Occamy.C Trojan detected in FFAStrans.exe

Here you can submit bugreports
DigitalMetal
Posts: 7
Joined: Mon Mar 16, 2020 12:40 am

Re: Occamy.C Trojan detected in FFAStrans.exe

Post by DigitalMetal »

Extracting the main package and adding the contents of the patch to its folder and then trying to run the exe gives me this error.
Capture2.PNG
admin
Site Admin
Posts: 1658
Joined: Sat Feb 08, 2014 10:39 pm

Re: Occamy.C Trojan detected in FFAStrans.exe

Post by admin »

This should not be a problem as you don't have any old database to convert.

The exe files will still be detected as various malware/viruses by some antivirus systems. The only difference between the old files and the new is that they have been self-signed. This is not very trustworthy but some antiviruses will see this as "good to go". So as I wrote, it's very difficult to fix this 100% because it's not a bug in the software, but rather overeager antiviruses with allergic symptoms.

The reason I don't exchange the files in the main package is that I need some feedback on these new files whether they all work fine or not. Also, most people don't have issues with the main package. At work we use Symantec endpoint and it has no problems with the main package files. However, I will exchange the main files when I get some feedback that the new files are OK.

-steinar
crispyjones
Posts: 104
Joined: Wed Dec 27, 2017 3:21 am

Re: Occamy.C Trojan detected in FFAStrans.exe

Post by crispyjones »

I've been struggling with this as well. First of all, let me say that I've used this software for some time now and these virus detections come and go. I've only noticed because I've tried some fresh installs on some Windows 10 laptops. I can confirm that the 1.0.0.0 file gets flagged for Occamy.C in Windows Defender. I also had the 1.0.0.3 patch get flagged for Win32/Ashify.J!ibt, also by Windows Defender.

I tried the 1.0.0.4 patch and it seems to work without getting flagged, with the following, very frustrating, caveat. When I try to reproduce these virus errors I cannot, because I've found that once a threat exception is made in Windows Defender it is written to the registry and I can't figure out how to delete it. The exception remains even if the Defender GUI states there are no exceptions. Therefore, on a machine where I've made the Defender exception for 1.0.0.3 Win32/Ashify.J!ibt, I can't be sure that 1.0.0.4 is OK or simply being allowed by the existing exemption that made 1.0.0.3 work. I've done two installs on two different machines and confirmed 1.0.0.0 and 1.0.0.3, but I've run out of laptops to try a fresh install of 1.0.0.4 for now.

I'll update if I get my hands on another Windows machine.
emcodem
Posts: 1631
Joined: Wed Sep 19, 2018 8:11 am

Re: Occamy.C Trojan detected in FFAStrans.exe

Post by emcodem »

We believe that the virus situation should be a lot better when we are able to do code signing using a real certificate.
But those certificates do cost some coins per year.


https://codesigningstore.com/code-signi ... providers/

Anyone want to fund this? :D
emcodem, wrapping since 2009 you got the rhyme?
crispyjones
Posts: 104
Joined: Wed Dec 27, 2017 3:21 am

Re: Occamy.C Trojan detected in FFAStrans.exe

Post by crispyjones »

That's very interesting, the screen I landed on said $83 a year. Do you have to pay something extra every time you release a new patch/version, or would that cover everything for a year?
emcodem
Posts: 1631
Joined: Wed Sep 19, 2018 8:11 am

Re: Occamy.C Trojan detected in FFAStrans.exe

Post by emcodem »

Hey Crispy,
those 83 USD are for a certificate that we can use to sign as many applications as we like for one year.
I see 3 problems:
-) as soon as the cert expires, antiviruses would probably react even more aggressively than now - due to the fact that the code is signed but the certificate has expired. So if we sign our apps with a cert that is valid for one year, the app will also just run for one year. But it is no problem to re-sign the same .exe again without the need to keep the source code (anyone can sign any exe) - still, users need to exchange the old .exe files for the newly signed ones.
-) there is no guarantee that all antivirus problems are gone and there is no way to test it for free :-(
-) AV software and Windows itself could stop running the application in case there is some mistake globally about Comodo certificates. Such stuff already happened to a website of mine using an ATrust certificate - in that case no website and no application in this world that was signed with Comodo works anymore. In my case, the error was resolved by ATrust globally after about half a day.

Certs are like a money machine that also keeps the IT industry busy as a whole. They ensure that the stuff you drive is maintained by someone.
The best we could do is to start with a 1-year cert for testing and if it works, we should look into getting 3 year certs.
emcodem, wrapping since 2009 you got the rhyme?
admin
Site Admin
Posts: 1658
Joined: Sat Feb 08, 2014 10:39 pm

Re: Occamy.C Trojan detected in FFAStrans.exe

Post by admin »

Honestly, I would like to try and live without the whim of some cert money machine. The way it is now, I will try and go for the self-sign of all FFAStrans exe's and see how that works out. Also, I'm looking at a way to reduce the need for replacing exe's for new releases by utilizing a more generic launcher app for the a3x files. Hopefully, these two steps will reduce the risks of FFAStrans exe's being falsely flagged as malware or virus.

-steinar
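
The thread turns on whether the exe files are unsigned, self-signed or signed with a CA-issued certificate. As an added example (not part of the thread and not FFAStrans project code), this PowerShell function reports the Authenticode state of every exe under a folder so that a user can see what was actually installed before deciding on an antivirus exception. The folder path is a placeholder and the function name is hypothetical.

```powershell
# Added example: audit the Authenticode signature state of executables.
# The default path is a placeholder (assumption); point it at the real install folder.
param(
    [string]$Path = 'C:\path\to\FFAStrans'
)

function Get-ExeSignatureReport {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -LiteralPath $Folder -Filter *.exe -Recurse -File | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate   # $null when the file is not signed

        [pscustomobject]@{
            File        = $_.Name
            # Hash lets you compare the file against a copy from another machine
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Status      = $sig.Status
            Signer      = if ($cert) { $cert.Subject } else { $null }
            # A self-signed certificate names itself as its own issuer
            SelfSigned  = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
            CertExpires = if ($cert) { $cert.NotAfter } else { $null }
            # Populated only when the signature was countersigned by a timestamp service
            Timestamped = [bool]$sig.TimeStamperCertificate
            Detail      = $sig.StatusMessage
        }
    }
}

Get-ExeSignatureReport -Folder $Path | Format-List
```

A file signed with a self-signed certificate that is not in the machine's trusted root store is reported with a status other than `Valid`, and `Detail` gives the chain error.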