Apas 0 Posted May 2
Hi, since the last update of the game "Helldivers 2" on Steam the file D:\Programme\Steam\steamapps\common\Helldivers 2\data\game\game.dll is reported as a variant of Win64/Packed.Themida.L and deleted. This is a known problem in the community and occurs only with ESET and no other antivirus. I don't want to just create an exclusion for the file. Would be nice if someone can look into the matter.... Greetings Apas
Administrators Marcos 5,446 Posted May 3
Please provide logs collected with ESET Log Collector.
MK369 0 Posted May 5
I'm having the same problem. Did a search and I'm seeing everyone with ESET security and playing Helldivers 2 is having the same problem. Will this be fixed in a way that I don't have to do anything but wait? I'm not good with computer programming stuff. The only fix I'm seeing currently is changing settings in ESET, which I don't clearly understand. I'd rather not do that and possibly mess something up.
Administrators Marcos 5,446 Posted May 5
1 hour ago, MK369 said: I'm having the same problem. Did a search and I'm seeing everyone with ESET security and playing Helldivers 2 is having the same problem. Will this be fixed in a way that I don't have to do anything but wait? I'm not good with computer programming stuff. The only fix I'm seeing currently is changing settings in ESET, which I don't clearly understand. I'd rather not do that and possibly mess something up.
Please provide logs collected with ESET Log Collector as I requested in my post above.
MK369 0 Posted May 5
42 minutes ago, Marcos said: Please provide logs collected with ESET Log Collector as I requested in my post above.
Hello, did the log collector and opened a case. Thanks
itman 1,800 Posted May 5 (edited)
Per VirusTotal analysis: https://www.virustotal.com/gui/file/ab920976c7aebc1d3c50a9ef23b3a2eda36551002f37f466b1664aecd4f684e4/details , the .dll is code signed, which would further indicate it's a legit file. The ESET detection of a variant of Win64/Packed.Themida.L indicates the .dll file is using software code protection, making it impossible for ESET to scan the file. Code protection is deployed by developers to prevent their code being stolen via reverse engineering methods. It is also used by malware developers for the same reason.
Edited May 5 by itman
Administrators Marcos 5,446 Posted May 6
Please upload your ELC logs here. Attachments can be accessed only by ESET staff.
itman 1,800 Posted May 6 (edited)
FYI:
Quote: Helldivers 2 & nProtect GameGuard (anti-cheat) DEVELOPER Hi everyone, My name is Peter Lindgren and I'm the Technical Director of HELLDIVERS 2. I've been making games at Arrowhead since the Magicka days and I've been involved in every game we've released to date. I will do my best in this post to address the concerns and confusion that have come up recently regarding the choice of anti-cheat software in HELLDIVERS 2. So, let's start off with the more urgent questions: Is GameGuard a kernel-level / administrator-privilege anti-cheat? Yes, GameGuard is a "kernel-level", aka rootkit, anti-cheat. Most anti-cheats run at "kernel-level", especially all of the popular ones. It's unfortunately one of the more effective ways to combat cheating. https://www.reddit.com/r/Helldivers/comments/19dp2qw/helldivers_2_nprotect_gameguard_anticheat/
Bottom line - when you run this software, a kernel mode rootkit is being deployed. It's the user's decision whether to use the software, since there is always the possibility it could be used maliciously.
Edited May 6 by itman
itman 1,800 Posted May 6
Finally, from the developer of the Themida protector software, what its users can do to prevent AV software from detecting it as malware: https://www.oreans.com/help/tm/hm_virus.htm .
Administrators Marcos 5,446 Posted June 14
29 minutes ago, kalima said: Same issue with latest Patch 01.000.400.
Please create a detection exclusion with the detection name Win64/Packed.Themida.L and the appropriate path in which Steam creates files that are detected. The thing is that the application downloads chunks of the file with zeroes inside and assembles the final file in the end. As a result, the digital signature of the chunks is invalid and the detection is triggered since Themida protector is used.
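A practical check for the situation Marcos describes, as an added PowerShell example that is not part of the thread and not ESET's or Steam's own tooling: before deciding on an exclusion, confirm that the assembled game.dll verifies as signed, compare its hash with a reference, and estimate how much of it is still zero-filled. Assumptions: the path is the one quoted in the first post, and the reference hash is the VirusTotal sample itman linked, which will change with every game patch.

```powershell
# Added example (not from the thread): is game.dll a fully assembled, validly
# signed file, or does it still contain zero-filled download chunks?
function Test-GameDll {
    param(
        # Assumed path, taken from the first post in the thread.
        [string]$Path = 'D:\Programme\Steam\steamapps\common\Helldivers 2\data\game\game.dll',
        # Assumed reference: the VirusTotal sample linked above; stale after a patch.
        [string]$ReferenceSha256 = 'ab920976c7aebc1d3c50a9ef23b3a2eda36551002f37f466b1664aecd4f684e4'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Verdict = 'missing'; Detail = "not found: $Path" }
    }

    # 1. Authenticode: a file that still contains zero-filled chunks does not
    #    hash to what the signature covers, so Status will not be 'Valid'.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 2. Content hash, compared with the reference sample.
    $sha = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()

    # 3. Share of 64 KiB blocks that are entirely zero bytes. A few are normal
    #    (section padding); a large share means the download is not complete.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 65536
        $zeroBlocks = 0; $blocks = 0
        while (($n = $fs.Read($buf, 0, $buf.Length)) -gt 0) {
            $blocks++
            [Array]::Clear($buf, $n, $buf.Length - $n)   # drop stale tail bytes
            $allZero = [System.Linq.Enumerable]::All([byte[]]$buf, [Func[byte,bool]]{ param($b) $b -eq 0 })
            if ($allZero) { $zeroBlocks++ }
        }
    } finally { $fs.Dispose() }

    $verdict = if ($sig.Status -ne 'Valid') { 'incomplete-or-unverified' }
               elseif ($sha -ne $ReferenceSha256.ToLowerInvariant()) { 'signed-but-different-build' }
               else { 'matches-reference' }

    [pscustomobject]@{
        Verdict         = $verdict
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Sha256          = $sha
        ZeroBlockRatio  = [math]::Round($zeroBlocks / [math]::Max($blocks, 1), 3)
    }
}

Test-GameDll | Format-List
```

Run it after Steam reports the download as complete: a 'Valid' signature with a low ZeroBlockRatio means the detection fired on a transient, half-assembled file rather than on the final binary.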
itman 1,800 Posted June 14
The problem is Themida protector is also used by malware developers. Example here: https://any.run/report/4c5f4a21141e39095d94c78cc8239c35df49901baf1b7d5bca9e4c1b29845a15/a3963161-4e67-451d-9bda-5bb647d5660a .