mamedev / mame

MAME
https://www.mamedev.org/

Trojan detected Win.MxResIcn.Heur.Gen + suspicious behavior on 0266 windows version binaries (mame0266b_64bit.exe). #12498

Closed Eye-01 closed 1 week ago

Eye-01 commented 1 week ago

MAME version

0266

System information

Windows 64-bit

INI configuration details

No response

Emulated system/software

No response

Incorrect behaviour

Hello. A VirusTotal check shows a trojan detected on mame0266b_64bit https://www.virustotal.com/gui/file/d82402f59f2898696461bee8981cc01635b58259018d352c1402e1e042c310fc I could consider this a false positive if there wasn't suspicious behaviour: killing the Windows service group WerSvcGroup and interfering with WMI:

%windir%\System32\svchost.exe -k WerSvcGroup wmiadap.exe /F /T /R

Expected behaviour

It should be clean on VirusTotal and, whatever the reasons are, it shouldn't deactivate any service group or patch anything on the Windows system.

Steps to reproduce

No response

Additional details

No response

cuavas commented 1 week ago

This is a common false positive, for example see clsid2/mpc-hc#2849

Official MAME binaries do not interfere with WMI for me. MAME uses WMI to identify the XInput controllers (based on Microsoft sample code). If you’re treating WMI queries from applications that aren’t whitelisted as suspicious or something, you’ll get false positives.

Eye-01 commented 1 week ago

But what about killing WerSvcGroup (svchost.exe -k WerSvcGroup)? It's not normal. The PC that generated (or the one that just published) the Windows binaries could be infected even if nothing is in the source.

cuavas commented 1 week ago

MAME does not kill any service groups. If this is happening, it’s caused by something else on your system, not MAME. We’d have a deluge of issue reports if this was happening.

Also, Win.MxResIcn.Heur.Gen isn’t actually identifying known malware. It’s a heuristic. Since around 14 June it has been causing massive numbers of false positives: https://gridinsoft.com/blogs/win-mxresicn-heur-gen-false-positive/

It’s been problematic for years – here’s a report of a false positive from 2018: https://support.mozilla.org/en-US/questions/1205467

Eye-01 commented 1 week ago

This is not on "my system": the hash of the executable is the same for everyone who has already submitted the binaries published on the MAME GitHub (you can try it yourself by sending the exe to VirusTotal). Concerning the behaviour, this executable really kills the service group, even if nothing in the sources does it. VirusTotal behaviour analysis observes the file in a sandbox; I believe it's seriously done. Please check the "behavior analysis" section on the VirusTotal link I provided. The trojan detection is something different: it is based not on the behaviour but on each antivirus, so it is more open to mistakes. Also, the "whitelists" of the VirusTotal antivirus companies are over-permissive. They allow, for example, all Windows security deactivation and open backdoors from Absolute Software Corp spyware to be invisible... So even a single detection should be looked at with caution.

cuavas commented 1 week ago

Please think about this for a second:

You have not described any suspicious behaviour.

balr0g commented 1 week ago

Note that the report linked above is for the 7-Zip self extracting archive. The 7-Zip self-extracting code, which is bundled with 7-Zip and included in self-extracting archives, may very well be calling into WMI to access the performance counters — you'd have to look at its source code.

It is common for self-extracting archives and packers to get falsely flagged by anti-malware software.

Scanning the MAME executable itself does not show these behaviors.
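The checks a reader of this thread would actually run, as an added example that is not code from MAME or from any commenter: pin the files you have to the two SHA-256 values on the page (the VirusTotal URL path is the file's SHA-256, and the two reports above are for the 7-Zip self-extractor and for the extracted mame.exe respectively), run the same WMI query that Microsoft's XInput sample (IsXInputDevice) issues so you can recognise what "MAME uses WMI to identify the XInput controllers" looks like, and snapshot the Windows Error Reporting service (the service that runs under `svchost.exe -k WerSvcGroup`) before and after launching the binary. The directory layout, the `-help` argument used to launch mame.exe, and the hypothetical function names are assumptions of this example; it is meant to be run on Windows 10/11 in Windows PowerShell 5.1 or later.

```powershell
# Added example, not MAME project code. Assumes Windows PowerShell 5.1+ on a
# Windows 10/11 host. Paths and function names are illustrative.

# 1. Hashes copied from the VirusTotal links in this issue (URL path = SHA-256).
$ExpectedSha256 = @{
    'mame0266b_64bit.exe' = 'd82402f59f2898696461bee8981cc01635b58259018d352c1402e1e042c310fc' # 7-Zip SFX
    'mame.exe'            = 'b77acc82221fffea260114d6a64f5b6128346395b1330c4403cf20a760853223' # extracted binary
}

# Confirm the file on disk is the one the linked report analysed, and build the
# report URL from the hash so the comparison does not depend on the file name.
function Test-ArtifactHash {
    param([Parameter(Mandatory)][string]$Path)
    $name   = Split-Path -Leaf $Path
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    [pscustomobject]@{
        File      = $name
        SHA256    = $actual
        Expected  = $ExpectedSha256[$name]
        Matches   = ($ExpectedSha256.ContainsKey($name) -and $ExpectedSha256[$name] -eq $actual)
        ReportUrl = "https://www.virustotal.com/gui/file/$actual"
    }
}

# 2. The WMI query from Microsoft's XInput/DirectInput sample: enumerate
#    Win32_PNPEntity and keep devices whose DeviceID contains "IG_". A game or
#    emulator issuing this query is enumerating controllers, nothing more.
function Get-XInputCapableDevices {
    Get-CimInstance -ClassName Win32_PNPEntity |
        Where-Object { $_.DeviceID -like '*IG_*' } |
        Select-Object Name, DeviceID
}

# 3. WerSvc is the service hosted by "svchost.exe -k WerSvcGroup". It is
#    normally Manual/Stopped and is started on demand, so compare the full
#    Status/StartType pair rather than just "is it running".
function Get-WerServiceState {
    $svc = Get-Service -Name WerSvc -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'absent' }
    "$($svc.Status)/$($svc.StartType)"
}

# Run the binary and report whether the WER service state changed around it.
# '-help' only exercises startup; launch a system (e.g. a driver name) if you
# want the input module, and therefore the WMI controller query, to run too.
function Invoke-MameBehaviourCheck {
    param(
        [Parameter(Mandatory)][string]$MameDir,
        [string[]]$MameArgs = @('-help')
    )
    $exe    = Join-Path $MameDir 'mame.exe'
    $hash   = Test-ArtifactHash -Path $exe
    $before = Get-WerServiceState
    $proc   = Start-Process -FilePath $exe -ArgumentList $MameArgs -WorkingDirectory $MameDir `
                            -WindowStyle Hidden -PassThru -Wait
    $after  = Get-WerServiceState
    [pscustomobject]@{
        HashMatchesReport = $hash.Matches
        ExitCode          = $proc.ExitCode
        WerServiceBefore  = $before
        WerServiceAfter   = $after
        WerServiceChanged = ($before -ne $after)
        XInputDevicesSeen = @(Get-XInputCapableDevices).Count
    }
}

# Usage (adjust the paths):
# Test-ArtifactHash -Path "$env:USERPROFILE\Downloads\mame0266b_64bit.exe"
# Invoke-MameBehaviourCheck -MameDir 'C:\mame' | Format-List
```

Two caveats for reading the result: a sandbox that labels process terminations may attribute the exit of an on-demand `WerSvcGroup` host to whatever process it was tracing, so a local before/after snapshot on a real machine is more informative than the sandbox summary alone; and `Get-XInputCapableDevices` only returns something when an XInput-capable controller is plugged in, which is exactly the condition under which the WMI query in the sample code would return anything either.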

Eye-01 commented 1 week ago

@balr0g Nope. Same trojan detection Win.MxResIcn.Heur.Gen for just mame.exe : https://www.virustotal.com/gui/file/b77acc82221fffea260114d6a64f5b6128346395b1330c4403cf20a760853223

I'm now uploading the full (big) zip archive to VirusTotal to check the whole behaviour without the self-extractor, and I will report the result.

cuavas commented 1 week ago

You’re just wasting everyone’s time.

rb6502 commented 1 week ago

Yeah, this is ridiculous. 100% of MAME's code in a Windows build is from the source in our repo. There's no obfuscation, nothing is touching any Windows services, and 30 other virus scanners think MAME is fine.