I've put about 6 hours into it and suddenly Windows decides to delete the application file. Tried unzipping and copying the new version into the old folder and it refused. I copied the old saves into the new folder, and then Windows deleted the application. Suggestions?
Edit: wow, Windows is militant about this. It just deletes the application, within a minute of me extracting it. I'm going to go ahead and assume it's cancer.
Edit 2: Cancer confirmed.
For sure. If it had flagged it for generic suspicion of malicious activity I'd probably wave it on. But it identified a specific piece of malware. Virus scanners work through comparing signatures. There are a bunch of ways to do that. The common one is through a simple hash signature and since you're a security expert you don't need me to explain the math behind collisions.
There are other ways. Matching lines of code or specific patterns of behavior. But since this is a pirated hentai video game, I'm going to lean on the side of caution and find something else that doesn't match up to a known piece of malicious code. But hey. You do you booboo.
I'm not going to suggest you stop using Defender and switch to Enterprise w/KMS with baseline privacy GPOs enabled to disable Big Brother (along with a lot of other software including a patched copy of WFC to set FW keys to read-only to prevent anything from modifying them), you wouldn't be able to rely on your own skills to reverse-engineer anything it looks (the more I hang around this forum, it seems these skills elude many, no offense meant). Instead, I'll try to explain a little about AVs:
Defender's over-protective nature these days is to damage control everything given how horrible a history it has. Usually Defender sits in the background, low-priority scanning everything based on your usage of them. Take an HD out and put a virus in an obscure, never-used folder and it will take a full scan to ever see it. Lazy scanning. Ex: Download a file, immediately scanned (but if compressed, needs decompression, may not be able to detect). On file write/library load (software term) you can run the extracted executable until the AV engine in the background scans it. If it flags something, it temporarily goes into a higher-priority scanning mode and uses cached IO to keep a quicker eye on those recently accessed URI paths or memory patterns (such as using specific undocumented Windows APIs)... That's just a toe-dip, there is a lot more going on behind the scenes.
AVs use other means than signatures to decide on whether to flag something. Ten years ago, every AV would bitch about UPX-ed executables despite UPX being entirely harmless (a compressor). It took ages for everyone to just unpack the executable and scan the payload instead and stop bitching. Signatures were created to then allow UPX...except if it was modified (custom jmp at end to another code cave), you could get around crappy AVs and it'd still be viral. Because of simple tricks like that, signatures are not always specific enough anyway and are given to categorize what is not always determined but rather assumed. In the case of Bifrost, it probably matches enough characteristics to be flagged as something else. Signatures though have come to include behavior analysis routines rather than 'PE section names, api/routine/string/region-detection, etc...'
AVs don't use many hash signatures anymore, hashes are almost entirely useless except to save time on known small, 4KB> executables. Change a byte, hash changes, useless. Even if you were to use specific regions of memory. Hell, pack it, entire thing changes. Some AVs automatically rate an executable higher during analysis if it is unsigned, for example. Simply removing a signature can cause some AVs to magically now think it is "SomeRandomVirusABC" or "SomeRandomTrojanXYZ". Some AVs do use string analysis to search for things such as "ntldr" or "bootsect" and will flag an executable if certain kinds of strings are found. ...No lines of code in compiled software, unless it is emulating/a byte-code machine similar to PHP, etc.
Almost every AV out there sucks. Either they're crap and miss everything or they false-positive the fuck out of everything. Before I stopped using AVs long ago (useless, I do it myself now, don't need an AV), I used MalwareBytes. Sucks they went paid-only, was an easy and cheap solution to friends/family without being bothered to fix things. Not going to keep up patching it to provide to friends/family, just too much in life to bother with it.
As for Bifrost, it is indeed a false-positive. You can either play it in a VM (very little can ever escape a VM) or you can pass on. I believe the reason it is identifying it as something else is because it uses a scripted engine and the scripts are incorrectly encoded (a trick used long ago to elude scanners, by Asian regions but not used anymore because it is useless (clearly marked even on false positives)). "This Trojan connects to the following possibly malicious URL:..." Also not true. If you use the old steam_api, an emulator by Goldberg, it does try to open a socket to local network by default because that emulator tries to implement LAN-games. I patched that steam_api a few versions ago to stop that behavior (unnecessary in a game like this) so that Windows Firewall would stfu about socket calls being opened. If OP didn't include that, you can disable those requests by creating steam_settings\offline.txt and steam_settings\disable_networking.txt and Windows Firewall will stfu from then on. (Or you can byte-patch two bools but I believe that's beyond your ability at the moment.) You can also use ProcExp to keep a continual list of all processes the game ever starts (none...). That Trend Crapo result mentions it calls vbc (Visual Basic Compiler) to compile some .NET code but it never launches it. Trend Crapo is reporting by signature name what is done, not on results of actual analysis of software. It never creates any processes. Another suggestion would be that every AV suggests a different type. Trend Crapo thinks it is Wacatac. Microshit thinks it is AutoItInjector and identifies Wacatac as Wacatac and Andromeda Bot as Andromeda Bot (both of which are not being named in Microshit's detection). McaCreep thinks it is AutoItInjector. Kasperusky thinks it is Andromeda Bot. Yes there is room for error in analysis and differences in signatures and detection methods but this just further suggests it isn't known but merely looks suspicious.
Considering that everyone who uses an AV is getting "detections" from legitimate buys on Steam of Bifrost, you could assume only two possibilities: A company has risked a lot (imagine the consequences) to push viral software out there that garners "low damage" (what profitz? ;]) or it is a false-positive.
Quite frankly, Bifrost should have been written in perhaps Godot (little to no false-positives). This in-house engine is blegh to begin with. Damn shift_jis/cjk encoding...
If you'd like to learn more about anything like this, I'd suggest learning Assembly, C++, IDEs, Debuggers, Operating Systems. All of that would point you in the right direction to begin.
*Edit* Wrote exhausted, should probably go to bed. Not everything was clearly aimed at whoever I was supposed to direct to. HUNGRY TOO. Damn COVID hoarders.
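The hash-versus-string-signature point made in the post above, as an added example that is not from this thread or from any AV vendor: a toy scanner with one exact-SHA-256 rule and two string rules, run over a constructed byte blob (not a real binary and not Bifrost's files). The rule names, the strings beyond the "ntldr"/"bootsect" ones the post mentions, and the one-byte rebuild are assumptions made up for illustration.

```python
import hashlib

# Constructed stand-in for an executable: a fake header, some padding, a
# packer section name, and two strings the post says some AVs look for.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"UPX0"
          + b"\x00" * 20 + b"bootsect" + b"\x00" * 20 + b"ntldr\x00")

# Exact-hash rule: only ever matches this precise byte sequence.
HASH_RULES = {"Example.ExactHash": hashlib.sha256(SAMPLE).hexdigest()}

# String rules: a verdict fires when at least min_hits of its strings occur.
STRING_RULES = {
    "Example.Bootkit.Strings": {"strings": [b"ntldr", b"bootsect"], "min_hits": 2},
    "Example.Packed.UPX": {"strings": [b"UPX0", b"UPX1"], "min_hits": 1},
}


def hash_verdicts(data: bytes) -> list:
    """Return rule names whose SHA-256 equals the hash of data."""
    digest = hashlib.sha256(data).hexdigest()
    return [name for name, sig in HASH_RULES.items() if sig == digest]


def string_verdicts(data: bytes) -> list:
    """Return rule names whose string-hit count reaches min_hits."""
    hits = []
    for name, rule in STRING_RULES.items():
        found = sum(1 for s in rule["strings"] if s in data)
        if found >= rule["min_hits"]:
            hits.append(name)
    return hits


def scan(data: bytes) -> dict:
    """Run both detection layers and report their verdicts side by side."""
    return {"hash": hash_verdicts(data), "strings": string_verdicts(data)}


def rebuild_with_one_byte_changed(data: bytes, offset: int) -> bytes:
    """Simulate a rebuild that alters a single padding byte (assumed scenario)."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    print("original:", scan(SAMPLE))
    print("rebuilt: ", scan(rebuild_with_one_byte_changed(SAMPLE, 10)))
```

The hash layer only catches the exact build, while the string layer keeps its verdict after the rebuild, which is why a signature database layers content rules over hashes instead of relying on hashes alone.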