False Positive dota.exe Troj/Ransom-RT

Hi.

It seems there is a problem with the recently updated Troj/Ransom-RT detection.

When I tried to launch Dota 2 today, Sophos claimed that dota.exe and several other files in the game folder are infected with Troj/Ransom-RT and deleted several files. When I tried to redownload the deleted files via Steam they got deleted again right away.

Since Steam downloads these files directly from the Steam servers, and the detection files for the virus in question got updated a few hours ago, I assume there is a false positive.

I added the output from Sophos regarding the files in the following spoiler tag.

Really annoying, since I'm not able to play Dota 2 right now.

20130815 002351    Using detection data version 4.91G (detection engine 3.45.0). This version can detect 5363789 items.
20130815 002351    User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20130815 002351    On-access scan driver settings:
    Filter on read: True
    Filter on write: True
    Filter on rename: True
    Allow boot sector access: False
    Scan all files: False.
20130815 013727    File "C:\Dota2\dota 2 beta\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013727    On-access scanner has denied access to location "C:\Dota2\dota 2 beta\dota.exe" for user ***************
20130815 013734    File "C:\Dota2\dota 2 beta\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{145C4EB1-10CE-49D3-BE53-63E582C576F9}" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{713F7EB8-A3EA-4490-B1FF-DFA6876F288A}" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{145C4EB1-10CE-49D3-BE53-63E582C576F9}" has been cleaned up.
20130815 013734    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{713F7EB8-A3EA-4490-B1FF-DFA6876F288A}" has been cleaned up.
20130815 013735    File "C:\Dota2\dota 2 beta\dota.exe" has been cleaned up.
20130815 013735    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start" has been cleaned up.
20130815 013735    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall" has been cleaned up.
20130815 013735    Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts" has been cleaned up.
20130815 013735    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall" has been cleaned up.
20130815 013735    Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts" has been cleaned up.
20130815 013735    Registry entry "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall" has been cleaned up.
20130815 013735    Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts" has been cleaned up.
20130815 013735    Virus/spyware 'Troj/Ransom-RT' has been removed.
20130815 020122    File "C:\Dota2\dota 2 beta\bin\SHADERAPIEMPTY.DLL" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020122    On-access scanner has denied access to location "C:\Dota2\dota 2 beta\bin\SHADERAPIEMPTY.DLL" for user ***********
20130815 020123    File "C:\Dota2\dota 2 beta\bin\VAUDIO_MILES.DLL" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020123    On-access scanner has denied access to location "C:\Dota2\dota 2 beta\bin\VAUDIO_MILES.DLL" for user ************
20130815 020129    File "C:\Dota2\dota 2 beta\bin\SHADERAPIEMPTY.DLL" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020131    File "C:\Dota2\dota 2 beta\bin\VAUDIO_MILES.DLL" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020132    File "C:\Dota2\dota 2 beta\bin\SHADERAPIEMPTY.DLL" has been cleaned up.
20130815 020134    File "C:\Dota2\dota 2 beta\bin\VAUDIO_MILES.DLL" has been cleaned up.
20130815 020134    Virus/spyware 'Troj/Ransom-RT' has been removed.
20130815 020149    File "D:\Steam\steamapps\downloading\570\bin\shaderapiempty.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020149    File "D:\Steam\steamapps\downloading\570\bin\vaudio_miles.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020150    File "D:\Steam\steamapps\downloading\570\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020156    File "D:\Steam\steamapps\downloading\570\bin\shaderapiempty.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020158    File "D:\Steam\steamapps\downloading\570\bin\vaudio_miles.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020200    File "D:\Steam\steamapps\downloading\570\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 020201    File "D:\Steam\steamapps\downloading\570\bin\shaderapiempty.dll" has been cleaned up.
20130815 020203    File "D:\Steam\steamapps\downloading\570\bin\vaudio_miles.dll" has been cleaned up.
20130815 020204    File "D:\Steam\steamapps\downloading\570\dota.exe" has been cleaned up.
20130815 020204    Virus/spyware 'Troj/Ransom-RT' has been removed.


  • I also received the same false positive. It happened sometime yesterday afternoon (EST). I was playing fine in the AM, then it's a virus when I came back in the evening.

    Here is a post from the Steam forums; others are having the same issue.

    http://steamcommunity.com/app/570/discussions/0/864976115037054545/#p1

    ****************** Sophos Anti-Virus Log - 8/15/2013 5:59:14 PM **************

    ...
    20130815 023453 Using detection data version 4.91G (detection engine 3.45.0). This version can detect 5363789 items.
    20130815 023454 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
    20130815 031136 File "D:\SteamLibrary\steamapps\downloading\570\bin\shaderapiempty.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031140 File "D:\SteamLibrary\steamapps\downloading\570\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031142 File "D:\SteamLibrary\steamapps\downloading\570\bin\vaudio_miles.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031143 File "D:\SteamLibrary\SteamApps\downloading\570\bin\vaudio_miles.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031143 On-access scanner has denied access to location "D:\SteamLibrary\SteamApps\downloading\570\bin\vaudio_miles.dll" for user NT AUTHORITY\SYSTEM
    20130815 031144 File "D:\SteamLibrary\steamapps\downloading\570\bin\shaderapiempty.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031144 File "D:\SteamLibrary\SteamApps\downloading\570\bin\shaderapiempty.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031144 On-access scanner has denied access to location "D:\SteamLibrary\SteamApps\downloading\570\bin\shaderapiempty.dll" for user NT AUTHORITY\SYSTEM
    20130815 031146 File "D:\SteamLibrary\steamapps\downloading\570\dota.exe" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031148 File "D:\SteamLibrary\steamapps\downloading\570\bin\shaderapiempty.dll" has been cleaned up.
    20130815 031150 File "D:\SteamLibrary\steamapps\downloading\570\dota.exe" has been cleaned up.
    20130815 031150 Virus/spyware 'Troj/Ransom-RT' has been removed.
    20130815 031152 File "D:\SteamLibrary\SteamApps\downloading\570\bin\vaudio_miles.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
    20130815 031154 File "D:\SteamLibrary\SteamApps\downloading\570\bin\vaudio_miles.dll" has been cleaned up.
    20130815 031154 Virus/spyware 'Troj/Ransom-RT' has been removed.
    20130815 034110 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20130815 034123 Using detection data version 4.91G (detection engine 3.45.0). This version can detect 5363792 items.
    20130815 034124 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    ...
  • This type of response from you is not helpful at all either. What do you want a sample of? Tell me specifically what file you want uploaded and I will upload it. You can see exactly what the file is detected as in both of our posts. In case you missed it, it's Troj/Ransom-RT (also placed in the title of the forum post).

  • Hello MikeMiller007,

    What do you want a sample of?

    Of course, the files which have been (perhaps falsely) detected. How else should someone be able to determine whether a detection is correct or not (and needs to be amended)?

    Christian

  • Sophos has removed those files and they no longer exist. In order to get them again, I will need to re-download Dota (a Steam application). It would seem to me that a manufacturer of anti-virus software would have a lab environment so you could reproduce these results. The whole reason I posted the log in the spoiler tag was to show you what those files were. I fully understand that releasing software patches can adversely affect software (including your own), but if I wanted to do your job then I would work at an antivirus company.

    I will once again download this app, try to capture the files before they are removed by Sophos, and upload them to your site.

  • Hello MikeMiller007,

    I'm not Sophos :smileyhappy:, I'm just trying to convey some background. While your reaction is understandable, the whole process is not as simple as it looks at first glance. Allow me to explain some details.

    Sophos has removed those files and they no longer exist

    Admittedly this can be the worst case - false positives happen; it's definitely not feasible to avoid them absolutely (disputably it's theoretically possible for "existing" files). Quite unpleasant if it happens with "old" files which are no longer available - a reminder that you should regularly back up "important" stuff (especially as there are also other ways to lose them).

    a lab environment so you could reproduce these results

    This is only partially true. Of course these lab environments exist, and the results can be reproduced provided the respective files can be obtained by the vendor and the environment is sufficiently similar. Obtaining the files is not so simple - for example, even with free applications you often need to sign up, and what you get might also depend on your OS (version) and depend on or require other software. If an installation process is involved you can't just download on an arbitrary platform and scan. But more importantly - there's a twist (especially in conjunction with malware): files downloaded by different clients, in different locations and from different servers (which is usually the case for popular files, as they are hosted on content distribution networks) might not be the same.

    [the log shows] what those files were

    This information is (see above) not sufficient to identify the actual content.

    software patches [...] if i wanted to do your job

    Technically, detection identities are (at least in part) software, as they are instructions for a virtual machine, the detection engine (for the same reason they are not simple strings which are looked up). You might want to read chapter 2 in this article to get an idea of what the "test part" of their job encompasses (other parts are analyzing threats, writing the software - engine, integration with the OS, UI, updates and management -, providing the infrastructure and so on). I guess any vendor would be more than happy if in their job it were even remotely possible to assure 100% correct results. There are literally millions of applications out there; you can't make sure you have all the latest versions, let alone test and roll out your changes before users can download them. You could argue that in this case the files were already "known" - but it's all but impossible to test against all applications.

    try to capture the file

    Thanks for taking the effort - I hope I was able to explain why you "have to do their job" :smileywink:

    Christian

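Added example, not from this thread or from any Sophos tool: a small Python script that turns an on-access log like the two posted above into the information the reporters were asked for. It lists which flagged files the cleanup already removed (gone, so they can no longer be submitted), which flagged files were never reported as cleaned up (still on disk; copy and hash them before the next scan), and which registry entries under the Windows Firewall policy store (HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\...) the cleanup also changed and should be reviewed after a false positive. The log in the first post came from a German-localised Sophos client, so the parser accepts the German message strings as well as the English ones. The SHA-256 hash addresses Christian's point that a path in a log does not identify file content: a copy fetched from another mirror may differ from what was detected. The sample log is constructed: an abridged mix of lines from the two posts, with the cleanup line for C:\Dota2\dota 2 beta\bin\VAUDIO_MILES.DLL left out so that one capture candidate remains. All function names are the example's own.

```python
"""Added example: triage a Sophos on-access log after a suspected false positive.
Reports flagged files already "cleaned up" (gone), flagged files still on disk
(capture and hash them now) and registry entries the cleanup changed."""
import hashlib
import os
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: abridged mix of the German and English lines posted above.
# The cleanup line for C:\...\VAUDIO_MILES.DLL is deliberately omitted so that
# one flagged file remains on disk as a capture candidate.
SAMPLE_LOG = r"""
20130815 013727    Datei "C:\Dota2\dota 2 beta\dota.exe" gehört zu Virus/Spyware 'Troj/Ransom-RT'.
20130815 013734    Registrierungsschlüssel "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts" gehört zu Virus/Spyware 'Troj/Ransom-RT'.
20130815 013735    Datei "C:\Dota2\dota 2 beta\dota.exe" wurde bereinigt.
20130815 013735    Registrierungsschlüssel "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts" wurde bereinigt.
20130815 020122    Datei "C:\Dota2\dota 2 beta\bin\SHADERAPIEMPTY.DLL" gehört zu Virus/Spyware 'Troj/Ransom-RT'.
20130815 020123    Datei "C:\Dota2\dota 2 beta\bin\VAUDIO_MILES.DLL" gehört zu Virus/Spyware 'Troj/Ransom-RT'.
20130815 020132    Datei "C:\Dota2\dota 2 beta\bin\SHADERAPIEMPTY.DLL" wurde bereinigt.
20130815 031136 File "D:\SteamLibrary\steamapps\downloading\570\bin\shaderapiempty.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 031143 File "D:\SteamLibrary\SteamApps\downloading\570\bin\vaudio_miles.dll" belongs to virus/spyware 'Troj/Ransom-RT'.
20130815 031143 On-access scanner has denied access to location "D:\SteamLibrary\SteamApps\downloading\570\bin\vaudio_miles.dll" for user NT AUTHORITY\SYSTEM
20130815 031148 File "D:\SteamLibrary\steamapps\downloading\570\bin\shaderapiempty.dll" has been cleaned up.
20130815 031154 File "D:\SteamLibrary\SteamApps\downloading\570\bin\vaudio_miles.dll" has been cleaned up.
20130815 031154 Virus/spyware 'Troj/Ransom-RT' has been removed.
"""

LINE_RE = re.compile(r"^(\d{8}) (\d{6})\s+(.*\S)\s*$")
QUOTED_RE = re.compile(r'"([^"]+)"')     # the path or registry key
DETECTION_RE = re.compile(r"'([^']+)'")  # the identity name, when the line has one
# Fragments identifying the action, matched on the lower-cased message:
# English wording first, then the wording of the German-localised client.
ACTION_MARKERS = {
    "detected": ("belongs to virus/spyware", "gehört zu virus/spyware"),
    "cleaned": ("has been cleaned up", "wurde bereinigt"),
}
REGISTRY_ROOTS = ("hklm\\", "hkcu\\", "hku\\", "hkcr\\", "hkey_")


def norm(obj):
    # NTFS paths and registry keys are case-insensitive; the second log above
    # spells the same directory both "steamapps" and "SteamApps".
    return obj.lower()


def parse_events(log_text):
    """Return (action, kind, object as logged, detection) per relevant line.
    Banner, settings, access-denied and "has been removed" lines are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        q = QUOTED_RE.search(m.group(3)) if m else None
        if not q:
            continue
        msg = m.group(3).lower()
        action = next((a for a, marks in ACTION_MARKERS.items()
                       if any(k in msg for k in marks)), None)
        if action is None:
            continue
        kind = "registry" if norm(q.group(1)).startswith(REGISTRY_ROOTS) else "file"
        d = DETECTION_RE.search(m.group(3))
        events.append((action, kind, q.group(1), d.group(1) if d else ""))
    return events


@dataclass
class Report:
    files_detected: dict = field(default_factory=dict)    # norm -> as logged
    files_cleaned: set = field(default_factory=set)       # norm
    registry_cleaned: dict = field(default_factory=dict)  # norm -> as logged

    def still_on_disk(self):
        """Flagged files never reported as cleaned up: copy and hash these first."""
        return sorted(self.files_detected[n]
                      for n in set(self.files_detected) - self.files_cleaned)


def summarize(log_text):
    """Group events by detection identity.  Cleanup lines carry no identity, so
    they are attributed to the detection that flagged the same object earlier."""
    reports = defaultdict(Report)
    flagged_by = {}
    for action, kind, obj, detection in parse_events(log_text):
        n = norm(obj)
        if action == "detected":
            flagged_by[n] = detection
        rep = reports[detection or flagged_by.get(n, "unknown")]
        if kind == "file" and action == "detected":
            rep.files_detected.setdefault(n, obj)
        elif kind == "file":
            rep.files_cleaned.add(n)
        elif action == "cleaned":
            rep.registry_cleaned.setdefault(n, obj)
    return dict(reports)


def hash_files(paths):
    """SHA-256 of each listed file that still exists; missing files are skipped.
    Sent with the sample, the hash lets the vendor confirm they analysed the
    same bytes, since a copy fetched from another mirror may differ."""
    out = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, "rb") as fh:
                out[p] = hashlib.sha256(fh.read()).hexdigest()
    return out


if __name__ == "__main__":
    for name, rep in summarize(SAMPLE_LOG).items():
        print(name, "| still on disk:", rep.still_on_disk(),
              "| registry changed by cleanup:", list(rep.registry_cleaned.values()))
```

Run it against your own log (the text from the "View log" window) instead of SAMPLE_LOG; anything `still_on_disk()` lists is what to copy to a password-protected archive and submit, together with its hash, before the next on-access scan removes it.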