DJDL

Peg's Brigantine Mod--Norton AV deletes extracted files


Hello all!

I have downloaded Peg's Brigantine Water Mod, but when I go to extract the files, my Norton AV declares it unsafe and deletes it.  I have downloaded other Peg Mods with no issues (Streams, Ponds, Utopia, SPAM, etc.).

Has anyone else had this happen and do you know a workaround?  Simtropolis has an excellent reputation of keeping viruses and other bad things out of the community, so I find it hard to believe it could be a virus.  If anyone would like to investigate this, here is the file Norton Insight removed and quarantined as a medium risk:  

http:simtropolis.community.com/file/file/11836-peg-water-mod-brigantine/?do=download   

and the .exe file:

peg_watermod_brigantine_205.exe

Thank you so much for your help!

Original Poster

Thanks for the tip, Corina.  So, you've never had a problem installing the file, I take it.  Unfortunately I can't even get the file to test it.  It's a shame because this mod would be just what I need to make a seamless transition from a stream to in-game water.  Well, I guess the search continues . . . .

Thanks again.

Original Poster

Ah!  I can scan the zip file and Symantec does list this as suspicious.  Someone should tell them there is such a thing as being *too* diligent. smh


I always prefer to have every one of the scanners say something is safe. (Which I had not done previously for this file.) I have installed this mod myself when I was creating Cori's Water Shoppe and I didn't notice any ill effects. That was on a stand-alone comp with no internet connection. (I copied the .zip over via a flash drive.)

    I'm not an expert here so let's wait for the gurus and see what they say.


    I have for some long time been getting the same anti-virus smackdown with the 2015 updated Simtropolis package.  Norton flags the .exe installer as a medium "WS.Reputation.1" threat, meaning it has been used by too few users within Norton's reporting community to gain a trustworthy reputation, and leading Norton to swiftly remove the .exe upon extraction from the .zip download.  This is not a positive detection of any actual threat, only the suspicion of a potential one from a file with a commonly abused file type and which Norton has not cleared as safe by reputation through widespread use.

    There is an option in Norton's details settings as it is taking quarantine action to override the removal and restore the file.  As few people like overriding their own anti-virus software, I wouldn't be surprised if many or most Norton users are simply spooked into avoiding this newer upload altogether, which might then always keep the reputation low.

    Buried away in the hoard I still have an older 2005 upload either from a previous Simtropolis release or straight from Peg's, and it does not have this issue as the downloaded .zip contained a manually installed .dat rather than an .exe installer.  I wouldn't be surprised if many or most of us here still were using this older package such that even though we may now have a more assertive Norton, we never encounter this issue with the newer package.

    This might be something the custodians of Peg's works or the crew looking to tidy up the STEX can look into.

     

Original Poster

Yes, WS.Reputation.1 is exactly how Norton is classifying this file. I am toying with the idea of restoring the file and running it through MalwareBytes, precisely because this file has a low rep only because not many have used it (because they can't).  I've downloaded and installed numerous mod .exe files recently and never had a problem.

I took a long hiatus from the game so I missed Peg's original release of this mod.  And I was so sorry to learn that his website is no longer in operation.  Thankfully, many of his creations still live here and at SC4Devotion.  Thank you for your help and insight, Odainsaker.


Another workaround is to remove any "downloaded" red flags from the .zip file, which Norton takes into account when assessing new and unfamiliar files.  Move the downloaded .zip file onto a USB flash drive or portable hard drive, remove the drive from the USB port, replace the drive back into the USB port, and move the .zip file from the drive back onto the desktop.  When the .exe is then extracted from the .zip, Norton will no longer red flag it as a mysterious download coming from the hot and wild web, and will allow the .exe file to be placed onto and even run from the desktop.  Directly scanning the file with Norton and Malwarebytes actually then finds the file safe.  I guess having a low use reputation, an often abused file type, and being freshly downloaded off the wild web were just too many initial red flags for Norton.

     

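Editor's note added to the thread (the code below is not from any of the posters): the "downloaded" red flag Odainsaker describes is, on Windows, the Zone.Identifier alternate data stream (the "Mark of the Web") that browsers write next to a file saved on an NTFS volume. It is what Explorer's "Unblock" button and SmartScreen act on; that Norton weighs the same stream is an assumption here. The USB round trip works because FAT and exFAT volumes cannot carry alternate data streams, so the copy comes back without the mark (PowerShell's Unblock-File removes it in place). The Python script parses the stream's INI-style contents and, on Windows, reads it straight off a file; the sample stream text is constructed for the example. Stripping the mark removes exactly the signal the scanner relies on, so do it only once you have decided the file is benign on other grounds.

```python
"""Inspect the Mark of the Web (Zone.Identifier stream) on a downloaded file.

Added example, not part of the original thread. The stream body is the
documented [ZoneTransfer] INI block; whether Norton consults this exact stream
is an assumption (Windows SmartScreen and Explorer's "Unblock" button do).
"""
import configparser
import sys

# URL security zone IDs used in the ZoneId field (the URLZONE values).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> dict:
    """Parse Zone.Identifier contents into a dict.

    Returns an empty dict when the [ZoneTransfer] section is missing.
    ZoneId is converted to int (None if unparsable); ZoneName is added.
    """
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    parser.optionxform = str  # keep key case: ZoneId, ReferrerUrl, HostUrl
    parser.read_string(text)
    if not parser.has_section("ZoneTransfer"):
        return {}
    section = dict(parser["ZoneTransfer"])
    try:
        zone_id = int(section.get("ZoneId", ""))
    except ValueError:
        zone_id = None
    section["ZoneId"] = zone_id
    section["ZoneName"] = ZONE_NAMES.get(zone_id, "Unknown")
    return section


def read_zone_identifier(path: str):
    """Return the parsed mark of a file on NTFS, or None if there is none.

    The stream is addressed as '<path>:Zone.Identifier'. FAT/exFAT volumes
    (typical USB sticks) and non-Windows systems have no such stream, which is
    why a copy made through a USB drive comes back unmarked.
    """
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def is_from_internet(mark: dict) -> bool:
    """True when the file carries an Internet (3) or Restricted sites (4) mark."""
    return bool(mark) and mark.get("ZoneId") in (3, 4)


# Constructed sample of what a browser writes for a download (not a real capture;
# real streams use CRLF line endings, which configparser also accepts).
SAMPLE_STREAM = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://example.invalid/downloads/\n"
    "HostUrl=https://example.invalid/files/archive.zip\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        mark = read_zone_identifier(sys.argv[1])
    else:
        mark = parse_zone_identifier(SAMPLE_STREAM)
    if not mark:
        print("no Zone.Identifier mark present")
    else:
        print(f"ZoneId={mark['ZoneId']} ({mark['ZoneName']}) "
              f"from {mark.get('HostUrl', '?')}")
        print("flagged as downloaded from the internet:", is_from_internet(mark))
```

Run it on Windows with the path of a downloaded file to see its mark; with no argument it parses the sample stream. A file that reports no mark after the USB round trip is what the workaround above produces.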

    Although added caution is never a bad thing, this in all probability is a false positive.

    Many (if not all) PEG files are bundled using an older version of the Clickteam installer. Now for some reason, some antivirus suites have been known to flag these up on occasions, even though they're in all likelihood perfectly harmless. I've also noticed this previously while using Norton, and it is an extra hassle. While they're intended to make life easier, installers are a pain enough already without having to manually grant each permission to do their job. A laborious task made all the more tedious.


    With threat detection...

    They work by analysing common patterns and trends in the file structure, through a series of (often quick) tests. If these are similar to known threats, it'll mark the file as a potential risk and deal with it accordingly. And generally, they tend to err on the side of caution just in case. One possibility here is since an installer is basically a template containing files, out in the dark corners of the internet, there are likely actual viruses bundled with Clickteam installers.

So if the AV is aware of these, it could say:

"Hey look, I've seen something like this before, so I'm taking no chances here."


    A thing to consider is these files have been tried & tested over a very long period. PEG Brigantine in particular has been around over 12 years (checking the date modified of the exe proves this). So if there was a legitimate problem, people would have likely complained by now of ill effects after running the installer. Being one of the most reputable creators, @Pegasus would certainly not have stood for actual threats bundled with the content.

    Also, Simtropolis or any moderated SC4 exchange would quickly take down uploads proven to contain malware. The safety of users is taken very seriously.

    So for this reason, I'd be inclined to suggest this and similar files are safe to whitelist in Norton (or other AV).

     

    2 hours ago, CorinaMarie said:

    So, 1 out of 61 of them is concerned about it.

So the only detection is from "TheHacker". Hmm, I'm a little sceptical in trusting what that reports...

    Although some of the less known names may carry benefit, think it's usually best to play safe and rely on the more common AVs. I'd much rather invest trust in a known reputable company, where their software is tried and tested on a larger global scale.

    Choice is always helpful however, which is clearly why VirusTotal uses a wide variety of scans. With more evidence, it's then easier to make a judgement.


    Anyway, I wonder why Norton (Symantec) doesn't flag it there. Maybe because it wasn't executed and only scanned.

     

    1 hour ago, Odainsaker said:

    I have for some long time been getting the same anti-virus smackdown with the 2015 updated Simtropolis package.

That's interesting, as the actual exe still reports being modified in March 2005:

[screenshot]

(Corresponding to the original upload date)

    I wonder if the installer was simply repackaged in 2015 (in a new zip). This could have occurred during the process when PEG files were moved to the dedicated section on the STEX. Not sure why the zip would be modified though.


This may explain the low reputation. For me, Norton reported there were only hundreds of users:

[screenshot]

     

It may not be a large audience. But considering how many users have downloaded the file since 2015 and have Norton as their primary AV, this does seem reasonably plausible.

    (Interestingly I didn't receive a reputation warning or quarantine action, and the file is labelled as "Good". Think I recall previously whitelisting similar installers, which might explain why my config isn't concerned.)



    Incidentally, the name of the .zip had somewhere changed, from "PEG Water Mod Brigantine.zip" to the current "PEG_WaterMod_Brigantine_205_SU.zip"  My "PEG Water Mod Brigantine.zip" contains a .dat and readme, and no .exe.  I don't recall which exchange it originally came from.

    These comparisons might be helpful, now that I can actually inspect the more recent .zip without Norton flashing red and immediately squirreling the unzipped contents away every time I extract them.  I just downloaded the .zip this evening just for this topic, and I haven't whitelisted anything in Norton.

[screenshot]

[screenshot]

    I wonder why the matured release dating is different, and I wonder if they cast different nets in different regions or for different Norton versions (Internet Security 22.9.0.71 on this machine).  While Insight above didn't like it, outright scanning the executable yields...

[screenshot]

     

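Editor's addition (example code written for this page, not from the thread or from the mod's author): because the .exe is quarantined as soon as it lands on disk, the comparisons above (what each package contains, when each member was last modified, whether the installer in the 2015 re-zip is the same bytes as the 2005 one) are easiest to make by reading the archive in memory and never extracting it. The script lists each member with its stored timestamp and SHA-256 and flags the members Windows would execute; the SHA-256 can be searched for on VirusTotal to find an existing report without uploading anything, and two listings can be compared member by member. The sample archives, their member names and contents are made up for the example and stand in for an older download and a repackaged one.

```python
"""List, timestamp and hash the members of a zip without extracting them.

Added example, not part of the original thread. The archive is never unpacked
to disk, so a file-reputation quarantine on the .exe is not triggered, and the
SHA-256 of each member can be searched for on VirusTotal (or compared with an
older copy of the package) before anything is run.
"""
import hashlib
import io
import os
import sys
import zipfile
from datetime import datetime

# Extensions Windows executes directly or hands to a script host.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd",
                   ".vbs", ".js", ".ps1", ".dll"}

# Refuse to read implausibly large members into memory (zip-bomb guard).
MAX_MEMBER_BYTES = 256 * 1024 * 1024


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_zip(data: bytes) -> list:
    """Return one dict per file member: name, mtime, size, sha256, executable.

    sha256 is None for members larger than MAX_MEMBER_BYTES; they are listed
    but not read.
    """
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            digest = None
            if info.file_size <= MAX_MEMBER_BYTES:
                with archive.open(info) as member:
                    digest = sha256_hex(member.read())
            records.append({
                "name": info.filename,
                "mtime": datetime(*info.date_time),  # stored DOS time, 2 s resolution
                "size": info.file_size,
                "sha256": digest,
                "executable": ext in EXECUTABLE_EXTS,
            })
    return records


def differing_members(old: list, new: list) -> list:
    """Names present in both listings whose contents (hashes) differ."""
    old_by_name = {r["name"]: r["sha256"] for r in old}
    return [r["name"] for r in new
            if r["name"] in old_by_name and old_by_name[r["name"]] != r["sha256"]]


def build_sample_zip(repackaged: bool) -> bytes:
    """Construct an in-memory archive standing in for a mod download.

    Member names and contents are placeholders made up for this example. The
    repackaged variant keeps the same .dat, adds an installer with a 2005
    timestamp and carries a newer readme, mimicking a later re-zip.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        dat = zipfile.ZipInfo("mod_content.dat", date_time=(2005, 2, 25, 12, 0, 0))
        archive.writestr(dat, b"DBPF placeholder bytes")
        if repackaged:
            exe = zipfile.ZipInfo("mod_installer.exe", date_time=(2005, 3, 1, 9, 30, 0))
            archive.writestr(exe, b"MZ placeholder bytes")
            readme = zipfile.ZipInfo("readme.txt", date_time=(2015, 6, 1, 0, 0, 0))
            archive.writestr(readme, b"readme updated on repackaging")
        else:
            readme = zipfile.ZipInfo("readme.txt", date_time=(2005, 2, 25, 12, 0, 0))
            archive.writestr(readme, b"original readme")
    return buf.getvalue()


def report(records: list) -> str:
    """One line per member: mtime, size, sha256, name, executable marker."""
    lines = []
    for r in records:
        flag = "  <-- executable" if r["executable"] else ""
        digest = r["sha256"] or "(not hashed: too large)"
        lines.append(f"{r['mtime']:%Y-%m-%d %H:%M}  {r['size']:>10}  {digest}  {r['name']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            records = inspect_zip(fh.read())
    else:
        records = inspect_zip(build_sample_zip(repackaged=True))
        older = inspect_zip(build_sample_zip(repackaged=False))
        print("members changed since the earlier package:", differing_members(older, records))
    print(report(records))
```

Point it at the downloaded .zip to get the listing for the real package; the printed SHA-256 of the installer is the value to search for on VirusTotal, and running the script against the old and new zips lets you confirm which members actually changed between them.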
    23 hours ago, Odainsaker said:

    My "PEG Water Mod Brigantine.zip" contains a .dat and readme, and no .exe.  I don't recall which exchange it originally came from.

I'd guess from the old PLEX at SimPeg. Not 100% on this, but I seem to recall some downloads there didn't include installers.

    After checking my archives, I've found a file I downloaded in 2014 named:  PEG_WATERMOD_Brigantine_205.zip

    This also doesn't include an installer. Just the DAT file modified on Feb 25, 2005, along with a preview image and readme.

     

    23 hours ago, Odainsaker said:

    I wonder why the matured release dating is different, and I wonder if they cast different nets in different regions or for different Norton versions (Internet Security 22.9.0.71 on this machine).

Yeah, that is rather strange whatever the release date's referring to.

    So counting back, mine says November 2010 and yours reports December 2009. Maybe it's the first time the exe was added to Symantec's database. Although why these are different dates with the same identical file is quite peculiar...

     

    Anyways, just to add something else to the topic...

    For added precaution with opening installers (or any executable files for that matter), one option is to use a sandbox application. These allow files to be opened or run in an isolated area away from your main system. So should there be an actual threat (improbable in this case), it could be contained and not affect your PC.

    In the past, when I was a little unsure dealing with these installers, I generally made a habit of using Sandboxie for this task. Extracting all SC4 content to a contained folder, and then copying them back once the actual files had been manually scanned.


It seems to me that PEGASUS never used the installation exe files. He worked with dat files only. I do not remember about exe and this is not PEGASUS's style.


Original Poster

Thank you all for your comments.  Sorry I've been absent--busy weekend coupled with a low pressure headache.  Lots of great suggestions!

As some of you have mentioned, I also ran a scan on the zip file with both Norton and MWB, and they gave it a green light.  The version I downloaded is the 205_SU.zip version.

I think I have a spare USB lying around, so I'd like to try your suggestion, @Odainsaker.  Thanks!

    On 3/17/2017 at 10:15 PM, Cyclone Boom said:

    Many (if not all) PEG files are bundled using an older version of the Clickteam installer. Now for some reason, some antivirus suites have been known to flag these up on occasions, even though they're in all likelihood perfectly harmless. I've also noticed this previously while using Norton, and it is an extra hassle. While they're intended to make life easier, installers are a pain enough already without having to manually grant each permission to do their job. A laborious task made all the more tedious.

    On 3/17/2017 at 10:15 PM, Cyclone Boom said:

    A thing to consider is these files have been tried & tested over a very long period. PEG Brigantine in particular has been around over 12 years (checking the date modified of the exe proves this). So if there was a legitimate problem, people would have likely complained by now of ill effects after running the installer. Being one of the most reputable creators, @Pegasus would certainly not have stood for actual threats bundled with the content.

    Also, Simtropolis or any moderated SC4 exchange would quickly take down uploads proven to contain malware. The safety of users is taken very seriously.

    So for this reason, I'd be inclined to suggest this and similar files are safe to whitelist in Norton (or other AV).

Yes, I absolutely agree.  Just to reiterate, I've recently downloaded and installed other Pegasus files that contain executables through the Clickteam Installer without a problem, which is why I was puzzled about this incident.  And I absolutely trust everything on this site--I know well the reputation for utmost safety of this site, SC4Devotion, and, of course, Pegasus.  My guess was that this incident is more of a technical issue rather than a malware issue, and the comments from all of you have verified that.  Now, of course, I could just scrap the idea of using Brigantine and search for another water mod.  There are lots of good ones.  But I do have my heart set on this one because I really want to use Peg's streams and ponds mods (which I've already installed without a hitch) and have a seamless transition with Maxis water.

    On 3/18/2017 at 10:42 PM, Cyclone Boom said:

    For added precaution with opening installers (or any executable files for that matter), one option is to use a sandbox application. These allow files to be opened or run in an isolated area away from your main system. So should there be an actual threat (improbable in this case), it could be contained and not affect your PC.

That is a very good idea, @Cyclone Boom!  You know, with my propensity bordering near-paranoia about computer security, it's amazing I've never explored sandboxing.  A quick search brought up a number of free software, and I'm leaning toward Sandboxie or a virtual machine such as VirtualBox or VMware, if they are very user-friendly.  Would you, or anyone reading this thread, have a favorite you can suggest for someone with some tech knowledge but certainly not expert or even high-middling?

    Thank you, everyone!  You've eased my mind.  I'll post back once I've tried your suggestions.  


    Seriously, there is not a virus in this file, I guarantee it. A false positive is generated because your AV software doesn't have it in its "trusted" whitelist. There are two benefits to this approach for security, firstly it makes you as a user "think" your AV is protecting you. This in turn makes people think they must continue to pay for AV apps to be safe.

    Statistically speaking, free AV apps are often as good if not better than paid ones. However the most commonly used brands are some of the most likely to let real nasties into your system in the first place. Precisely because lazy coding has made them check a list, rather than look for the behaviour that would confirm unwanted behaviour. All you have to do is get certified on the whitelist and your code is free to replicate without issue. Not to mention, hackers etc, target the most commonly used AV/Security suites, precisely because that's their #1 hurdle.

    IMHO Norton is one of the worst pieces of software I've ever come across. Personally I'd save my money and use the one that comes free with Windows.

     


    Microsoft's free suite is lousy, but it gives me peace of mind and at least doesn't bother me like Norton, Avast, or McAfee. It also uses almost no resources.

    The best protection against viruses is yourself. If the source is trusted, it's unlikely to be corrupted. If the source isn't trusted, use a sandbox or for goodness sake don't download something from a site you don't trust! The chances of a secure download being corrupted are unlikely, and if it is, then no AV is equipped to deal with the problem, unless they happen to be particularly snappy (which, given the kludge that most AV software behaves like, is highly unlikely).

    Antivirus software recovery after an infection is pathetic as far as my experiences go, so Norton is really useless once the computer is infected. In general, use a basic one to protect against website and email-based malware that you might download in the course of browsing, and ignore the rest.

It's good to be cautious, but there's caution and then there's foolishness. In the worst case, the file is corrupted and won't work. You may lose a city or two, but the computer itself will be OK. This is my experience encountering corrupted files from trusted sources. Untrusted sources went into the sandbox, after which I usually deleted them out of paranoia. Either you trust something or you don't, and the amount of recourse you have if you're not a Computer Whiz is almost nil, so why pick hairs over flags from a site that you've otherwise downloaded potentially hundreds of other files from with zero issue whatsoever, especially if that file has been available for a significant amount of time and the site in question has active admins and moderators whose sole job is to maintain the massive file repository and keep it free from bad files?

    Maybe some of the sites I've DL'ed files from have been questionable, but at the end of the day if I didn't trust a download I didn't grab it, or deleted it soon afterwards. It's not worth the gray hairs that stem from thinking there are gray areas about your otherwise trusted software.

    On 21/03/2017 at 0:47 PM, DJDL said:

A quick search brought up a number of free software, and I'm leaning toward Sandboxie or a virtual machine such as VirtualBox or VMware, if they are very user-friendly.  Would you, or anyone reading this thread, have a favorite you can suggest for someone with some tech knowledge but certainly not expert or even high-middling?

    Sandboxie I've found to be a very handy utility which I would recommend. It is free for personal use, which prevents more than one sandbox being used at once.

    There's some useful info posted in the FAQ (the analogy with paper is a good one).

    My main use nowadays is for trying out applications, prior to a proper install on my system. Actually I made use of it only yesterday for this reason, while testing a desktop wiki application. Or occasionally it comes in useful to diagnose issues with browsers.


    Everything is contained within a mirrored folder structure:

    E.g. For my Applications sandbox:

    "C:\Sandbox\User\Applications"


So there are folders representing each physical drive, user data folders, and local AppData. These will be created on demand when needed by the program running inside. Each sandbox has its own registry store, so any installations write entries there, and not in the main Windows registry. There are also permission settings which can be tweaked as needed, and there's options to recover (move) files out of the sandbox. But unless you allow it, everything is contained within, and only has read-only access outside.

    It's possible to create multiple sandboxes and configure each how you'd like. For example, to disable internet connectivity, or prevent certain applications from running. Things may be changed here to resolve any compatibility issues. Lots of options, but at the same time is very easy to use.

    The great thing is since everything is contained inside one parent folder, it makes backups very straightforward. Just make a copy of the sandbox (e.g. Applications folder), and they can be seamlessly swapped over.

    By default, starting an executable inside the sandbox folder will run it inside. There can also be an optional right click context menu added (in Windows), where any program or file can be run inside the chosen sandbox. As a visual indication, it's possible to highlight sandboxed applications by adding a yellow border to the window when hovered, or hashes (#) can be shown in the window's title.

     

    A virtual machine is certainly another useful option. Providing the host system isn't linked to the guest OS (e.g. via a file transfer mode or networking), they are technically even more isolated than a Sandbox. Although I haven't used it much recently, VirtualBox has been my preference for this. Sometime I'm planning on trying out Linux Mint.

    Apart from a dedicated environment, a very useful feature is the ability to quickly restore to a snapshot of a saved state. Accidentally deleted your System32 folder? No problem! :whatevs:

    The main drawback to VMs is they need considerably more resources (hardware quotas and of course a separate OS).

     

    Here's a nice article I found explaining the comparative differences between them both:

    http://ask-leo.com/whats_the_difference_between_a_sandbox_and_a_virtual_machine.html

(And before anyone wonders, I'm not Leo with the 'boom' connection.)

     

    On 23/03/2017 at 6:05 AM, rsc204 said:

    Statistically speaking, free AV apps are often as good if not better than paid ones. However the most commonly used brands are some of the most likely to let real nasties into your system in the first place. Precisely because lazy coding has made them check a list, rather than look for the behaviour that would confirm unwanted behaviour.

    There's no doubt free software can be underestimated. As long as it's from a proven trustworthy entity and is still in active development, open source is never a bad way to go.

It'd be fascinating if there has been proven research into the detection rates of free vs paid AVs. It's true the Symantecs of security providers hold the majority market share. So if deliberately taking shortcuts, they're not fulfilling their dominant role, which really would be major cause for concern. Flaws on such a scale means they are indeed the larger target for potential exploits.

I wonder whether, since they are paid services, this promotes laziness on the part of the users. By paying for a subscription, you expect clear benefits over a free option. Otherwise why would you simply throw money down the drain? Maybe it provides an artificial assurance that you're paying for better protection. When in actual fact, this is only the brand power, marketing, and the nice flashy GUI & graphics. Under the hood is what really matters with security. The rest is merely superficial.

    As a Norton user myself, I use it because I've always used it. Habits are often hard to break.

    I think on the whole though, the best firewall is your own common sense. Sure no website's immune to risks -- that's the very nature of the internet. The digital world is a fragile, dangerous and often hostile platform. This can't be controlled and will likely never change. What you can control as an individual is by being selective in the sites you trust, what you download, and those emails you open.

No antivirus is perfect, and protects no one from rash and stupid decisions.

     

    @APSMS

    Ha, looks like we basically said the same thing!


    13 hours ago, Cyclone Boom said:

    It'd be fascinating if there has been proven research into the detection rates of free vs paid AVs.

    http://www.zdnet.com/article/is-paying-for-antivirus-a-waste-of-money/


    At least for many years, perhaps more than ten, they've found no malware on my computers. None.

    Perhaps I'm a more sophisticated user and I'm less likely to be taken off guard, but that can't be the whole answer. By the same token of expertise I take certain risks with dangerous files and sites that I would urge others to avoid like the plague.

    This... I have the exact same experience. Sometimes I get the feeling AV is just unnecessary in today's world. Far more important is ensuring you have Windows, your browser and other apps fully updated to protect you from threats. But if you don't mess around the dark parts of the internet, your odds of having a problem are very slim. Similarly being careful with what you download and click is far more important too.

    http://www.moneysavingexpert.com/utilities/free-anti-virus-software

    Of course some articles are clearly written from a perspective that knocks free AV systems. In my experience that means they are simply biased, because I find Paid AV to be more trouble than it's worth. Generally far more intrusive, more likely to get things wrong (false positives) and using far more system resources. I also don't like a free AV app to be bugging me constantly with ads or to pay for a subscription either.

Frankly the MS free software is more than most users should ever need. Paranoia fuels the AV market, but if you see things for what they are and take sensible precautions, there is simply no reason to pay upwards of $50 a year to 'protect' your PC. Ask yourself, have you ever had a virus, trojan or other malware? I mean a real one, not a false positive? I bet most of you have not, so what exactly are you paying to be protected from? AV is a form of insurance, but if the policy costs more in 10 years than your computer did, that's simply madness.

When I do see virus-ridden machines, the #1 culprit is the user. Because it's always someone who mindlessly clicks about on the internet. Opens the attachments they shouldn't, reads the suspicious e-mails the rest of us delete. AV is about as useful as a chocolate teapot for these users. But for sensible folk who can resist the urge to run around the internet with reckless abandon, you need the equivalent of a door lock, just a sensible precaution to stop it being open access for all. Free AV gives you this, in many cases all you are paying for is fancy features, the free versions have an identical scanning/protection system. Personally I like the MS free AV, even if it is the worst one out there, it's still been as much protection as I've ever needed.

The one recent occasion I had to deal with a virus at home was on my wife's PC. She tried to get rid of a pop up window that wouldn't close and noticed something odd. She turned the PC off and came to me. Because of this, I was able to clean the infection in minutes. It was nothing complicated to do. You can download a bootable CD from the Web that runs on Linux/Unix, so a Windows virus won't work in that system. So you can safely run scanning/removal tools to find and remove the threat. Sure, if you are a little non-technical you might need assistance here. But even in such an event, the cost shouldn't be more than a yearly subscription to AV. Not to mention, most people know someone who will help them fix problems should they run into them.

    8 hours ago, rsc204 said:

    Ask yourself, have you ever had a virus, trojan or other malware? I mean a real one, not a false positive? I bet most of you have not, so what exactly are you paying to be protected from? AV is a form of insurance, but if the policy costs more in 10 years than your computer did, that's simply madness.

    When I do see virus-ridden machines, the #1 culprit is the user.

    I had this on my family's home computer. Many, many photos were lost in an attempted recovery (we were fools wandering around systems we didn't understand).

    The culprit was my brother (who was 10?) at the time. The AV software we had did absolutely nothing. The file was an innocuous music file, but the AV failed to detect it, and also failed to get the virus off of the computer. The site was not reputable. The AV was Norton at the time.

    We still have the computer. We did a system reset not knowing it would wipe the hard drive (in theory). We stopped using it in the hopes that we could have the data restored somehow (after reading how Windows "wipes" drives, I'm a little more optimistic than I used to be, but not much), and ended up buying new computers entirely (another one went down at the same time for apparently an entirely different reason).

    On 3/25/2017 at 4:34 AM, rsc204 said:

    Frankly the MS free software is more than most users should ever need.

    As it happens I'm using the MS Essentials that came installed on this comp when I bought it. I'm puzzled about this:

[screenshot]

    The current Item appeared to be svchost when that popped up. It was, ofc, past that by the time I got the screenshot.

    The weird part tho is nothing shows up after the scan:

[screenshot]

    And it's not under either of the two other options either.

    So, is that preliminary part saying we think there might be something, but upon completion we decided we have no idea what we are talking about?


It could be that the virus deletes virus reports so you can't read them. Beyond that, it's best to search for Windoze help for Windoze tools and symptoms. The odds are that others have seen this behavior and have been told what it means.

    You might also search for reviews of the "Essentials" tool to learn how much to rely on it.

    PS:

    In my 25 years of PC ownership, I've gotten one real virus (c1994). It happened when my PC had a hardware issue under warranty, and the service center finished its repair by booting some diagnostics floppy... That they used on every PC they serviced... and which wasn't write protected. When I got home and booted from the HD, my AV interrupted the DOS startup and red-flagged the Michelangelo virus in my boot sector, which I then cleaned using my clean (and write-protected) rescue floppy.

    The service center's diagnostics disk had probably picked up the virus from one malfunctioning PC sometime in its past, and the service center spread it to every customer they had for who knows how long (I called them immediately, but they refused to believe that they had a problem). It's like the risk of infection if you are forced to stay in a hospital: You go in for something minor like heat exhaustion and then die from MRSA that you catch there.

    On 31/03/2017 at 0:10 PM, CorinaMarie said:

    The current Item appeared to be svchost when that popped up. It was, ofc, past that by the time I got the screenshot.

    A svchost virus should be pretty easy to spot. Check Task Manager, is one of the SVCHOST processes at 100% CPU constantly? The problem is you will have many such named services, which in essence simply mean something connecting to the internet/network. If you see this behaviour, install and scan the PC with the free edition of MalwareBytes. That should be able to fix it for you.

    On 4/3/2017 at 9:27 AM, rsc204 said:

    A svchost virus should be pretty easy to spot. Check Task Manager, is one of the SVCHOST processes at 100% CPU constantly?

Nope. While just watching it, the most used was Firefox, and it hovered around 2 or 3 to 5 percent with one spike of 19%.

[screenshot: Task Manager, Processes tab]

    See, it's not that MSE said it was SVCHOST. Just that's what it looked like in the blur of files going by. I searched via Google and every single thing I found says if MSE finds a potential threat it'll then be in the list for me to decide what to do about it. (Or that it was handled by the settings I'd given.) No such items are appearing after the scan and the message goes away when the scan has finished.


    You won't see SVCHOST unless you select "Show processes from all users", since it's run from the Admin account typically. Although the CPU usage doesn't suggest a problem. That said, if you just saw that whiz by, it's probably a red herring. It may be that the software saw something untoward, then forwarded it for analysis to MS, which came back as safe after all. Depending on your settings, the software can do that. Although I can't say I've come across similar behaviour myself and I've used the software pretty much since it was released.

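Added example, not posted by anyone in this thread, for the two suggestions rsc204 makes above: checking whether an svchost process is pinned at high CPU, and looking at processes from all users. The script samples CPU for every svchost.exe over a few seconds, lists the services each one hosts, and flags the things worth checking before blaming malware: the image path (the genuine service host lives in System32), the parent process (services.exe), and the Authenticode signature. It assumes PowerShell 3.0 or later for Get-CimInstance (Windows 7 shipped with 2.0, where Get-WmiObject is the equivalent) and an elevated prompt, which is the command-line counterpart of "Show processes from all users". The 50 percent threshold, the sample length and the flag wording are my own choices, not anything MSE or Windows defines.

```powershell
# Added example (not from the thread): list every svchost.exe with what it hosts
# and flag the ones that don't look like the genuine Windows service host.
# Run from an elevated PowerShell so SYSTEM/service processes are visible.

function Test-SvcHost {
    param(
        [int]$SampleSeconds = 5,   # assumption: long enough to smooth out short spikes
        [int]$CpuThreshold  = 50   # assumption: sustained % that deserves a second look
    )

    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $cores = [Environment]::ProcessorCount

    # Process.CPU is cumulative seconds, so take two snapshots and divide by the
    # interval and core count to get a real percentage over the sample window.
    $before = @{}
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        ForEach-Object { $before[$_.Id] = $_.CPU }
    Start-Sleep -Seconds $SampleSeconds

    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
        $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        if (-not $proc) { continue }   # exited during the sample window

        $cpuPct = 0
        if ($before.ContainsKey([int]$p.ProcessId) -and $null -ne $proc.CPU) {
            $cpuPct = [math]::Round(($proc.CPU - $before[[int]$p.ProcessId]) / $SampleSeconds / $cores * 100, 1)
        }

        $parent   = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $services = (Get-CimInstance Win32_Service -Filter "ProcessId = $($p.ProcessId)").Name -join ', '

        # Note: on Windows 7 most system binaries are catalog-signed, and this cmdlet
        # reports those as NotSigned; Sysinternals sigcheck -c checks the catalog.
        $sig = 'unknown'
        if ($p.ExecutablePath) {
            $sig = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
        }

        $flags = @()
        if ($p.ExecutablePath -and $p.ExecutablePath -ne $expectedPath) { $flags += 'unexpected path' }
        if ($parent -and $parent.Name -ne 'services.exe') { $flags += "parent is $($parent.Name)" }
        if ($sig -ne 'Valid') { $flags += "signature $sig" }
        if (-not $services) { $flags += 'hosts no registered service' }
        if ($cpuPct -ge $CpuThreshold) { $flags += "$cpuPct% CPU over $SampleSeconds s" }

        [pscustomobject]@{
            PID      = $p.ProcessId
            CPUPct   = $cpuPct
            Path     = $p.ExecutablePath
            Parent   = if ($parent) { $parent.Name } else { '?' }
            Services = $services
            Flags    = if ($flags) { $flags -join '; ' } else { 'ok' }
        }
    }
}

Test-SvcHost | Format-Table -AutoSize
```

An svchost that is starting or stopping can briefly host no service, so re-run before reading anything into that flag. A sustained high figure with the right path, services.exe as parent and a valid signature points at a busy Windows service rather than malware; the path and parent checks are what separate a real "svchost virus" (a lookalike binary somewhere else on disk) from the dozen legitimate instances Task Manager shows.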
    On 4/4/2017 at 6:18 AM, rsc204 said:

    You won't see SVCHOST unless you select "Show processes from all users", since it's run from the Admin account typically.

    Ah. Here it is then:

[screenshot: Task Manager with "Show processes from all users" selected]

    On 4/4/2017 at 6:18 AM, rsc204 said:

    Depending on your settings, ...

    These settings?

[screenshot: MSE MAPS settings, Basic membership]

    On 4/4/2017 at 6:18 AM, rsc204 said:

    Although I can't say I've come across similar behaviour myself and I've used the software pretty much since it was released.

    That's why I presumed you'd know exactly what was going on. *:)

I do have the option to restore my comp to day one, when I got it. Which is how it came from the store plus Firefox and Macrium Reflect installed. The latter being what I use to make a complete hard drive image to an external hard drive. However, if this is just a We Think Something is Goofy, but We Checked with Headquarters and There's Really No Problem, then I'd rather not start over.

    Edit: So, I just ran another scan and the warning did not even come up this time.

    Edit Too: However, running the scan on my other Win7 comp and it does show the warning, but then still nothing in the detected list.

    Edit Three: And I ran it on the other comp again minutes later and now no warning.


    I don't know if I'd go to the effort of restoring my system over this personally. Probably not an issue, check the software/definitions are up to date on both. If there is any doubt, I'd run a scan using a third party tool. If that gave the all clear and there was nothing unusual going on in the system, I'd not worry about it.

All kinds of malware are designed to do something. Be it stealing info from the PC, messing with its operation or some other nefarious thing. In all cases I've seen, system performance is the first thing that alerts you to the problem. I have seen a couple of very subtle ones that will sit and wait, but most are really obvious that something isn't right. Given your technical know-how, I'm pretty sure you'd notice if something was amiss.


    I don't know for sure since I'm not a MSE user, but perhaps the preliminary scan is using a "guilty until proven innocent" approach. In other words, it thinks there's a suspected risk as a precaution (as established, antivirus suites tend to take the cautious route). Then once the full scan takes place, it rules out the issue in the final results. Just speculating however...

    Is there any other unusual behaviour apart from the fluctuating CPU usage?  With SvcHost housing key system services, there are a multitude of things which could cause this, not necessarily malware. For me, the Windows Updates caused the process to consume a fixed quota of the CPU (around 25%), and also a significant bloat on RAM. This now seems fixed since the change was made to restructure how updates are packaged.

    As rsc204 suggested, maybe it's worth running a MalwareBytes scan and see if that spots anything. This works fine alongside an antivirus, and I've found the free version runs well (though it's not detected anything thus far).


    EDIT:

    21 hours ago, CorinaMarie said:

    I searched via Google and every single thing I found says if MSE finds a potential threat it'll then be in the list for me to decide what to do about it.

    I did try a recent Google search for the message if that's any help (quoted for exact hits & descending order by date). Since recent software changes can cause bugs or conflicts, do these results reveal anything else?


      Edited by Cyclone Boom  

    2 hours ago, Cyclone Boom said:

    ... do these results reveal anything else?

    Nice list. I should've done the message in quotes like you did when I Googled. *:blush:

    So, the bottom line seems to be patch KB4012215 borked something. It's just throwing a false message. One of the links had the person scan with a half a dozen different programs and all said clean. The Trusted helper then concluded there was no problem to begin with.

    While I have installed some of my basic tools like 7-Zip, DosBox, Kat Mouse, PDF Redirect, and a few others, I have absolutely no unusual slow down or pop ups or anything which would lead me to believe I had a problem other than that message in MSE.

    1 hour ago, CorinaMarie said:

    So, the bottom line seems to be patch KB4012215 borked something.

    Wait a second... a Microsoft security program thinks a Microsoft security fix is a virus?  That doesn't quite add up. *:P

    Herein lies the problem with these rollup bundles. They're easier to manage and include numerous fixes, but if there's something slightly out of line, it can't be isolated from the package. It's either yes or no to the entire thing.

    At least it sounds like nothing to be concerned about then. I'm sure they'll eventually do something (it'd make more sense to update MSE if it's application specific).

    Sure enough, this nicely ties back to the theme of false positives. *:yes:

    On 4.4.2017 at 6:19 PM, Cyclone Boom said:

    Wait a second... a Microsoft security program thinks a Microsoft security fix is a virus?  That doesn't quite add up. *:P

Well, actually this doesn't surprise me at all.... Ha-ha-ha... *:rofl: Since Microsoft changed the Windows Update policy last year, it gets worse every month. I've turned Windows Update OFF altogether and check every single update manually, with at least a month's delay! Hoping that in between somebody has found the bugs and fixed them, and if not, I simply don't install it...

    Kind regards!
