OnCourse Software

Welcome to our Product Support Forums

PF3 flagged as malware infected by Norton, Malwarebytes and Grindinsoft

ralf_maeder
Post subject: PF3 flagged as malware infected by Norton, Malwarebytes and Grindinsoft
Posted: Mon Jun 21, 2021 7:54 pm
 
I asked for a trial of PF3 and was sent the official automated email, instructing to enter a link to download the trial software. After unpacking the Zip-file, I get the first blocking and warning of Norton Security, moving the exe file to the vault. I instruct Norton that the file should be fine and so I execute the installer. Next in the line was Malwarebytes Premium, stopping the process and moving the file to the vault. I repeat to instruct Malwarebytes that the file is fine. Almost finishing the installation, Norton stops the installation process when the file "10Tec_Tooltip_100.dll" is being installed into the Windows System folder. I instruct it's ok. After restarting the computer, Grindinsoft (Anti-malware software) finds 7 suspicious new registry entries, flagging them as "PUP.RPL.Systemoptimizer.dd", "Rogue.RPL.Gen.bot" and "A part of PUP.RPL.Systemoptimizer.dd".

That last step with the registry changes was the part that was most troubling to me, hence I opted to ask the developer. His answer was that all were false positives.

I would like to ask you guys if anybody has run into this kind of aggressive adversary of anti-malware and antivirus software against the files related to PF3 and if even so you have come to the conviction that the software is 100% safe even when all anti-malware software packages say otherwise and find evidence with supposedly suspicious registry changes?

Ralf Maeder

PS: If you wonder about the different dates of the both screenshots, I tried the download and installations two times, both with a similar outcome.

Attachments: PF3 Norton.jpg, PF3 Grindinsoft.jpg


Dave Leesley
Post subject: Re: PF3 flagged as malware infected by Norton, Malwarebytes and Grindinsoft
Posted: Mon Jun 21, 2021 9:18 pm
 
I have this kind of trouble with CS 757 ace, so this is nothing new.

Some Anti virus software reads some of the code as suspicious, so ends up blocking your install... hence the reason you need to turn this off and then tell your AV to trust it.

_________________

Regards Dave
Forum Moderator

johnhinson
Post subject: Re: PF3 flagged as malware infected by Norton, Malwarebytes and Grindinsoft
Posted: Tue Jun 22, 2021 10:17 am
 
Modern anti-virus programmes will often "guess" at software unknown to it, to try and stay ahead of the game. They are often wrong. I never turn off my antivirus during an installation, but on the few occasions alarms occur I submit the file to my provider (Norton) who will analyse it and identify it as clean within 24 hours, updating their definitions to allow for it. I guess I am doing a favour for others who don't bother!

The registry entries are perhaps of more concern. Anything labelled "PUP" is a "Potentially Unwanted Programme" and isn't necessarily malicious but it could be. It indicates something extra to the installed software that you haven't been asked about before installing. "Rogue.RPL.Gen.bot" is definitely dodgy. If it has been correctly identified it is adware that installs itself into your web browser to take control of it.

I've not come across dodgy registry entries but surely they cannot be false positives? Are you certain they were installed with the demo software and not on some other previous occasion? Maybe you could disprove this by uninstalling the demo, and cleaning up with Norton Power Eraser (https://support.norton.com/sp/static/ex ... s/npe.html) which should reliably remove it. Then test with your anti-malware and if all is good re-install and test again.

I can't vouch for the smooth installation of the demo as I have the full version (but that didn't raise any alarms), but I have used Dave's products for a good twenty years and I cannot believe he would be the type to drop nasty tricks into his files.

Best regards,

John

_________________

My co-pilot is called Sid and he's a real Star!


cmg344
Post subject: Re: PF3 flagged as malware infected by Norton, Malwarebytes and Grindinsoft
Posted: Wed Jun 23, 2021 11:52 am
 
Hello,

If your Anti Virus and Malwarebytes are bothering you during the installation, you can always turn them off, and retry the installation.

After the installation, you can turn both on (AV and MB), and examine your rig. They won't find any virus.

_________________

Kind regards,

Carlos

ralf_maeder
Post subject: Re: PF3 flagged as malware infected by Norton, Malwarebytes and Grindinsoft
Posted: Wed Jun 23, 2021 8:27 pm
 
johnhinson, thank you for your tips.

I analyzed the computer with Norton Eraser and it didn't find any problem.

Then I did a few more steps to be sure that the computer is totally free of malware (restarts, checking with Grindinsoft which scans after every start of Windows, scans with Malwarebytes and a complete scan with Norton Security).

After that I downloaded once again the trial and before the unpacking and installation I disabled the internet, disabled Norton Security and Malwarebytes Premium. The installation of PF3 was without incident obviously, since I disabled both Antivirus/Malware apps.

Then I reactivated Norton and Malwarebytes and restarted Windows. During the startup scan of Grindinsoft once again were flagged the seven registry changes, the exact same entries that were observed after my previous attempts to install PF3. During all other restarts prior to the installation of PF3, none of these entries or other problems were reported by Grindinsoft.

This time I opted to let Grindinsoft repair the changes and left the installation of PF3 untouched. I have started PF3 (without Flightsimulator yet) and it started without error.

My theories about the flagged registry entries are:
1. The Antimalware software identifies harmless registry entries made by the installation process of PF3 as harmful and gives them fancy names like "Rogue.RPL.Gen.bot" in order to sound more sophisticated. If this case is true, I would expect some malfunctioning of PF3 because I instructed Grindinsoft to undo the registry changes.
2. Another less probable possibility is that during the installation process some malicious registry changes were triggered. In this case PF3 should work without any problem.

For the time being, I will try the software PF3 with Flightsimulator 2020 and see if it works as expected and of course that no more malware issues arise.

Ralf Maeder
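The clean, install, rescan procedure described in the post above can be backed by a direct comparison of registry exports taken before and after the installer runs, which shows exactly which keys and values the installation created. This is an added example, not part of the thread or of any product mentioned in it; it assumes text exports produced by `reg export`, and the key and value names in the sample data are hypothetical.

```python
import re

def parse_reg_export(text):
    """Parse `reg export` text into {key_path: {value_name: raw_data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            current[m.group(1).strip('"')] = m.group(2)
    return keys

def diff_exports(before_text, after_text):
    """Return (keys only in 'after', values added or changed in shared keys)."""
    before, after = parse_reg_export(before_text), parse_reg_export(after_text)
    added_keys = sorted(k for k in after if k not in before)
    changed = []
    for key in sorted(set(after) & set(before)):
        for name, data in sorted(after[key].items()):
            old = before[key].get(name)      # None means the value is new
            if old != data:
                changed.append((key, name, old, data))
    return added_keys, changed

# Constructed sample exports; key and value names are hypothetical.
# Real `reg export` files are UTF-16, so read them with encoding="utf-16".
BEFORE_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
"InstallDir"="C:\\Example"
'''
AFTER_SAMPLE = BEFORE_SAMPLE + r'''"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\DemoApp]
"Blob"=hex:01,02,\
  03,04
'''

if __name__ == "__main__":
    added, changed = diff_exports(BEFORE_SAMPLE, AFTER_SAMPLE)
    for key in added:
        print("new key:", key)
    for key, name, old, new in changed:
        print("new/changed value:", key, name, old, "->", new)
```

Entries an anti-malware scan flags after installation can then be looked up in the diff output: if they are absent from it, they predate the installer.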


ralf_maeder
Post subject: Re: PF3 flagged as malware infected by Norton, Malwarebytes and Grindinsoft
Posted: Thu Jun 24, 2021 12:07 am
 
After a couple of more restarts, I just wanted to run PF3 when Malwarebytes Premium intercepted the execution of the exe-file:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/23/21
Protection Event Time: 4:59 PM
Log File: af934922-d476-11eb-95df-001986001611.json

-Software Information-
Version: 4.4.0.117
Components Version: 1.0.1344
Update Package Version: 1.0.42147
License: Premium

-System Information-
OS: Windows 10 (Build 19043.1023)
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
Malware.Heuristic.1003, E:\Games\Microsoft Flight Simulator\PF3 DEMO\PF3.exe, Quarantined, 1000001, 0, 1.0.42147, 0000000000000000000003EB, dds, 01303030, 1A162DE25D9B9690E534354BEDD234CC, F009DFC61201DA9DD608307101B5588AC2455E325A838A1C1847F8BBC628378B


(end)



I guess the computer is trying to tell me something!?

Ralf Maeder
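The detection record in the log above carries what appear to be the MD5 and SHA-256 of the quarantined file, which lets a user or the developer confirm that the flagged binary is byte-identical to the officially distributed one before reporting it to the vendor as a false positive. This is an added example, not part of the thread or of Malwarebytes tooling; it assumes comma-separated fields with no commas in the path, and it identifies the two digests by their hex length (32 and 64 characters), which is an assumption about the log format.

```python
import hashlib
import re

# Detection record copied from the Malwarebytes log in the post above.
RECORD = (r"Malware.Heuristic.1003, E:\Games\Microsoft Flight Simulator\PF3 DEMO\PF3.exe, "
          "Quarantined, 1000001, 0, 1.0.42147, 0000000000000000000003EB, dds, 01303030, "
          "1A162DE25D9B9690E534354BEDD234CC, "
          "F009DFC61201DA9DD608307101B5588AC2455E325A838A1C1847F8BBC628378B")

def parse_detection(record):
    """Split one 'Blocked Malware Details' record into named fields."""
    fields = [f.strip() for f in record.split(",")]
    hexes = [f for f in fields if re.fullmatch(r"[0-9A-Fa-f]+", f)]
    return {
        "rule": fields[0],
        "path": fields[1],
        "action": fields[2],
        # Assumption: a 32-hex-digit field is MD5, a 64-hex-digit field is SHA-256.
        "md5": next((h.lower() for h in hexes if len(h) == 32), None),
        "sha256": next((h.lower() for h in hexes if len(h) == 64), None),
    }

def file_matches(path, detection, chunk=1 << 20):
    """True if the file at `path` has the SHA-256 recorded in the detection."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest() == detection["sha256"]

if __name__ == "__main__":
    det = parse_detection(RECORD)
    print(det["rule"], det["action"])
    print("sha256:", det["sha256"])
    # Usage: file_matches(r"path\to\fresh\download\PF3.exe", det)
```

A mismatch against a fresh download from the developer means the quarantined file is not the binary the developer shipped, which is a different problem from a heuristic false positive.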


ralf_maeder
Post subject: Re: PF3 flagged as malware infected by Norton, Malwarebytes and Grindinsoft
Posted: Thu Jun 24, 2021 12:59 am
 
Update: I searched for this Malware.Heuristic.1003 and found a couple of users who were claiming that the flagged files were false-positives. In one case a user was recommended to disable a setting in Malwarebytes Premium "Use expert system algorithms to identify malicious files" and that solved the false identification.

I repeated this action and now PF3.exe is not anymore identified as malware and starts up without being intercepted. That's an advance.

I would recommend the developer to look into ways how to avoid his software being identified as malware or malware-infected.

Ralf Maeder


johnhinson
Post subject: Re: PF3 flagged as malware infected by Norton, Malwarebytes and Grindinsoft
Posted: Thu Jun 24, 2021 1:32 am
 
ralf_maeder wrote (Thu Jun 24, 2021 12:59 am):
Update: I searched for this Malware.Heuristic.1003 and found a couple of users who were claiming that the flagged files were false-positives. In one case a user was recommended to disable a setting in Malwarebytes Premium "Use expert system algorithms to identify malicious files" and that solved the false identification.

I repeated this action and now PF3.exe is not anymore identified as malware and starts up without being intercepted. That's an advance.

I would recommend the developer to look into ways how to avoid his software being identified as malware or malware-infected.

Ralf Maeder

Hi Ralf,

"Heuristic" is the key word here.

Heuristic means guesswork. So-called "expert system algorithms" often means simply coming across a file not recognised, which is often the case with software from smaller developers.

It isn't their fault, it is the developer of the software (Malwarebytes in this instance) that wrongly detects perfectly safe software by guesswork that should put things right at their end. As I said earlier, most such services provide a means to advise of safe files, in this instance https://support.malwarebytes.com/hc/en- ... es-Support seems to be the place.

John

_________________

My co-pilot is called Sid and he's a real Star!


Dave March
Post subject: Re: PF3 flagged as malware infected by Norton, Malwarebytes and Grindinsoft
Posted: Thu Jun 24, 2021 7:22 am
Site Admin
 
Hi Ralf

As I mentioned in my email to you, these security programs look for certain footprints in the EXEcutable. My software is first compiled and then compressed and during those procedures it is highly probable such footprints are partly replicated, resulting in a false positive.

_________________

Cheers

Dave March

Email: dmarch@oncourse-software.co.uk

I don't know if my memory is getting worse as I get older...
...I just can't remember how it used to be!

ralf_maeder
Post subject: Re: PF3 flagged as malware infected by Norton, Malwarebytes and Grindinsoft
Posted: Sat Jun 26, 2021 12:18 am
 
Thanks to everybody for giving tips and support. As you can imagine, if several Antivirus and Malware packages run havoc over a specific file, the user might get nervous (me). Seems that we got this sorted out at last and PF3 is trustworthy, despite all the warnings of Norton, Malwarebytes and Grindinsoft.

I already was able to run the software and connect to the sim. A first humble step to master the complexity of the software.

Ralf Maeder

