DFHack / dfhack

Memory hacking library for Dwarf Fortress and a set of tools that use it

DFHack 0.47.04-r2-windows-64-bit reported as virus, has network traffic? #1669

Closed etmoonshade closed 3 years ago

etmoonshade commented 3 years ago

My AV reported it (edit: dfhack-run.exe specifically), so I ran it through VirusTotal. See the report from VirusTotal below: https://www.virustotal.com/gui/file/fcb52de87e5bf28f56dba244486c2993f15c19cb5e4d8110d5ceeaa255f2f470/behavior

The version I downloaded before seems to match what's in releases on GitHub. As you can see from the report, it accesses some IP addresses and writes some registry keys.

Is this some debug stuff that was accidentally left in place? I saw that it was reported on Reddit at one point but was shut down with the typical "virus detection engines are overzealous" lines, but this does seem a bit dodgy, especially when you compare the r3 version which tries to access... nothing. :P

lethosor commented 3 years ago

dfhack-run does try to connect to localhost when run - I wonder if checks were run on some machines corresponding to those IPs? I'm not sure how else to interpret the VirusTotal output.

You can check the source code if you like - relevant files include:

You can see the full diff from 0.47.04-r2 to 0.47.04-r3 here: https://github.com/dfhack/dfhack/compare/0.47.04-r2...0.47.04-r3

The build process for the binaries on GitHub is automated, and hasn't changed significantly since 0.47.04-r1 - @BenLubar might have more details on that. To my knowledge, there was no debugging left behind in a release - it would have to have been in the diff above, and I checked that when I was writing release notes.

I'm wondering if this is an issue on VirusTotal's side. If it's trying to run dfhack-run.exe in a completely isolated environment, it will probably crash, because it depends on other DFHack-provided DLLs (e.g. dfhack-client.dll). On Linux, attempting to start an isolated copy of dfhack-run just prints an error message, but maybe it triggers some complicated Windows crash-reporting process on Windows that VirusTotal is catching. This could also be somewhat related to the registry-related files being accessed (although the MSVC runtime libraries could also be accessing those, I suppose). I would expect VirusTotal to be smarter than that, but there is no code in DFHack that even tries to use HTTPS (port 443), so I don't really know what to tell you.
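The triage step lethosor applies above (a legitimate dfhack-run should only ever talk to localhost, and nothing in DFHack speaks HTTPS on port 443) can be turned into a small check over a sandbox report's connection list. The following is an added example, not code from the DFHack project; the connection lines are constructed in a simplified "proto ip:port" form rather than copied from VirusTotal, and the loopback port 5000 is an assumed placeholder, not a value taken from this thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of sandbox "behavior" network entries (simplified
# "proto dst_ip:port" form). Not taken from the actual VirusTotal report.
SAMPLE_CONNECTIONS = """
tcp 127.0.0.1:5000
tcp 127.0.0.1:5000
tcp 203.0.113.10:443
udp 8.8.8.8:53
tcp [::1]:5000
"""

# Port the local tool is expected to use on loopback. Assumed placeholder;
# adjust to the port the tool under review actually documents.
EXPECTED_LOOPBACK_PORTS = frozenset({5000})


@dataclass(frozen=True)
class Finding:
    proto: str
    host: str
    port: int
    reason: str


def parse_line(line):
    """Split 'proto host:port' into its parts; IPv6 hosts may be bracketed."""
    proto, _, endpoint = line.strip().partition(" ")
    host, _, port = endpoint.rpartition(":")
    return proto, host.strip("[]"), int(port)


def triage(text, allowed_ports=EXPECTED_LOOPBACK_PORTS):
    """Return every connection that deviates from 'loopback only'.

    Two deviations are reported: any non-loopback destination (the thread's
    core concern), and loopback traffic on a port the tool is not expected
    to use. Port 443 is called out because the maintainer states DFHack has
    no HTTPS code at all.
    """
    findings = []
    for raw in text.strip().splitlines():
        if not raw.strip():
            continue
        proto, host, port = parse_line(raw)
        addr = ipaddress.ip_address(host)
        if not addr.is_loopback:
            reason = "non-loopback destination"
            if port == 443:
                reason += " (HTTPS, which the project says it never uses)"
            findings.append(Finding(proto, host, port, reason))
        elif port not in allowed_ports:
            findings.append(Finding(proto, host, port, "unexpected port on loopback"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CONNECTIONS):
        print(f"{f.proto} {f.host}:{f.port} -> {f.reason}")
```

Repeated loopback entries produce no finding, so a clean report yields an empty list; anything returned is what to compare against the project's source before deciding between a sandbox artifact and a real problem.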

etmoonshade commented 3 years ago

lol like I can read code (okay, I sort of can - probably at least enough so to know if it's trying to do http stuff)

In all seriousness though, it's less a lack of trust and more that I figured it was good to get an official word on it. I'm only using Windows Defender, so I assume I wouldn't be the only one to stumble across this today.

Also, I'll note that the run against -r3 didn't pop up that "behavior" section at all (though maybe it takes a little bit to actually do that part of the analysis - let me go grab it... Nope. https://www.virustotal.com/gui/file/dad24b00f4913b9de8c48c491f5fd9912077c86c065a20c2bc44edc9e3cc4e6c/details - maybe I'll check tomorrow just out of curiosity.)

I agree with you in general on it being something weird on VirusTotal's side, based on your analysis of it compared to what's in DFHack's code (and for what it's worth, I agree with what you said as well - it doesn't look like those two files are really attempting to touch anything other than localhost, based on my limited ability to read what it's doing.)

Wouldn't hurt to get a second opinion of course, but I'm not posting this to raise a major stink about it - feel free to close it once y'all feel it's been commented on enough.

lethosor commented 3 years ago

Yeah, Windows Defender flagging it is a bit more concerning than usual. I suppose it's possible that Windows Defender is flagging it and a different antivirus is reporting that it's sending out network traffic, which might make a bit more sense.

I'm curious what an r3 scan turns up - I suspect these things aren't very quick to complete.

etmoonshade commented 3 years ago

So, the "behavior" bit, as far as I can tell, is a sandboxing app separate from the AV programs it uses to scan stuff. Might be that they batch stuff and fire it over for analysis or something.

Also, I've actually been doing a bit of digging on those registry keys, and lol, at least some of it looks like Windows 10 telemetry.

Oooo. Also also: https://app.sndbox.com/sample/243c79c9-ea99-4396-853d-60e4ed5b0a0b Basically, it looks like the app they use is "under maintenance." It's possible that this is just really bad timing on my part, and it's a bug in the sandboxing app.

Late addition/edit: To make things clear, I was never worried about Windows Defender Microsoft Security Essentials (my bad there) tagging this as a "virus" - anything that does the sort of stuff the DFHack does is likely to set off some AV programs. My worry was always the exhibited behavior in that sandboxing app that VirusTotal uses, since I didn't see why DFHack would access IP addresses.

lethosor commented 3 years ago

Per Quietust's comments here, as well as yours in https://github.com/DFHack/dfhack/issues/1669#issuecomment-706840512, I think this can be closed. I'd assume this was a false-positive as long as you obtained DFHack from GitHub, but feel free to bring up any other concerns you might have.