False Positives and Malware
-
This is a very short guide to some forms of false positives you may see in the file-sharing scene.
Introduction:
There are several types of false positives you may see in the wild when downloading files.
First and foremost, I would recommend that you refrain from accusing people of spreading malware unless it is confirmed via testing.
This entire website is based on reputation, and falsely accusing someone of spreading malware could mean halting their file sharing, and it discourages people from uploading in the first place.
False positives can be caused by a host of things; the most common causes I have found are as follows:
-
Nested Archives:
If an archive (zip, rar, rar5, or 7z) contains more archives, it seems apt to trigger a false positive in quite a few programs. I am unsure why this is, but this is how I was previously banned from vrmodels without the ability to appeal my ban.
-
Aggressive Filter Settings:
Certain browsers have built-in protection settings to stop tech-illiterate users from downloading pretty much all files, or quite a few of them. Edge is one such browser, as Windows Defender and the SmartScreen filter are built into its functionality, making it quite aggressive at preventing you from "downloading malware."
-
Poor-Quality Antiviruses:
Several antiviruses are quite stupid, to say the least. A dumb antivirus that approaches everything like it's a threat is not the best, and quite a few antiviruses subscribe to the "protection by prevention" sort of mentality and will just prevent downloading completely benign files.
-
"This File Isn't Commonly Downloaded":
Yet another file download prevention, but a bit more rare: some browsers, depending on settings, will give a "this file isn't commonly downloaded" error and prevent downloading newly uploaded files. This is most common in Chromium browsers as far as I could tell.
-
MD5 Hash Look-Alikes:
Quite a few rather bad antiviruses don't scan the behavior of files; rather, they look at the digital fingerprint of the file known as its hash. This isn't very robust: it may be rare, but two completely different files can have the same or similar-enough hashes to trip certain antiviruses.
-
Password Protection IS Obfuscation:
In the malware scene and also the piracy/cracking scene, password-protected archives are used to PREVENT SCANNING. While it is true that this is used in actual malware (and crack) delivery to prevent scanning of archives, some sites (e.g. MediaFire) also use automated file hash comparisons, so you may see this used to prevent auto-DMCAs. Some tools choose the nuclear approach and just go "anything I cannot scan properly is unsafe."
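As an added example, not code from the original guide, here is a small Python inspector for the nested-archive, password-protection and hash points above: it walks a zip recursively, flags members that are themselves archives, flags encrypted (password-protected) entries that cannot be read, and records each readable member's SHA-256, so you can see what an archive actually contains before deciding whether a scanner's verdict is a false positive. The sample archive is constructed in memory; rar/7z members are only flagged because the standard library cannot open them.

```python
import hashlib
import io
import zipfile

# Extensions a scanner tends to treat as "an archive inside an archive".
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".tar", ".gz", ".unitypackage")


def inspect_zip(data: bytes, prefix: str = "", depth: int = 0) -> list:
    """Recursively list the file members of a zip blob as dicts with path
    (nested members written as outer.zip!/inner), depth, encrypted flag,
    nested_archive flag and sha256 (None for encrypted entries, which cannot
    be read without the password). Nested zips are opened in memory;
    rar/7z members are only flagged because the stdlib cannot open them."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted entry
            nested = path.lower().endswith(ARCHIVE_EXTS)
            rec = {"path": path, "depth": depth, "encrypted": encrypted,
                   "nested_archive": nested, "sha256": None}
            if not encrypted:
                content = zf.read(info)
                rec["sha256"] = hashlib.sha256(content).hexdigest()
            records.append(rec)
            if nested and not encrypted and zipfile.is_zipfile(io.BytesIO(content)):
                records.extend(inspect_zip(content, path + "!/", depth + 1))
    return records


def build_sample() -> bytes:
    """Constructed sample: outer.zip holding readme.txt and inner.zip, where
    inner.zip holds model.json (the nested-archive case from the guide)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("model.json", '{"name": "avatar"}')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", "hello")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for rec in inspect_zip(build_sample()):
        print("  " * rec["depth"], rec["path"], rec["sha256"], rec["nested_archive"])
```

To inspect a real download, read the file's bytes and pass them to inspect_zip; an entry reported as encrypted is exactly the "cannot scan properly" case some tools treat as unsafe.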
-
Some Compression Algorithms Just Look Shady to Antiviruses:
Yeah, it sounds pretty stupid, but it is true: whichever archiving tool and algorithm is used will affect how certain antiviruses interpret a file. This is just a limitation of how this stuff works.
-
Text Equals Script, Right?:
Once upon a time, I 7zipped a JSON file with 7zip. Now, nothing weird here; JSON is essentially a plaintext txt file. But no: since 7zip can be scripted, Windows Defender immediately threw a fit and read it as a scripted/infected archive. Very silly, but oh well.
Can your antivirus detect malware in Unity anyway?
It may sound a little bit silly, but actually it isn't quite as silly as it sounds. UnityPackages can't even be scanned properly; they are proprietary formats that aren't shared with antivirus developers. The only way you can actually scan a UnityPackage is to decompress it in Unity and make it readable by your antivirus, at which point you have already run the malicious code.
(unless you're using FACS Safe Import to prevent loading on import)
So you've confirmed there's malware
Well, it's finally happened. Hate to see it, but sometimes it happens; here are some things to do.
(I am not an expert)
-
If the malware is detected by an antivirus on import: run a full scan; if you have a tool that checks recent file activity, check for weird files dropped; then revoke your tokens (password reset) on key sites to be safe (Discord, Google, anything) and you should be fine.
(doing the password resets on a separate device would be safest)
-
If the malware is detected by an antivirus sometime after import: run a full scan, and if your AV asks for a restart, do not restart with the internet connected; if you have a tool that checks recent file activity, check for weird files dropped like your life depends on it; check your registry for new entries; look at your internet settings and your path file for new entries; reset your tokens (password reset) on key sites on another machine (preferably connected to another network, as your router might need a reset) to be safe (Discord, Google, anything); and be ready to issue chargebacks if worse happens.
-
If the malware is not detected by an antivirus but you notice it quickly: you might as well do a scan, but do not expect results; this is likely to be an entirely manual job. Do not restart at all until we are done. Pull the plug on your network modem and router; you are probably in the process of being ratted, botted, or password-jacked. Reset your tokens on key sites on another machine on another network to be safe, and freeze your credit card/bank accounts. If you have a tool that checks recent file activity, check for weird files dropped like your life depends on it, and if you have a network sniffer, check outgoing packets to see the damage. Check your registry for new entries, and look at your internet settings and path file. After you feel you have removed everything, do an internet-less restart and see if anything has changed; otherwise, if you feel uneasy, re-install Windows.
-
If you learn about some malware later on, repeat the previous section, but also wipe/format your drive and re-install Windows, re-flash your motherboard, factory reset your modem, and format, re-install, and re-flash other computers on the network, as they may have had a shell put on top of them.
(Again, spit-balling; go to actual experts who don't charge an arm and a leg in a shop for better guides)
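As an added example, not from the original post, here is a minimal "recent file activity" check in Python for the steps above: it walks chosen folders, lists files written within a time window, newest first, and flags executable or script extensions so a fresh drop stands out. The sample folder is constructed in a temporary directory; in real use you would point roots at your user profile, Downloads, temp folders and the Unity project, and review the hits by hand.

```python
import os
import tempfile
import time
from pathlib import Path

# Extensions worth a second look when they show up as freshly written files.
SUSPECT_EXTS = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr", ".lnk"}


def recent_files(roots, since_seconds, now=None):
    """Walk the given directories and return files modified within the last
    since_seconds as (path, age_seconds, suspicious) tuples, newest first."""
    now = time.time() if now is None else now
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                try:
                    st = p.stat()
                except OSError:
                    continue  # unreadable or already gone; keep walking
                age = now - st.st_mtime
                if age <= since_seconds:  # a negative age (future mtime) is kept too
                    hits.append((str(p), age, p.suffix.lower() in SUSPECT_EXTS))
    hits.sort(key=lambda h: h[1])
    return hits


def build_sample_tree(base):
    """Constructed sample: a week-old notes.txt plus a UnityPackage and a DLL
    written just now (the kind of 'weird drop' the steps above look for)."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    old = base / "docs" / "notes.txt"
    old.write_text("old notes")
    week_ago = time.time() - 7 * 86400
    os.utime(old, (week_ago, week_ago))  # backdate so it falls outside the window
    (base / "docs" / "avatar.unitypackage").write_bytes(b"constructed")
    (base / "helper.dll").write_bytes(b"constructed")
    return base


def demo(window_seconds=3600):
    """Build the sample tree in a temp dir; report (name, suspicious) per hit."""
    base = build_sample_tree(tempfile.mkdtemp())
    return [(Path(p).name, sus) for p, _age, sus in recent_files([base], window_seconds)]
```

Run demo() to see the two fresh files reported and the week-old one left out; the DLL is the one flagged as suspicious.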
Witch-hunt Time? Let's DOX and SWAT This Guy?
Actually, no, believe it or not. Depending on the circumstances, malware can be spread accidentally and unwittingly; the context matters immensely. Let's give some examples of unwitting malware-spreading scenarios:
-
User has a virus auto-infecting 7zip/rar/zip archives:
7zip viruses are very hard to detect outside of very specific antiviruses, BUT if found, it's pretty easy to tell if it was meant to be spread; bonus points if it has nothing to do with VRChat and is just general malware (e.g. a document/PDF stealer).
-
Lack of Testing and Constant Mirroring of Infected Files:
In this silly game of telephone we play, the same file ends up getting passed along in circles and circles. Often malware goes unnoticed for years, until long after it's too late to find the original source. Imagine you're a file hoarder: someone asks for DPS, and you send it, not realizing that the file, passed around 50 times, was ratted by Sanctuary.
-
"File verified! No viruses detected!"
Ah yes, vrmodels.store, once again. Earlier I mentioned Sanctuary; this will be important. vrmodels doesn't really seem to test files properly, and despite having BUGGED PACKAGES THAT DON'T IMPORT, they mark them as "File verified! No viruses detected!", which tells me they don't scan UnityPackages unpacked. Now, back in 2021/2022, there was a group/person running a site named Sanctuary. Sanctuary had ratted ALL of their files, which were proudly mirrored with the tagline: "File verified! No viruses detected!".
When to call out the person and not the file
Pretty simple, honestly: if you're tech-inclined, start going through the person's upload history and look for patterns. If every UnityPackage from said user differs from the original source file, or contains the same (or similar) "build your own skid bootloader and token stealer 9000", then it's a very safe bet to tell the person to get lost in a hole.
AFAIK User Is Screwed Either Way
Spreading malware is kind of a zero-tolerance thing anyway, so if it happens in any way except MAYBE mirroring another's link, that user is a goner either way.
Safety when messing with Untrusted Files
I recommend having ProcMon, RegMon, FileMon, and InControl, and having AT LEAST ProcMon and FileMon running in the background when messing with things you don't fully trust. ProcMon monitors processes; FileMon monitors changes to the filesystem. FACS Safe Import should also help prevent DLLs from autoloading on import with Unity if set up correctly. And stay away from untrusted sources like the plague: Sanctuary/akiisoba was proof people are dumb enough to load up an entire file service with malware.
-
By the way, if anyone else knows of more things that can cause false positives, let me know and I can update this article. Cheers!
-
This has been updated a little.