False positive in demo of game Death Trash on Steam


talecrafter

Hello.

A false positive was detected in the GameAssembly.dll of the Steam Demo of the game Death Trash.

I'm the developer of the game and not sure what would cause this.
Other variants of our game with slight differences in each GameAssembly.dll, e.g. the full version, seem to get triggered, too.
If it's helpful, I can upload more variants of the GameAssembly.dll.

- Stephan Hövelbrinks

deathtrash_demo_log.txt GameAssembly.zip


1 hour ago, talecrafter said:

A false positive was detected in the GameAssembly.dll of the Steam Demo of the game Death Trash.

Hi,

Do you have "Use expert system algorithms to identify malicious files" enabled? It is located in Settings > Security > Scan option.

This is normally disabled by default.

Either way, Staff will investigate this and get this fixed.

Thanks for reporting!

Please turn off "Use expert system algorithms to identify malicious files" to avoid these detections. It is located in Settings > Security > Scan option.

Hello. For the demo it seems to be resolved now.

For the main game there's still a false flag. I attached the files here.

Due to the Early Access state of the game we'll be updating the game and the demo every few days. Will each of these have to be whitelisted again?

We have three more binaries in other stores, too, which seem to be affected. I would appreciate it a lot if we could find a general solution for this instead of a per-binary solution.

deathtrash_log.txt GameAssembly.zip


On 9/3/2021 at 4:04 AM, talecrafter said:

For the main game there's still a false flag. I attached the files here.

Again, please turn off "Use expert system algorithms to identify malicious files" to avoid these detections. It is located in Settings > Security > Scan option.

Edited by Porthos

3 minutes ago, talecrafter said:

This is not about me having a personal problem on my own computer. This is about customers buying my game on Steam etc. and potentially having that option enabled. I want it to be solved for them, not for myself.

Understood. Staff will be around to whitelist this one as well.


  • 2 months later...

A new version of the game is flagged again. This is the Steam version. I attached the files.

Please tell me how we can fix this situation permanently. We're uploading three different Windows binaries for every game update. We update the game about once per week.
What is causing these warnings? What can I do on my side to fix it?

The current situation is damaging our business. People are returning copies of the game because they think it contains Malware, and people are making forum posts to warn about the game.

deathtrash_log.txt GameAssembly.zip


Further investigation:

Adding the version meta info and digitally signing doesn't make a difference. The GameAssembly.dll still gets detected. (We don't have experience with the signing process and didn't buy one yet from a known source, so not 100% sure if this could be considered a full test.)

One interesting observation: As long as the GameAssembly.dll is located in the Applications Folder of Windows ("C:\Program Files...") it doesn't get detected, but if the file is outside of that it does get detected. So I assume files in the Applications Folder generally just get a pass from the heuristic algorithm? Steam is installed there by default and also the games it installs. Otherwise we would probably see a lot more of these false flags.

Another test: We created an empty Unity project, set it to the aforementioned IL2CPP workflow, just added a test script and built it, and it also was detected. I attached it here.
So we can at least exclude anything specific in our game triggering these detections.

How do we solve this now?

GameAssembly.zip GameAssemblyResults.txt


  • Staff

There is a fix in the works for the heuristic detections. I don't have an ETA at this time but it should be within a month at most. It's in testing at the moment. If you decide to purchase a valid signature that should solve the issue in the future as we can whitelist a valid signature for all validly signed files.

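Added example (not part of the thread, and not the developer's or the vendor's tooling): the signing test above used a certificate that was not bought from a known source, while the staff reply speaks of a "valid signature", so this PowerShell check reports how Windows itself rates the signature on each shipped binary before upload. The build path is a hypothetical placeholder, and the thread does not say whether the vendor's whitelist uses the same trust criteria as Windows.

```powershell
# Added example. The default path is a placeholder, not the game's real build layout.
param(
    [string[]]$Path = @('.\Build\Steam\GameAssembly.dll')  # hypothetical build output
)

function Get-SigningReport {
    param([Parameter(Mandatory)][string]$File)

    # Authenticode status as evaluated against the local Windows trust store.
    $sig  = Get-AuthenticodeSignature -LiteralPath $File
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        File        = $File
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Detail      = $sig.StatusMessage   # human-readable reason when Status is not Valid
        Subject     = if ($cert) { $cert.Subject } else { $null }
        Issuer      = if ($cert) { $cert.Issuer }  else { $null }
        # Subject equal to Issuer means the certificate was issued by itself,
        # i.e. it does not come from a certificate authority.
        SelfIssued  = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
        # Without a timestamp the signature stops validating when the cert expires.
        Timestamped = [bool]$sig.TimeStamperCertificate
        CertExpires = if ($cert) { $cert.NotAfter } else { $null }
    }
}

$report = foreach ($f in $Path) { Get-SigningReport -File $f }
$report | Format-List

# Fail the release step if any binary is not rated Valid on this machine.
$bad = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Error ("Not validly signed: " + ($bad.File -join ', '))
    exit 1
}
```

Run it on a clean machine rather than the build machine: a test certificate installed in the local trust store makes a self-issued signature show as Valid there and nowhere else.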

Thank you for the info update. I appreciate that.

Will have to ponder purchasing a valid signature. In our case it would just be for fixing this specific case. The general use case of customers being able to correctly identify the software seems to be mostly needless in our case as the software is downloaded, installed and launched through a trusted client, e.g. the Steam client.
