virus software and how it works / false positives


OK, since we just had a major problem with trojan reports and lots of confusion about it I want to share my very own opinion and insights into how antivirus software works nowadays and why there are such things as 'false positive' alarms.

I'm not an antivirus professional and this is not an official post by Gaijin, but I think that there is a great need for information about this topic. This is a short and very simple explanation just to make sure everyone will understand the basic mechanisms!


 

First off - most antivirus tools use (at least) two different ways to check files and/or the system:

1. definitions / signatures
2. behaviour analysis / heuristics

 

1. Definition/signature based detection

For already known viruses/trojans there will be a definition/signature in the antivirus software. Every time a file gets read or written from/to the hard drive the antivirus software will look through the file to see if there is code in it which matches any of those signatures.

If there is a match this means that there is a known virus/trojan in that file. The antivirus software will pop up a notification about it and will take action (according to its settings) - the message will include the name of the virus/trojan, which is 100% identifiable and can be looked up in a database (showing the ways of distribution, the severity and most likely some information about how to get rid of it).

 

2. Behaviour based detection / heuristic search

This detection method is looking for unknown threats, new viruses/trojans which haven't been analyzed yet and therefore don't have a definition/signature. The antivirus software will pretty much try to analyze the file on its own and is looking for code which is similar to known viruses/trojans, or at how the file is acting or working (like the ability to open connections to the internet, hide itself, install/overwrite system files etc.).

If the antivirus software finds something that it deems to be 'possibly malicious' or at least suspicious it will (most likely) not allow the file to be executed, read or written, and according to the settings it will either ask what to do or take automated action (<- most of the time). Additionally there will be a message popup or an entry in the log file which shows a generic virus/trojan name containing some sort of description of what kind of behaviour the code is showing... e.g. Win32-Trojan.gen or abcd12345-trojan.xyz

 

There is much more to both of the detection methods but this is how they basically work. Now what is (or are) the major difference(s)?

While the signature based detection is pretty much 100% bulletproof (a match means an infection by an already known and analyzed virus/trojan), the heuristic search/behaviour based detection may lead to 'false positives' since it is basically only suspecting/assuming that a file contains malicious code.

In short:
signature based detection - less chance of false positives but higher risk of an infection by new threats.
behaviour based detection - better protection against new threats but higher chance of 'false positives'.

 

 

Why did the aces.exe get identified as being 'malicious/infected'?

Quite a few anti virus tools (AVG, Avast, Comodo, Norton 360 etc.) have been blocking the aces.exe in the past and notified the user about a potential threat - until today these have always been 'false positive' alarms (!!! attention !!! this does not mean that this notification should be ignored in the future !!!)

The aces.exe may get identified as being malicious because it is using techniques which are also used by trojans/viruses: it's a runtime packed executable, it is trying to open connections to the internet and it is able to change files on the hard drive etc. These things may trigger the heuristic search or the behaviour based detection modules in the anti virus software.

This may already happen while downloading a new patch and it may lead to the launcher not being able to finish the download/update process, since while downloading new patches there is an archive called pc.zip being downloaded - this archive contains the aces.exe (and some other files). Most anti virus tools are set to check the content of archives before they get written to the hard drive. If the av software detects a possible threat in the archive it will either block access to that archive, not write it to the hard drive at all or delete the aces.exe within the archive. Each of those possibilities will interfere with the update process and the launcher will either crash, stop with an error message or just quit and exit.

On the next start of the launcher it will most likely open an error message stating that some files may be outdated or corrupted (listing for instance the pc.zip). After analyzing the game files it will try to download those files just to fail again due to the av software doing its job (again) ^o^

So users may get stuck in a loop =/

 

 

What can I do to prevent this from happening, or how do I get War Thunder running again if this happens?

You cannot prevent this from happening unless you turn down the security level of your anti virus software and this is NOT AN OPTION (imho) - even though the heuristic/behaviour based detection may give you a hard time enjoying the game or working with your system overall, it's always better to be safe than sorry!!!

There are several things you can do though... First you may upload the questionable files (like the aces.exe or the pc.zip archive) to a virus search website like www.virustotal.com which will check the files with 50+ different anti virus engines - if several engines detect a potential threat (or a known virus/trojan) in the file it is quite obvious that the file is indeed infected. If none (or only 1 or 2 of the less known anti virus tools) detect a potential threat it is likely that the file is safe and the detection is a false positive... Still, it's completely up to you if you want to take the risk and flag the file as being safe in your anti virus software!

Pretty much any of the (well known) anti virus tools have an option to upload the suspicious file(s) to the developer of the av software to make them analyze the file(s). If the developer does find a threat in the file it will update its signatures/detection modules and the files will be blocked (in the future), while if they don't find a problem with the files they will 'whitelist' them and after an update of the av software the files may be read/written/executed... This is the safest option but it will take some time.

Of course you can also put the War Thunder folder on the exception list of the anti virus software so it won't check the content of that folder anymore - this will severely reduce the security of your system!!! Personally I'd say that this is an absolute 'no-go' and should never be done, as well as deactivating the anti virus tool while downloading patches, unless you know what you do (and how to recover your system in case it gets infected).

Many players deactivate the heuristic/behaviour based detection in their anti virus software since most of the alarms are 'false positives' and they don't want to get bothered by them - they trust the signature based detection. This will cause them less hassle and may also increase the speed of the system, but again this will reduce the security of the system and with nowadays' trojans/viruses this is not a good idea because once you got infected it's hard to get rid of the infection (often enough the system has to be installed from scratch).

So basically you've got to live with the fact that sometimes you just need to invest some time to be sure that there is no threat in a file, or you've got to wait for an update of your anti virus software (signatures/detection modules).

Edited by relliK
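As an added illustration (not part of relliK's post, and not Gaijin's or any antivirus vendor's code), here is a small Python model of the two detection methods and of the multi-engine check the post describes: a byte-pattern signature engine that names a known sample, a weighted heuristic engine that flags traits such as runtime packing and network access, archive scanning of a constructed stand-in for pc.zip, and a consensus rule that mirrors the post's reading of VirusTotal results. All signatures, heuristic rules, engine names, thresholds and sample 'files' are constructed for this example; none corresponds to real malware or to a real AV product.

```python
# Toy model of signature vs heuristic detection plus multi-engine consensus.
# Everything here is constructed for illustration: no real malware, no real AV.
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Optional

# Constructed signature database: detection name -> byte pattern of a "known" sample.
SIGNATURES = {
    "Demo.Trojan.A": b"\xde\xad\xbe\xef\x13\x37",
}

# Constructed heuristic indicators: (regex over raw bytes, weight). They mimic the
# traits the post lists for aces.exe: runtime packing, network access, file writes.
HEURISTIC_RULES = {
    "runtime_packer_section": (rb"UPX[0-9]", 2),
    "network_api":            (rb"InternetOpenUrl|WinHttpOpen", 1),
    "file_write_api":         (rb"WriteFile|CreateFile", 1),
    "hidden_attribute":       (rb"FILE_ATTRIBUTE_HIDDEN", 2),
}

@dataclass
class Verdict:
    engine: str
    detected: bool
    kind: str            # "signature", "heuristic" or "clean"
    name: Optional[str]  # exact name for signature hits, generic name for heuristics

def signature_scan(data: bytes) -> Optional[str]:
    """Definition-based check: an exact byte-pattern match names a known threat."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def heuristic_score(data: bytes):
    """Behaviour/heuristic check: sum the weights of suspicious traits found."""
    score, hits = 0, []
    for rule, (pattern, weight) in HEURISTIC_RULES.items():
        if re.search(pattern, data):
            score += weight
            hits.append(rule)
    return score, hits

def scan(engine: str, data: bytes, threshold: int) -> Verdict:
    """One simulated engine: signatures first, heuristics only if nothing is known."""
    sig = signature_scan(data)
    if sig is not None:
        return Verdict(engine, True, "signature", sig)
    score, hits = heuristic_score(data)
    if score >= threshold:
        # Generic name, in the spirit of the "Win32-Trojan.gen" style the post mentions
        return Verdict(engine, True, "heuristic", "Gen.Suspicious." + "+".join(hits))
    return Verdict(engine, False, "clean", None)

# Simulated engines with different heuristic aggressiveness (lower = more alarms).
ENGINES = {"EngineA": 3, "EngineB": 4, "EngineC": 5, "EngineD": 2, "EngineE": 4}

def multi_engine_assessment(data: bytes):
    """Apply the post's rule of thumb to the verdicts of several engines."""
    verdicts = [scan(e, data, t) for e, t in ENGINES.items()]
    detections = [v for v in verdicts if v.detected]
    if any(v.kind == "signature" for v in verdicts):
        assessment = "known threat"             # a named signature hit is decisive
    elif len(detections) >= 3:
        assessment = "likely infected"          # several engines agree
    elif detections:
        assessment = "probable false positive"  # only one or two heuristic alarms
    else:
        assessment = "clean"
    return assessment, verdicts

def scan_archive(zip_bytes: bytes):
    """What an on-access scanner does with a download: check every archive member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: multi_engine_assessment(zf.read(info))[0]
                for info in zf.infolist()}

# Constructed sample "files"
KNOWN_MALWARE = b"MZ\x90\x00" + SIGNATURES["Demo.Trojan.A"] + b"InternetOpenUrlA"
PACKED_LAUNCHER = b"MZ\x90\x00UPX0UPX1 game launcher InternetOpenUrlA"  # packed + network
PLAIN_TEXT = b"just a readme, nothing suspicious here"

def build_update_archive() -> bytes:
    """Constructed stand-in for the pc.zip update archive containing the launcher."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("aces.exe", PACKED_LAUNCHER)
        zf.writestr("readme.txt", PLAIN_TEXT)
    return buf.getvalue()

if __name__ == "__main__":
    for label, data in [("known malware", KNOWN_MALWARE),
                        ("packed launcher", PACKED_LAUNCHER),
                        ("plain text", PLAIN_TEXT)]:
        assessment, verdicts = multi_engine_assessment(data)
        flagged = [f"{v.engine}:{v.name}" for v in verdicts if v.detected]
        print(f"{label:16} -> {assessment:24} {flagged}")
    print(scan_archive(build_update_archive()))
```

Running it shows the asymmetry the post describes: the sample carrying the known byte pattern is named precisely by every engine, while the packed, network-enabled launcher stand-in trips only the two most aggressive heuristic engines and lands in the 'probable false positive' bucket, the case where the post recommends submitting the file to the vendor rather than weakening the scanner. The archive scan also shows why one flagged member is enough to disturb a whole update download.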