Lemmings Forums

NeoLemmix => Bugs & Suggestions => Closed => Topic started by: Strato Incendus on August 02, 2018, 02:58:22 PM

Title: [External Problem][Editor] NLEditor gets put into quarantine by Avira
Post by: Strato Incendus on August 02, 2018, 02:58:22 PM
So, when I just started my PC, Avira notified me that it had put the New Formats Editor into the quarantine because of "suspicious patterns".

I just tried redownloading the Editor, and it got put into quarantine right away. I had no opportunity to instruct Avira to make exceptions or similar, and when I say "show details", this only starts a quick scan with Luke Filewalker, rather than telling me anything specific about why the editor was removed.

Since namida is using Avira as well, as far as I know, has anyone else had this issue?
Title: Re: [Bug][Editor] NLEditor gets put into quarantine by Avira
Post by: Nepster on August 02, 2018, 05:05:50 PM
Ah, nothing new there. It feels like once per year they make an update that declares NeoLemmix or its editor to be malware. :(

Way around:
1) Launch Avira Security Center (SecurityCenter.exe)
2) Click on "quarantine"
3) Select the NeoLemmix editor in the list
4) Click on "restore object"
5) Click "Yes" when asked whether this file should be added to the white-listed files.

PS: This is not a "bug" in the sense that I can do anything against it, because I don't know which patterns they search for, so I can't do anything to avoid them. Please complain to Avira!
Title: Re: [External Problem][Editor] NLEditor gets put into quarantine by Avira
Post by: Ryemanni on August 02, 2018, 08:32:37 PM
I must point out that Avast also detects nl and the editor as a threat. Making an exception of the .exe is the only way around it. (Or uninstall your antivirus ;P )
Title: Re: [External Problem][Editor] NLEditor gets put into quarantine by Avira
Post by: mobius on August 02, 2018, 10:57:35 PM
Any good antivirus program should let you make exceptions easily. I think I tried Avast once (as Ryemanni said) and had to make exceptions of things like Lemmix etc.

I feel I must point out again, that I've tried many different ones and so far Malwarebytes is far above and beyond the others. Never get miss hits (I don't even have to make exceptions of NL or other similar programs). And it actually finds the actual viruses (rare these days anyway), but something that Avast and other programs I tried failed to do many times >:( :-\
Title: Re: [External Problem][Editor] NLEditor gets put into quarantine by Avira
Post by: ccexplore on August 03, 2018, 01:08:10 AM
I'm kind of curious what exactly is in the EXE that is tripping up multiple AV engines apparently.  Clearly there is some actual real virus or malware out there whose uniquely identifying contents the AV engines are checking against.  Wonder what could be in the NL executables that would look similar to AV engines?

Does the AV at least call out what specific threat it thinks it detected?
Title: Re: [External Problem][Editor] NLEditor gets put into quarantine by Avira
Post by: namida on August 03, 2018, 01:33:05 AM
I use Avira (premium edition) and I haven't had any problems with NL, either player or editor.
Title: Re: [External Problem][Editor] NLEditor gets put into quarantine by Avira
Post by: Strato Incendus on August 03, 2018, 03:49:42 PM
Thanks, Nepster! It was called "avcenter" on my PC, but it worked! ;)
Title: Re: [External Problem][Editor] NLEditor gets put into quarantine by Avira
Post by: Nepster on August 03, 2018, 04:29:22 PM
> I'm kind of curious what exactly is in the EXE that is tripping up multiple AV engines apparently. Clearly there is some actual real virus or malware out there whose uniquely identifying contents the AV engines are checking against. Wonder what could be in the NL executables that would look similar to AV engines?

As I said, I have no clue why it considers the editor to be dangerous. One big issue is probably that I am not a certified software vendor but a rather unknown entity, which certainly doesn't help my case.
One interesting bit is, that I have quite a few copies of the editor lying around, but Avira only complains about the one in the "playing folder". Not sure how this changes anything. Perhaps because I used it to playtest levels, which automatically opens another very dubious application called NeoLemmix.exe with some weird command line arguments?

> Does the AV at least call out what specific threat it thinks it detected?

It's really not helpful in that regard, as it only links to this incredibly useful page. (https://www.avira.com/de/support-threats-summary-product?tid=148076&threat=TR&track=1) ;P  But if you search long enough, you realize that it is TR/AD.Quervar.bfsbw from virus definition 8.15.02.112 (https://www.avira.com/en/support-vdf-details/ivdf_no/8.15.02.112) released two days ago. Still, that doesn't tell me anything useful.
Title: Re: [External Problem][Editor] NLEditor gets put into quarantine by Avira
Post by: mobius on August 03, 2018, 08:17:51 PM
Some antivirus programs give warnings or automatically suspect any program that is not widely known or, as Nepster said, was taken from an unknown entity (which by default includes NeoLemmix and Lix for example).  Some seem to suspect any program that writes or moves or edits other files anywhere on the PC (also NL and Lix).
Title: Re: [External Problem][Editor] NLEditor gets put into quarantine by Avira
Post by: ccexplore on August 03, 2018, 08:36:40 PM
Yeah, I didn't get anywhere looking up the thing Avira said it detected.  I guess it's inevitable that some AV software will tune their detection towards being over-aggressive.  As long as it doesn't cause issues in widely used software, the overall impact of a false positive is low and may even trick some people into thinking the AV is better because it "seems to find more things".

> One interesting bit is, that I have quite a few copies of the editor lying around, but Avira only complains about the one in the "playing folder". Not sure how this changes anything. Perhaps because I used it to playtest levels, which automatically opens another very dubious application called NeoLemmix.exe with some weird command line arguments?

Hmm, so the copies are identical but Avira only picks up the playing folder one?  Are the other copies lying in folders that you still access frequently?

My guess is that if you now explicitly ask Avira to scan the other copies, it would probably flag them as bad as well.  The one in the playing folder, by virtue of getting executed frequently, may be triggering Avira to proactively (re)scan it.  The other copies may have been scanned previously before the update that introduced the false-positive detection, and have not yet been re-scanned.
Title: Re: [External Problem][Editor] NLEditor gets put into quarantine by Avira
Post by: Nepster on August 04, 2018, 10:18:36 AM
> Hmm, so the copies are identical but Avira only picks up the playing folder one? Are the other copies lying in folders that you still access frequently?
>
> My guess is that if you now explicitly ask Avira to scan the other copies, it would probably flag them as bad as well. The one in the playing folder, by virtue of getting executed frequently, may be triggering Avira to proactively (re)scan it. The other copies may have been scanned previously before the update that introduced the false-positive detection, and have not yet been re-scanned.

Good point. The others are in the folder for the "current release", "current update" and the original compile-location. I haven't opened any of them after the virus definition update in question. And I am not tempting fate by opening them right now just for the sake of testing. ;)
Title: Re: [External Problem][Editor] NLEditor gets put into quarantine by Avira
Post by: namida on August 10, 2018, 07:07:22 PM
So, after ages with no problem, Avira randomly decided to (in the middle of the night) flag the editor for me too. Marking the first time I've ever had a false positive from Avira, actually.

I have reported the false positive to them, along with links to the Git repo of the source code so that they can analyze that too if they need to.

In the meantime, if you're using Avira and it's removing your editor:
1. Open Avira
2. Go to Quarantine
3. Find a copy of NLEditor.exe in there
4. Restore
5. Make sure to select "Add this path to ignore list" or whatever it's called
Title: Re: [External Problem][Editor] NLEditor gets put into quarantine by Avira
Post by: Strato Incendus on October 20, 2018, 02:02:23 PM
Old Formats NeoLemmix Player suddenly also gets put into quarantine by Avira. And Avira didn't even consider it necessary to inform me about its removal. Funnily enough, the issue seems to be related to the name; because if my player was named NeoLemmix(1) - which arose because I had several versions of the .exe in my downloads folder - then copying it back works :D . If I tried to remove the (1) and call it "NeoLemmix" again, I'm told I need administrator rights.

Anyway, added to the ignore list and restored. It's just strange that Avira suddenly becomes suspicious of these files, as namida said, after ages of not complaining about them.