BIG question about DLSite and general security of F95Zone

wwa06212

Newbie
Nov 22, 2023
70
16
I want to know if the games on DLSite (as I'm considering buying some) are somehow viruses? Because when looking at a game in VirusTotal there is SO much IP traffic and MITRE signatures and it seems very sketchy, so I was considering just buying it.
I have attached the VirusTotal scan and the original post: https://f95zone.to/threads/translat...f-the-newlywed-hero-rj01081992-bralac.172055/
I have downloaded games from F95Zone before resetting my PC and also ran it on a virtual machine in the past. I just want an honest reply because this file looks suspicious through VirusTotal; even my mate who works in IT says that it could be a virus. I'm sorry if this is a stupid question, but I have trouble trusting online files, as I have been hacked with ransomware before and have paid the price for it. Please leave an honest comment, thank you.
 
Jun 15, 2018
434
486
Here is my honest reply. I have been on this site for many, many years.

I have NEVER gotten a virus out of any games posted on f95. I even have my firewall disabled. No auto antivirus either. I do check once in a while with premium Malwarebytes and I have never gotten any viruses.

DLSite is also very legit. I have never personally bought any games from DLSite but I have downloaded them from third-party sites. Never had a virus either. I would say DLSite is safer than this site even. DLSite is a legit tax-paying company as far as I'm aware.

Some games or some patches of some games do have some false alarms on VirusTotal. Usually when that happens some idiot has already asked about it on the site and it has been answered.

If anyone ever encounters a hint of any virus, that link will be reported so many times by users, it will be taken down within seconds. (both on this site and DLSite)
 

Insomnimaniac Games

Degenerate Handholder
Game Developer
May 25, 2017
3,409
6,117
It's an RPGMaker game, which is notorious for false flags. Even testing my own game, Defender still flips out sometimes.
 

peterppp

Active Member
Mar 5, 2020
763
1,348
Only one detection out of that many antivirus means a false positive. Nothing to worry about.
 

Yuki-x

Member
Jul 22, 2021
219
338
That exe is legit.
It's the "nw.exe" renamed to "game.exe" from the

...that does not mean a game cannot do "fishy" things.
For RPG Maker games you should be more worried about the code inside the ".html", ".json" and ".js" files....
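
The check suggested in the post above, as an added example that is not part of the thread: a small static triage pass over the ".html", ".json" and ".js" files of an NW.js game. The names `RULES`, `checkManifest`, `scanFiles` and `SAMPLE` are hypothetical, the rule list is constructed and not exhaustive, and the sample files are made up for illustration.

```javascript
// Added example: static triage of the script side of an NW.js / RPG Maker game.
// RULES is a constructed, non-exhaustive list; a hit means "read this line".
// require('fs') is left out on purpose: RPG Maker MV's own save code uses it.
const RULES = [
  { id: 'process-spawn', re: /require\(\s*['"](?:node:)?child_process['"]\s*\)/ },
  { id: 'raw-network', re: /require\(\s*['"](?:node:)?(?:net|dgram|tls|https?)['"]\s*\)/ },
  { id: 'dynamic-code', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { id: 'shell-open', re: /\bnw\.Shell\.open(?:External|Item)\s*\(/ },
  { id: 'remote-script', re: /<script[^>]+src\s*=\s*['"]https?:\/\//i },
];

// package.json is the NW.js manifest: a remote "main" loads the start page
// from the network, and "node-remote" lets remote pages reach Node APIs.
function checkManifest(file, text) {
  let manifest;
  try { manifest = JSON.parse(text); }
  catch (err) { return [{ file, line: 0, rule: 'manifest-unparseable' }]; }
  const out = [];
  if (/^https?:\/\//i.test(String(manifest.main || ''))) out.push({ file, line: 0, rule: 'manifest-remote-main' });
  if (manifest['node-remote']) out.push({ file, line: 0, rule: 'manifest-node-remote' });
  return out;
}

// files: object mapping a relative path to that file's text content.
function scanFiles(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    if (/(^|\/)package\.json$/.test(file)) {
      findings.push(...checkManifest(file, text));
      continue;
    }
    text.split(/\r?\n/).forEach((src, i) => {
      for (const rule of RULES) {
        if (rule.re.test(src)) findings.push({ file, line: i + 1, rule: rule.id });
      }
    });
  }
  return findings;
}

// Constructed sample input, not taken from any real game.
const SAMPLE = {
  'package.json': '{"name":"Game","main":"index.html","node-remote":"*://*"}',
  'www/js/plugins/Saves.js': "var fs = require('fs');\nfs.writeFileSync(p, d);",
  'www/js/plugins/Extra.js': "var cp = require('child_process');\nvar f = new Function(c);",
};
console.log(scanFiles(SAMPLE));
```

A finding is a pointer to a line worth reading, not a verdict; plugins can have legitimate reasons for any of these calls.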
 

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Donor
Respected User
Jun 10, 2017
10,978
16,236
I want to know if the games on DLSite (as I'm considering buying some) are somehow viruses? Because when looking at a game in VirusTotal there is SO much IP traffic and MITRE signatures and it seems very sketchy, so I was considering just buying it.
Perhaps do not look at the behavior page if you don't have the capacity to understand what it says.

For example, yes, there's IP traffic, but when you look further, you discover where it comes from and what it is for:
"C:\Program Files (x86)\Google2424_1480534763\bin\updater.exe" --update --system --enable-logging --vmodule=*/chrome/updater/*=2 /sessionid {358EEE5F-C339-47C7-A649-9A8C61E0CA52} --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
At some point (I don't remember the version) RPG Maker took a turn and became an NW-based application embedding its own display engine based on Chromium. And the traffic is nothing more than proof that they didn't remove the totally useless (and potentially game-breaking) auto-update process.


As for the MITRE-related information, by itself it doesn't mean much; it's the combination that is important.
For example, the game in question spawns processes and writes into other processes, which is totally natural with Chromium since it multiplies processes faster than some prophet did with bread.
There's also a lot of encoded data, which isn't surprising coming from a game. After all, they don't want people to easily access the data and then steal their IP.
The same goes for System Information Discovery. 99% of software does it, to ensure that it can work on the current system and/or tweak itself to work on it.
And so on. There's nothing really suspicious here when put in perspective with the software concerned.
 

wwa06212

Newbie
Nov 22, 2023
70
16
Thank you for the insight on what this behaviour could mean, as I get very confused with these things. I see what you mean by the IP traffic being related to auto-updates, but it shouldn't be updating on an illegal copy of the game, right? Also there are A LOT of IPs, surely it could not just be related to an auto-update?
 

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Donor
Respected User
Jun 10, 2017
10,978
16,236
[...] but it shouldn't be updating on an illegal copy of the game right?
Strictly speaking, it's not the game that is updating, but the game engine. And there's no real issue in it updating itself while the game hasn't been legally acquired.


Also there are A LOT of IPs, surely it could not just be related to an auto-update?
There are always a lot of IP addresses nowadays, especially for major companies (Chromium is developed by Google).
In order to offer the best possible quality of service, the load is spread across many servers all around the world. Even a place like this forum has more than one server and, while the main servers are all located in the same place, the attachment servers are spread across different places in the world, so that they are as close to your location as possible.
Depending on the system used for that, and also depending on whether a DNS request is done for every connection or not, it's not too surprising to find many IP addresses. Especially when it's for something like an auto-update, which needs to be as fast as possible (in order not to delay the user too much) while possibly implying heavy traffic (if you haven't used the software for a long time, there may be many hundred-MB files that will need to be downloaded).
 

wwa06212

Newbie
Nov 22, 2023
70
16
Thank you all so much on this post for your help, especially you, anne O'nymous. I think I will download and trust f95zone.