unityspy
UnitySpy.dll detected as malware by some antivirus engines
Uploading UnitySpy.dll to https://www.virustotal.com results in some engines flagging the DLL as malware:

I wanted to know what piece of code was raising the flag, so I've started removing some code from the DLL and submitting it to the scan until I had a full green result.
I did two tests, removing the code in a different order:
- In https://github.com/hackf5/unityspy/tree/investigate_antivurs_scan, I started to remove the Util package, then slowly removed some code from the Detail package. The code present in the branch still fails the 9 antivirus checks. However, if I remove any line from ITypeDefinition or IFieldDefinition (and their corresponding implementation), the test is suddenly green, even though the methods do nothing and are never called.
- In https://github.com/hackf5/unityspy/tree/test2_antivirus I then did it the other way around: start by removing code from the interfaces (and the implementations), then from the classes in Detail. The code present in the branch fails the 9 engines. However, if I remove any line from what's left of TypeCode, the result is suddenly full green. (maybe worth noting: if I remove one line, and replace it with a random value, it still fails)
In short, I have no clue as to what's going on :/
And it looks like some antiviruses don't like when your like is called "HackXXX" (because that's what real badass malwares call themselves). I'll change the name of the projects to just UnitySpy to make them happy, if that's ok with you
I've been struggling with HackF5.UnitySpy.Gui project compilation ('Access to the path 'C:\Workspace\unityspy\src\HackF5.UnitySpy.Gui\obj\Debug\Hack.UnitySpy.Gui.exe' is denied.')
I removed pretty much everything from the project (all references, all classes) so it has almost nothing. However, it was still blocked by the antivirus. The problem was in the assembly name.
I've tried to build an empty .NET Core console project whose assembly name is "Hack.Spy", without success. Now I see: if your executable assembly name has got enough "malware" words (like spy + hack), it is gonna be blocked by some ultrananoaipowered supersecret antimalware technique. Fun and sad at the same moment...
P.S.: I use Bitdefender
Yeah, I really don't understand why this would be a thing.
So in the end it worked properly after renaming?
@sebastientromp, when I remove either "hack" or "spy" from HackF5.UnitySpy.Gui assembly name it works fine
Good to know, that's what I did as well (and was one of the primary reasons I'm now working on the fork and not the original repo anymore)