VidTu / Ksyxis

Speed up the loading of your world.
https://modrinth.com/mod/ksyxis
MIT License

Mod is being marked as a virus via BitDefender #25

Closed. Treazul closed this 2 months ago.

Treazul commented 2 months ago

Upon running a modpack with this mod, BitDefender has marked it as infected: "The file D:\ATLauncher\instances\TerraFirmaGreg\mods\Ksyxis-1.2.2.jar is infected with Trojan.GenericKD.72678267 and was moved to quarantine. It is recommended that you run a System Scan to make sure your system is clean."

VidTu commented 2 months ago

skull

Treazul commented 2 months ago

k

VidTu commented 2 months ago

@Treazul either your specific JAR is infected, your PC is infected with something else or you're getting man-in-the-middle-attacked: https://www.virustotal.com/gui/file/8e97bb392718099d54377738a3501284eef98fbd54f6b46b4350fc9267ef4d47
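The three cases VidTu lists (a tampered local JAR, an infected machine, or a tampered download) can be told apart from a pure vendor false positive by checking whether the local file is byte-for-byte the sample VirusTotal analysed. The script below is an added example, not code from the Ksyxis project; it takes the SHA-256 from the VirusTotal link above and uses a constructed stand-in JAR for the self-test, so the `example/SampleMod.class` entry is a placeholder and not a real Ksyxis file.

```python
import hashlib
import io
import zipfile

# SHA-256 of the Ksyxis-1.2.2.jar sample analysed on VirusTotal (from the link in the issue).
KSYXIS_1_2_2_SHA256 = "8e97bb392718099d54377738a3501284eef98fbd54f6b46b4350fc9267ef4d47"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_jar(data: bytes, expected_sha256: str) -> dict:
    """Compare a locally downloaded JAR with the hash of the sample a scanner analysed.

    Verdicts:
      'match'      same bytes as the analysed sample: the detection is a verdict on that
                   published build (possibly a false positive), not on a local modification
      'mismatch'   different bytes: another build, a corrupted download, or tampering
      'not-a-jar'  not even a ZIP container, so the scanned file is not this mod at all
    """
    digest = sha256_hex(data)
    report = {"sha256": digest, "entries": [], "has_manifest": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        report["verdict"] = "not-a-jar"
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # The entry list is what you would diff against a known-good build when the hash differs.
        report["entries"] = zf.namelist()
        report["has_manifest"] = "META-INF/MANIFEST.MF" in report["entries"]
    report["verdict"] = "match" if digest == expected_sha256.lower() else "mismatch"
    return report


def build_sample_jar() -> bytes:
    """Constructed stand-in for a mod JAR used only for the self-test (not the real Ksyxis build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("example/SampleMod.class", b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    # Usage: python check_jar.py path/to/Ksyxis-1.2.2.jar
    with open(sys.argv[1], "rb") as f:
        print(classify_jar(f.read(), KSYXIS_1_2_2_SHA256))
```

A 'mismatch' on the quarantined file means the scanner never saw the published build, so the VirusTotal report says nothing about it and the download path and machine need looking at first.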

Treazul commented 2 months ago

It's probably just a false positive. I've submitted the file to the av and let them know

Treazul commented 2 months ago

Correction, it is a false positive.

Treazul commented 2 months ago

Scratch that. I clicked "Reanalyse" on virus total and it's reporting [image: image.png]

VidTu commented 2 months ago

for f's sake, what don't they like

VidTu commented 2 months ago

maybe they don't like the way it uses a lot of method injections, like here, for multiversion support

VidTu commented 2 months ago

What's funny, the latest GH Actions snapshot is not being detected (even after reanalyzing) by any vendor.

Dorrivix commented 2 months ago

Got this on mod version 1.2.2; the file extension isn't .jar, it's .bNIhAX.

The full file name my AV shows is Ksyxis-1,2,2,jar.bNIhAX

Download method: modpack via Prism Launcher, downloading from Modrinth.

Trying to download the mod again seems to end with a random string as the file extension, not just ".bNlhAX".

My AV is called "Vipre".

VidTu commented 2 months ago

@Dorrivix it seems like your antimalware renames it

Dorrivix commented 2 months ago

It doesn't trigger when downloading version 1.2.1.

VidTu commented 2 months ago

Well, it also doesn't with 1.2.3-SNAPSHOT; you can reverse engineer the 1.2.2 JAR and find nothing there. It was probably incorporated in some bigger malware (such as an infected Minecraft modpack) and now antimalware flags it. I will not update the JAR until I add 1.20.5 compat in a few days.

VidTu commented 2 months ago

hopefully fixed in 1.3.0.

VidTu commented 1 month ago

BitDefender no longer flags 1.2.2 as infected, other vendors should follow shortly