Windows Defender identifies V2.18.2 as a trojan

[the1glorfindel]

[theonlypwner]

I notice that many anti-virus scanners detect the ACR v2.18.2 Windows client executable as a virus. When I download the release, I see Windows Defender detects it as TrojanDropper:Win32/OverJoiner!rfn. It's either a lot of false positives, or GitHub's hosted runner environment was compromised.

Unlike previous releases, where I compiled the binaries manually, the v2.18.2 executables were compiled in GitHub Actions (https://github.com/acreloaded/acr/actions/runs/470292606). GitHub's machines run the workflow file and generate the release.

I have submitted a support request to GitHub about the potential security issue. Until this is resolved, I recommend compiling the source code yourself.

I just compiled my own executable (acr_client.zip), and Windows Defender shows it as clean. It seems like there are some false positives, but not like 50% detecting it as a virus: https://www.virustotal.com/gui/file/225b98ffa65d1387350bc6928db695be05f6e0156a9b3fdcf058e4de84fc8391

[Duckrinium]

Installed through choco, detected as Trojan but different name.

I just compiled my own executable (acr_client.zip), and Windows Defender shows it as clean.

This one detects as Ymacco.AA22, I guess it's GitHub.

[dillfrescott]

I'm currently running a hybrid analysis on it. Avast blocked it. Firefox blocked it, and nearly half of the virus total results marked it as malicious. Something isn't right here...

I haven't tried to compile it myself though.

[dillfrescott]

Here are the results of the Hybrid Analysis:

https://www.hybrid-analysis.com/sample/805a2d3969af315f4c47c9299b565dc44ba2f6493509b79b83d139ce4a8d4ca8/615764121f4402747a1d8907

[Manerr]

Hello, I donwloaded yesterday ACR, without reading that issue sadly
Defender warned me, ( TrojanDropper:Win32/OverJoiner!rfn ) , and I deleted manually all the files. Do you think I risk something, I'm a bit worried about my PC ... And my internet accounts thus
Any suggestion or help , thanks in advance :/

[theonlypwner]

As mentioned before, compile ACR yourself if you do not trust the executables created by GitHub's machines.

It is possible that there is something in the ACR code that anti-virus software does not like. For example, bugs that cause memory overreads or corruption would possibly trigger detections. If we can find and fix those issues, it would help to resolve this.

I don't have time to investigate right now, but if someone finds and reports what's causing the detections, I can make the fixes and release a new version.

[kabeeki]

Could this possibly be related to it using registry keys and services for the server?

Hybrid analysis says that it imports suspicious APIs , namely
RegCloseKey
StartServiceCtrlDispatcherA
RegOpenKeyExA
GetDriveTypeW
GetFileAttributesA
UnhandledExceptionFilter
WriteFile
GetModuleFileNameW
IsDebuggerPresent
LoadLibraryExW
CreateThread
ExitThread
TerminateProcess

Some of which I don't see why assualtcube uses, like the registry related ones. Maybe they are for saving the resolution and game settings?

Hope this helps,
Levi

[theonlypwner]

@kabeeki AssaultCube and AssaultCube Reloaded both read the registry:

https://github.com/acreloaded/acr/blob/v2.18.2/source/src/stream.cpp#L147-L170

https://github.com/assaultcube/AC/blob/v1.3.0.2/source/src/stream.cpp#L151-L174

AC and ACR use the registry to substitute ?MYDOCUMENTS? with the My Documents folder path. Also, ACR uses the registry to read MachineGuid to get a unique machine ID.