Lemmings Forums

Lix => Lix Main => Topic started by: WillLem on May 08, 2021, 11:22:41 PM

Title: Antivirus (AV) keeps quarantining Lix
Post by: WillLem on May 08, 2021, 11:22:41 PM
It's in the title. It's happened a few times now and I have to keep manually restoring it only for it to get quarantined again.

I've now added it to my list of "Trusted Items" (not ideal), but... just thought you might want to know that something is flagging it up as a virus.
Title: Re: AV keeps quarantining Lix
Post by: Simon on May 09, 2021, 05:36:32 PM
Hmm, thanks, there is little I can do about it. Lix is generally unknown, it deletes files, and it sends things over the network. It's possible that some AV heuristics will flag it as malware.

Add an exception for Lix in the AV software, yes.

Which AV software is it?

-- Simon
Title: Re: AV keeps quarantining Lix
Post by: namida on May 09, 2021, 06:58:04 PM
In general - two things to always do when reporting an AV false positive:
1. Make sure to mention which AV it is. If many AVs are reporting a positive, it's possible that the app accidentally (or, not for Lix but just generally speaking, maybe intentionally) contains a virus. In the case of a false positive, it's far more likely to be isolated to one AV.
2. Report it to the AV devs as well. They are likely the ones who need to fix it (but doesn't hurt to report to the app's dev too).
Title: Re: AV keeps quarantining Lix
Post by: WillLem on May 10, 2021, 12:39:45 AM
The AV is McAfee LiveSafe. I got a free year's subscription when I bought my new laptop (coming up to the 12 month mark now actually - time flies!)

It's not the best AV I've had. The interface is really badly laid out and the tech support team were unable to fix an issue I've been having with the software on my Mac, so I've just had to live with that - I'll definitely be switching to a different one when the subscription's up.

Meanwhile, I've reported the Lix issue to the AV devs as suggested, just in case they can do anything about it which may benefit others - maybe it'll flag up a bug or something.
Title: Re: AV keeps quarantining Lix
Post by: Forestidia86 on May 11, 2021, 04:58:26 PM
Out of interest:
Does the AV quarantine the full Lix directory or only the executable lix.exe?
Does the AV give an explanation/description why it quarantines?
Title: Re: AV keeps quarantining Lix
Post by: WillLem on May 12, 2021, 12:55:05 AM
Out of interest:
Does the AV quarantine the full Lix directory or only the executable lix.exe?
Does the AV give an explanation/description why it quarantines?

Only the executable, and the threat is described as "Real-Protect" followed by a string of characters. No other information is given by the AV.
Title: Re: Antivirus (AV) keeps quarantining Lix
Post by: Simon on April 28, 2023, 11:03:56 PM
This week, I received a report via private email that Bitdefender flags 32-bit Windows Lix as malicious (but not 64-bit Windows Lix) and prevents downloading. Here is my reply to that email:



I've let VirusTotal (virustotal.com) scan the zip archive of Lix 0.10.8 for Windows (x86). Result: 52 out of 62 antivirus engines found nothing. 10 out of the 62 engines considered it malicious; among these, the most common diagnosis was Gen:Variant.Lazy.165509, and one Trojan.Lazy.D28685. In particular, Bitdefender believes it contains Gen:Variant.Lazy.165509, which agrees with your report.

Findings are practically the same if I upload only the 0.10.8 x86 executable (instead of the entire zip archive), with 13/71 engines flagging it as that Lazy virus.

Then I've uploaded the Lix 0.9.48 x86 executable or the Lix 0.10.3 x86 executable from half a year ago, again 10 engines find something, but now those 10 engines (including BitDefender) believe it to be Gen:Variant.Fragtor.90414.

Given these results, I'll consider it a false positive: The 10/62 engines detect a different virus (between the 0.10.3 and the current 0.10.8) even though I believe I haven't changed Windows D compilers or dependencies in the past months. Also, most engines (over 80 %) don't see any virus at all.

Lix might easily appear as a threat to antivirus heuristics: It's a largely unknown program, it changes reasonably often to avoid cataloguing by antivirus engines, it creates and deletes files (level/replay delete button), and it can connect to the internet.

All the engines consider the x64 executable completely clean. If you're unsure, I recommend the x64 version over x86 version anyway; the x86 build is a fallback for old machines.

-- Simon
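
Added example (not part of the post above and not Lix or VirusTotal code): a Python sketch of the comparison the post describes, normalising detection labels to a family name and comparing two builds. The engine names and per-engine verdicts are constructed placeholders that follow the counts quoted in the post, and the 80 % threshold is an assumption taken from the post's wording.

```python
from collections import Counter

def make_scan(total, labels):
    """Constructed scan: the first len(labels) engines report a label, the rest are clean."""
    return {f"engine{i:02d}": (labels[i] if i < len(labels) else None)
            for i in range(total)}

# Constructed sample data. Engine names are placeholders; counts and labels
# follow the figures quoted in the post, not a real VirusTotal export.
SCANS = {
    "0.10.3-x86": make_scan(62, ["Gen:Variant.Fragtor.90414"] * 10),
    "0.10.8-x86": make_scan(62, ["Gen:Variant.Lazy.165509"] * 9 + ["Trojan.Lazy.D28685"]),
    "0.10.8-x64": make_scan(62, []),
}

def family(label):
    """Reduce 'Gen:Variant.Lazy.165509' to 'Lazy': drop prefixes and id suffixes."""
    parts = [p for p in label.replace(":", ".").split(".")
             if not any(c.isdigit() for c in p)]
    return parts[-1] if parts else label

def summarize(scan):
    """Detection count, ratio and family histogram for one scan."""
    hits = [label for label in scan.values() if label]
    return {"flagged": len(hits), "ratio": len(hits) / len(scan),
            "families": Counter(family(label) for label in hits)}

def compare_builds(scans, old, new, clean_majority=0.8):
    """List observations about two builds; they inform a judgement, they are not a verdict."""
    a, b = summarize(scans[old]), summarize(scans[new])
    flagging = lambda s: {e for e, label in s.items() if label}
    notes = []
    if 1 - b["ratio"] > clean_majority:
        notes.append("most engines report clean")
    if a["families"] and b["families"] and not set(a["families"]) & set(b["families"]):
        notes.append("family label differs between builds")
    if flagging(scans[old]) and flagging(scans[old]) == flagging(scans[new]):
        notes.append("same engines flag both builds")
    return notes

if __name__ == "__main__":
    for name, scan in SCANS.items():
        s = summarize(scan)
        print(f"{name}: {s['flagged']}/{len(scan)} flagged, families={dict(s['families'])}")
    print(compare_builds(SCANS, "0.10.3-x86", "0.10.8-x86"))
```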
Title: Re: Antivirus (AV) keeps quarantining Lix
Post by: Simon on April 29, 2023, 04:46:09 PM
Bitdefender likes to see Gen:Variant.Lazy.xxxxxx in other software, too:

https://steamcommunity.com/app/1324130/discussions/0/3772365358800271110/

https://github.com/MiKTeX/miktex/issues/1218

-- Simon
Title: Bitdefender flags 32-bit Lix
Post by: The Mole UK on May 01, 2023, 11:25:12 AM
Lix (x86)
I am prevented from downloading.   Getting an infected web page message.  x64 is okay.
I used my phone to download the zip.  It is the zip that is infected.
Title: Re: Bitdefender flags 32-bit Lix
Post by: Simon on May 01, 2023, 12:00:27 PM
Hi!

Bitdefender likes to flag 32-bit Lix. I believe it's a false positive. See: Antivirus (AV) keeps quarantining Lix (https://www.lemmingsforums.net/index.php?topic=5586.msg98664#msg98664)

I recommend the x64 version over the x86 version in general. The x86 build is a fallback for old machines.

-- Simon
Title: Re: Bitdefender flags 32-bit Lix
Post by: The Mole UK on May 01, 2023, 01:21:54 PM
I suspect a false positive too.  Annoying tho...