adventuregamestudio / ags

AGS editor and engine source code

v3.6.0 - P7 (3.6.0.54) blocked by Microsoft Defender #2246

Closed rodrigoborgesdeoliveira closed 10 months ago

rodrigoborgesdeoliveira commented 10 months ago

The latest release (v3.6.0 - P7 (3.6.0.54)) is getting blocked by Microsoft Defender (possibly other anti-viruses as well).

Microsoft Defender is detecting a "Trojan:Win32/Wacatac.B!ml" in the .exe file. Previous releases work fine.

rodrigoborgesdeoliveira commented 10 months ago

I just did some tests with another project that had a new release today and I've seen a similar behavior. The issue is probably not with AGS.

ericoporto commented 10 months ago

@rodrigoborgesdeoliveira I noticed the winget package here has the display name as P4 instead of P7. Does the winget pipeline do any sort of Windows Defender test that generates any log?

rodrigoborgesdeoliveira commented 10 months ago

Good catch, @ericoporto. Thanks! I'm going to update the display name manually and see. The winget pipeline does perform an anti-virus scan, but it seems like everything went fine there. When running winget install locally to test the new version, I was seeing the installation getting blocked by Microsoft Defender. Now I'm wondering if the issue is actually on my end. :)

ivan-mogilko commented 10 months ago

Hello. To be fair, AGS has a long history of false positive virus detection. Windows Defender was one AV program; another common case is Avast.

rodrigoborgesdeoliveira commented 10 months ago

I'm not sure whether or not Chrome uses the local anti-virus to examine the downloaded files, but I see this when I download the .exe on Windows (P6 works fine).

image

The same issue doesn't happen when downloading the same .exe on macOS.

AlanDrake commented 10 months ago

Last September I did a few tests with VirusTotal, the encryption string "Avis Durgan" was one of the sources of false positives, but there's also something else being caught by heuristic engines.

Completely removing the encryption did not help.

I propose changing the encryption string, at least for AGS4. Though, I wonder why ScummVM doesn't have these problems with the same string. Perhaps a conjunction of multiple factors...