Compiling errors due to virus scanner

Started by grizzlypants, Thu 04/01/2024 12:34:14


grizzlypants

I'm trying to do a small update for my already released game, but I have issues compiling the game in AGS, as Windows Security interrupts it due to threats it sees in the .tmp files during the process.

The compilation errors I get in AGS:

Unable to register for Windows Game Explorer: Unable to replace resource: BeginUpdateResource failed
Unable to set EXE name/description: LoadLibrary failed

And my Windows Security protection history says:

Detected:
Trojan: Win32/Bancteian!pz
Affected items:
file: C:\Users\Valtteri\Documents\Rock 'n' Roll Will Never Die\Compiled\Windows\RCX16A8.tmp
file: C:\Users\Valtteri\Documents\Rock 'n' Roll Will Never Die\Compiled\Windows\RCX87E.tmp

Windows Defender also says that the threat is removed, but it repeats every time nonetheless (the names of the .tmp files change). I could try allowing the threat, but since it's a specifically named Trojan, I'd want to make sure there aren't any actual viruses there. I know AGS can sometimes cause false positives with the virus scanners, but two months ago everything was still working fine, so something's changed somewhere. How do I know if it's a real threat or not?

Doing a full virus scan on my computer doesn't find any threats. It's just those .tmp files that AGS creates while compiling the game that are problematic. Also, the game actually compiles despite the errors and it seems to run okay. But I'm not sure I want to make it available to people if it has potential virus issues.

Crimson Wizard

#1
The same question was asked a few days ago:
https://www.adventuregamestudio.co.uk/forums/ags-engine-editor-releases/ags-3-6-0-patch-7/msg636659979/#msg636659979

It seems that Windows Defender recognizes certain patterns in AGS that match ones in that Trojan.

Whether AGS is actually infected with that virus may be found out if you test acwin.exe or the compiled game exe with an anti-virus directly. For reference: the executables that we distribute are not compiled by us, but by an automatic server provided by Cirrus CI, and then uploaded to GitHub. All of this is automated, and the program never appears on any personal computer during this process.

We do not know exactly what in AGS causes these false positives. There has been one guess about the text encoding algorithm, but even if it's true, it cannot be removed without breaking compatibility with older games, and this cannot be done in the 3.* versions.

If someone could help us with finding out the root of the problem, then we'd look for solutions to solve it.

At the moment I might only mention that not attaching game data to exe (there's an option in General Settings) improves the situation somewhat, at least when the game is run.

eri0o

If people could submit false positive reports to Windows Defender, it would help.

glurex

Quote from: Crimson Wizard on Thu 04/01/2024 13:24:11
The same question was asked a few days ago:
(...)
It seems that Windows Defender recognizes certain patterns in AGS that match ones in that Trojan.

I was about to post the same. I'm using version 3.5.1.22. The weird thing is that a few days ago, it didn't happen (at least to me)... so I guess it's something related to a recent update of Windows Defender.

grizzlypants

Quote from: Crimson Wizard on Thu 04/01/2024 13:24:11
Whether AGS is actually infected with that virus may be found out if you test acwin.exe or the compiled game exe with an anti-virus directly.
(...)
At the moment I might only mention that not attaching game data to exe (there's an option in General Settings) improves the situation somewhat, at least when the game is run.

Thanks, I did scan acwin.exe and my game exe separately, and found no issues with them. And after clicking "allow" on Windows Defender, the game compiled again without problems.

I don't have the "attach game data to exe" choice available, since my game was made in AGS 3.4.1 and I'm using that to update it too. Switching to a newer engine version would probably mess up all the save games for current players... I'll still test the game a bit, but at least it seems to run normally, so that's good.

Postmodern Adventures

The same thing just happened to me today: Unable to set EXE name/description: LoadLibrary failed.

Crimson Wizard

Quote from: Postmodern Adventures on Fri 05/01/2024 12:40:57
The same thing just happened to me today: Unable to set EXE name/description: LoadLibrary failed.

Being unable to update exe resources also happens sometimes when you have the Compiled/Windows folder open in Windows Explorer. Somehow Explorer "locks" the files it views, preventing the editor from editing them.

Good to know as well! But if several of us have had the same problem today, I'm guessing it's some recent Windows Defender update, as is being discussed here.

edmundito

And here I thought I was the only one until I saw Grundislav's tweet.

Looks like it's specific to building the Windows EXE. The data file and other types of builds seem OK.

Quote from: eri0o on Thu 04/01/2024 16:12:31
If people could submit false positive reports to Windows Defender, it would help.

@eri0o Would you know how we can report these to Windows Defender?


eri0o

I sent a report there myself explaining everything. It would be nicer if more people could send one. The virus definition update only happened today for me; it was 1.403.1858.0 that gave me the problem.

You can find out yours by going to Virus & Threat Protection and clicking the "Check Updates" blue link. It won't check for updates right away, but instead opens a new screen with the virus definition version and a button that lets you really check for updates. Don't click it yet; first copy the virus definition so you can properly report it to Microsoft.

Khris

Btw, a quick fix for you personally is to add your AGS folder to the exclusions.
In Defender go into the Settings for Virus and Threat Protection, scroll down to Exclusions and add your folder.
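The two manual steps above (reading the current definition version before reporting, and adding an exclusion) can be done from an elevated PowerShell prompt with the built-in Defender cmdlets. The script below is an added example, not code from this thread or from the AGS project; it also does the direct scan of acwin.exe and the game exe that Crimson Wizard suggested, and only adds the exclusion after that. All paths are placeholders you must replace with your own project and AGS install locations.

```powershell
# Added example (not from the thread or the AGS project): PowerShell triage for a
# Defender detection during an AGS build. Run in an elevated PowerShell session,
# since Add-MpPreference needs administrator rights.

# Placeholder paths: replace with your own project and AGS install locations.
$ProjectDir = 'C:\Users\<you>\Documents\<YourGame>'                             # placeholder
$BuildDir   = Join-Path $ProjectDir 'Compiled\Windows'
$AgsEngine  = 'C:\Program Files (x86)\Adventure Game Studio 3.6.1\acwin.exe'   # placeholder
$GameExe    = Join-Path $BuildDir '<YourGame>.exe'                             # placeholder

# 1. Record the signature (definition) version without touching the
#    "Check for updates" button; this is what the false-positive report needs.
$status = Get-MpComputerStatus
$report = [ordered]@{
    SignatureVersion = $status.AntivirusSignatureVersion
    SignatureDate    = $status.AntivirusSignatureLastUpdated
    EngineVersion    = $status.AMEngineVersion
}

# 2. Scan the engine and the built game directly. A CustomScan is synchronous
#    and limited to the given path, and the SHA-256 identifies exactly which
#    build was scanned if you later submit it.
foreach ($exe in @($AgsEngine, $GameExe)) {
    if (Test-Path $exe) {
        Start-MpScan -ScanType CustomScan -ScanPath $exe
        $report["SHA256 $(Split-Path $exe -Leaf)"] = (Get-FileHash -Algorithm SHA256 $exe).Hash
    }
}

# 3. Only after the direct scans come back clean: exclude the build output
#    folder and nothing wider. Excluding a whole drive or the Documents folder
#    silently blinds Defender to anything else that lands there.
Add-MpPreference -ExclusionPath $BuildDir
$report['Exclusion'] = $BuildDir

# 4. Print what to paste into the submission form.
$report.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
```

The exclusion is deliberately limited to `Compiled\Windows`, where the `RCX*.tmp` files from the first post are written. Once Microsoft's definitions stop flagging the build, `Remove-MpPreference -ExclusionPath $BuildDir` takes the exclusion away again; `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` shows what is currently excluded.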

eri0o

My reports are still not reviewed. The weird thing is that in the report it runs the analysis of the file again, both with a newer version and with the same version of Windows Defender that you reported. And both runs say "No malware detected"; apparently the Final Determination is "Not malware", but it's still awaiting an analyst. It's weird that the software locally would flag it as malware, but not when running in the cloud?

It would be nice if more people could submit their files for analysis there.

Crimson Wizard

But which file is detected as a threat, though? Is this acwin.exe, game.exe, or one of the temporary files that the AGS Editor might produce? I think this should be clarified.

Khris

It's primarily the .tmp files afaik. Windows also prevented me from running AGS4's AGSEditor.exe until I specifically allowed it, same for basically any game exe of a downloaded AGS game (and other Indie games tbf).

eri0o

Hey, is this still happening to anyone, or has Windows Defender updated and this is not happening anymore? Neither of my reports to MS has been reviewed yet by a human; only the automated stuff has processed. Has anyone else sent reports to them?


eri0o

#17
But have you sent a report???

Here: https://www.microsoft.com/en-us/wdsi/filesubmission


As apparently no one sent files for analysis, I guess this won't go away. After all, it's a numbers game. Anyway, I already disable Windows Defender on my git repositories where I do development in different things, where I use JetBrains IDEs or VS to code. This article from JetBrains explains this a bit:

https://intellij-support.jetbrains.com/hc/en-us/articles/360006298560-Antivirus-Impact-on-Build-Speed#:~:text=If%20your%20antivirus%20software%20has,the%20antivirus%20scans%20that%20file.

I guess their code for Windows Defender detection (linked there) could be ported so the AGS Editor could detect that Windows Defender is active in the game project directory and produce a warning about disabling it.

InfernalGrape

Happened to me as well just now.

Quote: But have you sent a report???

Guess it's the demand to log into your MS account that puts people off, perhaps. I'm not sure if I remember mine, for example, as I haven't been using MS Office for a while already and never used Hotmail.

eri0o

#19
Which version of AGS are you using?

You have to understand that MS does this automatically and it's a game of numbers; we have no control over this.

In the latest 3.6.1 there's a change that should reduce the chances of this happening, in my experience, but you should anyway add an exception for your own game project dir.

InfernalGrape

#20
"Build 3.5.1.17" for me.

By the way, if we are supposed to submit files to MS, which files are meant? Defender reacts like that to temporary files during the compiling process, so normally you never have access to those files... Right?

Crimson Wizard

#21
Quote from: InfernalGrape on Tue 07/05/2024 18:49:55
By the way, if we are supposed to submit files to MS, which files are meant? Defender reacts like that to temporary files during the compiling process, so normally you never have access to those files... Right?

I was asking the same question.

Is there any way to recover this file, if it's stored in quarantine, for example? Then we could look inside and at least find out what it is.

EDIT: elaborating, I do not know if these "temp files" are reacted to because Defender does not like *them*, or because it generally does not like what AGS Editor is doing, and wants to prevent any files that it creates.
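The two open questions in this post (which file was actually flagged, and whether it survives in quarantine) can be answered from Defender's own detection records. The script below is an added example, not code from the thread or the AGS project; it assumes the project directory placeholder is replaced with your own. The `ProcessName` field it prints is the part that separates the two explanations Crimson Wizard gives: it names the program whose write Defender intercepted, so you can see whether the editor or something else produced the flagged `.tmp` file.

```powershell
# Added example (not from the thread or the AGS project): list what Defender
# actually flagged under the project folder, and what is sitting in quarantine.
# Read-only; the quarantine listing via MpCmdRun.exe needs an elevated prompt.

$ProjectDir = 'C:\Users\<you>\Documents\<YourGame>'   # placeholder

# Get-MpThreat maps a numeric ThreatID to the name Defender shows in its history.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

# Get-MpThreatDetection records one object per detection event. Its Resources
# property holds entries such as "file:_C:\path\RCX16A8.tmp"; filter those to
# the project folder, newest first.
Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ' ') -like "*$ProjectDir*" } |
    Sort-Object InitialDetectionTime -Descending |
    ForEach-Object {
        [pscustomobject]@{
            When    = $_.InitialDetectionTime
            Threat  = $threatNames[$_.ThreatID]
            Process = $_.ProcessName   # the process whose file write was caught
            Files   = ($_.Resources -replace '^file:_', '') -join '; '
        }
    } | Format-List

# Items Defender "removed" are usually quarantined, not deleted. Listing them is
# harmless; restoring one is only worth doing into a folder that is itself
# excluded, purely to hash it and submit it for analysis, never to run it.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
```

If the listing shows no entry for the project folder at all, the detection was blocked at write time rather than quarantined afterwards, which is consistent with the `.tmp` file names changing on every build: there is then no stable file to submit, and the acwin.exe and game exe hashes from a direct scan are the most useful things to send with the report.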
