ravahn / FFXIV_ACT_Plugin

FFXIV Plugin for Advanced Combat Tracker

Latest AntiVirus patterns block FFXIV_ACT_Plugin -- [ a variant of Win64/HackTool.RustRegion.B application ] #324

Open Neyan-EU opened 3 months ago

Neyan-EU commented 3 months ago

Hey there.

I made an unfortunate discovery. Since my AntiVirus software updated its patterns yesterday it keeps deleting the Plugin because it recognizes it as "a variant of Win64/HackTool.RustRegion.B application".

I've been using this Plugin for quite a few years now and asked myself whether it's something that changed recently within the Plugin or had always been there. So I downloaded different versions of the Plugin and found out that this change came with Release 2.7.0.6.

All tested versions before that are "clean".


Here are some technical details:

AntiVirus Software: ESET Internet Security
Version: 17.2.7.0
Version of detection engine: 29644 (20240730)

Message when trying to update via ACT: [screenshot]

Message when trying to update via manual download: C:\Users\*****\Downloads\FFXIV_ACT_Plugin-2.7.1.2.zip » ZIP » FFXIV_ACT_Plugin.dll » COSTURA » machina.ffxiv.dll » EMB » [#0]MSILr1 - a variant of Win64/HackTool.RustRegion.B application - deleted


I also tried to work around it with some exclusions (since it had been there for a few versions now, and as a temporary solution!) but my AntiVirus software remains adamant - as you'd expect from a good AntiVirus software.

So, is there anything you can do about it?

Biroten commented 3 months ago

I also confirm that it happens to me too with ESET version 17.2.7.0

[screenshot]

Neyan-EU commented 3 months ago

As it happened, I was able to investigate it further and found out that the root cause lies with the machina.ffxiv.dll, in which a script is executed that matches the detection definition of 'a variant of Win64/HackTool.RustRegion.B application'.

Maybe it helps to solve this problem.


@Biroten: As a temporary solution you can add a detection exclusion with the following configuration:

Hash: 35B4CFC0A913D9F0B990C4024860B9D634D00D15
Detection name: Win64/HackTool.RustRegion.B

Comment is optional, but I used it like: Comment: ACT_Plugin-script » COSTURA » machina.ffxiv.dll » EMB » [#0]MSILr1

How to add an exclusion: ESET Help

With that I was able to install/update the FFXIV_ACT_Plugin.


Please note that this may become a problem again if the hash value of the 'script' changes; you'd need to edit the hash value accordingly. BUT that problem should be fixed, so that this exclusion isn't necessary in the future, for it is a security issue which is supposed to be addressed.

Neyan-EU commented 3 months ago

[screenshot]

The 2 other blocks seem to depend on the marked one (looks like a 'call hierarchy' to me). That's why they got blocked too. Because, as mentioned above, it was enough to add only the marked one as an exclusion.

ravahn commented 3 months ago

ESET flagging FFXIV_ACT_Plugin.dll was reported to the ACT FFXIV Discord when the first beta v2.7.1.1 was posted yesterday morning. There is some additional discussion there, if anyone is interested. The invite link is in the GitHub readme.

The root cause appears to be that Machina.FFXIV uses Deucalion.dll, an open source (https://github.com/ff14wed/deucalion) Rust DLL which is injected into Final Fantasy XIV to directly access network data by hooking game functions. ESET is blocking Deucalion.dll because it uses a Rust crate called retour for this hooking, and retour uses a Rust crate called region. Region abstracts the low-level operating system functions necessary for function hooking. It appears that ESET is scanning for programs that use the region crate and flagging them.

I apologize for the problem, and understand the concern that this is suddenly occurring. Unfortunately there is very little I can do to prevent third party anti-virus blocking low-level libraries.

Neyan-EU commented 3 months ago

First of all: Thanks for your response, the insights and the given explanation! Much appreciated!

When I saw the call stack I already assumed that you might be unable to really do something about it. Nonetheless, I'll join the Discord to follow this topic further. Maybe the community, with its many perspectives, is able to figure out how to get rid of this - since it wasn't part of the Plugin before release 2.7.0.6.

Meanwhile, what are we supposed to do with this ticket?

ravahn commented 3 months ago

FFXIV plugin v2.7.0.6 is using Machina.ffxiv nuget version 2.3.9.8, which uses Deucalion 1.0.0.

The prior official release before that was 2.7.0.2, which used Deucalion 0.9.5. The differences between the two Deucalion versions can be seen in the GitHub source code history, and they are minor changes like logging, 7.0 memory signatures, etc. The retour dependency was not updated. So it doesn't look like there is a simple way to modify Deucalion and prevent this problem.

Let's leave this GitHub issue open since it is an ongoing problem.