Comments (31)
UPDATE & ???: Windows defender now flags the RSMM executable (and even very very old releases) even more aggressively and this makes it impossible to download the source as a zip in chrome currently. Norton and many other AV engines all flag RSMM with pretty high confidence. This is extremely strange and I have no clue what is causing RSMM to be flagged on such a massive scale and I'm beginning to wonder if RSMM is perhaps being targeted for/by something. I've submitted RSMM to a few AV engines so far and have not gotten much yet.
I'm gonna ask about this on the devforum. This is sounding more serious I think.
from roblox-studio-mod-manager.
@Hexcede Would you say that it's safe to download and disregard Windows Defender?
Yes, I would say so. We are able to view the source code of RobloxStudioModManager since it's a .NET application (it's compiled to non-native bytecode which is what allows it to run on several platforms as well as 64/32 bit machines) using a ton of decompilers. I've had a look myself, and I don't see anything out of the ordinary. This, however, does not mean there isn't a possibility the file has been infected through an attack.
I've investigated the source code a bit further, and I believe that what is being detected is actually the fact that RobloxStudioModManager both downloads, and launches Roblox (lol). Essentially what happens when RBXModManager starts up is it contacts Roblox to locate versions, test branches, etc. This behaviour, since it happens without any user input, is probably seen as being "backdoor-like." There are plenty of ways to get Windows to execute an arbitrary program like this at launch, so my guess is that Windows defender and other AVs see this as a threat since it's contacting a remote service, downloading files, and other things.
#58 This was resolved! 😄
That additionally brings me to a possible solution/fix to this AV issue (@CloneTrooper1019 you could probably test this fairly easily by simply moving most of the launch code to be ran by a user interaction such as a button press, but that would not confirm that my following assumption would work) By having RobloxStudioModManager package a .NET library for installing Roblox, requesting resources, etc (there's a way to compile the library directly within your program without packaging any dlls or anything, I don't quite remember how, but it's not a huge task as far as I know), making startup requests, etc (thereby moving said code out of direct launch code) you could potentially circumvent AV flagging in a non-malicious way. Using a library in this way actually makes a bit of sense to me in this particular circumstance since RSMM is essentially already using code like a library, just directly within its own code rather than separate. I would personally not consider a circumvention like this to be unintended or hacky, but I suppose a lot of people would see this as a hacky or bandaid fix if my assumptions are correct.
from roblox-studio-mod-manager.
Try whitelisting it @Mullets-Gavin
https://twitter.com/BoatbomberRBLX/status/1347262909915738113
from roblox-studio-mod-manager.
Got a new one: Trojan:Win32/AgentTesla!ml
.
I don't believe signing it will help a lot; from what I can see antivirus vendors don't really consider a signed executable safe anymore since there's been a resurgence in malware that has been signed. It's definitely a factor in their conclusion but it's not a bulletproof solution. The best way of resolving these would to be manually contact each provider and get it whitelisted, but this takes time and it would have to be done for every release.
A possible solution would be to have the downloading functionality in a separate worker executable, and then get that worker to be cleared by AV companies. As long as it isn't updated, in theory it should be fine. Just make sure it's included as part of the download instead of it being downloaded by RSMM.
from roblox-studio-mod-manager.
I’m aware of the situation and I’m trying to get to the bottom of what’s going on here.
I’m going to submit the application to Microsoft’s Security Intelligence team with context to what the application is doing and see what further steps I can take from there.
from roblox-studio-mod-manager.
Just to clarify, are you seeing these false positives with old versions of the application?
I need to make sure the exe didn’t somehow actually get infected.
from roblox-studio-mod-manager.
@CloneTrooper1019
I am seeing these with the latest version of the executable. I may run it through a VM with some tracker software running to monitor what it's doing at some point just to see what could actually be triggering AV softwares.
Decompiling it and looking through the C# code didn't point to anything suspicious imo, but I'm not sure what extent of the program could be modified, for example, I have no idea if it's possible to insert assembly code into the application that wouldn't get decompiled.
from roblox-studio-mod-manager.
Excerpt from https://malwarefixes.com/threats/trojanwin32-occamy-c/:
Trojan:Win32/Occamy.C is a threat identified by Microsoft Security Software. This is a typical malware that targets the core system of Windows in order to complete its tasks. Trojan:Win32/Occamy.C was made to execute a series of commands once it gets inside the system. It will gather data like system settings, Windows version, network configuration, and so on. Collected data will be sent to remote attacker for analysis.
Hope this provides some help analyzing the issues. Seems like Windows Defender labels anything that accesses Windows preferences is a trojan?
from roblox-studio-mod-manager.
I've submitted a report to Microsoft's Security Intelligence Team explaining the situation.
Hopefully this will all be cleared up soon, though I'm not sure how quick their turnaround time is.
from roblox-studio-mod-manager.
Hi everyone! They got back to me much quicker than I anticipated.
The application should no longer be flagged as malware by Windows Defender.
Follow the steps provided below if it is still being detected as malware:
from roblox-studio-mod-manager.
With that said, several other antivirus programs are still reporting it as such.
I'll try contacting some of them individually to see if I can get this diagnosis cleared.
from roblox-studio-mod-manager.
@Hexcede Would you say that it's safe to download and disregard Windows Defender?
from roblox-studio-mod-manager.
Looks like it’s being false flagged again.
Gonna resubmit it and request advice for avoiding this problem in the future.
I’ll probably have to start signing the application.
from roblox-studio-mod-manager.
Looks like it’s being false flagged again.
Gonna resubmit it and request advice for avoiding this problem in the future.
I’ll probably have to start signing the application.
Yep, and it looks like Windows Defender isn't the only thing detecting this either. A lot of engines are falsely detecting this for some reason.
Edit: And it looks like even super old versions are also being flagged
from roblox-studio-mod-manager.
Could it be Windows Defender? Because whenever I try to extract it, it just deletes itself, tried making non-exe, it successfully extracted, but as soon as I renamed its extension to exe, it just deleted itself.
from roblox-studio-mod-manager.
Could it be Windows Defender? Because whenever I try to extract it, it just deletes itself, tried making non-exe, it successfully extracted, but as soon as I renamed its extension to exe, it just deleted itself.
Yes a lot of AV engines are detecting this right now. (Again)
from roblox-studio-mod-manager.
So the conclusion so far from the devforum post is as follows:
- Disabling code
Optimization
massively helps (for me it brought AV detections on VT from 11 to 4). This makes sense because optimized code is harder for AVs to interpret. - Using the
Signing > Sign the assembly
section with a new key massively helped (11 to 5). This makes sense since signed applications are more secure & easier to track I suppose. - Both in conjunction helped even more (11 to 2). This also makes sense because the application is now easier to interpret from an AV standpoint and doesn't have anything funky going on with strange settings, and it's signed so it looks more secure & is easier to be interpreted correctly.
(Currently the latest release results in 40 flags, which I expect is due to the pdb debug path in the executable for some weird reason)
from roblox-studio-mod-manager.
Applied this patch.
bc105c9
This seems to have reduced it significantly.
from roblox-studio-mod-manager.
@CloneTrooper1019 Crab rave
from roblox-studio-mod-manager.
This effectively means that Kaspersky and ZoneAlarm are the only false positives remaining and they classify RSMM as "non virus adware" which is very obviously not the case.
from roblox-studio-mod-manager.
This issue is occurring again since the latest release, and Windows AV keeps flagging & deleting mod manager. Disabling "Real-time Protection" doesn't work either. I've "allowed" the program to remain on this PC, but if I restart Windows it seems to forget and requires me to reinstall mod manager and re-allow the file to remain.
from roblox-studio-mod-manager.
I found what line's cause the detection by Microsoft defender
RegistryKey robloxPlaceCmd = robloxPlace.GetSubKey("shell", "open", "command");
robloxPlaceCmd.SetValue(_, $"\"{modManagerPath}\" -task EditFile -localPlaceFile \"%1\"");
and
RegistryKey studioUrlCmd = GetSubKey(robloxStudioUrl, "shell", "open", "command");
studioUrlCmd.SetValue(_, modManagerPath + " %1");
Both inside of the UpdateStudioRegistryProtocols
function
With both of these lines the virustotal score is 35 / 69
https://www.virustotal.com/gui/file/58f4f72bfb5413c586e758060a60d07a4fde62c9c183262a1a4895277a7aded0/detection
Commenting these out result in a virustotal score of 18 / 70
with Microsoft defender also considering it safe. https://www.virustotal.com/gui/file/b9a0a37074551b1bdd70516d93cdc422eab199f534b9b5d629aa126205a32a72/detection
If the whole function is commented out the score is reduced to 16 / 70
. https://www.virustotal.com/gui/file/4bd673b2b4e7ab9eafff05f4e1ca00e31428efcf66ed2cf590f9599ea75ac4c8/detection
It may be a good idea to try and make the program not use the registry, this should reduce the false positive count by a significant amount.
from roblox-studio-mod-manager.
@GlowingUmbreon Sure but would that really be an end-all catch for this? When I tried building the program as a debug version instead, virus-total dropped a large chunk of its detection count as well because the resulting code was not similar enough to be detected by the existing database, only for it to ramp back up again shortly after.
There is nothing inherently wrong with the registry key changes I'm making, Roblox Studio does a similar amount of registry key changes and it isn't marked as a virus. The key issue is that the program runs RobloxStudioBeta.exe after downloading and extracting it from Amazon S3. While the program is not acting malicious, it exhibits the behavior of a trojan and has no other choice but to assume it's unsafe.
I might have to just fork up like $300-$500 a year to have the application signed by a certificate authority, which I can afford to do but it's really annoying that I even have to.
from roblox-studio-mod-manager.
@CloneTrooper1019 While this will not fix all cases this would fix windows defender according to virus-total, which I feel most of the false positives come from since its built into windows, which is a step in the right direction.
I also doubt that windows defender will begin detecting it as a virus again unless it is submitted as a sample, and even then it might not be detected.
from roblox-studio-mod-manager.
I rescanned the file on virus total and the amount of detections dropped from 39 (10 months ago) to 27 so the false flags have improved but still a lot of AVs detect it.
from roblox-studio-mod-manager.
Bitdefender silently blocks this, creating an exception does absolutely nothing. I would suggest prioritizing av's that silently block it without exceptions.
from roblox-studio-mod-manager.
Even firefox thinks it's a PUP now.
from roblox-studio-mod-manager.
(necrobump)
Still happening again
from roblox-studio-mod-manager.
(necrobump)
Still happening again
It's basically impossible to add to allowed stuff or something, while being on a local account and can't access it because admin rights
Update: it literally gets deleted after downloading it
from roblox-studio-mod-manager.
Technically, this has never been fixed. The issue was closed because there's a workaround, however it requires admin privilages
from roblox-studio-mod-manager.
I hope avast stops detecting it soon
from roblox-studio-mod-manager.
Related Issues (20)
- Selecting older version bricks RSMM on next startup
- Unable to open place by pressing edit on website HOT 2
- Older versions are no longer supported
- Remove the -launchmode argument when launching with a URL
- is this ever gonna be updated? HOT 3
- Proposed new Logo HOT 1
- Stuck in a logging in loop HOT 1
- Clicking "Launch Studio" crashes program HOT 1
- freezing HOT 4
- I get this error when trying to launch
- Login Failed - An error occurred while logging into Studio. Please login on the website or try again later. HOT 1
- cant Ctrl+A or any form of multi-selecting
- How do you uninstall the mod manager? HOT 1
- Roblox Studio Mod Manager cannot connect to anything
- Capabilities of the manager HOT 2
- Trying to update Roblox Studio to a new version shows a Microsoft .NET error
- Studio updates force close all active Studio processes HOT 3
- Object reference error when launching Mod Manager
- weird ui bug
- Unable to uninstall
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from roblox-studio-mod-manager.