peteyt

Steam game Medal of Honor being flagged as PUA

Not sure if this is an actual PUA or a false positive. Recently downloaded Medal of Honor, a 2010 EA game, via Steam. I'd played it years ago but re-downloaded it to play the other day, and on launching it I got an ESET warning, possibly Augur, stating something got blocked. ESET has warned me it is potentially unsafe today and given me the options to exclude, ignore, etc., but the submit option is greyed out. As EA has sometimes not been the most reputable company where privacy is concerned, I wondered if this was related to this, but it picks the file up as BH/Crack.1, which shouldn't be the case as it was downloaded from Steam.

Thought I'd post it on here in case it was a false positive. Had to zip the file as I can't upload exes directly.

(attachment: moh.zip)

9 hours ago, peteyt said:

but it picks the file up as BH/Crack.1

Show a screen shot of the PUA alert. I have never seen an Eset detection that begins with "BH/."

17 hours ago, peteyt said:

Not sure if this is an actual PUA or a false positive. Recently downloaded Medal of Honor, a 2010 EA game, via Steam. I'd played it years ago but re-downloaded it to play the other day, and on launching it I got an ESET warning, possibly Augur, stating something got blocked. ESET has warned me it is potentially unsafe today and given me the options to exclude, ignore, etc., but the submit option is greyed out. As EA has sometimes not been the most reputable company where privacy is concerned, I wondered if this was related to this, but it picks the file up as BH/Crack.1, which shouldn't be the case as it was downloaded from Steam.

Thought I'd post it on here in case it was a false positive. Had to zip the file as I can't upload exes directly.

(attachment: moh.zip, unavailable)

Hahahaha, ESET is smart, knows that EA Games are PUA :D

On 4/5/2020 at 11:44 PM, itman said:

Show a screen shot of the PUA alert. I have never seen an Eset detection that begins with "BH/."

Will try and get one. Might not be able to get onto my desktop till Wednesday. Checked VirusTotal and nothing.

8 minutes ago, peteyt said:

Will try and get one. Might not be able to get onto my desktop till Wednesday. Checked VirusTotal and nothing.

Could be ESET Augur? But an Augur detection should come with the Augur name before the detection. Maybe they have corrected the FP.


It's a Deep Behavioral Inspection detection. It's possible to exclude it by the detection name or hash like anything else.

1 hour ago, Marcos said:

It's a Deep Behavioral Inspection detection. It's possible to exclude it by the detection name or hash like anything else.

Is it a false positive though? I just thought it was odd that it would flag up for a mainstream AA game.

18 minutes ago, peteyt said:

Is it a false positive though? I just thought it was odd that it would flag up for a mainstream AA game.

The Eset detection says it all. Eset is detecting it as cracked software. Looks like they are finally cracking down, pun intended, on that malware delivery method.

1 hour ago, itman said:

The Eset detection says it all. Eset is detecting it as cracked software. Looks like they are finally cracking down, pun intended, on that malware delivery method.

But that's my point: it can't be cracked, as it was downloaded from Steam the other day and hasn't been edited, patched, etc.

Unless there is a cracked version and ESET can't distinguish the two?

12 minutes ago, peteyt said:

But that's my point: it can't be cracked, as it was downloaded from Steam the other day and hasn't been edited, patched, etc.

Unless there is a cracked version and ESET can't distinguish the two?

Submit it to VT and see if anyone detects it as cracked.

1 minute ago, itman said:

Submit it to VT and see if anyone detects it as cracked.

Already did before I did the post. I don't even think ESET did on VT, but could be wrong. Hoping to get onto my desktop tomorrow to check fully.


All I can say is you appear to be the first one to ever get an Eset deep behavior detection. I for one have never seen anything showing a BH/... detection.


We are checking it; however, another AI also reports it as most likely unsafe.


17 hours ago, itman said:

Submit it to VT and see if anyone detects it as cracked.

But as it's coming from Steam, there shouldn't be any indication of cracks, because it's not a pirated copy or a cracked one.

17 hours ago, peteyt said:

Already did before I did the post. I don't even think ESET did on VT, but could be wrong. Hoping to get onto my desktop tomorrow to check fully.

Augur is not active on VT; it uses the database.

Edited by Nightowl

On 4/5/2020 at 11:44 PM, itman said:

Show a screen shot of the PUA alert. I have never seen an Eset detection that begins with "BH/."

I have attached a copy to show you. Only just been able to get back onto the computer now.

The first one shows the PUA alert. The submit for analysis window is greyed out. I have just been hitting ignore, and then straight afterwards the next window comes up showing it was blocked. I've only been playing the single-player campaign, which works fine; I haven't tried the online version, so I'm unsure what is being blocked, as at least single-player-wise everything is working fine.

(attached screenshot 1: PUAEset.jpg, the PUA alert)

(attached screenshot 2: PUAEsetBlock.jpg, the blocked notification)

Edited by peteyt

35 minutes ago, peteyt said:

I have attached a copy to show you.

My best guess at this point is the game since it is an old one, might be manifesting behavior associated with cracking activity. An example of this behavior is here: https://null-byte.wonderhowto.com/how-to/hacks-behind-cracking-part-1-bypass-software-registration-0132568/ .

An interesting Augur test would be to restore it from quarantine. Then set PUA default settings in Eset real-time section from "Balanced" to "Cautious." Note that the cautious setting corresponds to prior release 13.1 PUA detection level. Now try to run moh.exe and see if the same PUA alert is generated. Note that there are possible risks with this but it is the only way to determine if Augur's more aggressive settings are the source.


Please post the information about installed modules.

1 minute ago, Marcos said:

Please post the information about installed modules.

I have copied them below, but I'm unsure if I should have and apologise just in case; not sure if I should have included this in the insider forum.

Detection Engine: 21139P (20200409)
Rapid Response module: 16049P (20200409)
Update module: 1021 (20200218)
Antivirus and antispyware scanner module: 1561 (20200326)
Advanced heuristics module: 1198 (20200316)
Archive support module: 1301 (20200403)
Cleaner module: 1208 (20200319)
Anti-Stealth support module: 1163 (20200401)
Firewall module: 1402 (20200403)
ESET SysInspector module: 1276 (20200217)
Translation support module: 1795 (20200409)
HIPS support module: 1388 (20200331)
Internet protection module: 1395 (20200331)
Web content filter module: 1075 (20200310)
Advanced antispam module: 7852 (20200402)
Database module: 1110 (20190827)
Configuration module (39): 1866 (20200401)
LiveGrid communication module: 1061 (20200402)
Specialized cleaner module: 1014 (20200129)
Banking & payment protection module: 1182 (20200409)
Rootkit detection and cleaning module: 1025 (20191211)
Network protection module: 1683P (20200214)
Router vulnerability scanner module: 1067 (20200130)
Script scanner module: 1070 (20200406)
Connected Home Network module: 1035 (20191112)
Cryptographic protocol support module: 1042 (20200227)
Databases for advanced antispam module: 4704P (20200409)
Deep behavioral inspection support module: 1091 (20200211)
Advanced Machine Learning module: 1058 (20200401)
Telemetry module: 1059 (20200204)
Security Center integration module: 1020.1 (20200313)


What has changed is that the file is detected by Deep behavioral inspection as a potentially unsafe application, i.e. not with default settings. Since the file is not digitally signed and has suspicious characteristics, we'd recommend excluding it. It is indeed weird that a file by Steam would be like that.
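Two points raised in the thread, that the file is not digitally signed and that its hash can be looked up on VirusTotal or used for an ESET hash-based exclusion, can be checked locally. The script below is an added example, not from the thread or from ESET, and assumes the default Steam install path for moh.exe.

```powershell
# Added triage script, not from the thread. Reports the Authenticode status and SHA-256 of a game
# executable so the detection can be checked against VirusTotal or excluded by hash in ESET.
param(
    # Assumed default install path; pass -Path to point at the real moh.exe.
    [string]$Path = 'C:\Program Files (x86)\Steam\steamapps\common\Medal of Honor\moh.exe'
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# 'Valid' means a signature chained to a trusted publisher; 'NotSigned' matches what Marcos reported.
$sig = Get-AuthenticodeSignature -FilePath $Path
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

# SHA-256 is the identifier to paste into VirusTotal or into an ESET hash-based exclusion.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

[pscustomobject]@{
    File            = $Path
    SignatureStatus = $sig.Status
    Signer          = $signer
    SHA256          = $hash
    VirusTotalUrl   = "https://www.virustotal.com/gui/file/$hash"
}
```

A SignatureStatus other than Valid does not by itself mean the binary is malicious, only that publisher identity cannot be confirmed from the file alone.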


The problem here is deep behavior inspection is only supposed to be deployed on unknown processes:

(attached screenshot: Eset_DBI.png)

https://www.eset.com/int/about/newsroom/press-releases/research/eset-deep-behavioral-inspection-enables-deeper-monitoring-of-unknown-suspicious-processes/

LiveGrid reputation status clearly shows this is not an unknown process.


To begin, we are talking about 10 year old game software. Software like this is notorious for "dodgy" behavior.

AML, which also monitors API call behavior, sees something it hasn't been previously trained for. A fair assumption, since we are again talking about 10 year old software, which is a "stretch" to run on Win 10. It in turn passes control to deep behavior inspection for a "look see." DBI is now running outside of normal context w/o LiveGrid analysis feedback. DBI sees API behavior related to cracking activity. Again, we are talking about 10 year old game software that may indeed be using such in regards to anti-crack protection. In reality only the game software developer really knows what is going on, but I believe the previous scenario is a reasonable one.

Edited by itman


I believe the only thing that might do a dodgy behaviour is the anti-tamper software, which is

SecuROM 8 and SecuROM PA DRM, 5 machine limit.


I forgot about the DRM aspect. And that very well might be the crack Eset is detecting. Medal of Honor (2010) indeed has it for online activation: https://www.pcgamingwiki.com/w/index.php?title=Special:Ask&offset=100&limit=100&q=[[Category%3AGames]]+[[Uses+DRM%3A%3AOnline+activation]]&p=format%3Dtemplate%2Ftemplate%3DDRM-20list-2Frow%2Fintrotemplate%3DDRM-20list-2Fintro%2Foutrotemplate%3DDRM-20list-2Foutro&po=%3FDeveloped+by %3FPublished+by %3FRelease+date %3FAvailable+on

I would contact Steam and see if they can shed some light on what is going on here.


What I did notice is that Medal of Honor (2010) can be downloaded from the publisher: https://www.ea.com/games/medal-of-honor/medal-of-honor for $4.99 versus Steam's price of $19.99. So they might only be hosting cracked software but grossly overcharging to boot.

Edited by itman
