gibaBR / Switch-Backup-Manager

Complete Switch Backups management tool

Antivirus #100

Open DARKFiB3R opened 5 years ago

DARKFiB3R commented 5 years ago

When I choose to "Show in explorer", I get this warning from 360 Total Security...

https://i.imgur.com/Zl9miG9.png

I keep telling it to allow it, but the warning keeps coming back, and if I don't deal with it in time, it causes your app to turn black and then throw an exception error.

I have now had to add it to the trust list.

Edit: OK, that's not working, even if I add the whole directory to the trust list.

Masamune3210 commented 5 years ago

Hate to tell you but the program isn't trying to attack your computer. 360 Total Security is a horrible security program and likes to trip an alarm at almost anything for usually no reason.

On Thu, Dec 6, 2018, 1:07 AM FiB3R <notifications@github.com> wrote:

> When I choose to "Show in explorer", I get this warning from 360 Total Security...
>
> https://i.imgur.com/Zl9miG9.png
>
> I keep telling it to allow it, but the warning keeps coming back, and if I don't deal with it in time, it causes your app to turn black and then throw an exception error.
>
> I have now had to add it to the trust list.


TheLastZombie commented 5 years ago

This. Use Malwarebytes or even Windows Defender, but not 360.

DARKFiB3R commented 5 years ago

While I agree that 360 has its issues, no other app on my system has caused it to react like this, and I have a shit ton of apps, utilities, games, cracks, etc.

I don't think that Switch Backup Manager is trying to do anything bad, just maybe the way it's going about it is unusual?

I've contacted the 360 guys to see if they know what's going on. False positives are one thing, but if I tell it to stfu, it should do as it's told.

Masamune3210 commented 5 years ago

If it is ignoring the fact that it is in the exclusion list, then it is definitely a 360 problem. You/They can see in the code itself, all the program does is open a Common File Dialog and pass the path of the file as the location.

DARKFiB3R commented 5 years ago

I know, I agree.

I sent them the file, and they say "The file has been whitened".

I presume they mean white-listed, but I also presume that the next release will not be? So I'll see how that goes.

I do like its multi-engine scanning when I want to check an individual file, (I know there is jotti, virus total, etc.) but still, 360 has always been a pain in the arse for various little reasons, and it's getting worse, with them trying to sell me shitty utilities, etc.

I blocked the worst of it (pop-up notifications) with Glasswire, but there is still in-app stuff that is annoying. The free version does have a bunch of half decent features though, so I suppose that is the price you pay for "free". That, and the fact that they are giving all my info to the Chinese government.

I'll leave it installed for now, just to see what happens with future versions of Switch-Backup-Manager, but I think it's time for it to go.

Masamune3210 commented 5 years ago

Well, I can tell you now that it will almost certainly happen again the next release, as whitelists usually work off of signatures, which will change when the file changes, like with a new version.

On Fri, Dec 7, 2018, 4:09 PM FiB3R <notifications@github.com> wrote:

> I know, I agree.
>
> I sent them the file, and they say "The file has been whitened".
>
> I presume they mean white-listed, but I also presume that the next release will not be? So I'll see how that goes.
>
> I do its multi-engine scanning when I want to check an individual file, (I know there is jotti, virus total, etc.) but 360 has always been a pain in the arse for various little reasons, and it's getting worse, trying to sell me shitty utilities, etc.
>
> I blocked the worst of it (pop-up notifications) with Glasswire, but there is still in-app stuff. The free version does have a bunch of half decent features though, so I suppose that is the price you pay for "free". That, and that they are giving all my info to the Chinese government.
>
> I'll leave it installed for now, just to see what happens with future versions of Switch-Backup-Manager, but I think it's time for it to go.


DARKFiB3R commented 5 years ago

Yeah, I thought as much.

It's definitely a bug with 360, because I now see that it's intermittent (I haven't updated it yet).

Files shouldn't need to be white-listed back at HQ. If I tell it to add a whole directory to the trust list, it should do so, and leave me the f alone.

Still, I've never seen that particular type of warning before, and I've used lots of obscure utilities over the years when modding consoles, and generally getting up to no good, so that is strange to me. I wonder what is triggering it.

josharmour commented 5 years ago

So I just saw this happen too with Bitdefender. What Bitdefender is saying is "The Process Switch Backup Manager.exe manifests ransomware behavior and was blocked. Several files were encrypted but we successfully restored all of them. You can find the restored file list below"

That list includes install directory \data\ contents and install directory\nswdb.xml...

I think the app is encrypting its own files and antiransomware software is detecting the encrypting behavior as similar to ransomware behavior.

Masamune3210 commented 5 years ago

The app isn't encrypting anything; if anything, it's decrypting the nsp to get the contents. Bitdefender isn't the best software in the world either. All it does is monitor file operations and look and see if there were major changes to a file and if the file made sense to it afterwards. Doesn't work very well if it doesn't understand the file in the first place.

josharmour commented 5 years ago

Thanks for sharing ninji. What I'm seeing is that the app starts to encrypt some of its local files and heuristic antivirus programs like Windows Defender and others detect that as suspicious. That is how ransomware works generally. However, if it was ransomware the files would be outside of its install directory and you'd get a notice from to pay bitcoin/ethereum/$SomeCoin to decrypt.

I'm confident this is not malware, but actually a false positive by most antivirus software out there. However, it would be nice if the app did not encrypt its files/folders in a way that set off alarms. I'm not sure what that way is though.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FCloxer.D!cl&threatid=2147726003

On Tue, Jan 1, 2019 at 4:47 PM Ninji <notifications@github.com> wrote:

> [image: image] https://user-images.githubusercontent.com/12572974/50577800-119f0800-0dfe-11e9-850c-117925214778.png


Masamune3210 commented 5 years ago

Like I said, it's probably just reacting to fast changes in files, as it has to decrypt the nsp to get the information from it.
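The kind of behaviour-based check described in the comments above (watch a process's file rewrites, see whether the content changed drastically and still "makes sense"), sketched as an added example that is not part of the original thread and not any vendor's actual algorithm. The thresholds, the magic-byte list and the file names are assumptions; the sample data is constructed.

```python
import hashlib
import math
from collections import Counter

# Constructed, deliberately short list of file signatures the monitor "understands".
KNOWN_MAGIC = (b"<?xml", b"PK\x03\x04", b"\x89PNG", b"%PDF")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_rewrite(before: bytes, after: bytes, jump=2.0, high=7.5) -> list:
    """Reasons one in-place rewrite resembles encryption (thresholds are assumptions)."""
    reasons = []
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    if e_after >= high and e_after - e_before >= jump:
        reasons.append("entropy_jump")
    if before.startswith(KNOWN_MAGIC) and not after.startswith(KNOWN_MAGIC):
        reasons.append("lost_known_format")
    return reasons

def flag_process(events, min_files=3):
    """events: (path, before, after) rewrites by one process; flag a burst of hits."""
    hits = [path for path, before, after in events if score_rewrite(before, after)]
    return len(hits) >= min_files, hits

def opaque_blob(size=4096) -> bytes:
    """Deterministic high-entropy bytes standing in for compressed or encrypted output."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(size // 32))

# Constructed sample: a small XML database and two ways a benign tool might rewrite it.
XML = (b'<?xml version="1.0"?><releases>'
       + b"<release><name>example</name></release>" * 100 + b"</releases>")
TEXT_UPDATE = [(f"data/db_{i}.xml", XML, XML.replace(b"example", b"renamed")) for i in range(3)]
BINARY_CACHE = [(f"data/db_{i}.xml", XML, opaque_blob()) for i in range(3)]

if __name__ == "__main__":
    print(flag_process(TEXT_UPDATE))   # text-to-text edits stay under the thresholds
    print(flag_process(BINARY_CACHE))  # text replaced by opaque bytes trips both rules
```

A heuristic of this shape cannot tell encryption from any other rewrite that turns a recognisable file into opaque bytes, which is why a benign tool can trip it.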