Ren'Py Antivirus and Renpy 7.4.1

AdventAnyx

Hey, peeps.
I'm copy-pasting the message I wrote at the Renpy forum since I had much more luck with answers here during my life :LUL:

I'm getting many worried messages that I'm now a malware distributor :HideThePain:
They run a VirusTotal check and it returns positive with some antiviruses.
I've scanned my PC with several and found nothing. Right now I'm downloading antivirus after antivirus to give me at least something.

Tried to total myself, and the x32 files return this:


Is there something I can do? The non-32 version gives either 0 (with latest Renpy version 7.4.1), or 1-2 (with different 7.3.5 builds of my game).
I saw someone mentioning that custom icons can do that, but I have had a custom icon since 7.3.5 and never had this problem. Though I never scanned myself at VirusTotal before either.
Thanks!

Lemmasoft forum
 

79flavors

It usually is the custom icon thing, and it takes the antivirus companies a little while to get enough submitted examples to flag them as false positives.

8 out of 74 supported engines is hardly anything. But it's sometimes difficult to convince the occasional rabid player of that.

If you aren't using any of the new 7.4.x features, you could simply build your game with 7.3.5.
Or you could remove the icon.ico file from the main project folder temporarily until the antivirus engine companies get their shit together.

If you are still in any way concerned that you really have picked up some malicious code somewhere, you could try building a copy of your game on a different computer. Copy your project folder onto a memory stick, download a copy of 7.4.1 directly on that 2nd computer and build your project there. If you run your generated .exe through VirusTotal again and get the same results, you know it's a false positive.
If you don't have access to a 2nd PC, there are always virtual machines. , whilst somewhat outdated, is free and easy to set up. Current versions of Windows allow you to install them without putting a serial number in for a limited period of use - just skip the serial number and live with it nagging you for a short while (it's a trial period for system builders and IT departments who are frequently testing hardware/software).
 

AdventAnyx

Hey, thanks. I'll try that.
I'm not going back to 7.3.5 simply because some new features (I'm a noob about it) made the game run better, with 0 crashing "out of memory" errors for people who had them before (it's video-heavy).
 

anne O'nymous

> Is there something I can do?
The answer is "yes but probably no".

Ren'Py "builds" (really relatively speaking) the launcher exe when creating the distribution, based on information regarding the game. Meanwhile, for common threats, basic anti-virus tends to use a signature string that is present in the virus/malware and expected not to be present anywhere else.

The icon causes some false positives because it's a big string, more or less random (it's not text, nor a logical suite of processor instructions), that sometimes matches one of those signature strings. And the same problem can appear in any "built" part of the launcher if the combination matches one of those signatures.
The first thing to do is to test with a different icon. I know that you had no problems before, and that there's little chance that it's the problem, but the 7.4.1 launcher may have had a small change that now triggers the anti-virus with this icon.
Imagine that the searched string is "ABCDEF", and that your icon starts with "CDEF". With the 7.3.5 launcher, the icon was placed after something that ends with "ZEEZ", and it was safe. But 7.4.1 now places it after something that ends with "AAAB", and boom, the searched string is now present and it triggers a false positive.


Edit: Tried the SDK exe on VirusTotal; its signature led to a gameLauncher, so I guess that the icon is really at fault in your case.
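
The "ABCDEF" scenario from the post above, as an added Python sketch (not code from the thread, from Ren'Py, or from any antivirus product). The stub contents, icon bytes and part names are constructed samples, and real engines use far more than one substring match. The scanner reports which assembled parts each hit overlaps, so a match that exists only across the launcher/icon boundary is visible as such.

```python
# Added illustration; every byte string here is a constructed sample.
SIGNATURE = b"ABCDEF"  # the "searched string" from the post

def assemble(parts):
    """Concatenate (name, data) parts; return the blob and each part's span."""
    blob, spans = b"", []
    for name, data in parts:
        spans.append((name, len(blob), len(blob) + len(data)))
        blob += data
    return blob, spans

def scan(blob, spans, signature=SIGNATURE):
    """Return [(offset, [names of parts the match overlaps])] for every hit."""
    hits = []
    start = blob.find(signature)
    while start != -1:
        end = start + len(signature)
        touched = [name for name, s, e in spans if s < end and e > start]
        hits.append((start, touched))
        start = blob.find(signature, start + 1)
    return hits

# Hypothetical launcher stubs: only their last four bytes matter here.
STUB_735 = b"MZ..launcher-7.3.5..ZEEZ"
STUB_741 = b"MZ..launcher-7.4.1..AAAB"
ICON = b"CDEF\x00\x10\x20\x30"        # icon data beginning with "CDEF"
OTHER_ICON = b"QRST\x00\x10\x20\x30"  # a different icon

def verdicts():
    """Scan each stub/icon combination and each part on its own."""
    builds = {
        "7.3.5 + icon": [("launcher", STUB_735), ("icon", ICON)],
        "7.4.1 + icon": [("launcher", STUB_741), ("icon", ICON)],
        "7.4.1 + other icon": [("launcher", STUB_741), ("icon", OTHER_ICON)],
        "7.4.1 stub alone": [("launcher", STUB_741)],
        "icon alone": [("icon", ICON)],
    }
    return {label: scan(*assemble(parts)) for label, parts in builds.items()}

if __name__ == "__main__":
    for label, hits in verdicts().items():
        print(f"{label:20} ->", hits or "clean")
```

A hit that lists two parts means neither part carries the signature on its own, which is why changing either the icon or the launcher version can make the detection appear or disappear.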
 

AdventAnyx

There's something with oracle soft that doesn't go well with my PC.
The process to start the Virtual Box installation just hangs forever.

The same happens when I'm trying to install JDK, the thing that Renpy requires to build an Android distrib. I'm very far from being a developer, so I just wanted to try and do a build myself, but the progress bar on installing anything "Oracle" just won't start.
I think I had a similar problem with installing "c++ redistributable" package a while ago, but I'm not sure.
Probably something fucked up in my Windows and I need to go back to 10-year-old solutions like "did you try reinstalling windows?" :HideThePain:
 

AdventAnyx

I've won against JDK thing. Had to use the "/s" in the command line to do a silent install. WTF, Mr. Gates...
Now I need to figure out how to do an APK that does not crash on my phone. All 4 that Renpy builds do. But I guess this is for another day and another topic.
Thanks, guys.
 

Killer7

> It usually is the custom icon thing, and it takes the antivirus companies a little while to get enough submitted examples to flag them as false positives.
>
> 8 out of 74 supported engines is hardly anything. But it's sometimes difficult to convince the occasional rabid player of that.
>
> If you aren't using any of the new 7.4.x features, you could simply build your game with 7.3.5.
> Or you could remove the icon.ico file from the main project folder temporarily until the antivirus engine companies get their shit together.
>
> If you are still in any way concerned that you really have picked up some malicious code somewhere, you could try building a copy of your game on a different computer. Copy your project folder onto a memory stick, download a copy of 7.4.1 directly on that 2nd computer and build your project there. If you run your generated .exe through VirusTotal again and get the same results, you know it's a false positive.
> If you don't have access to a 2nd PC, there are always virtual machines. , whilst somewhat outdated, is free and easy to set up. Current versions of Windows allow you to install them without putting a serial number in for a limited period of use - just skip the serial number and live with it nagging you for a short while (it's a trial period for system builders and IT departments who are frequently testing hardware/software).

Thanks for that explanation, I recently upgraded to 7.4.1 for new builds of my game and people have been reporting the 32bit exe as a trojan as well. I guess I'll just wait and hope that windows updates their list or something, if not then I can always roll back. Was just wondering what caused this.
 

Winterfire

To add to that: I managed to include an icon to my game with 0 engines marking it as a false positive on virustotal, but I still got reports from a player that his antivirus would flag the game as a threat.

If you use Ren'Py, I would simply exclude including an icon.
 

AdventAnyx

It's supposed to be . Haven't tested yet.
 

Vernam

My game uses Renpy 7.4.2.1292 and I am also receiving virus reports.
I removed the custom icon in the last release but it still generates false positives, so it isn't fixed yet :confused:.
 

79flavors

> My game uses Renpy 7.4.2.1292 and I am also receiving virus reports.
> I removed the custom icon in the last release but it still generates false positives, so it isn't fixed yet :confused:.

I'd recommend disabling the building of a 32bit windows version (which is what seems to generate the false positives).

Put build.include_i686 = False in the options.rpy file, along with the other build. variables there.

There's another setting for build.change_icon_i686 = False, which only disables the icon. But honestly, that probably isn't enough.

Plus... 32 bit windows.... urgghhh...
 