Upon attempting to run the Tie Dynamic Cockpits installer, my AV reported it detected that the application was attempting to adapt and encrypt several system files. One of these was C:\ProgramData\NVIDIA Corporation\Drs\nvdrssel.bin .
I can't see why a patch for a game should need to alter a file in ProgramData, so I've blocked it.
The full error:
The process C:\Users\Thrawn\Downloads\TieDynamicCockpits_v2.0.exe manifests ransomware behavior and was blocked. Several files were encrypted but we successfully restored all of them. You can find the restored files list below....
Just FYI.
AV Error: "TieDynamicCockpits_v2.0.exe manifests ransomware behavior and was blocked"
- Driftwood
- Posts: 2174
- Joined: Wed Oct 22, 2003 11:01 pm
That's strange, what antivirus are you using?
Historically with this project any virus warnings are all false positives.
- Forceflow
- Posts: 7219
- Joined: Wed Oct 20, 1999 11:01 pm
That installer should not touch anything outside of the XWA directory. I am pretty sure that when I last used it, it didn't do anything else. It might be a false positive, though it seems to be a bit specific for that.
Could you check the MD5 checksum of the installer in the windows command-line:
Code:
CertUtil -hashfile <path to file> MD5
Murphy was an optimist! I am a pessimist!
And always remember that a smile is cheaper than a bullet! (District 9)
Webmaster of the X-Wing Alliance Upgrade Project
- Forceflow
- Posts: 7219
- Joined: Wed Oct 20, 1999 11:01 pm
nww02 wrote: ↑ Sun Aug 02, 2020 8:52 pm
Upon attempting to run the Tie Dynamic Cockpits installer, my AV reported it detected that the application was attempting to adapt and encrypt several system files. One of these was C:\ProgramData\NVIDIA Corporation\Drs\nvdrssel.bin .
I can't see why a patch for a game should need to alter a file in ProgramData, so I've blocked it.
The full error:
The process C:\Users\Thrawn\Downloads\TieDynamicCockpits_v2.0.exe manifests ransomware behavior and was blocked. Several files were encrypted but we successfully restored all of them. You can find the restored files list below....
Just FYI.
This is the result you should get with CertUtil:
Code:
CertUtil -hashfile "TieDynamicCockpits_v2.0.exe" MD5
MD5 hash of TieDynamicCockpits_v2.0.exe:
4a805a0d244a19a139b79a5fc70c8399
CertUtil: -hashfile command completed successfully.
Murphy was an optimist! I am a pessimist!
And always remember that a smile is cheaper than a bullet! (District 9)
Webmaster of the X-Wing Alliance Upgrade Project
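The hash check requested above, as an added PowerShell example that is not part of the original posts or the project's tooling. The helper name `Test-InstallerHash` is hypothetical and the download path is an assumption based on the path in the AV message; the expected MD5 is the value posted in this thread.

```powershell
# Added example; Test-InstallerHash is a hypothetical helper name.
function Test-InstallerHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedMd5
    )

    # Older CertUtil builds print the digest as space-separated bytes,
    # so strip everything that is not a hex digit before comparing.
    $expected = ($ExpectedMd5 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($expected.Length -ne 32) {
        throw "Expected MD5 must be 32 hex digits, got $($expected.Length)."
    }

    # Hash the file on disk without executing it.
    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5 -ErrorAction Stop).Hash
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash

    [pscustomobject]@{
        File   = (Resolve-Path -LiteralPath $Path).Path
        MD5    = $md5
        SHA256 = $sha256      # recorded for reporting; the thread publishes only MD5
        Match  = ($md5 -eq $expected)
    }
}

# Assumed location of the download; adjust to where the installer was saved.
$installer = Join-Path $env:USERPROFILE 'Downloads\TieDynamicCockpits_v2.0.exe'

# MD5 as posted in this thread for TieDynamicCockpits_v2.0.exe.
$result = Test-InstallerHash -Path $installer -ExpectedMd5 '4a805a0d244a19a139b79a5fc70c8399'
$result | Format-List

if (-not $result.Match) {
    Write-Warning 'MD5 differs from the posted value: this is not the same file. Do not run it.'
}
```

A match only shows the download is byte-for-byte the file that was hashed for the thread; it does not by itself settle whether the AV detection is a false positive. The SHA-256 is included so the exact file can be identified when submitting it to the AV vendor for review.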
- capitanguinea
- Posts: 226
- Joined: Sun Aug 30, 2015 3:59 pm
It could be a dormant virus that operates when another piece of software uses InstallShield. You have to track back exactly what files were active during installation. If you detect anomalies in files not in use by a program, you have your suspect.