
liveUpdater issue...


flySWISS:

--- Quote from: virtuali on July 17, 2021, 12:25:29 pm ---
Now, this is in theory but we have seen all sorts of weird behavior when defective antivirus products mistakenly flag the executables as threats, even if they are digitally signed with TWO digital signatures (our own Authenticode AND the "software taggant", which is a standard to help antiviruses not catch false positives), so I wouldn't be surprised if your antivirus made starting the SAME program from the icon shortcut or manually somewhat different, when there shouldn't be any difference.

--- End quote ---

What we both are assuming here is that a breach can and will occur, which is the correct position to take. No security solution is perfect, and if a threat has made it past other lines of defence, you need something that can alert you to the breach so that you can begin to investigate. AND a software taggant is JUST a cryptographic signature added to software that enables positive origin identification and integrity checking of programs, somewhat similar to Microsoft's Authenticode. Also, a software taggant may cover ONLY small critical areas of the program to minimize the cost of software integrity checking.

You know, there is NO user who has not encountered the problem of false antivirus triggering. The reaction of an ordinary person most often comes down to deleting a "suspicious" file, which is often not only not harmful, but rather useful and sometimes valuable. In turn, programmers, knowing about such jokes, can fall into irritation close to stress. Neither one nor the other contributes to effective work. A few years ago, a real battle broke out between antivirus companies and protectors. Losing, the antiviruses decided to ban all packers that are not used in commercial and widespread software. Then even several well-known packers were banned. Over time, the situation returned to normal, but there is still no complete solution to the problem!!!

And YES Sir, FSDT GSX / GSX L2 is definitely one of my favorites for Flight Simulation! You haven't missed a thing! WOW! Highly recommended. Nothing can stop you now. You've got your brain in gear today. However, next I will visit your online shop because I need some nice airport textures for MSFS20.


REGARDS from LSZH

virtuali:

--- Quote from: flySWISS on July 17, 2021, 07:18:41 pm ---What we both are assuming here is that a breach can and will occur, which is the correct position to take. No security solution is perfect, and if a threat has made it past other lines of defence, you need something that can alert you to the breach so that you can begin to investigate. AND a software taggant is JUST a cryptographic signature added to software that enables positive origin identification and integrity checking of programs, somewhat similar to Microsoft's Authenticode. Also, a software taggant may cover ONLY small critical areas of the program to minimize the cost of software integrity checking.
--- End quote ---

Sorry no. There's nothing we should do or investigate, because we KNOW our product doesn't do anything wrong. We already do more than enough by:

- paying our yearly fees for an Authenticode certificate, which is the FIRST thing antivirus vendors suggest to prevent false positives.

- paying our yearly fees to license the Software Taggant signature, which is an IEEE standard that antivirus vendors are SUPPOSED to trust.


Assuming a false positive was indeed the cause of your problem, the only thing at fault here is the antivirus itself, which is trusting its own questionable heuristics more than the double digital signature that is supposed to prevent that.

The problem is, antivirus vendors need to boast the ability to catch threats that "haven't been discovered yet" or catch more threats than the competition, otherwise they couldn't possibly differentiate themselves from each other and, most importantly, from the one included by default in Windows.

So they use heuristics trying to judge behavioural patterns, because they don't really KNOW if something is a threat, or they use the despicable "reputation" method, so a new executable that has never been encountered before is by default flagged as suspicious.

That, of course, clashes completely with the very concept of a Live Updater because:

- it's able to "update itself". The 2nd stage .exe gets updated very often, so it never gets enough "reputation".

- it "downloads stuff", which is a behavior that might be associated with trojans, for example.

These two combined are seen as dangerous, even if they obviously aren't, but if we had to check EVERY antivirus product out there, EVERY time they have an update, to see if ANY of them got a false positive, and report it to the antivirus developers, we wouldn't have any time left to do... actual flight sim products!
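A check a user can run on their own machine before deleting a flagged updater file, added here as an example and not code from this thread or from FSDT: it lists the Authenticode signature status, signer and SHA-256 of every executable under a folder, so a false-positive report to the antivirus vendor can quote the signer and hash instead of guessing. The folder path is a placeholder.

```powershell
# Added example (not FSDT's code). Verify Authenticode signatures and collect
# SHA-256 hashes of executables before treating an antivirus alert as real.
# Status values come from Get-AuthenticodeSignature: Valid, NotSigned,
# HashMismatch (file modified after signing), NotTrusted, UnknownError, ...
param(
    [string]$Path = 'C:\<INSTALL_DIR>'   # placeholder: the product folder
)

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate
    $ts   = $sig.TimeStamperCertificate
    [pscustomobject]@{
        File       = $_.FullName
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { '' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        CertExpiry = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped= [bool]$ts   # a countersignature keeps the signature valid after expiry
        Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} | Sort-Object Status | Format-Table -AutoSize
```

A result of Valid means the chain is trusted on this machine; HashMismatch or NotSigned on a file the vendor says is signed is the one case that warrants leaving the file quarantined and asking the vendor about it.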

flySWISS:

--- Quote from: virtuali on July 18, 2021, 01:39:23 pm ---
Assuming a false positive was indeed the cause of your problem...

--- End quote ---

That is definitely the case here, despite the "tireless" efforts of a friendly cast.


--- Quote from: virtuali on July 18, 2021, 01:39:23 pm ---
The problem is, antivirus vendors need to boast the ability to catch threats that "haven't been discovered yet" or catch more threats than the competition, otherwise they couldn't possibly differentiate themselves from each other and, most importantly, from the one included by default in Windows.

So they use heuristics trying to judge behavioural patterns, because they don't really KNOW if something is a threat, or they use the despicable "reputation" method, so a new executable that has never been encountered before is by default flagged as suspicious.

--- End quote ---

Hey listen...! Heuristic analysis was INVENTED by antivirus companies to detect new threats and is partly necessary for them to collect suspicious files. The probability of false positives in our case is much GREATER; therefore, antiviruses maintain a "white" list of signatures for commercial packers. This partly helps to improve the situation, but it still leaves antiviruses the opportunity to act "with impunity." Like "gods" playing dice, they are able to pass off a harmless file as a virus. To justify their existence, antiviruses are forced to complicate the analysis and come up with additional control schemes. For protectors, they decided to implement a system of complete control over the distribution of protected files. The system allows them to block only files from unreliable publishers of protected software and show loyalty to files from trusted sources.

Antiviruses intensively use digital signatures to authenticate a file! VALIDATED by reputable organizations, digital signatures provide a reliable way to track the source of a file. Such organizations are unlikely to sign malicious code with their certificate. But a digital signature is not always enough. There are known cases of "INFECTION" where the file contained a valid digital signature, because the virus was introduced at the compilation stage of the program. However, the responsibility for applying the digital signature lies with the tread user, and a high level of trust is required for the publisher of the certificate.

BEFORE releasing a new tread, VENDORS are advised to protect a representative sample of 10-20 files with various protection parameters and put it on public display. Antiviruses, in turn, must make sure that there are no false positives from the heuristic analyzer. The reputation of a file with the Software Taggant marker should be higher than that of a file without it. When protected malware with the Software Taggant marker is detected, the license with which the malware was protected becomes a candidate for blacklisting. The COMMUNITY recommends that antiviruses quickly share information to create a complete list of blocked licenses.

And that's it!!!



Regards from LSZH (Switzerland)

Paul

virtuali:

--- Quote from: flySWISS on July 18, 2021, 03:32:18 pm ---Hey listen...! Heuristic analysis was INVENTED by antivirus companies to detect new threats and is partly necessary for them to collect suspicious files.
--- End quote ---

Heuristics are the OPPOSITE of "collection". They are a way to TRY to detect something that has NOT been collected or proved to be dangerous.


--- Quote ---The probability of false positives in our case is much GREATER; therefore, antiviruses maintain a "white" list of signatures for commercial packers.
--- End quote ---

And their mistake is they trust the heuristic more than the white list.


--- Quote ---There are known cases of "INFECTION" where the file contained a valid digital signature, because the virus was introduced at the compilation stage of the program.
--- End quote ---

Yes, that's possible of course, but in this case antivirus vendors should just simply admit they don't trust digital signatures, instead of always replying (when we report a false positive) with the mantra "have you digitally signed your executable?"


--- Quote ---When protected malware with the Software Taggant marker is detected, the license with which the malware was protected becomes a candidate for blacklisting. The COMMUNITY recommends that antiviruses quickly share information to create a complete list of blocked licenses.
--- End quote ---

But done correctly, it should affect only a *specific* license of a packer. Which is not always the case or, more precisely, is never the case, because it seems highly unlikely that antivirus vendors could check *themselves* a license of a commercial packer that has its own methods of storing the license, which are probably never shared.

So, what *really* happens in the real world, is they blacklist a whole packer entirely, which is way easier for them to recognize, rather than trying to verify the developer license.

And that's what makes the method so unreliable.

The only method that really works is whitelisting (or blacklisting) the ACTUAL executable being executed, not the packer used.

Which, as I've said, would require contacting ALL the antivirus vendors to submit a whitelisting request every single time we change a single executable, which is exactly what the "Software Taggant" idea was designed to PREVENT.

flySWISS:
Dude, you don't know what you're talking about, do you? Sorry, NOOO, you definitely don't. If so, you would NEED to combine broad technical skills with specific SECURITY KNOWLEDGE along with various SOFT skills like I do!!!!

Though YOUR PRODUCT is using this encryption and obfuscation via packers in an attempt to protect the executable code from malware, there's simply NO WAY that the behavioral and other security product detection modules can know this, so it will of course be treated exactly like any unknown, POTENTIALLY MALICIOUS PIECE OF SOFTWARE. And this is the point. The additional problem is that virtually ALL software that obfuscates or uses otherwise QUESTIONABLE PRACTICES, for whatever possibly valid reason, has later been abused by malware purveyors in an attempt to circumvent the Microsoft and other security product detection systems. This is part of the reason that Microsoft indicates in its resources for developers, the Software Developers FAQ, that they don't accept files for a known list (e.g. whitelist) or false-positive prevention program or any CRAP like that.

If you think logically about this situation, you quickly realize that it's not possible for Microsoft or whatever antivirus software to scale the operation of a whitelist for the large numbers of individual software applications that are created, in order to remain vigilant against the much larger numbers of individual malware samples now created daily. The automation of this malware creation and packaging means that such a whitelist would quickly become unmanageable no matter how efficient the system operating it might seem initially.





