[External Problem][Editor] NLEditor gets put into quarantine by Avira

Started by Strato Incendus, August 02, 2018, 02:58:22 PM


Strato Incendus

So, when I just started my PC, Avira notified me that it had put the New Formats Editor into the quarantine because of "suspicious patterns".

I just tried redownloading the Editor, and it got put into quarantine right away. I had no opportunity to instruct Avira to make exceptions or similar, and when I say "show details", this only starts a quick scan with Luke Filewalker, rather than telling me anything specific about why the editor was removed.

Since namida is using Avira as well, as far as I know, has anyone else had this issue?
My packs so far:
Lemmings World Tour (New & Old Formats), my music-themed flagship pack, 320 levels - Let's Played by Colorful Arty
Lemmings Open Air, my newest release and follow-up to World Tour, 120 levels
Paralems (Old Formats), a more flavour-driven one, 150 levels
Pit Lems (Old Formats), a more puzzly one, 100 levels - Let's Played by nin10doadict
Lemmicks, a pack for (very old) NeoLemmix 1.43 full of gimmicks, 170 levels

Nepster

Ah, nothing new there. It feels like once per year they make an update that declares NeoLemmix or its editor to be malware. :(

Way around:
1) Launch Avira Security Center (SecurityCenter.exe)
2) Click on "quarantine"
3) Select the NeoLemmix editor in the list
4) Click on "restore object"
5) Click "Yes" when asked whether this file should be added to the white-listed files.

PS: This is not a "bug" in the sense that I can do anything against it, because I don't know which patterns they search for, so I can't do anything to avoid them. Please complain to Avira!

Ryemanni

I must point out that Avast also detects nl and the editor as a threat. Making an exception of the .exe is the only way around it. (Or uninstall your antivirus ;P )

mobius

Any good antivirus program should let you make exceptions easily. I think I tried Avast once (as Ryemanni said) and had to make exceptions for things like Lemmix etc.

I feel I must point out again that I've tried many different ones and so far Malwarebytes is far above and beyond the others. I never get false hits (I don't even have to make exceptions for NL or other similar programs). And it actually finds the actual viruses (rare these days anyway), something that Avast and other programs I tried failed to do many times >:( :-\
everything by me: https://www.lemmingsforums.net/index.php?topic=5982.msg96035#msg96035

"Not knowing how near the truth is, we seek it far away."
-Hakuin Ekaku

"I have seen a heap of trouble in my life, and most of it has never come to pass" - Mark Twain


ccexplore

I'm kind of curious what exactly is in the EXE that is tripping up multiple AV engines apparently.  Clearly there is some actual real virus or malware out there whose uniquely identifying contents the AV engines are checking against.  Wonder what could be in the NL executables that would look similar to AV engines?

Does the AV at least call out what specific threat it thinks it detected?

namida

I use Avira (premium edition) and I haven't had any problems with NL, either player or editor.
My projects
2D Lemmings: NeoLemmix (engine) | Lemmings Plus Series (level packs) | Doomsday Lemmings (level pack)
3D Lemmings: Loap (engine) | L3DEdit (level / graphics editor) | L3DUtils (replay / etc utility) | Lemmings Plus 3D (level pack)
Non-Lemmings: Commander Keen: Galaxy Reimagined (a Commander Keen fangame)

Strato Incendus

Thanks, Nepster! It was called "avcenter" on my PC, but it worked! ;)

Nepster

Quote from: ccexplore on August 03, 2018, 01:08:10 AM
I'm kind of curious what exactly is in the EXE that is tripping up multiple AV engines apparently.  Clearly there is some actual real virus or malware out there whose uniquely identifying contents the AV engines are checking against.  Wonder what could be in the NL executables that would look similar to AV engines?
As I said, I have no clue why it considers the editor to be dangerous. One big issue is probably that I am not a certified software vendor but a rather unknown entity, which certainly doesn't help my case.
One interesting bit is that I have quite a few copies of the editor lying around, but Avira only complains about the one in the "playing folder". Not sure how this changes anything. Perhaps because I used it to playtest levels, which automatically opens another very dubious application called NeoLemmix.exe with some weird command line arguments?

Quote from: ccexplore on August 03, 2018, 01:08:10 AM
Does the AV at least call out what specific threat it thinks it detected?
It's really not helpful in that regard, as it only links to this incredibly useful page. ;P But if you search long enough, you realize that it is TR/AD.Quervar.bfsbw from virus definition 8.15.02.112 released two days ago. Still, that doesn't tell me anything useful.

mobius

Some antivirus programs give warnings or automatically suspect any program that is not widely known or, as Nepster said, was taken from an unknown entity (which by default includes NeoLemmix and Lix, for example). Some seem to suspect any program that writes or moves or edits other files anywhere on the PC (also NL and Lix).

ccexplore

Yeah, I didn't get anywhere looking up the thing Avira said it detected.  I guess it's inevitable that some AV software will tune their detection towards being over-aggressive.  As long as it doesn't cause issues in widely used software, the overall impact of a false positive is low and may even trick some people into thinking the AV is better because it "seems to find more things".

Quote from: Nepster on August 03, 2018, 04:29:22 PM
One interesting bit is that I have quite a few copies of the editor lying around, but Avira only complains about the one in the "playing folder". Not sure how this changes anything. Perhaps because I used it to playtest levels, which automatically opens another very dubious application called NeoLemmix.exe with some weird command line arguments?

Hmm, so the copies are identical but Avira only picks up the playing folder one?  Are the other copies lying in folders that you still access frequently?

My guess is that if you now explicitly ask Avira to scan the other copies, it would probably flag them as bad as well.  The one in the playing folder, by virtue of getting executed frequently, may be triggering Avira to proactively (re)scan it.  The other copies may have been scanned previously before the update that introduced the false-positive detection, and have not yet been re-scanned.

Nepster

Quote from: ccexplore on August 03, 2018, 08:36:40 PM
Hmm, so the copies are identical but Avira only picks up the playing folder one?  Are the other copies lying in folders that you still access frequently?
My guess is that if you now explicitly ask Avira to scan the other copies, it would probably flag them as bad as well.  The one in the playing folder, by virtue of getting executed frequently, may be triggering Avira to proactively (re)scan it.  The other copies may have been scanned previously before the update that introduced the false-positive detection, and have not yet been re-scanned.
Good point. The others are in the folder for the "current release", "current update" and the original compile-location. I haven't opened any of them after the virus definition update in question. And I am not tempting fate by opening them right now just for the sake of testing. ;)

namida

So, after ages with no problem, Avira randomly decided to (in the middle of the night) flag the editor for me too, marking the first time I've ever had a false positive from Avira, actually.

I have reported the false positive to them, along with links to the Git repo of the source code so that they can analyze that too if they need to.

In the meantime, if you're using Avira and it's removing your editor:
1. Open Avira
2. Go to Quarantine
3. Find a copy of NLEditor.exe in there
4. Restore
5. Make sure to select "Add this path to ignore list" or whatever it's called

Strato Incendus

Old Formats NeoLemmix Player suddenly also gets put into quarantine by Avira. And Avira didn't even consider it necessary to inform me about its removal. Funnily enough, the issue seems to be related to the name: if my player was named NeoLemmix(1) - which arose because I had several versions of the .exe in my downloads folder - then copying it back works. :D If I try to remove the (1) and call it "NeoLemmix" again, I'm told I need administrator rights.

Anyway, added to the ignore list and restored. It's just strange that Avira suddenly becomes suspicious of these files, as namida said, after ages of not complaining about them.