Misty Moorings Forums

Return to Misty Moorings (FSX/P3D/MSFS2020) => General Discussion => Topic started by: BBQSteve on July 30, 2018, 09:41:00 AM

Title: Virus found
Post by: BBQSteve on July 30, 2018, 09:41:00 AM
Windows Defender has found the Win32/Tilken.B!cl Trojan in the recently downloaded Season Switcher. Anyone else experienced this?
Title: Re: Virus found
Post by: nbrich1 on July 30, 2018, 10:55:33 AM
Yes, the Season Switcher exe triggers the Windows 10 virus scanner and deletes the file.
You have to add an exception entry for the Season Switcher scenery folder, then extract the Season Switcher zip in that folder and it will work with no exceptions (because the Windows 10 virus scanner will not eat the RTMM Season Switcher v3.3.exe file).

Norm
Title: Re: Virus found
Post by: BBQSteve on July 30, 2018, 11:55:53 AM
Thanks, but does it actually contain a Trojan?
Title: Re: Virus found
Post by: nbrich1 on July 30, 2018, 12:37:10 PM
Lol no.. of course not.. just an executable that changes the RTMM seasonal scenery files and doesn't contain any virus.
Norm
Title: Re: Virus found
Post by: BBQSteve on July 30, 2018, 01:25:38 PM
I know what it is, question is why does it come up as containing a trojan. I googled it and it is in fact a trojan.
Title: Re: Virus found
Post by: ualani on July 30, 2018, 01:31:40 PM
Come on, do you think we'd host a file for several years that is infected with a Trojan? This issue has been put to rest in the past.  Read the FAQ page under Season Switcher. Google obviously lied.

Steve
Title: Re: Virus found
Post by: Penzoil3 on July 30, 2018, 01:47:28 PM
 8)
ESET says it is clean. I trust ESET a lot more than Microsnot.
 LOL
  Sue
Title: Re: Virus found
Post by: ualani on July 30, 2018, 02:06:12 PM
I trust Rod, Jeff and  Doug on things like this more than Google, MS and ESET combined.

Steve
Title: Re: Virus found
Post by: jeff3163 on July 30, 2018, 07:59:49 PM
There are NO viruses in the RTMM Season Switcher v3.3.  I have used it since its inception, with no issues.  I've never seen a virus warning for it on my system.  Works just fine.  Thanks Rod.  ;) 8)
Title: Re: Virus found
Post by: ualani on July 30, 2018, 08:32:33 PM
Please post the link that claims it's a trojan.

Steve
Title: Re: Virus found
Post by: BBQSteve on July 31, 2018, 02:05:53 PM
https://forums.malwarebytes.com/topic/213572-trojanwin32tilkenbcl/

https://www.remoteutilities.com/support/forums/forum5/817-mse-false-positive-detection_-trojan_win32_tilken.b_cl

https://www.pcmalwaresecurity.com/trojan/delete-trojanwin32-tilken-bcl-virus-completely-windows-pc/

https://forum.dji.com/thread-129351-1-1.html

Thought you guys knew how to Google. Why do you always try to slay the messenger?
Title: Re: Virus found
Post by: stiletto2 on July 31, 2018, 02:33:12 PM
Hi BBQSteve,

Three members of the RTMM Staff have told you that the file does not contain a Trojan.
Right after your initial post you were advised by Norm of this "false positive" problem and told how to bypass the false positive. But yet you then posted this statement asking why does it happen right after Norm told you:

"I know what it is, question is why does it come up as containing a trojan. I googled it and it is in fact a trojan."

You were also directed by ualani to look at the FAQ on The Season Switcher that states quite clearly (in red at the top) that downloading the RTMM Season Switcher can trigger your anti-virus to give a false positive response.   Here is the link if you are unable to find the correct FAQ:

http://return.mistymoorings.com/faq/#s

So, there is no question that the error you got was a "false positive" which happens sometimes with virus scanners.   My question to you at this point is, now that you have checked with RTMM and verified that it is a false positive,  were you then able to bypass the virus scanner block and download the file?

It is important that you have a working RTMM Season Switcher because the upcoming release of The Western Chugach - Part 2 is very seasonal and really shines when the Season Switcher is used properly.

Let us know.

Rod
Title: Re: Virus found
Post by: BBQSteve on July 31, 2018, 03:44:34 PM
Thanks Rod, yes I was able to unzip and utilize the switcher and it worked well. You may not recall that this isn't my first problem with the switcher and W10. The first time, 10 would not allow me to run the switcher at all. I had to install the switcher on a W7 computer and move all the files, run the switcher and move them back in order to utilize the switcher file. So when I upgraded this computer and loaded W10 Pro and came up with a second problem, this one, perhaps you can see my apprehension. Reading the undated FAQ NOTAM did not give me that warm and fuzzy feeling, added to the Google info, so I posted.

Sorry if these posts got some people's pants in a wad, but better safe than sorry. I spent a month on this build and reloading everything and not wanting to jeopardize it all, I questioned.
Title: Re: Virus found
Post by: ualani on July 31, 2018, 03:49:59 PM
Uhhh Steve......I asked you to provide a link that claims it, the Season Switcher, is or contains a Trojan. However, not one of your links says anything that your Trojan was found in the Switcher, or anything related to RTMM for that matter. All you did was provide some links describing that Trojan, or that someone had found that particular one infecting their system. Again I ask, why would we purposely and knowingly host a file for several years containing a virus? No one is slaying the messenger here, just trying to inform what has already proven to be wrong, discussed and posted multiple times.

Steve
Title: Re: Virus found
Post by: BBQSteve on July 31, 2018, 04:00:15 PM
Misunderstood you. Here you go big guy:


http://i.prntscr.com/OxFAl-JtSpKbnRMjdtamkw.png
Title: Re: Virus found
Post by: nbrich1 on July 31, 2018, 04:19:40 PM
And always run stuff in Windows 10 as administrator. I guess this OS needs to be told who's boss even if it is the boss running and signed onto the OS!!

Title: Re: Virus found
Post by: stiletto2 on July 31, 2018, 04:33:37 PM
Quote from: BBQSteve
Thanks Rod, yes I was able to unzip and utilize the switcher and it worked well. You may not recall that this isn't my first problem with the switcher and W10. The first time, 10 would not allow me to run the switcher at all. I had to install the switcher on a W7 computer and move all the files, run the switcher and move them back in order to utilize the switcher file. So when I upgraded this computer and loaded W10 Pro and came up with a second problem, this one, perhaps you can see my apprehension. Reading the undated FAQ NOTAM did not give me that warm and fuzzy feeling, added to the Google info, so I posted.

Hi BBQSteve,

I absolutely remembered that you were the one that was unable to execute the switcher.   We had quite a few posts back and forth.   That is one of the reasons that I wanted to know if you got the switcher loaded okay.  I was hopeful that you were able to put the switcher problem behind you  and....the good news is that now it works as advertised.  That's great!

Rod
Title: Re: Virus found
Post by: jeff3163 on July 31, 2018, 07:51:07 PM
Quote from: BBQSteve
Misunderstood you. Here you go big guy:

http://i.prntscr.com/OxFAl-JtSpKbnRMjdtamkw.png

This link doesn't work.   ;)  This is what I get instead:

(http://i1130.photobucket.com/albums/m531/jeff3163/MOON/Flight%20Simulator%20X%20Files/2018/BBQStevePNGerror.png~original)
Title: Re: Virus found
Post by: BBQSteve on July 31, 2018, 10:07:44 PM
Works fine for me. It is a screen shot of Defender telling me of the trojan, tells me that it is severe and gives me a PID for action. Unfortunately I cannot copy the data and post it in either Defender or iprint so you'll just have to take my word.
Title: Re: Virus found
Post by: Stearmandriver on August 02, 2018, 12:41:25 AM
So this one's been resolved and I don't mean to keep it going, but for future reference, when unsure about a file's safety, this is a useful site:

https://www.virustotal.com/

It allows you to upload a file, then will scan it with like 40 different anti-virus tools (including all the big names) and will show you all the results. It's completely web based, so you don't download anything, so it's entirely safe.

The thing to understand is, almost ANY executable-type file will be flagged as a virus by at least a few of the tools; these are the "false positives" and are what make a meta-analysis like this so useful.  A true piece of malware will probably return at least around 80% positive results.

If I were home at a computer, I'd run the season switcher through and post the results.  Maybe someone else wants to.
Title: Re: Virus found
Post by: BBQSteve on August 02, 2018, 08:34:12 AM
Results are in:

http://prntscr.com/kdt64f
Title: Re: Virus found
Post by: ualani on August 02, 2018, 09:05:21 AM
9/69 positive hits. It all comes down to who do you trust and believe: Rod, the developer of the Switcher, or a generic anti-virus scanner? Your call. Ironically, the scanner also says that Windows reports it as clean. Also, it's interesting that the positives all report it as different viruses.

Steve

Title: Re: Virus found
Post by: BBQSteve on August 02, 2018, 09:56:09 AM
Yes, very interesting in which scans find it and how it gets reported. Does not show Defender in the list which keeps deleting it even after I allow it. Retried the exclusion again. My concern was not that I did not trust the file, but that it was being reported as a trojan. Wonder if it is due to the compiler. If left as a .bat file, wonder if it would have the same hits?
Title: Re: Virus found
Post by: Penzoil3 on August 02, 2018, 01:17:45 PM
Beat it, just beat it, just get a dead horse and beat it...
Title: Re: Virus found
Post by: BBQSteve on August 02, 2018, 01:35:41 PM
It's not beating a dead horse, it's called learning. Learning why some items trigger a false positive and why some escape them all.

Ya know, you don't have to read it if you're not interested.
Title: Re: Virus found
Post by: Stearmandriver on August 02, 2018, 02:09:22 PM
Yeah, any file that is capable of changing anything about another program will be flagged by a few antivirus tools.  They all use different, proprietary detection criteria so it's hard to say for sure what an individual tool doesn't like about an individual file.

9 out of 6 is really nothing though.  I think if you run some other trusted files through, you'll be surprised at the results (I'm talking executables or scripts, not like images obviously).  I don't even get suspicious until the detection rate approaches 50%.

Steve also makes a good point that every tool that flagged it recognized it as a different piece of malware.  There's much more concurrence on a true piece of malware.

It's also worth noting that the only positives were no-name virus scanners.  The big names like Kaspersky, Norton, Malwarebytes etc are very over-cautious and will therefore often return false positives... But they won't often ALL miss something if it's real.  In fact, I'd say that's almost impossible.

So, this file is definitely clean... Which I know we'd already established, I'm just offering tips on a useful tool for future reference.
Title: Re: Virus found
Post by: BBQSteve on August 02, 2018, 04:57:25 PM
Good information, thanks.
Title: Re: Virus found
Post by: jmsmth on August 03, 2018, 11:48:59 AM
The discussion really does not contain a solution that I can understand anyhow.  BBQSteve in his post on Aug 02 states that Defender deletes the file even after it has been added to the ok list.  That is what is happening with me also.  I have tried turning Defender off and it still deletes it.  Am I going to have to get rid of Defender altogether to get it to work, or is there a workaround some of you computer gurus can help me with?  It would be very much appreciated.

Jim Smith
Title: Re: Virus found
Post by: jeff3163 on August 03, 2018, 12:13:24 PM
I am slightly confused.  You can't download the zip, or you can't run the switcher in windows?   :-\

Do you have defender set to "Block" or "Warn" of threats?    :-\   Sometimes I get a file download that windows thinks is bad.  I have the option to keep it anyway, or discard.  Do you have that option?  Choose to keep it.

I do have Defender active on my system, and I just downloaded and opened the zip.  No issues at all.  I have not "excluded" the file either.  My system is just ok with it.  Weird.
Title: Re: Virus found
Post by: BBQSteve on August 03, 2018, 01:11:00 PM
Jim do this step-by-step:

1. Download the file.
2. Unzip and let Defender quarantine/delete the file
3. Open Windows Defender and open Virus & Threat Protection
4. Open Threat History
5. Look at Quarantined Threats; the file should be in there
6. Restore or allow it.
7. Back up to Threat History and then select Allowed Threats
8. Select the file and hit allow
9. Back to Virus & Threat Protection
10. Select Virus and Threat Protection Settings
11. Scroll down to Exclusions and hit Add or Remove
12. Hit Add an exclusion and find the file and add it

Back out and you should be good to go.
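
The same steps as a script, as an added example that is not part of the original post: it uses the Defender PowerShell cmdlets and MpCmdRun.exe from an elevated prompt. The install path and the expected SHA-256 are placeholders (the thread gives neither), and the hash check is an extra step the post does not include.

```powershell
# Added example. Run from an elevated PowerShell prompt on Windows 10.
# $exe and $expected are placeholders: the thread gives no install path and no hash.
$exe      = 'D:\Scenery\RTMM\Season Switcher\RTMM Season Switcher v3.3.exe'
$expected = '<SHA-256 PUBLISHED BY THE DEVELOPER>'
$mpcmd    = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# Steps 3-5: show what Defender detected and which files it acted on.
Get-MpThreatDetection |
    Where-Object { $_.Resources -like '*Season Switcher*' } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources

# Steps 9-12: exclude the single file, not the folder or a whole drive.
# Done before the restore so the restored file is not picked up again.
Add-MpPreference -ExclusionPath $exe

# Steps 6-8: list quarantined items, then restore this one to its original path.
& $mpcmd -Restore -ListAll
& $mpcmd -Restore -FilePath $exe

# Extra step: compare the restored file with the developer's hash before running it.
if (-not (Test-Path -LiteralPath $exe)) {
    Write-Warning "Nothing was restored to $exe; check the -ListAll output above."
    Remove-MpPreference -ExclusionPath $exe
    return
}
$actual = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
if ($actual -ne $expected) {
    # Not the file the developer shipped: take the exclusion back out.
    Write-Warning "Hash mismatch ($actual). Removing the exclusion."
    Remove-MpPreference -ExclusionPath $exe
} else {
    "Hash matches. Current exclusions:"
    (Get-MpPreference).ExclusionPath
}
```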
Title: Re: Virus found
Post by: jmsmth on August 04, 2018, 10:35:29 AM
Thanks to BBQSteve problem solved.  I also found some duplicate files in punchbowl lake scenery.  All is up and running now.  Thanks again.

Jim Smith
Title: Re: Virus found
Post by: BBQSteve on August 04, 2018, 01:58:48 PM
Glad to be of assistance. Always a pleasure to help a fellow pilot.   8)