Question

Hi!

Yesterday I bought the Making History EXPack, and KSP also updated itself for 1.4.1. I had fun with it for a while then today I got a warning from the Win. Defender.
It found "Trojan:Win32/Critet.BS" in one of the files under KSP:  "E:\Games\Steam\steamapps\downloading\220200\KSP_x64_Data\Managed\Assembly-CSharp.dll"

Have any of you experienced something similar? I got the game from Steam, deleted all the mods prior to the install, but it seems like the "trojan" came with the game.

I know what a trojan is supposed to do, but I don't really believe what the Defender says at this point...

Edited by NotJebediah
Typo


  • 5

Hello all.

Windows 10 Defender was detecting Assembly-CSharp.dll as containing a virus. This has been found to be a false positive. 

The file was being detected as having a virus on the following previous definitions
1.263.580.0
1.263.582.0

1.263.580.0 release time corresponds with the first reported cases.

Virus definition 1.263.585.0, just released, does not quarantine the file. Please be sure to update Defender's virus definitions.

Source: https://www.microsoft.com/en-us/wdsi/definitions

Results of the analysis: https://www.microsoft.com/en-us/wdsi/submission/bdea1058-efcc-4c43-8051-22cfe1139e81

Update:

If Defender continues to flag the file as containing the Critet.BS trojan, the following advice comes from the Microsoft Defender team after the file was submitted again for review.
 

Quote

 

Thank you for your inquiry. 

We have reviewed the file (assembly-csharp.dll Sha256 1e9581f1fd73b33f8882dd0ac505736a7dfc0a96283a99755919e5f3004e0bfa); it is not malware and we cannot reproduce any detection on the file.

Please try the following steps to clear cached detections and obtain the latest malware definitions. 

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender  

2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures” 

This new definition library will be available for users who subscribe to the automatic definition update mechanism, as well as users who choose to manually update their definition library. The latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions 

 

Furthermore, you may find that a system restart is necessary to completely clear the problem.

 

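The hash check and cache-clearing steps from the answer above, as an added PowerShell example that is not part of the original posts or of Microsoft's reply: it compares the flagged file's SHA-256 with the hash Microsoft says it reviewed, reports the installed definition version, and runs the MpCmdRun step only when asked. The default path, the `-ClearCache` switch and the follow-up `-SignatureUpdate` call are assumptions of this example.

```powershell
# Added example; run from an elevated PowerShell session on Windows 10.
param(
    # Assumed default Steam library path; pass your own with -Path.
    [string]$Path = 'C:\Program Files (x86)\Steam\steamapps\common\Kerbal Space Program\KSP_x64_Data\Managed\Assembly-CSharp.dll',
    # Hypothetical switch: only clear cached detections when explicitly requested.
    [switch]$ClearCache
)

# SHA-256 that Microsoft's reply in this thread says was reviewed and is not malware.
$ReviewedSha256 = '1e9581f1fd73b33f8882dd0ac505736a7dfc0a96283a99755919e5f3004e0bfa'
# Definition versions the answer lists as flagging the file.
$FlaggingDefs = '1.263.580.0', '1.263.582.0'

$sigVersion = (Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Defender definitions: $sigVersion"
if ($FlaggingDefs -contains $sigVersion) {
    Write-Warning 'This definition version is listed in the thread as flagging the file; update first.'
}

if (-not (Test-Path -LiteralPath $Path)) {
    # Defender removes the file on detection, so a missing file is expected here.
    Write-Warning "File not found (possibly quarantined): $Path"
} else {
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    Write-Host "SHA-256: $actual"
    if ($actual -eq $ReviewedSha256) {
        Write-Host 'Matches the file Microsoft reviewed.'
    } else {
        # A different hash is not proof of tampering (other builds and platforms
        # ship a different file), but the reviewed verdict does not cover it.
        Write-Warning 'Hash differs from the reviewed file; the verdict does not apply to this copy.'
    }
}

# Detections Defender has recorded against this file name.
Get-MpThreatDetection | Where-Object { $_.Resources -match 'Assembly-CSharp\.dll' } |
    Select-Object InitialDetectionTime, Resources

if ($ClearCache) {
    $mp = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    & $mp -RemoveDefinitions -DynamicSignatures   # step 2 of Microsoft's reply
    & $mp -SignatureUpdate                        # then fetch current definitions
    Write-Host "Definitions now: $((Get-MpComputerStatus).AntivirusSignatureVersion)"
}
```

Checking the hash first keeps the decision tied to one specific file rather than to the whole game folder, which also holds mod DLLs.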
  • 2

@NotJebediah @Chaia @Sirad @Kerbski @original_khawk

if you still have the issue,

Please help us analyze this issue

 

submit your file ( Steam\SteamApps\common\Kerbal Space Program\KSP_x64_Data\Managed\Assembly-CSharp.dll ) to https://www.virustotal.com

check the SHA-256 HASH of the file

and reply here with the HASH you have.

Example:

HCySXay.png

 

  • 2

I got the original problem back. Obviously MS reintroduced the trojan-definition back in the latest definition 1.263.598.0

https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?RequestVersion=1.263.598.0&Release=Released&Package=AM

The virustotal.com check of the file came up clean, yet I'm not going to take any chances. Looking forward to seeing this issue ironed out.

cheers

chris

 

  • 2
18 hours ago, million_lights said:

The issue has been resolved.

I'm afraid it hasn't.

It persisted on my system through 1.263.585.0 and into 1.263.598.0. It still gets picked up now.

If I restore it from quarantine, it'll only get flagged again at the next reboot (not the end of the world, but it is a bit of a pain).

  • 2

I also have the same issue, everything is up-to-date in my system, virus definitions too.

I'm not taking any chances. I think it's a very bad idea to just add this folder to exclusions. This folder has also all the files from mods, you definitely want scanning over them.

Can we mark this issue as not solved until it is actually solved?

  • 1

My Win Defender reports this also:

"D:\Steam\SteamApps\common\Kerbal Space Program\KSP_x64_Data\Managed\Assembly-CSharp.dll"

found a "Trojan:Win32/Critet.BS"

  • 1

UPD

Yep, this is a false positive. Just update your Windows Defender and perform a file integrity check in Steam for the KSP fix.

  • 1

The issue has been resolved.

It was a temporary false positive.

Please update your Windows Defender Definitions and advise others with similar issues to do the same.

https://www.microsoft.com/en-us/wdsi/definitions
 

The file was being detected as having a virus on the following previous definitions
1.263.580.0
1.263.582.0

  • 1

@Squelch @million_lights

Thanks for the quick response!

Edit:

Well... I updated the virus definitions, checked the version number, restarted the PC, deleted and re-installed KSP... Still got the issue

I have version 1.263.585.0 on Defender and it still finds something fishy with the file. I'll check it again on virustotal.com and if it gets back clean again, I'll ignore the issue. I can work around the quarantine...

Thank you all for the help!

Edited by NotJebediah

  • 1

Hello,

I still cannot download the file from Steam, Windows Defender keeps on removing it. Note that I cannot allow any file on Windows Defender.

My database version is the latest (Virus & Spyware) : 1.263.598.0

 

Even copying the file from an external drive gets blocked and deleted (including from the external drive...)

I have no problem on my second pc whatsoever...

I remember not being able to build any project on Unity some weeks ago, but it magically disappeared at some point.

  • 1

I side with @million_lights in this topic. Maybe it's something Unity-related. That would explain the same issues with the other games on Steam. It could also be a false positive virus definition.

VirusTotal comes out clean, ergo Kaspersky, Norton, all the big anti-virus databases come out clean. Only Microsoft had a problem with it. Either everyone's wrong and Microsoft is right, or Microsoft is wrong and everyone else is right.

I didn't read the full EULA yet, but think about it, what would TT/SQUAD gain from a trojan in their game? Collect telemetry at most, so they can optimize the game better? This is a trusted program we're talking about, not some shady software from a no-name site.

In any case, I don't say that we should throw all caution out the window, but we shouldn't grab the torches and pitchforks just yet. One should think about the risk one's willing to take. I see your point of view @Wrench Head, and I would do the same if KSP came from a shady site.

  • 1

 

On 26/03/2018 at 1:16 PM, 4721Archer said:

I'm also finding this issue is ongoing. Some Defender updates stop flagging the file, then further updates flag it again (only upon launch, which stops the game loading but doesn't crash it).

I can't be bothered messing around with it anymore, and it is suspicious that it hasn't been resolved by either Microsoft or T2.

The lack of any updates to this thread from persons other than players is also concerning IMO, along with the flag suggesting a solution was sorted.

For anyone still experiencing this problem sporadically with new virus definitions, please follow the steps recommended by Microsoft to clear cached copies of the virus definitions outlined in the marked answer. We have been monitoring this closely, and can confirm that no further detections have been made by us since performing those steps despite some later sporadic reports.

 

  • 0

I have the same issue now.

Is this what we agreed to while signing the EULA?

  • 0
12 minutes ago, Chaia said:

My Win Defender reports this also:

"D:\Steam\SteamApps\common\Kerbal Space Program\KSP_x64_Data\Managed\Assembly-CSharp.dll"

found a "Trojan:Win32/Critet.BS"

Same here.

  • 0

I am also experiencing this issue. It's most likely a false positive but I'm concerned that maybe a file was infected on one of the devs' PCs or something before uploading to Steam.

  • 0

On Windows 7, Microsoft Security Essentials is giving me the same message. Uninstalled the whole game with all the mods, and reinstalling gives me this message.

 

  • 0
8 minutes ago, million_lights said:

@NotJebediah @Chaia @Sirad @Kerbski @original_khawk

if you still have the issue,

Please help us analyze this issue

 

submit your file ( Steam\SteamApps\common\Kerbal Space Program\KSP_x64_Data\Managed\Assembly-CSharp.dll ) to https://www.virustotal.com

check the SHA-256 HASH of the file

and reply here with the HASH you have.

Example:

HCySXay.png

 

As Windows Defender removes the file that is marked as infected, I would strongly recommend getting this file from a sandbox environment (VMware, VirtualBox, etc.). At this moment I don't have time to set up a sandbox; I will do this later today / tomorrow.

  • 0

On Linux I have 3e3652a8c0f1488b7bde8d1635547234c920fcf4d4dbdb390d9a4b86dc71b79c, before and after validating local cache in Steam.

  • 0

@million_lights
I'm about to do the virus check on the site. Thanks for the link.

Edit:

SHA-256 1e9581f1fd73b33f8882dd0ac505736a7dfc0a96283a99755919e5f3004e0bfa

According to the site above on the "Details" page, the file is not signed. Maybe that's what triggers the Defender?
It came out all clear tho...

I hope it'll help.

Edited by NotJebediah

  • 0

Yeah, was probably a false-positive.
After rebooting (and probably updating, didn't track that tho) it doesn't get reported again. 

File integrity check didn't report anything unusual.
Also here is the VirusTotal report:

 
3qHD0zo.jpg
 
Thanks for the quick help :)

  • 0

Hello!
I just had something like this happen :(

My win defender reports :
Affected items: 
file: C:\KSP\Kerbal Space Program v1.4.1.2089\GameData\ModuleManager.3.0.6.dll
containerfile: C:\Users\Erik Grischuk\Downloads\ModuleManager-3.0.6.zip
file: C:\Users\Erik Grischuk\Downloads\ModuleManager-3.0.6.zip->ModuleManager.3.0.6.dll
webfile: https://ksp.sarbian.com/jenkins/job/ModuleManager/141/artifact/ModuleManager-3.0.6.zip
pid:11108,ProcessStart:131656143255802189
