fmd-project-team / FMD

The new FMD fork! Join our community on Discord!
https://discord.gg/cXKKgw3
GNU General Public License v2.0

Problem with 0.9.167.1 because cf_bypass is missing #514

Open Metallingus7 opened 5 years ago

Metallingus7 commented 5 years ago

Program exception!
Application     : Free Manga Downloader
Version         : 0.9.167.1
Product Version : Win64
Host Machine    : Windows 10 64-bit
FPC Version     : 3.0.4
LCL Version     : 1.8.4.0
WidgetSet       : Win32/Win64
Target CPU-OS   : x86_64-Win64
Build Time      : 2019/09/21 15:54:42
Path            : D:\fmd.exe
Process ID      : 9324
MainThread ID   : 6088
Thread ID       : 7184
Time            : 23-09-2019 20.47.37.589
Sender Class    : TFavoriteThread
Exception Class : EInOutError
Message         : File not open
$0000000100462F9D
$00000001004658FB
$0000000100465C79
$000000010027E98B
$00000001000542ED
$0000000100003B96
$0000000100015067
$00007FFD390C7974
$00007FFD3A13A271

SDXC commented 5 years ago

Please check 2 things:

SgtSagaria commented 5 years ago

I am having the same issue. It appears that Windows Defender is detecting cf_bypass.exe as a trojan, Ludicrouz.V.

SDXC commented 5 years ago

It seems Windows Defender (or the Antivirus you're using) doesn't like cf_bypass.exe which ships with FMD. Because of some changes to support HTTP proxies in cf_bypass, the Antivirus reacts by removing the file.

You can either go back to 166.1 until I find/implement a better solution for cf_bypass or you can set exceptions in the antivirus so it doesn't block/remove the file.

Tmp341 commented 5 years ago

I have Windows Defender too but didn't get that error. How can I reproduce this?

SDXC commented 5 years ago

It's possible that it only happens with some specific configurations or signature versions.

ChocolateOtaku commented 5 years ago

Not everything must be a false positive... Was your system already infected? Did you download through a proxy that could be infected? Could the file contain a virus?

SDXC commented 5 years ago

If someone wants to verify the hashes (SHA-256):

x64: 14 7a b2 48 75 88 f6 cd 95 f4 a0 54 8d d3 06 44 88 ec 18 b4 d8 e4 cf 77 10 8f f0 a2 dd 77 c5 09

x86: 3f 77 8c 01 11 66 dc 51 95 56 29 ac e9 4d 2c b6 2a ea e7 c6 63 77 18 7f 4f b9 13 12 6a ab 5c ad

I used the built-in certutil from Windows:

certutil -hashfile cf_bypass.exe sha256

Tmp341 commented 5 years ago

https://www.virustotal.com/gui/file/147ab2487588f6cd95f4a0548dd3064488ec18b4d8e4cf77108ff0a2dd77c509/detection

TeepoLurking commented 5 years ago

https://www.virustotal.com/gui/file/147ab2487588f6cd95f4a0548dd3064488ec18b4d8e4cf77108ff0a2dd77c509/detection

Yep, got same results here and MS Defender AV removed the file yesterday, but today it seems that Defender is no longer flagging it.

Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Ludicrouz.V&threatid=2147723191&enterprise=0
    Name: Trojan:Win32/Ludicrouz.V

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          147AB2487588F6CD95F4A0548DD3064488EC18B4D8E4CF77108FF0A2DD77C509       C:\fmd\cf_bypass.exe

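The thread spells the same SHA-256 digest three ways: the byte-spaced certutil output SDXC posted, the lower-case hex in the VirusTotal URL, and the upper-case column in the Get-FileHash table above. The script below is an added example (not code from the FMD project): it canonicalises any of those spellings, hashes a local file in chunks, compares digests in constant time, and reports which published build (x64 or x86) a digest corresponds to. The file name and the sample bytes it hashes are constructed placeholders, not the real cf_bypass.exe.

```python
import hashlib
import hmac
import os
import tempfile

# Published SHA-256 digests, copied verbatim from the issue thread (byte-spaced form).
PUBLISHED = {
    "x64": "14 7a b2 48 75 88 f6 cd 95 f4 a0 54 8d d3 06 44 88 ec 18 b4 d8 e4 cf 77 10 8f f0 a2 dd 77 c5 09",
    "x86": "3f 77 8c 01 11 66 dc 51 95 56 29 ac e9 4d 2c b6 2a ea e7 c6 63 77 18 7f 4f b9 13 12 6a ab 5c ad",
}

HEX_DIGITS = set("0123456789abcdef")


def normalize_hex(digest: str) -> str:
    """Canonicalise a SHA-256 hex digest: drop spaces/colons/newlines, lower-case,
    and reject anything that is not exactly 64 hex characters."""
    cleaned = "".join(ch for ch in digest.lower() if ch not in " :\t\r\n")
    if len(cleaned) != 64 or any(ch not in HEX_DIGITS for ch in cleaned):
        raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
    return cleaned


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected: str) -> bool:
    """True if the file's digest equals `expected` (in any of the spellings above).
    compare_digest avoids leaking the mismatch position through timing."""
    return hmac.compare_digest(sha256_file(path), normalize_hex(expected))


def matches_published(digest: str):
    """Return 'x64', 'x86' or None depending on which published build `digest` is."""
    canon = normalize_hex(digest)
    for arch, published in PUBLISHED.items():
        if hmac.compare_digest(canon, normalize_hex(published)):
            return arch
    return None


def self_check() -> tuple:
    """Constructed demonstration: write a temporary placeholder file, then verify it
    against its own digest (expected True) and against the published x64 digest
    (expected False, since the placeholder bytes are not the shipped binary)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cf_bypass.exe")  # placeholder name only
        with open(path, "wb") as f:
            f.write(b"constructed sample bytes, not the real binary\n")
        own_digest = sha256_file(path)
        return (verify_file(path, own_digest), verify_file(path, PUBLISHED["x64"]))


if __name__ == "__main__":
    # The VirusTotal URL in the thread carries the lower-case x64 digest; the Defender
    # report carries it upper-case. Both canonicalise to the same build.
    print(matches_published("147AB2487588F6CD95F4A0548DD3064488EC18B4D8E4CF77108FF0A2DD77C509"))
    print(self_check())
```

Run it against the real shipped file with `verify_file(r"C:\fmd\cf_bypass.exe", PUBLISHED["x64"])`; a mismatch means the file on disk is not the one whose hash was published, which is the case worth investigating before deciding the detection is a false positive.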
SgtSagaria commented 5 years ago

x64 hash checks out for the file I have. Malwarebytes and Defender both seem to be checking negative on it when scanned now; it still seems concerning that it triggered at all, though.

SDXC commented 5 years ago

Many antivirus applications have cloud features. Some of them allow suspicious files to be automatically uploaded to their cloud services where the files will be checked again.

If they verify the file as a false positive, your antivirus will know about that too at some point (after signature updates or also by using the cloud features).

At the very beginning when I introduced cf_bypass, some other users also reported false positives. But only for a short time. I guess it was the same scenario then.

shimizurei commented 5 years ago

So, what is being done to fix this? I don't feel comfortable installing anything that has been detected as a trojan (especially on more than 1 engine). Why is it being seen as a trojan and will there be a fix for that?

TeepoLurking commented 5 years ago

Looks like Windows Defender flagged it again.

Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Ludicrouz.V&threatid=2147723191&enterprise=0
    Name: Trojan:Win32/Ludicrouz.V
    ID: 2147723191
    Severity: Severe
    Category: Trojan
    Path: file:_C:\fmd\cf_bypass.exe

Tmp341 commented 5 years ago

Maybe packer makes it flagged:

Source

SDXC commented 5 years ago

As a temporary alternative you can use the cf_bypass from the old 166.1 package. The small improvements of 167.1 will be missing, of course.