Fallout 2 utility ProtoManager virus?

Discussion in 'Fallout General Modding' started by QuantumApprentice, Jun 21, 2021.

  1. QuantumApprentice

    QuantumApprentice Look, Ma! Two Heads!

    365
    Feb 9, 2018
    awesome, I wasn't able to get this one when I made my video
     
  2. max demaio

    max demaio First time out of the vault

    10
    Mar 14, 2022
  3. NovaRain

    NovaRain Casual Modder Modder Moderator

    Mar 10, 2007
    False positive, either you put the proto manager in the exclusion list of your antivirus or don't trust/use it. Use Cubik2k's critter editor instead, and a hex editor if you want to edit some flags or other fields that are not available in the critter editor.
     
  4. max demaio

    max demaio First time out of the vault

    10
    Mar 14, 2022
    Ah yes, I got that tool but I can't add my critter into it, that's why I was looking for the proto manager.
     
  5. NovaRain

    NovaRain Casual Modder Modder Moderator

    Mar 10, 2007
    I took the source code and made a few changes to try to fix the false positive from antivirus, here's my test build. The test build (1.3.0.4) has NO functional difference from the original 1.3.0.3, it's merely for trying to solve the false positive.

    At least now the up-to-date Microsoft Defender in my Win10 VM (in 21H2) doesn't report Trojan:MSIL/Remcos.ED!MTB threat on the exe, but I'm curious about the results from other antivirus programs as my NOD32 has been fine with it for some time.
     
    Last edited: May 30, 2022
  6. gustarballs1983

    gustarballs1983 Vault Senior Citizen
    Modder

    Oct 28, 2009
    Well, the NoScript security browser plugin (script blocker) blocks a potential cross-site scripting attack it detects before proceeding to download, and later Bitdefender blocks the site, warning me there's malicious stuff on that website, and if I ignore that, then Bitdefender automatically erases the download after it's been prefetched.. :((
     
  7. QuantumApprentice

    QuantumApprentice Look, Ma! Two Heads!

    365
    Feb 9, 2018
    Same NoScript warning for me, but Avira doesn't block the site, though it does flag and quarantine the exe when I try to extract it from the zip.
    www.virustotal.com still has 34 flags on 1.3.0.4_test as of this afternoon (up from 31 this morning):
    https://www.virustotal.com/gui/file/7d3d8569b1d44f2e5d15c631799f252b039f61e6e17d131e520433f219524cbc

    virustotal's heuristics seem to get flags from more anti-virus programs the longer the file has been in their system, so it could still end up like 1.3.0.3's 45 flags:
    https://www.virustotal.com/gui/file/300a75ae9e043d1a52ec4e71db6fd0ad0066c51fd1ceafd850d0d0c8e9491ac0

    At this point I'm not sure if you found part of the problem or if the change just made the anti-virus heuristics slightly less able to catch whatever they're flagging.
    I'm still new to programming, and I wasn't able to get a copy of this source code before he pulled it, but what method would you use to sort through source code to find bugs like this?
     
  8. NovaRain

    NovaRain Casual Modder Modder Moderator

    Mar 10, 2007
    I just tried to remove a few things related to networking and see if the Defender would still flag the exe because it's one of the most common antivirus on more modern machines.
     
  9. QuantumApprentice

    QuantumApprentice Look, Ma! Two Heads!

    365
    Feb 9, 2018
    That makes sense to look at.
    If you click on the "Relations" page, virustotal shows a bunch of 20.190.160.xxx addresses being contacted. Is that what you're referring to?
    -edit-
    there's also a "Details" tab and a "Behaviors" tab that have some interesting information, though I'm unsure of their usefulness.
     
  10. gustarballs1983

    gustarballs1983 Vault Senior Citizen
    Modder

    Oct 28, 2009
    Wouldn't it be best to cut all internet access for this from the code?
    I mean it's not like Mr.Stalin suddenly changes his mind and starts to provide updates to auto-download.. on the contrary, from now on the downloads could be malicious, as Russia went berserk on Ukraine, God only knows what sneaky forgery Russians are capable of in order to succeed in their attempt for world domination. Mr.Stalin guy seems like-minded with Russian authorities mainstream, so chances are he'd cooperate with them..
    Just my two cents..
     
  11. .Pixote.

    .Pixote. Antediluvian as Feck
    Modder

    Sep 14, 2009
    I think people should give Mr.Stalin a break, I don't think he would do anything malicious towards the Fallout community. He's caught up in the maelstrom like the rest of us.
     
  12. NovaRain

    NovaRain Casual Modder Modder Moderator

    Mar 10, 2007
    I do agree he wouldn't do such things. It's been flagged for quite some time, long before the recent political events.
    TBH it's just some people don't want to take "false positive" and make a fuss about it.

    On the other hand, I updated the test build with unnecessary prerequisite bootstrapper disabled, should have less flags on VirusTotal, and that's about it. I'd rather work on some text/info improvements than try to make antivirus proggies happy.

    EDIT: OK, now I made a couple of fixes to 1.3.0.4:
    1. The calculation of AI weapon priority score is corrected to match the current sfall fix.
    2. Opening/closing the configuration settings doesn't reset the "Don't select on hovor" setting anymore.
     
    Last edited: May 30, 2022
  13. Lexx

    Lexx Testament to the ghoul lifespan
    Moderator Modder

    Apr 24, 2005
    Like NovaRain said, the ProtoManager is like that for a long time and it's clearly a false positive. However, Mr.Stalin is openly a ruzzian, anti-western, and wants "all the american soldiers and ukrainian nazis to die." - that's 1:1 his words. I wouldn't touch any of his future software releases without an extra pair of gloves.

  14. gustarballs1983

    gustarballs1983 Vault Senior Citizen
    Modder

    Oct 28, 2009
    I'm glad there are ppl on this forum that have their eyes open like you, Lexx, and don't keep their heads in their asses.. perhaps it's the close proximity to Russia, history lessons, and the fact that history likes to repeat itself is the thing that keeps us cautious. Anyways, I'm glad I'm not alone in this opinion :)
     
  15. antiq

    antiq First time out of the vault

    1
    May 19, 2022
    Hey guys, am new here, would any of y'all give me a Google Drive link of the manager so I can download it?
     
  16. QuantumApprentice

    QuantumApprentice Look, Ma! Two Heads!

    365
    Feb 9, 2018
  17. AleksL

    AleksL First time out of the vault

    1
    Nov 19, 2022
    Hi, all!
    And what about early versions of ProtoManager before 1.2? Maybe somebody has v1.1.6?
    Or had they also been detected as a virus?
     
  18. QuantumApprentice

    QuantumApprentice Look, Ma! Two Heads!

    365
    Feb 9, 2018
    Good question, I don't know where to get older versions though, so this may not be answered until Mr. Stalin bothers to return here.
    Although, I doubt he would bother responding, since he hasn't bothered to clean up the code enough to remove the false positive yet.
     
  19. Nirran

    Nirran Vault Senior Citizen
    Modder

    Apr 15, 2007
    v 1.2.1
     

    Attached Files:

  20. pacol

    pacol First time out of the vault

    2
    Jan 2, 2023
    Can someone share the source code of the latest version to be investigated? This case is stinky as the GitHub project is no longer public.
    BTW: The version of 1.2.1 shared by Nirran is marked as malicious as well.