Game executable triggers Windows Security

Started by Radiant, Sun 30/07/2023 18:50:34


Radiant

When compiling Heroine's Quest under AGS 3.6.0.47 and Windows 11, I get a popup from Windows Security, which then proceeds to delete the game executable.

Detected: Behavior:Win32/DefenseEvasion.A!ml
Details: This program is dangerous and executes commands from an attacker.
file: C:\Heroine's Quest\Compiled\Windows\RCX976A.tmp

Asking for more info sends me to this Microsoft page, which isn't helpful.

Does this look familiar to anyone? This has not happened with earlier versions of AGS. I can of course overrule Windows Security on this, but I'm worried that other players of the game will get the same error.

Crimson Wizard

#1
Not exactly, but AGS has been a case of unending false positives from several antiviruses in the past. Notably Avast does not like AGS very much.

Something that may be tried is disabling "Attach game data to EXE" in General Settings. I think it's disabled by default in contemporary templates, but may be enabled for older imported projects.
When this is disabled, the Editor will produce 2 files: game.exe and game.ags, where game.exe will be the pure engine with nothing attached.
The reason is that antiviruses don't like it when a program writes something to an exe file, or reads from it. I recall a real case when the AV kept rescanning an AGS game which tried to load sounds from appended data, causing the game to slow down.
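To make the "data appended to the exe" situation concrete, here is an added example (not AGS code, and not part of this thread) that parses the PE section table and reports how many bytes sit past the last section, which is exactly where an "attach game data to EXE" build would place the game file. The sample image built by build_minimal_pe() is a constructed header layout, not a loadable program, and the 0x200 file alignment and the field offsets are those of the standard PE format.

```python
import struct
import sys

FILE_ALIGN = 0x200  # common PE file alignment; used only to lay out the constructed sample


def _pad(b: bytes, align: int = FILE_ALIGN) -> bytes:
    """Zero-pad b up to the next multiple of align."""
    return b + b"\x00" * (-len(b) % align)


def build_minimal_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed sample: DOS stub, PE signature, COFF header, zeroed PE32+ optional
    header and one section header. Enough structure for overlay_size() to parse,
    deliberately not a runnable Windows program."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_header = struct.pack("<H", 0x20B) + b"\x00" * (0xF0 - 2)  # PE32+ magic, rest zeroed
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt_header), 0x22)
    raw_ptr = FILE_ALIGN                      # first section starts at the first aligned offset
    raw_size = len(_pad(section_data))
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics
    section_header = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000,
                                 raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos_header + b"PE\0\0" + coff_header + opt_header + section_header
    assert len(headers) <= raw_ptr
    return _pad(headers) + _pad(section_data) + overlay


def section_end(pe: bytes) -> int:
    """File offset just past the last byte covered by any section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    end = table + 40 * num_sections           # at minimum the headers themselves
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte entry
        size_raw, ptr_raw = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay_size(pe: bytes) -> int:
    """Bytes appended after the last section: the 'attached game data' an AV may keep rescanning."""
    return max(0, len(pe) - section_end(pe))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_minimal_pe(b"\x90" * 100, overlay=b"DATA" * 64)  # constructed sample
    print(f"overlay bytes after last section: {overlay_size(data)}")
```

Run it as `python overlay_check.py game.exe` on a compiled build to see whether data was attached. A non-zero overlay is not by itself suspicious: Authenticode-signed binaries and self-extracting installers also carry data past the last section, so the number is a diagnostic for which build option is in effect, not a verdict.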

Radiant

Thanks. Turns out this option was already disabled (despite it being an imported project). However, oddly enough, enabling this option seems to fix the problem.

Crimson Wizard

#3
Quote from: Radiant on Sun 30/07/2023 20:53:00
Thanks. Turns out this option was already disabled (despite it being an imported project). However, oddly enough, enabling this option seems to fix the problem.

Maybe this Windows Security does not recognize something if the exe is different.

Honestly, I would not recommend enabling this option, since having data attached to the exe may cause additional issues. For instance, all big AGS games that have this take 5-10 seconds to start up on my PC (and winsetup too); I believe that's because the antivirus scans the whole exe (which may be a few GBs because of the data).

I've been wondering if I made a mistake by leaving this switch.

Radiant

I'll try attaching to the EXE with a size limit (which is what I did in previous AGS versions, as it puts most of the data in a Game.001 file).

The issue is that NOT attaching to the EXE causes my computer to immediately delete the EXE, both after compiling and after downloading it from Steam; and I can't really distribute the game like that.

Crimson Wizard

Well, I don't believe it is our task to fix this. The best course is to report the false positive to Microsoft.

I found some other applications had a similar issue:
https://github.com/winsiderss/systeminformer/issues/1631

Their devs suggested reporting the false positive here:
https://www.microsoft.com/en-us/wdsi/filesubmission

Alan v.Drake

If it's caused by the xor encryption, maybe we can use something else or not encrypt at all.


- Alan

Crimson Wizard

#7
Quote from: Alan v.Drake on Sat 05/08/2023 22:02:32
If it's caused by the xor encryption, maybe we can use something else or not encrypt at all.

Eh, this deserves elaboration.

The encryption is currently used in AGS game data for:
- translation texts;
- parser dictionary.

Personally I think it's useless, because the engine is open source, so anyone can find out how to decrypt it. Besides, decryption always uses the same key. Even before the open-source era, there were already tools that extracted texts from AGS based on the reverse-engineered data format.
This only ever makes things difficult for people who open a game file in a notepad, hoping to find some hints inside.
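The "same key every time" point above can be shown in a few lines. The following is an added example, not AGS code and not anything posted in this thread: a repeating-key XOR over a constructed two-line "translation file" with a placeholder key (DEMO_KEY is invented for the demo, not the engine's real string). Because the key never changes and one line of the file is text the player has already seen on screen, XORing that known line against the blob yields the keystream, and its shortest repeating unit is the key, after which the whole file decrypts. This is why such a scheme is obfuscation against a text editor, not confidentiality.

```python
DEMO_KEY = b"ExampleKey"  # constructed placeholder key, not the engine's real one


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call both 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """XOR ciphertext with plaintext known to sit at the same offset: the result is the keystream."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def shortest_period(keystream: bytes) -> bytes:
    """Smallest repeating unit of the keystream, i.e. the key itself for repeating-key XOR.
    Needs a keystream at least as long as the key, otherwise a too-short 'period' is returned."""
    for n in range(1, len(keystream) + 1):
        if all(keystream[i] == keystream[i % n] for i in range(len(keystream))):
            return keystream[:n]
    return keystream


# Constructed sample "translation file": one original line, one translated line.
SAMPLE_LINES = [b"You can't use that here.", b"Das kannst du hier nicht benutzen."]


def encrypt_translation(lines: list[bytes], key: bytes = DEMO_KEY) -> bytes:
    """Write the lines newline-separated and XOR the whole blob with the fixed key."""
    return xor_with_key(b"\n".join(lines) + b"\n", key)


def break_fixed_key(blob: bytes, known_first_line: bytes) -> tuple[bytes, list[bytes]]:
    """Given the blob and the first line (already seen in-game), recover key and contents."""
    keystream = recover_keystream(blob, known_first_line)
    key = shortest_period(keystream)
    return key, xor_with_key(blob, key).split(b"\n")[:-1]


if __name__ == "__main__":
    blob = encrypt_translation(SAMPLE_LINES)
    key, lines = break_fixed_key(blob, SAMPLE_LINES[0])
    print("recovered key:", key)
    for line in lines:
        print(" ", line.decode())
```

The recovery needs one known line at least as long as the key; shorter known text yields only a prefix of the keystream. Changing the key string, as Alan later tried, does not change this property, which is the practical argument for dropping the XOR step rather than replacing it.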

Radiant

Quote from: Alan v.Drake on Sat 05/08/2023 22:02:32
If it's caused by the xor encryption, maybe we can use something else or not encrypt at all.

What makes you think it is caused by XOR encryption?

By my understanding of the error message, the cause is that one program (the AGS executable) executes commands from another file (the game data); this is almost literally what the error message says.

Crimson Wizard

Quote from: Radiant on Sun 06/08/2023 21:50:55
By my understanding of the error message, the cause is that one program (the AGS executable) executes commands from another file (the game data); this is almost literally what the error message says.

Then it could as well be plugins, since the engine executes commands from them.

I wonder if and how Microsoft's security might actually detect that the engine executes bytecode or other instructions from the game file. To know that, it would have to analyze the program's logic that loads data from a file, creates a script object from it, then runs that object, reading the bytes and doing something with them.

Then again, most of the engines in the world today do the same, one way or another.

Alan v.Drake

Quote from: Radiant on Sun 06/08/2023 21:50:55
    Quote from: Alan v.Drake on Sat 05/08/2023 22:02:32
    If it's caused by the xor encryption, maybe we can use something else or not encrypt at all.
What makes you think it is caused by XOR encryption?

Heuristics can trigger on poor attempts at obfuscation, but there's no telling if that's the case unless someone tries with a reproducible case.


- Alan

Radiant

I should add that under 3.6.0.51 this issue no longer occurs (although Windows Defender does mention it wants to send the executable to MS for checking).

Alan v.Drake

Fun fact from testing on my branch:

original acwin.exe: VirusTotal 2/71 (Bkav Pro, MaxSecure)
changed encryption string: VirusTotal 1/71 (MaxSecure)
removed encryption: VirusTotal 1/71 (MaxSecure)


So maybe "Avis Durgan" is in some class of heuristics, but no idea why MaxSecure still triggers its own heuristics even with no en/decryption routine. I guess there's some other code piece causing the false positive.


- Alan
