Earlier today, DBM 9.1.9 started being falsely flagged as malware. One thing I can assure you of: DBM will never contain anything like that, and it has strict practices to avoid that.
- DBM is hosted publicly for all to see on GitHub here: https://github.com/DeadlyBossMods/DeadlyBossMods
- Zip files/releases are produced through a safe automated process using another open source project here: https://github.com/BigWigsMods/packager . I simply tag a new release on GitHub, and GitHub Actions runs the packager to generate the zip files and upload them to WoWInterface, Curse, and Wago (using files straight from the GitHub repo).
- All commits pushed to GitHub are also GPG signed and show the "verified" badge, which shows that they are authentic commits from the signing computer of the developer account. So if by some miracle my 2-factor-protected account were compromised and someone used it to push to GitHub, they wouldn't have my GPG signing key and the commit would be unsigned.
So how did the false positive happen?
- One theory is that antivirus software has quick checks and full checks. A quick check may be as simple as comparing the file hash against known malware file hashes. A full check actually scans the file contents, not just the hash. Usually quick checks run on file download, before the file is saved, to avoid downloading a malicious file altogether. Full checks run on a file that has already been downloaded.
- So what could have happened today is that quick checks started throwing a malware threat warning because the hash of DBM matched the hash of another file on the internet named "phpFgqPl8". This is called a hash collision, and it's an extremely rare condition, lottery-winning rare. It does happen though, and in this case it's what caused the false flag.
- A full scan of the file obviously proved that 9.1.9 had no actual malware in it. You can read the full report here (click Details to see the hash match to phpFgqPl8, which is what caused this whole mess): https://www.virustotal.com/gui/file/1f3520776f1931d8a2f37cbf0bff470cb67e9dcf9791f622cb6912d93b7b467a/detection
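To make the quick-check versus full-check distinction above concrete, here is an added Python sketch (not part of this post and not DBM or packager code) that models a hash-only quick check and a content-scanning full check over a constructed sample zip, and compares a downloaded zip against the SHA-256 from the VirusTotal report above. The blocklist, marker list and sample files are constructed stand-ins for whatever a real scanner uses.

```python
import hashlib
import io
import zipfile

# SHA-256 of the DBM 9.1.9 zip from the VirusTotal report linked above; a downloaded
# zip with this hash is byte-for-byte the file that the full scan found clean.
DBM_9_1_9_SHA256 = "1f3520776f1931d8a2f37cbf0bff470cb67e9dcf9791f622cb6912d93b7b467a"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def is_scanned_release(data):
    return sha256_hex(data) == DBM_9_1_9_SHA256

def quick_check(data, bad_hashes):
    """Quick check: only the hash is compared, so a listed hash flags even a clean file."""
    return sha256_hex(data) in bad_hashes

def full_check(data, bad_markers):
    """Full check: open the zip and scan every member's contents for known
    markers. Returns the member names that matched; empty means clean."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            if any(marker in content for marker in bad_markers):
                hits.append(info.filename)
    return hits

def classify(data, bad_hashes, bad_markers):
    """A quick-check hit the full check cannot confirm is the 'hash matched, contents clean' case."""
    if full_check(data, bad_markers):
        return "malicious content found"
    if quick_check(data, bad_hashes):
        return "false positive (hash match only)"
    return "clean"

def build_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample addon zip (not the real DBM release) and a constructed marker list.
SAMPLE_ZIP = build_zip({
    "DBM-Core/DBM-Core.toc": b"## Interface: 90105\n## Title: constructed sample\n",
    "DBM-Core/DBM-Core.lua": b"-- constructed sample, harmless\nlocal mod = {}\n",
})
BAD_MARKERS = (b"CONSTRUCTED-MALWARE-MARKER",)
```

Running `classify(SAMPLE_ZIP, {sha256_hex(SAMPLE_ZIP)}, BAD_MARKERS)` reproduces the situation described above: the hash is on the list, the contents are clean, so the result is a false positive rather than a detection.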
So what did I do about it?
- When the detection occurred I immediately reviewed every file in the zip with a fine-toothed comb to make sure nothing slipped in from 3rd party libs or anything like that, and many others ran the file through online scanners to make sure it was clean.
- When it was clear it was a false detection, the file was immediately submitted to Microsoft for review, and I'm told they've already begun fixing the false flag.
- I'm also making this post for reassurance, since even if the popups go away after the next Defender update, a LOT of users saw a scary popup and want to know why.
- I'm going to tag a new release (which will have a different hash) to eliminate the hash collision with that other file on the internet, for good measure.
- That new release is going to have a one-time in-game message linking to this post, so users who don't follow social media/Discord get a chance to read it and be informed about what happened. This post is NOT paywalled and is not a solicitation for support in any way. It's just the best public medium I have to get this message out as quickly as possible without users needing to sign up for Discord or read an eye-straining TwitLonger with no formatted text.
Conclusion
Rest assured that when this issue popped up I literally hopped out of bed on only 3 hours of sleep to deal with it as fast and precisely as possible, to make sure no actual threats were in the file, and made sure I got notifications out on social media ASAP while I prepared this longer message. The new release (DBM 9.1.10) will be out shortly after this post as well.
Update 1
Apparently, users who have not yet received the updated Windows Defender definitions from MS continue to get false positives on DBM 9.1.10, the DBM 9.1.11 alphas and the DBM 2.5.10 alphas. At least 4 addons were affected by this today as well; they were also false positives from the same bug. All of these false positives are resolved by forcing Windows Defender to update to the latest definitions.
To force an update, follow Microsoft's article here:
https://www.microsoft.com/en-us/wdsi/defenderupdates
Alternatively, you can just ignore the false positives for now and wait for the next auto update of Defender, which will resolve the alerts automatically whenever that next auto update happens.