Antivirus detecting Teamcraft desktop app as a threat

[diashto]

Avast detects a virus threat on install of 11.3.11

Describe the bug Went to open the software this morning and got a threat warning from Avast. Downloaded the latest installer, got the same threat warning.

To Reproduce Steps to reproduce the behavior:

1. Have Avast Free antivirus installed
2. Run installer for 11.3.11 (or current version)
3. Error Occurs

Expected behavior Program is expected to run, it does not.

Screenshots

Also got this error from the installer:

Desktop (please complete the following information):

• OS: Windows 11, fully patched
• Browser: Chrome
• Version 11.3.11 of the desktop app (installer)

Additional context Add any other context about the problem here.

[Lalalavicious]

Same issue I responded about here: https://github.com/ffxiv-teamcraft/ffxiv-teamcraft/issues/2925#issuecomment-2394753926

False positive! Excluding localappdata in your antivirus and possibly explicitly allowing the installer should do the trick. You may also wish to follow up with the procedure for a clean install here, in the event that it refuses to install properly: https://wiki.ffxivteamcraft.com/troubleshooting#i-believe-i-may-have-a-dirty-install-and-need-to-fully-remove-all-remnants-of-older-versions-of-team

[diashto]

Yeah, i figured.. i've submitted all the related files to Avast for additional "analysis", that they're false positives. Hopefully it helps :/

[Uriei]

Just to add to this, Windows Defender also detects it now, deleting the file and breaking the app.

[Sililos]

Can confirm the error https://gyazo.com/30d52b997969013d6ac82ff69a65546f

Its also nearly impossible to uninstall using Windows tools. Using Windows app tools to uninstall gives the message that "Update" file is missing and prevents it from being uninstalled. (Note that the update file windows claims is missing is still in the folder at the location).

Teamcraft after the error keeps several processes running in the background even though the app didnt launch. https://gyazo.com/b0d5212a271d347f624a6da57ec90647

Steps taken: Launched Teamcraft: Error Attempted reinstall: Error (Files missing) Attempted uninstall: Error, Missing Update file. Attempted manual Teamcraft folder removal: App running. Found active processes despite app not running: Closed processes. Deleted folder. Attempted install off fresh installer download: Failed Update file missing. Disabled Windows defender: Install succeeded and app ran. Marked app as safe in Windows Defender, Enabled Windows defender. Launched app with it added as safe: Error, Update file missing, Malicious software warning.

Adding Teamcraft as safe in Windows defender fails to allow the app to run still.

Only way to run the app is with all anti-virus and anti-malware services disabled. Doing a virus scan also results in Teamcraft being quarantined, Even when Teamcraft is whitelisted.

[Braxeo]

Also getting this same issue with Windows Defender

[ebyrwa]

Likewise having this issue with Windows Defender.

[heroofhatz]

Hello, after installing the latest update, Malwarebytes flagged for Trojans hiding in the code.

I'm hesitant to believe this is just a bug in Malwarebytes, especially since others are flagging similar issues.

[Lalalavicious]

I have already explained above that this is 100% definitely a false positive across multiple AVs, and the particular component being flagged has been essentially unchanged for a year and a half, actually! To quote the announcement post I have since made on the TC Discord:

Yes, basically every antivirus is currently giving a false positive malware detection for the desktop app following what we assume is a common definition update between AV programs (now including Windows Defender) from Friday, September 27th. This will also likely mean that a file used for packet capture is removed from the install, meaning you will get a Javascript error. As a reminder, Teamcraft continues to be fully open-source, and it's readily visible that it doesn't contain malware. The only reason for the false positive is that as of FFXIV patch 6.35, TC does need to inject Deucalion in order for packet capture/inventory detection/etc. to work, and of course packet capture needs to read your packets from FFXIV to work, which could be interpreted as malicious behaviour if we weren't transparent about what exactly it does (spoiler: it is VERY limited!). As you may remember, that patch was in March 2023, and nothing has changed with how we do pcap since some early bugfixes to it. ACT also uses Deucalion through similar methods.

Generalized solutions for installing TC despite the false positive can be found by typing !!antivirus in #bot-chat, and some instructions for specific AVs are in #known-bugs. You may also need to remove the latest installer from your antivirus's quarantine so that it fully installs instead of giving an error about a missing file. Please also feel free to report the false positive to your antivirus provider if you have the time.

(The antivirus command basically says: whitelist %LocalAppData%\ffxiv-teamcraft\ in your antivirus. I will need to add to the command that you might now also need to go into your antivirus's history and expressly allow the threat that has been found, so that you're able to reinstall TC.)

[diashto]

If I were a member of that discord, I probably would have seen it. Might be a good idea to mention this on the actual download page or FAQ page of the software if it's a known issue. Mentioning it on the github page wouldn't be a bad idea either.

Believe me, I understand the frustration of having to repeat yourself multiple times, but you can't expect everyone who installs this software to be using discord, much less be a member of this discord. There are some players that don't use discord at all.

[Supamiu]

That issue is pretty new so based on how it evolves, we'll add more instructions in various places yeah.

[brianaydemir]

As a reminder, Teamcraft continues to be fully open-source, and it's readily visible that it doesn't contain malware.

The question isn't whether the source code on GitHub is free of malware.

The question is whether the binaries and artifacts that the typical person installs are free of malware. Recall that the XZ Utils backdoor was made possible, in part, because the actual tarballs that distributions used to build packages differed in significant ways from the source code on GitHub, and no one bothered to check.

Or as Reflections on Trusting Trust, one of the classic talks in Computer Science, puts it:

To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.

Because if that is the question, then I would point out that while...

ACT also uses Deucalion through similar methods.

ACT is not being flagged. There's a better story to be told.

[Lalalavicious]

As you observe, there eventually comes a certain point where you have to just trust that people aren't lying to you, particularly when it's not especially complicated to check, and as I am not the actual developer (I just assist in the community), I think we have now passed the point where a conversation on that is going to have any useful effect. Believe me or don't; I'm just attempting to explain what evidence we have on our side so users can come to their own conclusions.

Also, RE: the Discord vs. Github thing in a different comment above, I totally agree that this information should be visible multiple places! Which is why I purposely copied it over here. I'd like it to be as visible as possible, and adding that to the Github page could be prudent. But this has only just spontaneously cropped up in the last couple weeks at most -- and, again, crucially, before a new release of TC had even been recently made. We're still figuring out how difficult this is going to be to resolve. Aaaand one of the very fun things, of course, is that we can't actually warn existing users within the program itself before they download the update, instantly run into the message about it being blocked, and TC failing to run after that, cuz... the installer is getting blocked before we could tell them what has happened with this false positive stuff. Understandable, of course, but still sucks. =/

I'm just trying to calm things down a bit before folks get unnecessarily stressed out about the safety of the tool (as the relative safety has not changed), and as this is a completely new experience for everyone assisting with TC in any way, I apologize if the handling hasn't been entirely smooth thus far.

[Supamiu]

In this case, everything is indeed open source, and AVs are technically not wrong, Teamcraft acts lie a malware in its core for packet capture logic by injecting a dll in the running process, just like ACT indeed, but using a different, and easier to detect, method.

Injection is made using a nodejs binding I've modified here: https://github.com/Supamiu/dll-inject and yes, injecting a dll into another process can definitely be used for malicious purposes. But in our case, injection is done by pcap-ffxiv calling the library mentionned above and as you can see here: https://github.com/ffxiv-teamcraft/pcap-ffxiv/blob/main/src/pcap-ffxiv.ts#L177-L180 I'm checking the hash of the dll before injecting it.

Deucalion (that dll) is also Open Source here: https://github.com/ff14wed/deucalion and you can check the hash to make sure it matches too.

All this to say that I understand your concern, and while the XZ backdoor existed, you can be sure I'm checking everything here.

This issue will probably exist for at least a couple of months because of how slow AVs are to update this kind of false positive.

[StarkITA]

Maybe this issue could be renamed to something more generic like "Antivirus detecting 11.3.11 as a threat", rather than just Avast

[jhawkwind]

When VirusTotal says no, you really have issues here:

Also, if you take version 11.3.10's injector.node and drop it in to %localappdata%\ffxiv-teamcraft\app-11.3.11\resources\app.asar.unpacked\node_modules\@ffxiv-teamcraft\dll-inject\build\Debug, then all is peachy with the A/V.

In ALL of the cases, the developer needs to: A.) Switch to use another library (like using the ACT one); OR B.) Rebuild the library minimizing the offending (combination of) functions that could be interpreted as malicious.

In any case, here are some links for everyone else to submit for (re-)evaluation so it gets delisted as malware and at worst flagged as a PUP:

• https://www.microsoft.com/en-us/wdsi/filesubmission
• https://www.avg.com/en-ww/report-false-positive#
• https://businesshelp.avast.com/Content/Products/General_Help/SampleSubmission/SubmittingFalsePositives.htm#
• https://www.mcafee.com/en-us/consumer-support/dispute-detection-allowlisting.html
• https://symsubmit.symantec.com/
• https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab
• https://www.f-secure.com/us-en/support/submit-a-sample
• https://submit.norton.com/

[Supamiu]

The developer is only me and the developer of that injector library is me, too.

As you can see in the package.json and yarn lock, the version didn't change for the injector between 11.3.10 and 11.3.11.

We also had issues reported way before 11.3.11 was released, on our Discord server, which shows that the update isn't the issue.

We can't use ACT's injection method because it's implemented in C# and making it standalone would make it flagged as virus too, just like the previous tests in golang did.

Best we can do is report as false positive, there's not much possible due to the injector library being a nodejs binding of C functions.

[StarkITA]

New version has the deucalion not start and remain blue :)

[Lalalavicious]

New version has the deucalion not start and remain blue :)

Blue = part of the packet capture mechanism got deleted... probably by your antivirus! Now TC is actually able to start at all if packet capture is removed, but next step is adding an error message explaining that you need to allow the latest setup in order for it to install properly. Follow these steps from the wiki + allowing the installer, and all should be well! https://wiki.ffxivteamcraft.com/troubleshooting#i-believe-i-may-have-a-dirty-install-and-need-to-fully-remove-all-remnants-of-older-versions-of-team

[Braxeo]

This is how I've bypassed it with Windows Defender so far

Go to 'Windows Security' Select 'Virus & thread protection' Select 'Manage Settings' under 'Virus & threat protection settings'

Scroll down to 'Add or remove exclusions'

Add entire ffxiv-teamcraft in Local as folder exclusion

You might need to uninstall + reinstall after adding the exclusion, just so that the file isn't already removed. :)

[phoenixx1390]

My desktop Teamcraft suddenly stopped working last night in the middle of a craft. The packet capture turned blue and would not track my inventory.

Today I followed the instructions to do a step-by-step clean install from here: https://wiki.ffxivteamcraft.com/troubleshooting#i-believe-i-may-have-a-dirty-install-and-need-to-fully-remove-all-remnants-of-older-versions-of-team

Now when I go to install, I get an immediate error message:

[Braxeo]

@phoenixx1390 If you're running Windows it is likely anti-virus + windows defender. Please try my comment above (https://github.com/ffxiv-teamcraft/ffxiv-teamcraft/issues/2926#issuecomment-2411469515) about adding the folder into the exclusions group, let me know how it goes!

[09astro27nm]

Just tried running the newest updater to get a look at the error logs and...

Why is it moving around Discord and... the Faceit CSGO client?

[Lalalavicious]

Just tried running the newest updater to get a look at the error logs and... Why is it moving around Discord and... the Faceit CSGO client?

Squirrel Updater, which TC uses for updating, is used for lots of other apps, including Discord. It seems to combine its logs between apps, and sometimes seems to get a bit mixed up between the assorted installs under some conditions (the log you're looking at is also very old, as you see, so you wouldn't think it'd be relevant today). One time a user was trying to update TC and it... opened Microsoft Teams, I think it was? And I've seen that behaviour from other Squirrel-updated apps. Very strange.

[curtmgray]

I've run a scan using hybrid-analysis.com Here's the report... http://hybrid-analysis.com/sample/0ee898c0b3e51212e0d63f761891b1e28dfb544ec5e685d5c5eab979a7bec79b

While I get that we can just add it as an exclusion that's a complex maneuver that can create holes in security for users. I hope this can provide some details as to what might be causing the malware detection.

[AMercy99]

This got flagged so hard my browser won't even let me download the recent version :(

[ClaustrophobicTurtle]

Yeah, it wont let me download the current version. Even if I click all the many 'Yes, I do want to download this' options it just wont let me. I'm not sure how to stop my browser from blocking the download.

[Lalalavicious]

Which browser are you using? The two of you folks having issues downloading it at all, I mean? And do you have any "security" add-ons/extensions enabled for them?

[ClaustrophobicTurtle]

I am using Edge (Don't judge me). It says that it was blocked by "Smartscreen" which after looking it up is apparently "Windows Defender Smartscreen". I click "Keep" and then "Keep Anyway" and it just closes the download window and shows the download as "Removed".

[EterniaLogic]

snippet from virustotal.

It looks like dll-inject.node is supremely hated by antiviruses.

When I try running it, I get the big ol windows box saying its malicious and when I Run anyway, it gets deleted. https://www.virustotal.com/gui/file/d843dbf9593743880fdb9f96b4fb19fe8ba6c1d2cfbcce13fad90ecbbff78681

[derZ-dev]

Same with Norton 360 - 2 threats per teamcraft version:

• resources\app.asar.unpacked\node_modules\@ffxiv-teamcraft\dll-inject\bin\win32-x64-125\dll-inject.node
• resources\app.asar.unpacked\node_modules\@ffxiv-teamcraft\dll-inject\build\Debug\injector.node

[choreutes]

I've had the same issue with Windows Defender and solved it by whitelisting AppData\Local\ffxiv-teamcraft as suggested. Starting today packet capture is once again broken, however, apparently due to some temporary files along the lines of AppData\Local\Temp\<hash-value>.tmp.node. I guess we need to whitelist the Temp Folder as well? Although that feels a tiny bit more sketchy than whitelisting ffxiv-teamcraft.

[jph290]

To say adding AppData\Local\Temp\ is sketchy is an understatement. That is one of the worse folders on your machine to have whitelisted. Is there a reason why it is using the users temp folder? I am seeing this file flagged and there is no way I am going to whitelist the user temp folder. Not throwing shade, just want to make sure that it is noted how dangerous that would be.

[ebyrwa]

No one is saying to do AppData\Local\Temp\, they're saying to do AppData\Local\ffxiv-teamcraft . There is a pretty big difference.

[Krivvan]

No one is saying to do AppData\Local\Temp

It seems like whitelisting AppData\Local\ffxiv-teamcraft isn't enough anymore after a recent update. Whitelisting AppData\Local\Temp\ does end up working, but as previously stated by others that isn't much of a solution.

[ZendyLim]

Right now for me, turning off Windows Defender Real-time Protection when starting the application and turn it back on after the app is open is a workaround that works for me. Not ideal, but it's better than whitelisting whole AppData\Local\Temp\