Avira finds malware on Classic99 when I try to extract files


Ayrhead

Hi!

I downloaded Classic99 from http://www.harmlesslion.com/software/Classic99.

When I extract, Avira thinks cartpack.dll contains something named HEUR/APC and quarantines it.

 

My understanding of emulators is very superficial and I know nothing of TI-99. My girlfriend has just played Parsec in her childhood, and I'm trying to get it working on our computer.

Link to comment

I've gotten false positives a couple of times over the years - I used to use Avira and Trend Micro and both did it. I also contacted tech support for both, and basically got nothing but a runaround. They could neither tell me why the software triggered (especially since I built it on the same machine that later complained about it) nor what to do to prevent it. With Trend Micro I went around with support more than two months, twice (once for a work product).

 

If you ever have a concern, you can hit https://www.virustotal.com/gui/home/upload - you can upload the Classic99.exe and it will run it through several dozen virus detection engines - it's helpful for weeding out false positives. (I thought it used to extract and scan inside zips, but when I tried it just now it didn't appear to scan inside).

 

The details and behaviour tabs will also tell you a lot about what's going on inside. It actually runs the program and watches what files are accessed for read and write, and reports them.

 

It's showing clean here on all engines except 'Rising' which thinks it's a trojan. I'm not sure why it thinks that, and it's impossible to find out, but the behaviour tab doesn't show anything I'd consider unusual - in particular the only file it writes is classic99.ini. On a rescan it changed its mind, so, go figure.

 

Full source code for Classic99 is also available at https://github.com/tursilion/classic99 - so you can also look up any behaviours you question. You can also build it yourself, but, I admit it's not been set up to be easy for someone else to build. The source is offered for educational use only, not derivative works.

 

Link to comment
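The post above notes that VirusTotal did not appear to scan inside the zip. One way to check a single member such as cartpack.dll is to hash each file in the archive and search VirusTotal for that SHA-256. This is an added example, not part of the thread or of Classic99; the sample file contents are constructed placeholders and the size cap is an assumed value.

```python
import hashlib
import io
import zipfile

MAX_MEMBER_BYTES = 256 * 1024 * 1024  # assumed cap against decompression bombs

# Constructed sample contents; NOT the real Classic99 files.
SAMPLE_FILES = {
    "Classic99.exe": b"constructed placeholder for the emulator binary",
    "cartpack.dll": b"constructed placeholder for the quarantined DLL",
}

def build_sample_zip():
    """Build a small constructed archive in memory, including a directory entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/", b"")
        for name, data in SAMPLE_FILES.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

def hash_zip_members(source, max_bytes=MAX_MEMBER_BYTES):
    """Return {member name: SHA-256 hex} for each file in a zip (path or file object).

    Members are streamed from the archive in memory; nothing is extracted to disk.
    """
    digests = {}
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            sha256, total = hashlib.sha256(), 0
            with archive.open(info) as member:
                for chunk in iter(lambda: member.read(65536), b""):
                    total += len(chunk)
                    if total > max_bytes:  # count real bytes, not the header's claim
                        raise ValueError(f"{info.filename}: exceeds {max_bytes} bytes")
                    sha256.update(chunk)
            digests[info.filename] = sha256.hexdigest()
    return digests

if __name__ == "__main__":
    for name, digest in hash_zip_members(build_sample_zip()).items():
        print(f"{digest}  {name}")
```

A hash search only returns a report if someone has already submitted that exact file; otherwise the member still has to be uploaded on its own.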

Any anti-virus which utilizes behavior analysis will by default find executables outside of "Program Files" and "Program Files (x86)" suspicious until determined otherwise.  Most of the time the executable may take a while to launch the first time as the security software runs the binary in a virtual machine to determine if it does anything bad.  AVG (Avast) cyber-capture will allow the program to interact with the user for a while, then kill the VM and restart the program proper if it determines it does nothing malicious.

Link to comment

28 minutes ago, OLD CS1 said:

Any anti-virus which utilizes behavior analysis will by default find executables outside of "Program Files" and "Program Files (x86)" suspicious until determined otherwise.  Most of the time the executable may take a while to launch the first time as the security software runs the binary in a virtual machine to determine if it does anything bad.  AVG (Avast) cyber-capture will allow the program to interact with the user for a while, then kill the VM and restart the program proper if it determines it does nothing malicious.

I dunno, I run a lot of software outside of Program Files that never trips, and always have. Some AV might, but not while I was a user of it. ;) And the work software I fought with Trend over /was/ in Program Files.

 

But I also suspect that a lot of AV increase their trust level on signed binaries, and someday I'll cough up for a cert to prove that. ;)

 

Now that I think about it, I also fought with Trend Micro over marking my whole website as suspicious, and specifically noting that they had reviewed it and determined it as such. They removed it when I complained but never addressed my complaint about calling it reviewed when it was clearly an automated flag... they just kept telling me to add it to my exclusions list.

 

Link to comment