Hi!

Yesterday I bought the Making History EXPack, and KSP also updated itself for 1.4.1. I had fun with it for a while then today I got a warning from the Win. Defender.
It found "Trojan:Win32/Critet.BS" in one of the files under KSP:  "E:\Games\Steam\steamapps\downloading\220200\KSP_x64_Data\Managed\Assembly-CSharp.dll"

Have any of you experienced something similar? I got the game from Steam, deleted all the mods prior to the install, but it seems like the "trojan" came with the game.

I know what a trojan is supposed to do, but I don't really believe what the Defender says at this point...

Edited by NotJebediah

@NotJebediah @Chaia @Sirad @Kerbski @original_khawk

if you still have the issue,

Please help us analyze this issue

 

submit your file ( Steam\SteamApps\common\Kerbal Space Program\KSP_x64_Data\Managed\Assembly-CSharp.dll ) to https://www.virustotal.com

check the SHA-256 HASH of the file

and reply here with the HASH you have.

Example:

HCySXay.png

 


8 minutes ago, million_lights said:

@NotJebediah @Chaia @Sirad @Kerbski @original_khawk

if you still have the issue,

Please help us analyze this issue

 

submit your file ( Steam\SteamApps\common\Kerbal Space Program\KSP_x64_Data\Managed\Assembly-CSharp.dll ) to https://www.virustotal.com

check the SHA-256 HASH of the file

and reply here with the HASH you have.

Example:

HCySXay.png

 

As Windows Defender removes the file that is marked as infected, I would strongly recommend getting this file from a sandbox environment (VMware, VirtualBox, etc.). At this moment I don't have time to set up a sandbox; I will do this later today / tomorrow.


@million_lights
I'm about to do the virus check on the site. Thanks for the link.

Edit:

SHA-256 1e9581f1fd73b33f8882dd0ac505736a7dfc0a96283a99755919e5f3004e0bfa

According to the site above on the "Details" page, the file is not signed. Maybe that's what triggers the Defender?
It came out all clear tho...

I hope it'll help.

Edited by NotJebediah

Yeah, was probably a false-positive.
After rebooting (and probably updating, didn't track that tho) it doesn't get reported again. 

File integrity check didn't report anything unusual.
Also here is the VirusTotal report:

 
3qHD0zo.jpg
 
Thanks for the quick help :)


The issue has been resolved.

It was a temporary false positive.

Please update your Windows Defender definitions and advise others with similar issues to do the same.

https://www.microsoft.com/en-us/wdsi/definitions
 

The file was being detected as having a virus on the following previous definitions
1.263.580.0
1.263.582.0


Hello all.

Windows 10 Defender was detecting Assembly-CSharp.dll as containing a virus. This has been found to be a false positive. 

The file was being detected as having a virus on the following previous definitions
1.263.580.0
1.263.582.0

1.263.580.0 release time corresponds with the first reported cases.

Virus definition 1.263.585.0, just released, does not quarantine the file. Please be sure to update Defender's virus definitions.

Source: https://www.microsoft.com/en-us/wdsi/definitions

Results of the analysis: https://www.microsoft.com/en-us/wdsi/submission/bdea1058-efcc-4c43-8051-22cfe1139e81

Update:

If Defender continues to flag the file as containing the Critet.BS trojan, the following advice comes from the Microsoft Defender team after the file was submitted again for review.
 

Quote

 

Thank you for your inquiry. 

We have reviewed the file (assembly-csharp.dll Sha256 1e9581f1fd73b33f8882dd0ac505736a7dfc0a96283a99755919e5f3004e0bfa); it is not malware, and we cannot reproduce any detection on the file.

Please try the following steps to clear cached detections and obtain the latest malware definitions. 

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender  

2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures” 

This new definition library will be available for users who subscribe to the automatic definition update mechanism, as well as users who choose to manually update their definition library. The latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions 

 

Furthermore, you may find that a system restart is necessary to completely clear the problem

 

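The two checks requested in the posts above (the SHA-256 of the flagged file and the installed definition version) can be combined in one PowerShell script. This is an added example, not something posted in the thread: the hash and version numbers are the ones quoted above, `-Path` is whatever location your own Steam library uses, and `Get-FileHash` and `Get-MpComputerStatus` are standard Windows cmdlets.

```powershell
# Added example (not from the thread): triage a Defender hit on Assembly-CSharp.dll
# using the hash and definition versions quoted in the posts above.
param(
    [Parameter(Mandatory)]
    [string]$Path   # full path to the flagged DLL in your own Steam library
)

# Values copied from the thread.
$ReviewedSha256   = '1e9581f1fd73b33f8882dd0ac505736a7dfc0a96283a99755919e5f3004e0bfa'
$FlaggingVersions = '1.263.580.0', '1.263.582.0'

# 1. Hash the file, if Defender has not already quarantined it.
$sha256 = $null
if (Test-Path -LiteralPath $Path -PathType Leaf) {
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
}

# 2. Read the installed antimalware definition version (null if Defender is unavailable).
$sigVersion = try {
    [version](Get-MpComputerStatus -ErrorAction Stop).AntivirusSignatureVersion
} catch { $null }

# 3. Decide. The "not malware" verdict quoted above applies to one exact hash only.
$verdict = if (-not $sha256) {
    'File not present (quarantined or not downloaded); hash a copy inside a VM or sandbox.'
} elseif ($sha256 -ne $ReviewedSha256) {
    'Hash differs from the reviewed file: the false-positive verdict does not cover this copy.'
} elseif (-not $sigVersion) {
    'Hash matches the reviewed file; the definition version could not be read.'
} elseif ("$sigVersion" -in $FlaggingVersions) {
    'Hash matches and definitions are a version reported as flagging: update the definitions.'
} else {
    'Hash matches and definitions are not a listed version; if still detected, resubmit the file for review.'
}

[pscustomobject]@{
    Path                = $Path
    Sha256              = $sha256
    MatchesReviewedHash = ($sha256 -eq $ReviewedSha256)
    DefinitionVersion   = $sigVersion
    Verdict             = $verdict
}
```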

@Squelch @million_lights

Thanks for the quick response!

Edit:

Well... I updated the virus definitions, checked the version number, restarted the PC, deleted and re-installed KSP... Still got the issue.

I have version 1.263.585.0 on Defender and it still finds something fishy with the file. I'll check it again on virustotal.com and if it gets back clean again, I'll ignore the issue. I can work around the quarantine...

Thank you all for the help!

Edited by NotJebediah

Hello!
Something like this just happened to me :(

My win defender reports :
Affected items: 
file: C:\KSP\Kerbal Space Program v1.4.1.2089\GameData\ModuleManager.3.0.6.dll
containerfile: C:\Users\Erik Grischuk\Downloads\ModuleManager-3.0.6.zip
file: C:\Users\Erik Grischuk\Downloads\ModuleManager-3.0.6.zip->ModuleManager.3.0.6.dll
webfile: https://ksp.sarbian.com/jenkins/job/ModuleManager/141/artifact/ModuleManager-3.0.6.zip
pid:11108,ProcessStart:131656143255802189


6 minutes ago, Erik Grischuk said:

Hello!
Something like this just happened to me :(

My win defender reports :
Affected items: 
file: C:\KSP\Kerbal Space Program v1.4.1.2089\GameData\ModuleManager.3.0.6.dll
containerfile: C:\Users\Erik Grischuk\Downloads\ModuleManager-3.0.6.zip
file: C:\Users\Erik Grischuk\Downloads\ModuleManager-3.0.6.zip->ModuleManager.3.0.6.dll
webfile: https://ksp.sarbian.com/jenkins/job/ModuleManager/141/artifact/ModuleManager-3.0.6.zip
pid:11108,ProcessStart:131656143255802189

Can you upload that file to https://www.virustotal.com/ to see if it comes up with any hits? As @million_lights says, it's a file used by (quite a lot of) mods.


Hello,

I still cannot download the file from Steam; Windows Defender keeps on removing it. Note that I cannot allow any file on Windows Defender.

My database version is the latest (Virus & Spyware) : 1.263.598.0

 

Even copying the file from an external drive gets blocked and deleted (including from the external drive...)

I have no problem on my second pc whatsoever...

I remember not being able to build any project on Unity some weeks ago, but it magically disappeared at some point.


I got the original problem back. Obviously MS reintroduced the trojan-definition back in the latest definition 1.263.598.0

https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?RequestVersion=1.263.598.0&Release=Released&Package=AM

The virustotal.com check of the file came up clean, yet I'm not going to take any chances. Looking forward to seeing this issue ironed out.

cheers

chris

 

