Steam 140 version of Community patch



OK... Just for grins and giggles, I took a look at the metascan site's results.

And for even more fun, I uploaded the Sacred2Updater.exe from my Sacred 2 program tree. It produced identical results to the one done on the diff_000126.dif file. Ergo, we can assume with confidence that they are one and the same file. That is, the same AV products found the same malware.

So yeah, we can reproduce it with confidence.

The problem I have with this whole result is the names of the AV products that did yield a positive result: only one of them has a recognizable name, namely FProt. They're a small outfit that's been around for quite a while. Most of the other names I've never heard of. This is not to say they all suck or something, but I gotta wonder just what portion of the file they are using as the "signature" to determine it's a 'virus'.

The first three results call the 'infection' a downloader. Two of them identify it as W32/Downloader.L.gen/ElDorado. The third reports Trojan.downloader with some number or other.

The first thing to consider about programming these days: there are a lot of canned modules - prewritten code that executes a fixed function. A lot of modern programming is about COPY and PASTE. Why reinvent the wheel when someone's already got a perfectly good piece of code cooked up and made it freely available? Many programming languages already come with such things baked into the package. You tell it what you want, it inserts the appropriate code and it's ready to go that much quicker.

Secondly, the function of the Sacred2Updater.exe file is to UPDATE the CM Patch. Since Sacred 2 - at least as far as Deep Silver is concerned - is pretty much history and NO further updates are coming from them, the CM Patch guys repurposed the name Sacred2Updater.exe to automatically download and update the CM Patch. It checks the installed version against the version available on the web and automatically downloads the file in the background when you launch the game.

Third, these "downloaders" - as the name suggests - download other files, based on the files the author wants his targets infested with.

So.. What can we infer from all of this? It's entirely possible that these are false positives. It's entirely possible that the author(s) of the trojan downloader used a canned download routine, or another canned routine to identify files that need to be downloaded - the same routines used by the CM Patch guys to build their downloader. The thing is, BOTH programs have very similar functions. The difference is that the CM Patch updater is legit while the TrojanDownloader thing is not.

It is also possible that the 5 positives happened because the people who do the definitions only looked at very limited bits of code, while the other 35 scanners used more sophisticated techniques that vetted the Sacred2Updater.

It's also important to note: NONE of the major players in the AV market - Symantec/Norton, McAfee, Trend Micro, Panda, AVG, ESET, Sophos, Kaspersky and so forth - identified the file as being a threat. You'd think at least ONE of them would have had a problem if there was something to this.

Edited by wolfie2kX
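The update flow described in the post above (compare the installed version against the published one, fetch the new build in the background), as an added example that is not the CM Patch team's code and not taken from any AV vendor: it is written twice, once as the bare fetch-and-keep routine that a "downloader" signature matches, and once with the checks that separate an updater from a trojan downloader. The server, URLs, manifest format, version scheme and pinned host are assumptions; the "server" is an in-memory dict so the example runs offline.

```python
"""Added example, not the CM Patch team's code: the update flow the post
describes (compare the installed version with the published one, fetch the
new build), written as a bare downloader and again with the checks that
separate an updater from a trojan downloader. Server, URLs, manifest
format, version scheme and pinned host are assumptions; the 'server' is an
in-memory dict so this runs offline."""
import hashlib
import json
from urllib.parse import urlparse

MANIFEST_URL = "https://example.invalid/cmpatch/latest.json"
PAYLOAD_URL = "https://example.invalid/cmpatch/cmpatch_140hf.zip"
FAKE_PAYLOAD = b"constructed stand-in for the patch archive"
ALLOWED_HOSTS = {"example.invalid"}   # pinned in the updater, never taken from the manifest


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_server(payload=FAKE_PAYLOAD, payload_url=PAYLOAD_URL, advertised_hash=None):
    """Constructed in-memory 'web server': a version manifest and the archive it names.
    advertised_hash lets a test simulate an archive swapped behind an unchanged manifest."""
    manifest = {"version": "1.40hf", "url": payload_url,
                "sha256": advertised_hash or sha256_hex(payload)}
    return {MANIFEST_URL: json.dumps(manifest).encode(), payload_url: payload}


def parse_version(v):
    """'1.40' -> (1, 40, 0); '1.40hf' -> (1, 40, 1), so a hotfix sorts above its base release."""
    base, hf, _ = v.partition("hf")
    major, minor = base.split(".")
    return (int(major), int(minor), 1 if hf else 0)


def naive_update(server, installed):
    """The shape a 'downloader' signature matches: fetch a URL, fetch what it names, keep it."""
    manifest = json.loads(server[MANIFEST_URL])
    if parse_version(manifest["version"]) <= parse_version(installed):
        return None
    return server[manifest["url"]]           # no check on origin, size or content


def checked_update(server, installed, max_bytes=64 * 1024 * 1024):
    """Same fetch routine, plus the checks a legitimate updater owes its users."""
    manifest = json.loads(server[MANIFEST_URL])
    if parse_version(manifest["version"]) <= parse_version(installed):
        return None                          # already current
    u = urlparse(manifest["url"])
    if u.scheme != "https" or u.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing to download from {manifest['url']!r}")
    data = server[manifest["url"]]
    if len(data) > max_bytes:
        raise ValueError("archive larger than expected")
    digest = sha256_hex(data)
    if digest != manifest["sha256"]:
        raise ValueError(f"hash mismatch: got {digest}, manifest says {manifest['sha256']}")
    return data                              # caller unpacks it; nothing fetched is executed


if __name__ == "__main__":
    good = make_server()
    print("clean update accepted:", checked_update(good, "1.40") == FAKE_PAYLOAD)
    # Archive swapped, manifest left alone: the naive routine takes it, the checked one refuses.
    evil = make_server(payload=b"something else", advertised_hash=sha256_hex(FAKE_PAYLOAD))
    print("naive routine took the swapped archive:", naive_update(evil, "1.40") == b"something else")
    try:
        checked_update(evil, "1.40")
    except ValueError as err:
        print("checked routine refused:", err)
```

The fetch routine is identical in both functions, which is the point the post makes: a signature written over that routine alone cannot tell the two apart. What a reviewer looks for in the binary is the behaviour around it: a fixed HTTPS origin, a hash checked before anything is written (better still, a signature over the manifest with a key embedded in the updater, which this example does not implement), a size limit, and no execution of the fetched content.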

Hey guys, I am Orion from the initial Steam posting. Just wanted to clarify what happened and not raise a bunch of smoke. I ran a full (not quick) Malwarebytes scan from the full version of the product, with the memory scan function. It came back with the result of the Sacred 2 community patch updater (nothing else in the program) as the adware Kraddare. It quarantined the file.

When I tried to uninstall the patch with the provided uninstaller, it just gave a missing file error (don't remember which one, but it had nothing to do with the updater) and failed to initialize. This is where I got concerned. A couple of other Steam users have had the same problem with the uninstaller not working.

As I said in the initial post, this could be a false positive. What really concerned me was that it failed to uninstall. One thing I remember was that the download was extremely slow, like only a few kB/s, so maybe something didn't transfer correctly or something. Just to clear things up, I have never had any other spyware or malware issue, nor virus. The sickest my PC ever got was a tracking cookie.

Edited by Orion Star God
  • Like! 1

Note: I do believe I saw a post on the MantisBT that says there's an issue with the uninstaller. There even seems to be a 'fix' for it - the S2Reset tool - which, if I'm not mistaken, is also posted in the post covering the CM Patch on DM...

Hi Orion, welcome to DarkMatters!

Now then... As I posted previously, there's a thread on the uninstaller issue - it's a known bug and it's been reported. There's no immediate fix in sight for the file in question - at least not until the NEXT version of the patch.

There is already a fix available - the Sacred 2 Reset Tool - which can be found in the 2nd link I posted.

What likely happened... The CM Patch guys found a bug in the original 140 release and immediately released the 140 HotFix version, which took care of that problem. What they likely forgot to do was take into account the changes made to 140 to get to the 140 HF version, and didn't recompile the uninstaller with the correct instructions - which then choked on a file that wasn't there.

This is the sort of thing that happens when you release something in the heat of the moment and don't have the time to FULLY test everything.


Greetings,

Nidhoggr from Steam here. I do agree with what Wolfie had to say about this issue. Thanks for the clarification! I've seen anti-virus software report many false positives because of identical coding techniques. I've even had store-bought games come up as trojans upon installation.

How I got this mysterious diff_000126.dif file reported as malware was due to my Avast! catching it as I was installing the 140hf. It took that file right out of the installation process and put it in the virus chest. When I took Avast! down to properly install the 140hf, I got the same malware warning upon launching Sacred 2. It is likely that the .dif file is part of the Sacred2Updater.exe, which is why no one could find it.

So far, after tampering with the Sacred2Updater, I'm not seeing any system instability or Korean pop-ups. I'll conclude it's safe.

~Winterfylleth

 


Greetings, Nidhoggr! Welcome to DarkMatters..

That's just it. I searched my entire Sacred 2 tree under Program Files for the .dif file in question - and it just ain't there.

I'm thinking that it MAY have been Avast that renamed the file in question. I've seen a number of AV programs do stuff like that when they throw a file into quarantine. Of course, you go looking for it - and you don't find the EXE - you find some weirdly named file.

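The first post infers that Sacred2Updater.exe and diff_000126.dif are the same file because the scanners returned identical verdicts, and the two posts above ask whether the .dif is simply the .exe renamed by Avast when it went into the virus chest. Both questions have a direct check: a cryptographic hash of each file, plus a look at the file header to see whether the .dif carries a Windows executable. The Python below is an added example (not code from the thread, the CM Patch team or any AV product); it writes constructed stand-in files under those names into a temporary directory, so the contents are assumptions and the PE-shaped bytes are a minimal fake header, not a real executable.

```python
"""Added example: settle 'same file?' and 'is the .dif a renamed .exe?' with a
SHA-256 comparison and a PE header check. Not part of the CM Patch or any AV
product; the files are constructed stand-ins written to a temp directory."""
import hashlib
import os
import struct
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def looks_like_pe(path):
    """True if the file has a DOS 'MZ' header and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def compare_files(a, b):
    """Hash both files and report identity plus whether each carries a PE header."""
    ha, hb = sha256_of(a), sha256_of(b)
    return {"identical": ha == hb, "a_sha256": ha, "b_sha256": hb,
            "a_is_pe": looks_like_pe(a), "b_is_pe": looks_like_pe(b)}


def build_fake_pe():
    """Constructed minimal PE-shaped bytes: MZ stub, e_lfanew = 0x40, PE signature, i386 machine id."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 18 + b"constructed sample body"


def demo():
    """Write the stand-in files and return (exe vs dif, exe vs plain text) comparisons."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "Sacred2Updater.exe")     # constructed, not the real updater
        dif = os.path.join(tmp, "diff_000126.dif")         # same bytes under the quarantine-style name
        txt = os.path.join(tmp, "readme.txt")              # control: not an executable at all
        payload = build_fake_pe()
        for path, data in ((exe, payload), (dif, payload), (txt, b"not an executable\n")):
            with open(path, "wb") as f:
                f.write(data)
        return compare_files(exe, dif), compare_files(exe, txt)


if __name__ == "__main__":
    same, different = demo()
    for label, r in (("exe vs dif", same), ("exe vs txt", different)):
        print(label, "identical" if r["identical"] else "different",
              "| PE header:", r["a_is_pe"], r["b_is_pe"])
```

On a real system, point compare_files at the copy in the Sacred 2 program tree and at the file Avast flagged, after restoring it from the virus chest; most AV products keep quarantined items in an encoded container, so hashing the container itself yields a different digest. Identical verdicts from five scanners only say that the same signature matched in both files; a matching SHA-256 says the bytes are the same.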
3 weeks later...

Ok, I have McAfee. I just downloaded the file and tried to install it and McAfee is now isolating that file as a trojan. Which means I am unable to install.

Did anyone figure out a work-around for this (other than temporarily disabling McAfee)?

 

I just purchased the Steam version of Sacred 2 Gold.

Edited by Ysne58

Here is the bug report link.

http://www.frankrentmeister.info/mantisbt/view.php?id=1043

Another interesting piece of info.

I have no problem installing on my desktop, which still has Windows Vista. But when I move to my laptop, I get the error. I have the same antivirus installed on both computers.

Edited by Ysne58

Yes it is a false positive. I quoted your post 27 in my bug report. It is an issue that sometimes causes a false positive. I hope that the CM patch team can figure out a fix or work around.

Edited by Ysne58

Well... I suppose they might go through the hassle of trying to fix it. Though quite honestly, there's no really good reason to fix something that isn't broken.

Then again, they didn't do anything about the uninstaller for the CM Patch - which is actually broken. The likely scenario would be to move the file to a safe location and then simply zip the file up. I don't think Sacred 2 will have a cow if the file isn't available.

Of course, that would mean that you'll likely have to do a manual update to the next version of the CM Patch.

Oh, and it's entirely possible that the desktop and laptop are not on the same update.


1. Anything that doesn't work as intended qualifies as a bug.

2. What makes you think the desktop and the laptop are not on the same update? It is the same file and the gold is fully patched with the official patches, while the desktop is manually patched.

3. Whether they fix it or not is up to them. Since it is an issue and for those who have it, it does qualify as broken.


That's just it. We don't know if there's a bug or not. For the 130 -> 140 patch cycle, the downloader module DID work and worked properly. But since there aren't regular updates to the CM Patch, we won't quite know until the 150 patch is released.

Just because some AV products say it's infected with a trojan downloader doesn't mean it actually is. As I said before, programming code these days is done up with an AWFUL lot of copy/paste. Why reinvent the wheel if you don't need to? For all we know, someone wrote a routine and published it, and both the hackers who cooked up the trojan downloader kit (yes, they make kits so you too can build your own malware and attempt to take over the world) and Marcus and Czevak, building their perfectly legit program, used that same bit of code.

Additionally, today is Feb 22nd. Don't you find it odd that it's taken McAfee TWENTY DAYS to "identify" the CM Patch updater as malware? Sounds to me like an EPIC FAIL if you ask me. One reason I trust McAfee about as far as I can throw their corporate HQ...

Secondly, I'm thinking that since one machine flags the file as being malware while the other does not, everything else being equal, the definitions must not be on the same update.

Try this: Go to the machine where the CM Patch updater is NOT flagged as malware, insert a USB memory stick into a port and copy the file to it. Remove the stick (SAFELY, of course) and take it to the machine where it's being flagged. Insert the USB stick into a port and scan the drive for viruses.

Odds are, the file will be flagged as having the same infection as the file already on the laptop. That should be enough to prove to you that they're not on the same page.

Third, there's no reason for them to rewrite their code. Yes, they could go out and come up with another bit of code that does the downloading. It may or may not work any better - and as such, it may or may not have been previously used by someone else to build another virus kit and been flagged as a virus as well.

The thing to do would be to contact the AV companies that are flagging their product as malware and tell them to put the crack pipe down.

Unless you've seen something weird - pop-ups, or other malware-type activity that a Trojan Downloader would introduce on your system - the odds are it's not infected.


> Well... I suppose they might go through the hassle of trying to fix it. Though quite honestly, there's no really good reason to fix something that isn't broken.
>
> Then again, they didn't do anything about the uninstaller for the CM Patch - which is actually broken. Likely scenario would be to move the file to a safe location, and then simply zip the file up. I don't think Sacred 2 will have a cow if the file isn't available.
>
> Of course, that would mean that you'll likely have to do a manual update to the next version of the CM Patch.
>
> Oh. and it's entirely possible that the desktop and laptop are not on the same update.


Getting back to my question -- does anyone have a work around figured out that does not involve disabling the antivirus software?

 

Um.. I already posted a work-around... See the bold parts of the top post...

