
Version 2.7.3.3 Update in ACT shows supposed malware being downloaded

Open StarcallerJae opened this issue 8 months ago • 15 comments

Specifically, Trojan:Win32/Kepavll!rfn

Image

StarcallerJae avatar Apr 25 '25 04:04 StarcallerJae

Latest version is also being flagged by Eset's NOD32 (fully updated, detection engine version 31094, dated 2025/04/25), listing the detected threat as Win64/HackTool.RustRegion.C

Image

Schnoofles avatar Apr 25 '25 10:04 Schnoofles

My computer won't even let me download it since it thinks it's a virus

nep63 avatar Apr 25 '25 22:04 nep63

Same issue, on Windows 10. Downloading from ACT's own site causes the same issue. Defender detects it as a virus.

Mentaelis avatar Apr 26 '25 11:04 Mentaelis

Same. Can't download the parsing plugin because everything thinks it's a virus, to the point of not letting me do anything with it. Hopefully the issue is fixed soon.

warmybear avatar Apr 28 '25 09:04 warmybear

Same issue, Windows 11 24H2

Was able to work around it by disabling Defender AV temporarily:

  1. Open the Windows Security app
  2. Under Virus & threat protection, click "Manage settings"
  3. Turn off "Real-time protection"
  4. Update the plugin using ACT as normal
  5. Turn on "Real-time protection"

DhakaWolf avatar Apr 29 '25 01:04 DhakaWolf

DO NOT under ANY circumstances disable Defender to continue using ACT.

cptroot avatar Apr 29 '25 14:04 cptroot

> DO NOT under ANY circumstances disable Defender to continue using ACT.

Temporarily. Just download the plugin and enable immediately afterwards.

DhakaWolf avatar Apr 29 '25 14:04 DhakaWolf

> DO NOT under ANY circumstances disable Defender to continue using ACT.

> Temporarily. Just download the plugin and enable immediately afterwards.

They are trying to tell you that you never know what code is or isn’t included in the release .exe / .dll that is or isn’t in the open source code. Until verified, you should never trust any code flagged as malware unless proven otherwise.

Just because it is what you once knew as a safe ACT, does not mean it is the same safe ACT after the code becomes flagged as malware after a merge pull request and new update. Wait for it to be fixed, do not just “allow the malware to download”

CordeliaMist avatar Apr 29 '25 15:04 CordeliaMist

> Just because it is what you once knew as a safe ACT, does not mean it is the same safe ACT after the code becomes flagged as malware after a merge pull request and new update. Wait for it to be fixed, do not just “allow the malware to download”

This is the source code to the file being flagged: https://github.com/ff14wed/deucalion Look at it all you want. I'm pretty sure there are no plans to make another build just to "evade" bad detections. The library is up front about what it does and some companies call that a HackTool or PotentiallyUnwantedApplication.

Keep in mind that ACT, the FFXIV parsing plugin and deucalion are all made by a different person each. Make sure you understand that distinction when you decide what to trust or not.

EQAditu avatar Apr 29 '25 15:04 EQAditu

> Just because it is what you once knew as a safe ACT, does not mean it is the same safe ACT after the code becomes flagged as malware after a merge pull request and new update. Wait for it to be fixed, do not just “allow the malware to download”

> This is the source code to the file being flagged: https://github.com/ff14wed/deucalion Look at it all you want. I'm pretty sure there are no plans to make another build just to "evade" bad detections. The library is up front about what it does and some companies call that a HackTool or PotentiallyUnwantedApplication.

> Keep in mind that ACT, the FFXIV parsing plugin and deucalion are all made by a different person each. Make sure you understand that distinction when you decide what to trust or not.

Thank you for the clarification and source flag identifier. I also apologize if my reply seemed to be directing the issue at your code, I should have said "safe Code" over "safe ACT"

CordeliaMist avatar Apr 29 '25 16:04 CordeliaMist

VirusTotal suggests that Microsoft now considers this as PUA:Win32/GameHack with at-rest scanning. So soon temporarily disabling real-time protection to install it will not be enough. You will need to add an exception. You should already know this is a game hack, so Microsoft will likely not change their determination but at least they are honest.

EQAditu avatar Apr 29 '25 17:04 EQAditu

Makes sense, I had tried doing the exclusion to do the download at first and had no luck so that tracks.

DhakaWolf avatar Apr 29 '25 17:04 DhakaWolf

> VirusTotal suggests that Microsoft now considers this as PUA:Win32/GameHack with at-rest scanning. So soon temporarily disabling real-time protection to install it will not be enough. You will need to add an exception. You should already know this is a game hack, so Microsoft will likely not change their determination but at least they are honest.

At the risk of asking a stupid question, is deucalion at all the sort of thing Microsoft would somehow normally flag, or is this just random Microsoft bs?

warmybear avatar Apr 29 '25 18:04 warmybear

It's possible that a random user submitted the file to Microsoft asking for the Trojan flag to be removed and the Microsoft employee decided to give it this new determination manually.

EQAditu avatar Apr 29 '25 18:04 EQAditu

Looks like a lot of AVs are flagging it, mostly with generic flags. Idk if this is any help, just thought I'd throw the zip at VirusTotal to take a peek.

https://www.virustotal.com/gui/file/70411b861a0e7a1f9e44bb6a3091bc24443eb009fd6b810402f5802078926f64

steakwipe avatar May 04 '25 02:05 steakwipe
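Added example, not code from the project or any participant in this thread: before relying on someone else's VirusTotal report, confirm that the archive on your own disk has the same SHA-256 as the one that was analysed (the digest below is the one from the VirusTotal URL posted above). A different digest means you are holding a different artifact, whatever the report says. The file path is whatever you downloaded; the table of known digests is a constructed placeholder you maintain yourself.

```python
"""Check that a downloaded plugin archive is the exact file whose scan
results you looked up, by comparing SHA-256 digests."""
import hashlib
import sys

# Digests taken from scan reports you have actually read. The only entry
# here is the zip steakwipe submitted (digest copied from the VirusTotal
# URL in the thread); add others as new reports appear.
ANALYSED_SHA256 = {
    "70411b861a0e7a1f9e44bb6a3091bc24443eb009fd6b810402f5802078926f64":
        "FFXIV_ACT_Plugin zip submitted to VirusTotal, May 2025",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large archives are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(digest: str, known=ANALYSED_SHA256):
    """Return the label of the analysed artifact this digest belongs to,
    or None when the digest is not one you have a scan report for."""
    return known.get(digest.lower())


if __name__ == "__main__":
    # Usage: python check_download.py path\to\FFXIV_ACT_Plugin.zip
    digest = sha256_of_file(sys.argv[1])
    label = verify(digest)
    print(f"SHA-256: {digest}")
    if label is None:
        print("UNKNOWN: this is not the file whose scan report you read")
        sys.exit(1)
    print(f"matches analysed artifact: {label}")
```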