just be the downloader?

Hard to tell, and it might even be something else entirely. They probably won't tell exactly what ticks them off, as that also tells the bad guys how to work around it. Anything that writes to disk, in particular system directories like c:\windows or c:\program files, or that communicates over the Internet has the potential of being malicious. Security software can't afford to only look for known malware; it must be preemptive and risk a bit of collateral "damage".

Offline prissi

  • Developer
  • Administrator
  • *
  • Posts: 9378
  • Languages: De,EN,JP
It just uses the freely available NSIS in a slightly old version. That is also used by script kiddies, since the bad guys do not use commercial software either. Nothing can be done about it (actually, on this Win10 it works fine).

Offline jamespetts gb

  • Simutrans-Extended project coordinator
  • Devotee
  • *
  • Posts: 18222
  • Cake baker
    • Bridgewater-Brunel
  • Languages: EN
Perhaps just a prominent notice on the official simutrans.com page, which people are likely to consider to be a trustworthy source of information?

Offline Ters

  • Coder/patcher
  • Devotee
  • *
  • Posts: 5433
  • Languages: EN, NO
Quote
Perhaps just a prominent notice on the official simutrans.com page, which people are likely to consider to be a trustworthy source of information?

It wouldn't hurt, but it is also exactly what the (lesser) bad guys do. (The elite just hack their way around the problem.) I'm not convinced those that need such a text will read it, or if they do, understand how to make use of it.

Offline prissi

  • Developer
  • Administrator
  • *
  • Posts: 9378
  • Languages: De,EN,JP
I could try a more recent NSIS; but NSIS is a self-compressed modular installer that loads stuff over the network and wants to run with admin privileges. Any behaviour-driven virus software is quite likely to think that this is a possible threat. (Avast blocks it at first, but after 15s says that it is harmless.)

Offline Ters

  • Coder/patcher
  • Devotee
  • *
  • Posts: 5433
  • Languages: EN, NO
NSIS should really be well-known to the anti-malware folks. Although, being free, it might be a popular installation program for trojans.

In my case, Internet Explorer says SmartScreen doesn't trust the file when the download is complete. At the same time, Norton pops up and says it's safe. (Not the only time that's happened.) The file is not quarantined, but Internet Explorer won't give me the option to run it. I must go to the download folder and run it directly. Firefox doesn't give a ****.

Offline DrSuperGood

  • Dev Team
  • Devotee
  • *
  • Posts: 2582
  • Languages: EN
Windows 10 seems to have a policy of not allowing casual people to run executable files downloaded through the internet unless they are signed by a "trusted" source. That said, the popup has a hidden "run anyway" button, only visible if you press "More", that lets you run it anyway. Unless you press this "More" button and allow it to run anyway, it will appear to be blocked and you will be unable to run the file.

Official builds of Simutrans will not contain malware, as the developers are nice people. However, that does not rule out the build becoming infected at the file hosting service (unlikely) or by a man in the middle (possible if you already have malware or are using an insecure network).

Offline Ters

  • Coder/patcher
  • Devotee
  • *
  • Posts: 5433
  • Languages: EN, NO
Quote
Windows 10 seems to have a policy of not allowing casual people to run executable files downloaded through the internet unless they are signed by a "trusted" source.

That was true back in Windows Vista as well, but that feature seems to have disappeared. It requires browsers to mark the files as from the Internet, but in the end, only their own browser did. I must either have managed to disable this feature, or it must be on its way out (perhaps too unreliable, since no one else honors it). Explorer still shows this mark in the file attributes dialog, but when running such a file, the origin is now reported as harddisk, not Internet as it used to be. And after having run it, the mark is gone. Newly downloaded files still get the mark though, both by Internet Explorer and Edge. Edge, by the way, does not give a "more" option. It also blatantly lies and says that the system administrator has blocked the file. Unless it's actually revealing a secret truth, that people are no longer in control of their computers.

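The "mark from the Internet" Ters describes is the Zone.Identifier alternate data stream that browsers attach to downloads, and the infection path DrSuperGood raises is exactly what a published hash protects against. As an added example, not code from the thread or from the Simutrans project, the following PowerShell inspects a downloaded installer before anyone decides to unblock it; the download path and the expected SHA-256 are placeholders, since the thread does not give them.

```powershell
# Added example, not from the forum thread or the Simutrans project.
# Inspect a downloaded installer before deciding whether to unblock it.
param(
    # Placeholder path: adjust to where the browser saved the file.
    [string]$Path = "$env:USERPROFILE\Downloads\simutrans-online-install.exe",
    # Placeholder: the SHA-256 the project publishes for this release.
    [string]$ExpectedSha256 = '<SHA-256 published by the project, placeholder>'
)

# 1. Mark-of-the-Web: browsers record the origin zone in the Zone.Identifier
#    NTFS alternate data stream. ZoneId=3 is the Internet zone; if the stream
#    is missing, the mark has been removed (or was never written).
$zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    Write-Output 'Zone.Identifier stream present:'
    $zone | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No Zone.Identifier stream: file is not marked as from the Internet.'
}

# 2. Integrity: compare the file's SHA-256 with the hash published by the
#    project. A mismatch means a corrupted or tampered download, whatever the
#    scanners say about it.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($actual -eq $ExpectedSha256.ToUpper()) {
    Write-Output "SHA-256 matches the published hash: $actual"
} else {
    Write-Output "SHA-256 MISMATCH: got $actual, expected $ExpectedSha256"
}

# 3. Authenticode: an unsigned build reports NotSigned, which is what the
#    "unsigned" warning in the thread reflects. A Valid status only tells you
#    who signed the file, not that the file is harmless.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Output ("Signature status: {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Output ("  Signer: {0}" -f $sig.SignerCertificate.Subject)
}

# 4. Only once the hash matches should the mark be cleared; this is the
#    scripted equivalent of the "Unblock" checkbox in the file properties.
# Unblock-File -Path $Path
```

Run it once as a plain user: the hash comparison and stream inspection need no elevation, and the final Unblock-File line is left commented so nothing is changed until the check has been read.
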
Offline jamespetts gb

  • Simutrans-Extended project coordinator
  • Devotee
  • *
  • Posts: 18222
  • Cake baker
    • Bridgewater-Brunel
  • Languages: EN
Perhaps the "system administrator" part of the message refers to the fact that a user with administrative rights can change a setting to disable this feature?

Offline DrSuperGood

  • Dev Team
  • Devotee
  • *
  • Posts: 2582
  • Languages: EN
Quote
Edge, by the way, does not give a "more" option. It also blatantly lies and says that the system administrator has blocked the file. Unless it's actually revealing a secret truth, that people are no longer in control of their computers.
Edge's download system is total trash anyway. It does not even let you save as. To use files I need to download, I press a few buttons to open the folder, open the folder I want to save into, and then cut from the download folder into the folder I wanted. What used to be a 3-press sequence is now 10+ with tons of mouse navigation.

Offline Ters

  • Coder/patcher
  • Devotee
  • *
  • Posts: 5433
  • Languages: EN, NO
Quote
Edge download system is total trash anyway. Does not even let you save as. To use files I need to download, press a few buttons to open the folder. Open the folder I want to save as into and then cut from the download folder into the folder I wanted. What used to be a 3 press sequence is now 10+ with tons of mouse navigation.

I'm actually more annoyed with not being able to run/open files without "saving" them, especially with all these online installers that do most of the downloading themselves. Other browser makers got that "bright" idea long before Microsoft. So rather than having automatic temp directory cleaning tidy up for me (or maybe Internet Explorer deletes the file once I'm done with it), I have to explicitly launch the file after downloading and then clean up my downloads manually.