miraslovbaros85
Posted January 3, 2020

Hello,

I recently started modding FNV to improve stability and gameplay. I downloaded NVSE, 4GB patcher by Roy, NVAC, One tweak, etc. Everything looked ordinary but, since I'm sort of paranoid, I scanned the FNV executable on VirusTotal and, according to VT, the executable tries to make DNS requests to a malicious site. Probably a false positive but I don't know, does anyone have the same issue with the executable after patching it?

Thanks in advance, kind regards.

https://www.virustotal.com/gui/file/518c87f58a6c4d9826e9ef8fbb7f4213882fa70822675610d45aea2464502a57/relations

dubiousintent
Posted January 9, 2020

You can run "verify local files" to re-download the game executable. (You will then need to re-run the 4GB Patcher after you first run the "Launcher".) That should replace the game exe.

I've used the 4GB Patcher without incident for years. It does indeed change the executable, so it might get reported as a possible "generic" type of infection, but not something so specific as a DNS routing to a known malicious site.

VirusTotal uses a number of different AV scanners. But it does mean that one scanner might put out a "false positive" where others don't. It might also be detecting a "zero-day" exploit the others are not yet detecting. That is one of its strengths. You sort of have to make your own decision about how likely it is to be one or the other conclusion. If the report is something the others are likely to already know about but aren't reporting, then I figure it's a "false positive".

Some (innocent) sites get infected and then cleaned on unpredictable intervals. Some sites are known to be "command-and-control" sites for botnets. These do not "get cleaned" but may vanish when they get taken offline.

DNS services are also subject to infection and exploitation, and they are external to your computer. They take a request from your computer to connect to a particular site, and when infected re-route the request to the malicious site instead. You may need to change your DNS service. If you don't understand how to do that (not unusual) then speak to your internet service provider tech support. But I would wait until after you try using the "verify local files" option.

-Dubious-

miraslovbaros85 (Author)
Posted January 9, 2020 (edited)

Hello,

Thank you so much for your response, I will try to re-download the executable via verification of local files and then patch it again.

Something similar that I tried is to recreate the scenario on another computer (downloading Fallout NV from Steam and all the patches from their official sources), but after scanning the executable (FalloutNV.exe) I only see that the file has an invalid signature; I honestly think that after patching it, for any reason, AV engines go crazy and start to get false positives.

Edit: Oh, one last thing, could anyone scan their executable on VirusTotal after patching it? It would be very much appreciated.

Thanks in advance.

Regards

Edited January 9, 2020 by miraslovbaros85

dubiousintent
Posted January 9, 2020

Just realized that perhaps you don't know, but VirusTotal only scans individual files you submit to it. It does not scan your system for any viruses that may be currently infecting it. If you suspect you might be infected, it is best to use several different AV scan programs to confirm it is clean. Such would be best run after booting from independent media such as a CD/DVD disk, to ensure it is not also infected. (Flash drives are easily infected. "Read Only" is a file or folder flag, not a lock. A "write once" DVD cannot be altered by a virus.)

I had my patched "steam" version exe scanned by VirusTotal and it reported "2 engines detected" "W32.HfsAutoB." = "PE.Heur.InvalidSig", which is a "heuristic" (generic) detection that the signature is not valid, and to be expected after patching.

-Dubious-
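
Why a patched executable draws the invalid-signature detection described in the post above, as an added example (not code from the thread, the 4GB Patcher or VirusTotal): a simplified Authenticode digest over a constructed PE32 skeleton, where a one-bit header change alters the signed digest while an edit to the CheckSum field or to the signature blob does not. The sample file, the `flip` helper and the patched offsets are assumptions chosen for illustration; the thread does not say which bytes the patcher changes.

```python
import hashlib
import struct

def authenticode_ranges(pe: bytes):
    """Byte ranges an Authenticode digest covers (assumes the signature is last in the file)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                                         # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                   # CheckSum field, 4 bytes
    cert_dir = opt + (128 if magic == 0x10B else 144)     # data directory entry 4
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir)
    end = cert_off if cert_size else len(pe)
    # Skipped: CheckSum, the certificate directory entry, the signature itself.
    return [(0, checksum), (checksum + 4, cert_dir), (cert_dir + 8, end)]

def authenticode_digest(pe: bytes) -> str:
    h = hashlib.sha256()
    for start, end in authenticode_ranges(pe):
        h.update(pe[start:end])
    return h.hexdigest()

def flip(pe: bytes, offset: int, mask: int) -> bytes:
    out = bytearray(pe)                                   # copy, then toggle bits
    out[offset] ^= mask
    return bytes(out)

def build_sample_pe() -> bytes:
    """Constructed PE32 skeleton: headers, 64 filler bytes, placeholder signature."""
    nt = 0x80
    hdr = bytearray(nt + 24 + 224)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, nt)
    hdr[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, nt + 20, 224, 0x0102)    # opt size, Characteristics
    struct.pack_into("<H", hdr, nt + 24, 0x10B)           # PE32 magic
    cert = b"CONSTRUCTED-SIGNATURE-BLOB"
    struct.pack_into("<II", hdr, nt + 24 + 128, len(hdr) + 64, len(cert))
    return bytes(hdr) + b"\x90" * 64 + cert

if __name__ == "__main__":
    pe = build_sample_pe()
    print(authenticode_digest(pe), authenticode_digest(flip(pe, 0x80 + 22, 0x20)))
```

The two digests printed are for the file as signed and for the same file with one bit of the COFF Characteristics field changed; a verifier comparing the second against the digest stored in the signature reports a mismatch.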

miraslovbaros85 (Author)
Posted February 18, 2020

Hi, sorry for this extremely late response.

At that time, I got the same report on VirusTotal after scanning my patched version. It seems like it was a false positive. However, the thing that, months ago, made me hesitant was the "Behavior" tab that VirusTotal has, to provide more information about the .exe, where it showed that the patched version attempted to connect to a strange server. But, if we got exactly the same report from VT, it is safe to assume that this attempt of connection, that VirusTotal says, might be a false positive.

In any case, thank you so much for your time and for sharing your result of VirusTotal, that really helped.

Kind regards, friend.