False Positive in Helldivers 2


Hi,

since the last update of the game "Helldivers 2" on Steam, the file D:\Programme\Steam\steamapps\common\Helldivers 2\data\game\game.dll is reported as a variant of Win64/Packed.Themida.L and deleted.

This is a known problem in the community and occurs only with ESET and no other antivirus.

I don't want to just create an exclusion for the file.

Would be nice if someone can look into the matter....

Greetings

Apas

I'm having the same problem. Did a search and I'm seeing everyone with ESET security and playing Helldivers 2 is having the same problem. Will this be fixed in a way that I don't have to do anything but wait? I'm not good with computer programming stuff. The only fix I'm seeing currently is changing settings in ESET, which I don't clearly understand. I'd rather not do that and possibly mess something up.

  • Administrators
1 hour ago, MK369 said:

I'm having the same problem. Did a search and I'm seeing everyone with ESET security and playing Helldivers 2 is having the same problem. Will this be fixed in a way that I don't have to do anything but wait? I'm not good with computer programming stuff. The only fix I'm seeing currently is changing settings in ESET, which I don't clearly understand. I'd rather not do that and possibly mess something up.

Please provide logs collected with ESET Log Collector as I requested in my post above.

42 minutes ago, Marcos said:

Please provide logs collected with ESET Log Collector as I requested in my post above.

Hello, did the log collector and opened a case.

Thanks

Per VirusTotal analysis: https://www.virustotal.com/gui/file/ab920976c7aebc1d3c50a9ef23b3a2eda36551002f37f466b1664aecd4f684e4/details, the .dll is code signed, which would further indicate it's a legit file.

The ESET detection of a variant of Win64/Packed.Themida.L indicates the .dll file is using software code protection, making it impossible for ESET to scan the file. Code protection is deployed by developers to prevent their code being stolen via reverse engineering methods. It also is used by malware developers for the same reason.

Edited by itman
  • Administrators

Please upload your ELC logs here. Attachments can be accessed only by ESET staff.

FYI:

Quote

Helldivers 2 & nProtect GameGuard (anti-cheat)

DEVELOPER

Hi everyone,

My name is Peter Lindgren and I'm the Technical Director of HELLDIVERS 2. I've been making games at Arrowhead since the Magicka-days and I've been involved in every game we've released to date.

I will do my best in this post to address the concerns and confusion that's come up recently regarding the choice of Anti-Cheat software in HELLDIVERS 2.

So, let's start off with the more urgent questions:

Is GameGuard a kernel-level / administrator-privilege anti-cheat?

Yes, GameGuard is a "kernel-level", aka rootkit, anti-cheat. Most anti-cheat run at "kernel-level", especially all of the popular ones. It's unfortunately one of the more effective ways to combat cheating.

https://www.reddit.com/r/Helldivers/comments/19dp2qw/helldivers_2_nprotect_gameguard_anticheat/

Bottom line - when you run this software, a kernel mode rootkit is being deployed. It's the user's decision on whether to use the software since there is always the possibility it could be used maliciously.

Edited by itman
line 2

...some (not widely known) antivirus, have... 😆😅

  • 1 month later...
  • Administrators
29 minutes ago, kalima said:

Same issue with latest Patch 01.000.400. 

Please create a detection exclusion with the detection name Win64/Packed.Themida.L and the appropriate path in which Steam creates files that are detected:

image.png
 
The thing is that the application downloads chunks of the file with zeroes inside and assembles the final file in the end. As a result, the digital signature of the chunks is invalid and the detection is triggered since Themida protector is used.
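
A triage check based on the explanation above, added here as an example and not part of the original thread or of any ESET or Steam tooling: it separates a fully assembled file whose SHA-256 matches a known value from a partially assembled one that still contains zero-filled blocks. The 1 MiB block size, the function names and the sample data are assumptions (the thread does not state the chunk size Steam uses).

```python
import hashlib
import io

BLOCK_SIZE = 1024 * 1024  # assumed; the thread does not state Steam's chunk size

def scan_stream(stream, block_size=BLOCK_SIZE):
    """Return (sha256_hex, total_blocks, zero_blocks) for a binary stream."""
    digest = hashlib.sha256()
    total = zero = 0
    while True:
        block = stream.read(block_size)
        if not block:
            break
        digest.update(block)
        total += 1
        # A block with no non-zero byte is a placeholder not yet filled in.
        if block.count(0) == len(block):
            zero += 1
    return digest.hexdigest(), total, zero

def triage(stream, known_sha256, block_size=BLOCK_SIZE):
    """Classify a flagged file before deciding on an exclusion."""
    sha256, total, zero = scan_stream(stream, block_size)
    if sha256 == known_sha256.lower():
        verdict = "complete: hash matches the known release"
    elif zero:
        verdict = "partial: %d of %d blocks are still zero-filled" % (zero, total)
    else:
        verdict = "unknown: fully populated but hash differs, investigate"
    return {"sha256": sha256, "zero_blocks": zero, "total_blocks": total, "verdict": verdict}

def triage_file(path, known_sha256, block_size=BLOCK_SIZE):
    with open(path, "rb") as fh:
        return triage(fh, known_sha256, block_size)

# Constructed samples: a 4-block "release", the same file mid-download with
# blocks 1 and 3 still zeroes, and a fully populated file with one byte changed.
SAMPLE_BLOCK = 16
SAMPLE_FINAL = b"".join(bytes([i + 1]) * SAMPLE_BLOCK for i in range(4))
SAMPLE_PARTIAL = (SAMPLE_FINAL[:16] + bytes(16) + SAMPLE_FINAL[32:48] + bytes(16))
SAMPLES = {"final": SAMPLE_FINAL, "partial": SAMPLE_PARTIAL,
           "modified": b"\xff" + SAMPLE_FINAL[1:]}

def run_samples():
    known = hashlib.sha256(SAMPLE_FINAL).hexdigest()
    return {n: triage(io.BytesIO(d), known, SAMPLE_BLOCK) for n, d in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, "->", result["verdict"])
```

For a real file, call `triage_file` with the path of the flagged DLL and the SHA-256 of the build you trust. A zero-filled block is a hint of an incomplete download rather than proof, since binaries can contain legitimate zero padding.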