dartraiden / NVIDIA-patcher

Adds 3D acceleration support for P106-090 / P106-100 / P104-100 / P104-101 / P102-100 / CMP 30HX / CMP 40HX / CMP 50HX mining cards.

Virus in driver patch #51

Closed arcanum144 closed 8 months ago

arcanum144 commented 8 months ago

After installing patched driver 472.12 I got an alarm from Windows Defender. Defender found the virus trojan:win32/wacatac.h!ml in the video driver. Infected file: C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_a99d999c59f11e58\nvlddmkm.sys. After deleting this file the video cards don't work because the driver stops working.

operador777 commented 8 months ago

This type of detection is mostly false positives, which is the case here. I analyzed the entire patch package on VirusTotal, as this way we can receive results from multiple antivirus programs. You can see that the only three detections are from ESET-NOD32, Sophos, and Google, and the detections are as follows: "A Variant Of Win32/RiskWare.FakeCert.A," which refers to a fake or dubious certificate but is not directly a threat. "Mal/Hooksign-A" refers to the application used to sign drivers.

Most of these detections occur because antivirus programs do not allow drivers signed by third parties or individuals who are not legal companies or entities with a legal certificate. However, you'll understand that being a community driver, in a manner of speaking, no one will pay for the use of a legal certificate.

Nevertheless, the patch and all others are free from any type of malware, and you can verify this yourself.

https://www.virustotal.com/gui/file/274666e7561a84c55427027a8bbf42cd941b2ae31b5aefb17ccac065ea34811f/detection


dartraiden commented 8 months ago

I'm using a certificate that was leaked by Atheros a long time ago. This certificate was used to sign a lot of things, probably even malware. It is publicly available and people can sign both good and bad programs with it. Unfortunately, I don't have an extra $250 a year to buy my own clean certificate. Besides the fact that I’m not ready to spend that kind of money out of my pocket, I live in Russia, therefore, buying a code signing certificate from a foreign certification authority is not an easy task for a Russian in 2023.

Antiviruses react nervously to such certificates, even if they are used to sign harmless software (for example, this driver).

Add C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_a99d999c59f11e58 to exclusion.
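
Before following the exclusion advice above, a practitioner would normally look at who actually signed the installed driver and record its hash so the file can be checked on VirusTotal independently of the package hash posted earlier. The PowerShell below is an added example for this issue, not code from the project; it assumes the driver path reported by Defender in this thread and a hypothetical `$ExpectedSignerPattern` describing the signer you would expect on an unpatched driver.

```powershell
# Added example (not from the NVIDIA-patcher project): inspect the Authenticode
# signature and SHA256 of the patched driver before trusting or excluding it.
# Assumption: the path is the one Defender reported in this issue.
$DriverPath = 'C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_a99d999c59f11e58\nvlddmkm.sys'
# Assumption (hypothetical): substring you expect in the Subject of a legitimately
# signed driver; adjust to whatever signer your unpatched driver carries.
$ExpectedSignerPattern = 'NVIDIA'

if (-not (Test-Path -Path $DriverPath)) {
    throw "Driver not found at $DriverPath (Defender may already have quarantined it)."
}

# Get-AuthenticodeSignature returns signer/timestamp certificates and a Status
# such as Valid, NotSigned, HashMismatch or UnknownError (untrusted chain).
$sig  = Get-AuthenticodeSignature -FilePath $DriverPath
$hash = (Get-FileHash -Path $DriverPath -Algorithm SHA256).Hash

[pscustomobject]@{
    File        = $DriverPath
    Sha256      = $hash                      # search this on VirusTotal yourself
    Status      = $sig.Status
    Detail      = $sig.StatusMessage
    Signer      = $sig.SignerCertificate.Subject
    Issuer      = $sig.SignerCertificate.Issuer
    NotAfter    = $sig.SignerCertificate.NotAfter
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    TimeStamper = $sig.TimeStamperCertificate.Subject
} | Format-List

# A signature that does not chain to a trusted root, or a signer that is not the
# vendor you expect (this thread describes a leaked third-party certificate),
# is exactly what triggers the FakeCert/Hooksign style detections mentioned above.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
if ($sig.SignerCertificate -and
    $sig.SignerCertificate.Subject -notmatch $ExpectedSignerPattern) {
    Write-Warning "Signer '$($sig.SignerCertificate.Subject)' does not match '$ExpectedSignerPattern'; look up the SHA256 above on VirusTotal before trusting the file."
}

# Show any Defender path exclusions already in place, so an exclusion added for
# this driver can be kept scoped to the single DriverStore folder named above.
(Get-MpPreference).ExclusionPath
```

If you decide to add the exclusion the maintainer suggests, limit it to that one FileRepository folder rather than a parent directory, and re-run the signature check after each driver update since the folder name changes with the package.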

BluePurplePro commented 8 months ago

Why don't you use the reg method for 417.22? https://youtu.be/dkE4aAVUIzU