discord / gamesdk-and-dispatch

Public issue tracker for the Discord Game SDK and Dispatch

DRM causing virus flag (Wacatac) #72

Closed PixelNinja132 closed 4 years ago

PixelNinja132 commented 4 years ago

Describe the bug: When wrapping EXEs with the Discord DRM, it causes many anti-viruses to flag it as Wacatac spyware.

Steps to reproduce the behavior:

  1. Wrap your EXE with the Discord DRM (Not validate or exit)
  2. Upload build
  3. When installing, most anti-viruses flag it, including Windows, McAfee, and loads of others.

Expected behavior: It should not flag as a virus.

Screenshots: https://cdn.discordapp.com/attachments/613425905708171300/712263538537660476/VirusTotal_check_exe_with_drm.png

Implementation specifics

Additional context: This is a major problem, especially since I can't add the SDK. It is causing lots of comments and refunds, which, at the end of the day, causes Discord to lose money. This needs to be looked at. I think it should only inject the validate or exit code, not all the extra always-online stuff.

DLloyd777 commented 4 years ago

The FALSE POSITIVE that the Discord DRM-Wrapper gets with anti-viruses is a very serious problem. I'm really amazed we can't find much out there about this issue. Here is the very specific match that the DRM .exe gets from Windows 10 security: [screenshot: windows 10 security issue at game start or before]

It feels so bad when it says that the game you are developing is a trojan! Even more when your players run away...

I love Discord for all the amazing tools they made for game developers, but here, a quick reaction is needed from Discord to correct this security issue with their drm-wrap tool. (I emailed Discord dev support days ago and am still waiting for the response.)

rickmartensnl commented 4 years ago

Some of the Windows developers of my game said they also got a virus alert. That was weird because it is a Unity game with nothing in it except a web request to my site and the Discord GameSDK. But for Mac, it is fine (no virus alerts from the built-in antivirus), weirdly enough.

DLloyd777 commented 4 years ago

So it is very likely the same Discord drm-wrap issue. Your developers probably also used that drm-wrap on the game .exe (as specified by the Discord developer documentation).

rickmartensnl commented 4 years ago

Forgot to say that I haven't used drm-wrap. I build the game for both devices on the same computer and push them to Discord via dispatch, but I don't use the drm-wrap command.

DLloyd777 commented 4 years ago

Oh ok, maybe it's the HTTP requests that triggered the security alert then.

Variiuz commented 4 years ago

I execute many API requests myself and nobody got any virus alerts, using Unreal tho.

rickmartensnl commented 4 years ago

I think it is a Unity problem.

EDIT: Without uploading via dispatch it also gives a virus alert at VirusTotal.

PixelNinja132 commented 4 years ago

> I think it is a Unity problem.
>
> EDIT: Without uploading via dispatch it also gives a virus alert at VirusTotal.

Yes it does, it's a problem with the DRM, the problems only started recently, anti-viruses must only just be seeing the signs and similarities.

rickmartensnl commented 4 years ago

This virus flag is an issue of Unity, use the latest Unity version and you won’t have this issue anymore.

PixelNinja132 commented 4 years ago

> This virus flag is an issue of Unity, use the latest Unity version and you won’t have this issue anymore.

I say again, it's not just Unity. I have it on https://buildbox.com, they say the problem is with the DRM, not their engine.

msciotti commented 4 years ago

There are a number of ways around this that have been talked about in the server (and maybe the FAQ; apologies if it's not there, I'll add it) before.

The way dispatch build drm-wrap works is by replacing the entry point of the target exe with a piece of our code that calls ValidateOrExit(). If you are getting antivirus issues with exes after doing this, you can:

PixelNinja132 commented 4 years ago

Thanks! I'm going to go ahead and contact the companies flagging it. Signing it is probably best though.

PixelNinja132 commented 4 years ago

@msciotti Just a thought, but maybe the docs should have a note about it causing false positives, while I'm waiting to hear back from anti-virus companies. Thanks
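
Added example, not part of the thread and not Discord's code: msciotti's comment says `dispatch build drm-wrap` replaces the entry point of the target exe. This Python code reads `AddressOfEntryPoint` from two PE images and reports whether it moved and which section now holds it, the header-level difference a developer can cite in a false-positive report. The sample images, the `.wrap` section name and all function names are constructed for illustration.

```python
import struct

def entry_point_info(pe: bytes) -> dict:
    """Return the entry-point RVA of a PE image and the section containing it."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    # AddressOfEntryPoint sits at offset 16 of the optional header (PE32 and PE32+).
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)
    info = {"entry_rva": entry_rva, "section": None, "last_section": False}
    for i in range(n_sections):
        off = opt + opt_size + 40 * i          # each section header is 40 bytes
        vsize, vaddr, raw_size = struct.unpack_from("<III", pe, off + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            info["section"] = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
            info["last_section"] = i == n_sections - 1
            break
    return info

def compare_entry_points(original: bytes, wrapped: bytes) -> dict:
    """Summarise how the entry point differs between two builds of one exe."""
    before, after = entry_point_info(original), entry_point_info(wrapped)
    return {"entry_moved": before["entry_rva"] != after["entry_rva"],
            "section_changed": before["section"] != after["section"],
            "before": before, "after": after}

def build_sample(entry_rva: int, sections: list) -> bytes:
    """Constructed header-only PE image for the demo; not a loadable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIII", 0x20B, 0, 0, 0, 0, 0, entry_rva).ljust(240, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, size, rva, size, 0, 0, 0, 0, 0, flags)
                     for name, rva, size, flags in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed layouts. The ".wrap" section and its placement are assumptions for
# illustration; the thread does not say where the wrapper puts its code.
TEXT = (b".text", 0x1000, 0x2000, 0x60000020)
DATA = (b".data", 0x3000, 0x1000, 0xC0000040)
ORIGINAL = build_sample(0x1500, [TEXT, DATA])
WRAPPED = build_sample(0x4010, [TEXT, DATA, (b".wrap", 0x4000, 0x1000, 0x60000020)])

if __name__ == "__main__":
    print(compare_entry_points(ORIGINAL, WRAPPED))
```

To run it on real builds, pass the bytes of the unwrapped and wrapped exe to `compare_entry_points` in place of the constructed samples.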