AntBond
Member
Hi,
I can't download GOTD's anymore, because my antivirus (ESET Smart Security 5) blocks it. ESET hasn't caused any problems with downloading GOTD's, until some time ago. It says the downloads are variants of Win32/Packed.Themida. Does it has something to do with the new wrapper? Why should this new wrapper trigger my anti-virus?
pavid
gamer extraordinaire & knowledgeable computer nerd who likes to argue, but is still a very nice guy
Yes it has to do with new wrapper, Themida. It triggers your antivirus because it has been used in the past by unscrupulous people to hide malware and viruses. All downloads from Give Away Of The Day have been scanned by multiple sources to ensure the absence of nasty stuff before they are wrapped. The wrapper is a safe software that helps ensure that people cannot extract the contents of the download and thus violate the terms of service of GAOTD and the developer. If you want to continue using ESET, the best way around this is probably to suspend or turn off your antivirus until the install is complete. Once you have installed the software, you can immediately turn on your security software because the Themida wrapper is now gone. The software itself should not trigger any alerts.
AntBond
Member
Okay, I was searching more information on the internet about it, and I found this article: http://blogs.mcafee.com/mcafee-labs/who-digs-the-elephant-trap. Themida is basicly designed to hide code and prevent reverse engineering. This makes it almost impossible for antivirus software to detect malware. Therefore, consumers of GOTD can never verify wether the wrapped software - downloaded from GOTD - contains malware or not. They have to fully thrust GOTD, above their antivirus software. I don't think novice consumers are able to do this.
The previous (lets call it "version 1") wrapper (before GOTD adopted "version 2" Themida) also encrypted and packed the setup program inside the GOTD setup.exe.
Scanning the downloaded V1 setup program also was unable to look inside the developers setup program. Scanning any GOTD download would just indicate that the GOTD wrapper didn't look like malware. But no users were able to scan the wrapped software beforehand either.
So effectively there is no difference in actual safety in that users cannot scan the downloaded file - as previously scanning the download was also an essentially meaningless exercise. (Of course some users got a toasty warm feeling, that they were doing something useful in scanning the GOTD download - but it served little purpose).
The unwrapped developers setup program is thoroughly scanned by GOTD prior to wrapping (a lot of their reputation rides on checking these files prior to release). For users who do not trust GOTD to scan the files they receive from the developers, it is their decision to download or not - but to date there have been no confirmed malware issues that I am aware of (plenty of false positives, and contentious definitions from users of what constitutes "malware" - like changing a home page, or an option to install a toolbar)
I would suggest that if you wish to install a giveaway, and you are able to, disable your antivirus during the installation, and enable it again once the software is installed. Many Antivirus apps have a real time option where the system is monitored and files are scanned as they are accessed and programs are run.
Alternatively install a secondary (normally disabled antivirus) that you can enable while ESET is disabled. Something like Microsoft Security Essentials (that I run) does not complain about the GOTD installer.
As for novice users being unable to disable (or use) their antivirus, this really isn't GOTDs charter. Sure we (the users) could create tutorials for each antivirus product on how to enable/disable/scan/update etc etc - but surely this is something that should be fully covered on the AV product site & documentation. There are multiple posts/comments each day of users announcing that the GOTD has a virus or malware "because their antivirus product said so", when thousands of others (including the GOTD team prior to release) have managed to install the software cleanly. There is no getting away from the fact that using security software, and installing/uninstalling applications (including what to do with a zip file), is something that may require some reading and research. Perhaps Themida and the need to change/disable the antivirus software during an install, will introduce and require some new skills... but the day you stop learning you are dead.
On a separate note:
Regarding the "who digs the elephant trap" article that has been posted numerous times by users on GOTD, it is also worthwhile to read the comments that follow the article. I believe the article is purely from the Antivirus (McAfee) viewpoint. Historically they identify viruses by looking inside files (yes this is oversimplified) and looking for a familiar signature. Themida prevents this - and as such has, in the past, been adopted by virus and malware writers. The solution by some AV companies is to just flag EVERYTHING with Themida as being "suspicious" or "possibly unwanted". They don't actually come out and say it is a virus (because they cannot). Rather than adopting other ways to detect malware, they simply state that people should stop using Themida - which is an easy thing to say, when it isn't your own product that is affected by such an action.
Other products that operate differently operate based on what a program does - effectively they look for suspicious activities being performed by software that the user hasn't previously explicitly marked as trusted. Some applications that do this (or similar) include:
http://spyshelter.com/
http://softsphere.com/
http://www.arovaxshield.com/ (FREE)
AntBond
Member
Thank you for your feedback.
The previous (lets call it "version 1") wrapper (before GOTD adopted "version 2" Themida) also encrypted and packed the setup program inside the GOTD setup.exe.Scanning the downloaded V1 setup program also was unable to look inside the developers setup program. Scanning any GOTD download would just indicate that the GOTD wrapper didn't look like malware. But no users were able to scan the wrapped software beforehand either.
So effectively there is no difference in actual safety in that users cannot scan the downloaded file - as previously scanning the download was also an essentially meaningless exercise. (Of course some users got a toasty warm feeling, that they were doing something useful in scanning the GOTD download - but it served little purpose).
Another thing is that many developpers do not seem to care about the fact that their software can installed after the GOTD period. Many serial can be registered with the trial available on the company's website.
pavid
gamer extraordinaire & knowledgeable computer nerd who likes to argue, but is still a very nice guy
The first law of security on the internet is do not go to any site you don't trust. Therefore, if you don't trust GOTD and it's various software suppliers what the hell are you doing here??? That is the long and short of the Themida issue. So, if you can't deal with the wrapper leave, and don't come back. And stop leaving inane comments about giveaways have a virus. THEY DON'T.
mikiem2
Moderator
Building on the essence I think of what pavid wrote, it really does boil down to trust. At the end of the day it all just comes down to whom do you trust -- we firmly believe that GOTD has earned our trust. Considering the consequences should they lose it, I'm convinced their motivation to maintain that trust is 2nd to none.
That said, if there was no wrapper at all, there's really no way the average user could verify whatever setup file was 100% malware free anyway. Visiting a site like Shadowserver you can find malware infection stats -- not all of those systems were infected because they were running nekkid. :) Yes it is nice, maybe a little comforting when you can see your AV stuff doing its thing, but realistically it's a fine line between enjoying that comfort & being complacent. Truth is the AV app(s) you're running are not foolproof, Will Not Catch Everything -- that ideal does not exist. :) I mean, the good folks writing/maintaining AV software constantly update their products... How? By studying malware on newly infected systems their software, along with their competitors' products Did Not Stop. An operation like GOTD OTOH can do quite a bit more to ensure the apps they offer are clean -- they're not just installing on their home system.
"Another thing is that many developpers do not seem to care about the fact that their software can installed after the GOTD period. Many serial can be registered with the trial available on the company's website. "
Not sure if there's an objection there, & if so, to what? GOTD offers all fit into the same mold, use either Activate.exe or use the GOTD wrapper -- it'd be a bit chaotic otherwise, plus it'd likely draw heat to those developers/companies that stood out because they opted for the wrapper. Not all of the developers/companies putting software on GOTD mind if you install their app using the GOTD license tomorrow, next week, or next year -- they're just being extra generous. When the GOTD key in the readme.txt file works with the trial, I at least can't think of any reason not to use the trial instead of the GOTD setup.exe if that's what you prefer, & if the key doesn't work, just install the GOTD version on top of the trial.
mikiem2
Moderator
"Regarding the "who digs the elephant trap" article... I believe the article is purely from the Antivirus (McAfee) viewpoint."
Of course it is. :)
McAfee is a company that, like most every other company wants to make the most profit from the least cost. Anything McAfee publishes, future, past, & present can be assumed to have one goal -- increase sales/profits. The less they have to deal with, the lower their costs. Market competition provides balance -- if some other company does a better job marketing &/or creating a alternative product, McAfee sales drop -- so McAfee would like to 1) lower expectations [& their costs], while 2) countering the competition [in case it does a better job].
From a purely consumer perspective McAfee's "viewpoint" should be, IS irrelevant -- if you want to haul lumber you buy a truck, not a car, just as you buy a DVD or Blu-Ray player to play DVD &/or Blu-Ray discs... Consumers buy solutions -- not excuses -- which is why you don't see McAfee talking about things like Themida on their front/home page. And McAfee Total Protection does not block the new GOTD wrapper. :)
What I was getting at, it is all well and good for McAfee to suggest that everyone should stop using Themida - because if they did it would make McAfees job easier - and it has no impact on McAfee sales because McAfee doesn't actually rely on Themida to protect their own software.
This is akin to me telling you that in order to protect the environment, the price of petrol should be 100 times what it is today - when I do not own or have need of a car. I can make all the statements I want about petrol prices, because the impact of what I am suggesting will have no impact on me or require me to alter my behaviour.
McAfee claiming that Themida should not be used anywhere, because some people chose to use the technology illegally only demonstrates how narrow and short sighted their own thinking is and the result appears to me as a really poor attempt to put together an argument in favor of ditching this method of software protection to overcome a shortcoming in their own detection techniques.
Anonymous
Unregistered
The advantages of using a Software Protector are:Themida so on.
Protect an application against piracy.
Prevents attackers from studying how an application is implemented.
Will not allow attackers to modify an application to change its behavior .
https://secure.dslreports.com/forum/r21106446-Is-Themida-a-legitimate-threat
http://www.wilderssecurity.com/showthread.php?t=184840
Yesterday, we contacted ESET about this issue and today we just got an email saying the following 2007
http://forum.sysinternals.com/process-monitor-themida-tweakvi-clash_topic15130.html
http://www.ehow.com/how_8545435_stop-eset-blocking-themida.html
http://forum.bitdefender.com/lofiversion/index.php/t2165.html
http://forums.taleworlds.com/index.php/topic,3885.0.html
Themida (copy protection), Armagan's choice to use Themida, and the game's speed (because of Themida) have been questioned several times lately.
I have one simple question: WHY?
If you enjoy this game ... if you would like to see its continued development ... if you would like to see Armagan receive payment for his hard work (so that he can continue that hard work) ... then support his decision to use Themida!
AntBond
Member
The first law of security on the internet is do not go to any site you don't trust. Therefore, if you don't trust GOTD and it's various software suppliers what the hell are you doing here??? That is the long and short of the Themida issue. So, if you can't deal with the wrapper leave, and don't come back. And stop leaving inane comments about giveaways have a virus. THEY DON'T.
Themida (copy protection), Armagan's choice to use Themida, and the game's speed (because of Themida) have been questioned several times lately.I have one simple question: WHY?
At the end, I am happy to hear your opinions and why you don't agreed with me.
"I have never in my life learned anything from any man who agreed with me." - Dudley Malone
Anonymous
Unregistered
trust it the fix is
http://www.ehow.com/how_8545435_stop-eset-blocking-themida.html
https://en.wikipedia.org/wiki/Runtime_packer
List of packers
UPX is one antivirus all-so not like most packers antivirus just don't like.
You must log in to post.
