Ren'Py Various Virus detections related to different Ren'py versions

Cool'Thulhu

Member
Sep 24, 2017
For real... What's up with all those VirusTotal alerts with Ren'py games? Each version seems to trigger a different antivirus/sandbox.

Here are some examples (note: I don't know which specific Ren'py version those games use, LOL :ROFLMAO:)

Unbroken, Lessons in Love and Hero Party Must Fall are probably the same Ren'py version, as their EXEs have the same hash and they all trigger 3 antiviruses and 2 sandboxes (TROJAN)
HASH: 559d5ca234a68bac5a9b1130f9ec73512c1a20178daf0ce04154cbe83dcd32fe

Friends in Need triggers 2 antiviruses and 1 sandbox
HASH: e1c7d09afcada193579ac21b5e3c3ab9eb710576ebc835358add821ddde3a139

Refuge Of Embers
HASH: 7757eb5cad0a6a9a40343ee94253d0e39ce0983012fae01e56a99d9e3fdabead

(I know that this used to happen a lot more with the 32-bit .exe files.)
So... are these false positives? If so, why does it happen A LOT?

Cool'Thulhu

Member
Sep 24, 2017
Yes.

Because cheap exotic antiviruses are cheap and exotic, while Ren'Py executables do not change as often as the version number makes it look.
I guess it makes sense, as no popular antivirus detected these files (I also scanned all folders with Malwarebytes and they were clean)...
But why did VirusTotal give it the "Popular threat label: trojan" flag?
And why do some sandboxes detect suspicious malware activity (Dr.Web vxCube and Zenbox)?

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Donor
Respected User
Jun 10, 2017
But why did VirusTotal give it the "Popular threat label: trojan" flag?
Probably because of the community vote.


And why do some sandboxes detect suspicious malware activity (Dr.Web vxCube and Zenbox)?
Because they are ridiculous detection systems?
I did a test, using The Unbroken as reference. I tested the executable, and got the same result as you, which is logical.
Then I tested a file that I know is 100% safe, the executable that comes with the SDK for the exact same version (7.3.5.606).

I got to the same page, therefore the page that has all those suspicious behaviors from Zenbox... Or perhaps I should say all those ridiculous behaviors from Zenbox, because no, Ren'Py does not use netsh, it does not modify the network, it does not read the hosts file, it does not... do all the stupid things that Zenbox pretends it does.

What probably happens is that Zenbox is designed to understand something like Ren'Py, therefore something that relies on a language interpreter.
As it's a sandbox detection system, it does all its work with a full game, because by itself renpy.exe just launches the Python interpreter for it to process Ren'Py scripts.
Then the sandbox detects the said Python interpreter, its different modules and DLLs. And yes, among them there are some that do what Zenbox detects, but it doesn't mean that they are effectively used by Ren'Py and/or by the game itself.

If you want, it's like going to a museum dedicated to piracy (the real one, not the one we are doing here). You'll surely see swords, old pistols and perhaps even cannons. But it's not because they are there that the people working for the museum are dangerous and will try to kill you, right?
It's something that Zenbox seems not to have understood; a possibility isn't a threat by itself. Otherwise, Windows itself would be a threat.

This being said, it points to the real issue with Ren'Py games. The threat does not come from Ren'Py, it comes from the game itself.
I trust PyTom. Even with the project now having more and more external contributions, he will not let a threat into the officially released version.
But anyone creating a game with Ren'Py can use Python, and by using Python, can do all the things pointed out by Zenbox, and even more.
Now, it doesn't mean that you have to fear every Ren'Py game that you play. Those that come from nowhere, yeah, it's possible that there's a threat. But those that come from a guy trying to earn a few bucks through Patreon... It would be counterproductive (who would pledge for someone who put a trojan in his game?) and relatively stupid (he can be traced through the few bucks he'll earn).

Being cautious, relying on a good antivirus (that will also keep an eye on the real-time behavior), and having an IP filter (firewall), is always a good thing. But globally speaking, as long as you download from here, there's no need to be too paranoid; "paranoid enough" is enough.

Cool'Thulhu

Member
Sep 24, 2017
I just think it's weird that some versions of Renpy are totally clean on VirusTotal and some have those crazy flags.

But yeah, I'm being more paranoid than usual, mostly because until recently that "Popular threat label" didn't exist, so it caught my attention more than it normally does :ROFLMAO:.

I always check the EXEs I download (even from official sources like GOG... paranoid, I know :ROFLMAO:), and always 2 or 3 antiviruses (usually MaxSecure and Jiangmin) report a Trojan on Ren'py, probably because they work by reputation, and since there's always a new version of the game coming, there aren't enough samples for them to classify it as safe.

But yeah, given that no popular antivirus reported it and I always block Ren'py on the firewall, maybe it's safe lol :ROFLMAO:.
Thanks (y)

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Donor
Respected User
Jun 10, 2017
But yeah, given that no popular antivirus reported it and I always block Ren'py on the firewall, maybe it's safe lol :ROFLMAO:.
Globally speaking, if it's just... Hmm, there are 71 tests, I guess you can go up to 4 detections and still consider that it's a false positive; especially if it's a generic threat. Except if one of them is Avast, Sophos, Kaspersky, Symantec or McAfee.

I've been out of touch with the security field for too long now, so I perhaps miss some names, but they are the serious guys when it comes to viruses. Whatever one can think about their products, their labs are serious and efficient, and are generally among the first ones to analyze the threats; Avast because it's probably now the most used by domestic users, the others because they have a really big and wide range of professional clients.
Therefore, they'll be among the first ones to add a rule to explicitly detect a given threat. What this means is that for a short lapse of time (two/three days at most) it can happen that they are the only ones to detect something new.

Anyway, in case of doubt, Google the name of the antivirus, you should quickly see if it's something exotic or not, and Google the name of the threat, you'll almost immediately see if it's something generic or not. For example, if you search for "Trojan.Heur.aom", which is among the threats detected for Ren'py, the first thing you'll see is: "Trojan Heur AOM is a heuristic detection designed to generically detect a Trojan Horse".
If the threats are generic and come from exotic antiviruses, there's a 99% chance that it doesn't mean more than uncle Fred saying for the hundredth time that his neighbors are aliens working for the FBI.
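To make the rule of thumb from the post above concrete, here is a small Python triage script that applies it to a VirusTotal-style result: count the hits, check whether any come from the major labs named in the post, and check whether the labels look generic/heuristic. This is example code added for this thread, not anything from Ren'Py, VirusTotal or the posters; the "up to 4 out of 71" threshold and the lab list are the post's own, the engine names MaxSecure and Jiangmin and the label "Trojan.Heur.aom" come from the thread, and every other engine name and label in the sample data is constructed. It also includes a SHA-256 helper for the "compare the game's exe against the SDK exe of the same version" check described earlier.

```python
"""Triage a VirusTotal-style scan summary with the thread's rule of thumb:
a few generic detections from little-known engines are probably a false
positive; a hit from a major lab, a specific family name, or many hits
deserve a closer look.  Example code for this thread, not from Ren'Py or
VirusTotal.  Sample engine names/labels are constructed unless noted."""
import hashlib
from dataclasses import dataclass, field

# Labs the post says should not be waved away (compared case-insensitively).
MAJOR_LABS = {"avast", "sophos", "kaspersky", "symantec", "mcafee"}

# Substrings that usually mark a heuristic/generic signature rather than a
# rule written for one specific malware family.
GENERIC_MARKERS = ("heur", "generic", "gen.", "gen:", "suspicious", "susgen")

# The post's threshold: with ~71 engines, up to 4 generic hits is tolerable.
MAX_TOLERATED_HITS = 4


@dataclass
class Verdict:
    likely_false_positive: bool
    reason: str
    major_lab_hits: list = field(default_factory=list)
    specific_hits: list = field(default_factory=list)


def is_generic_label(label: str) -> bool:
    """True if the detection name looks like a heuristic/generic signature."""
    low = label.lower()
    return any(marker in low for marker in GENERIC_MARKERS)


def triage(detections: dict, total_engines: int = 71) -> Verdict:
    """detections maps engine name -> detection label, for engines that flagged."""
    major = sorted(e for e in detections if e.lower() in MAJOR_LABS)
    specific = sorted(e for e, lab in detections.items() if not is_generic_label(lab))
    hits = len(detections)
    if hits == 0:
        return Verdict(True, f"0/{total_engines} engines flagged")
    if major:
        return Verdict(False, f"flagged by major lab(s): {', '.join(major)}", major, specific)
    if hits > MAX_TOLERATED_HITS:
        return Verdict(False, f"{hits}/{total_engines} engines flagged, above threshold", major, specific)
    if specific:
        return Verdict(False, f"non-generic label(s) from: {', '.join(specific)}", major, specific)
    return Verdict(True, f"{hits}/{total_engines} generic hits from minor engines only", major, specific)


def sha256_hex(data: bytes) -> str:
    """Digest of a file's bytes, e.g. to compare a game's renpy exe with the
    SDK exe for the same version (open(path, 'rb').read())."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: two minor engines, both with generic labels.
SAMPLE_GENERIC_ONLY = {
    "Jiangmin": "Trojan.Heur.aom",          # label quoted in the thread
    "MaxSecure": "Generic.Suspicious.Sample",  # constructed label
}

# Constructed sample: one hit, but from a major lab.
SAMPLE_MAJOR_LAB = {"Kaspersky": "Trojan.Heur.aom"}

# Constructed sample: a specific (non-generic) family name from a minor engine.
SAMPLE_SPECIFIC = {"ExampleAV": "Win32.ConstructedFamily.A"}

if __name__ == "__main__":
    for name, sample in [("generic only", SAMPLE_GENERIC_ONLY),
                         ("major lab", SAMPLE_MAJOR_LAB),
                         ("specific family", SAMPLE_SPECIFIC)]:
        v = triage(sample)
        print(f"{name:16} likely FP={v.likely_false_positive}  ({v.reason})")
```

The verdict is only a first filter: it tells you whether the detections are the kind the post describes as noise (few, generic, exotic) or the kind that warrants reading the full report, which is the same decision the post walks through by hand.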