Dege has addressed my concerns on the Vogons forums. Thanks go to ZellSF for passing along my concerns there.
Dege Wrote:
What I can say is that dgVoodoo and my other stuffs often get false positive detections from various antivirus softwares but they are 100% safe. They don't contain any backdoor or dangerous code at all, it doesn't matter what your AV says. This was a problem for all other softwares built with NSIS (Nullsoft Installer) because that utility also builds an installer containing compressed data.
----Original Post----
So on another forum, a user commented that their copy of Symantec (Norton) flagged dgVoodoo2, so I ran a scan on the dll and exe files included in the dgVoodoo2 zip file, using the VirusTotal web service and sure enough many of them seem to have something or other going on.

I understand that the provided DDraw.dll and D3Dlmm.dll files are wrappers and function as translators for the modern DirectX counterparts, so a flag of "WS.Reputation.1" that Symantec returned makes sense, but others like: "Trojan.Win32.Qudamah.Gen.8", "Trojan-Dropper" and "Malware-Cryptor.Limpopo" look pretty scary.

Does anyone know if dege has addressed these on the Vogon forums or elsewhere?
Post edited May 28, 2015 by DustyStyx
DustyStyx: So on another forum, a user commented that their copy of Symantec (Norton) flagged dgVoodoo2, so I ran a scan on the dll and exe files included in the dgVoodoo2 zip file, using the VirusTotal web service and sure enough many of them seem to have something or other going on.

I understand that the provided DDraw.dll and D3Dlmm.dll files are wrappers and function as translators for the modern DirectX counterparts, so a flag of "WS.Reputation.1" that Symantec returned makes sense, but others like: "Trojan.Win32.Qudamah.Gen.8", "Trojan-Dropper" and "Malware-Cryptor.Limpopo" look pretty scary.

Does anyone know if dege has addressed these on the Vogon forums or elsewhere?
You should figure out what those definition names mean.

Or keep spreading panic about false positives without the research to warrant it, whichever you want.
It is a 100% false positive.
If you are still concerned, go ask Dege about it here, http://www.vogons.org/viewtopic.php?f=9&t=34931
MrEWhite: It is a 100% false positive.
If you are still concerned, go ask Dege about it here, http://www.vogons.org/viewtopic.php?f=9&t=34931
Before I made a forum post, I had sent email his way, but haven't gotten a reply. I already had a once over of that thread you linked to, checking for the word "virus" and the only thing that came up was for a game title that someone had tried running it with (virus 2000 or something similar). I don't have a Vogons account and I'd probably be barraged with ZellSF type replies if I did, ya'd think that asking an honest question was a crime.

I figured the Symantec one was a false positive, but the others make me wonder what might be going on.
MrEWhite: It is a 100% false positive.
If you are still concerned, go ask Dege about it here, http://www.vogons.org/viewtopic.php?f=9&t=34931
DustyStyx: Before I made a forum post, I had sent email his way, but haven't gotten a reply. I already had a once over of that thread you linked to, checking for the word "virus" and the only thing that came up was for a game title that someone had tried running it with (virus 2000 or something similar). I don't have a Vogons account and I'd probably be barraged with ZellSF type replies if I did, ya'd think that asking an honest question was a crime.

I figured the Symantec one was a false positive, but the others make me wonder what might be going on.
Then why not look into it like I suggested? You have the same tools we do, you have the same tools Dege does to look into it.

Google quickly gave me some results on what those definition names meant, or at least what they were linked to. I'll give you a hint: they're all guesses. Also 8/57 AV software saying something is a virus does not exactly fill me with confidence that it is. Especially not when the list you consult includes shit like Norton.

Edit: Dege has written his thoughts on the matter
Post edited May 26, 2015 by ZellSF
DustyStyx: Before I made a forum post, I had sent email his way, but haven't gotten a reply. I already had a once over of that thread you linked to, checking for the word "virus" and the only thing that came up was for a game title that someone had tried running it with (virus 2000 or something similar). I don't have a Vogons account and I'd probably be barraged with ZellSF type replies if I did, ya'd think that asking an honest question was a crime.

I figured the Symantec one was a false positive, but the others make me wonder what might be going on.
ZellSF: Then why not look into it like I suggested? You have the same tools we do, you have the same tools Dege does to look into it.

Google quickly gave me some results on what those definition names meant, or at least what they were linked to. I'll give you a hint: they're all guesses. Also 8/57 AV software saying something is a virus does not exactly fill me with confidence that it is. Especially not when the list you consult includes shit like Norton.

Edit: Dege has written his thoughts on the matter
Thank you for the update. I'm glad he made a statement today.

I already did do some research, but I'm not a security expert so it's hit and miss to me as to what means what, hence asking questions.

The list was fairly comprehensive, so Norton and TrendMicro were in there as a matter of course. It also included AVG, Ad-Aware, Avast, ClamAV, Comodo, DrWeb, F-Secure, Kaspersky, McAfee, Microsoft, Panda (none of which found anything), as well as a few AV clients that I haven't heard of, that did (Ikarus, Sophos, Tencent, and VBA32). Virus Bulletin lists Ikarus and Tencent as fairly reputable AV clients, so I'm not sure concern is unwarranted.
ZellSF: Then why not look into it like I suggested? You have the same tools we do, you have the same tools Dege does to look into it.

Google quickly gave me some results on what those definition names meant, or at least what they were linked to. I'll give you a hint: they're all guesses. Also 8/57 AV software saying something is a virus does not exactly fill me with confidence that it is. Especially not when the list you consult includes shit like Norton.

Edit: Dege has written his thoughts on the matter
DustyStyx: Thank you for the update. I'm glad he made a statement today.

I already did do some research, but I'm not a security expert so it's hit and miss to me as to what means what, hence asking questions.
You aren't asking questions about how to interpret virus scans though. You're specifically implying one piece of software has a virus, it's a false positive and people might believe you. This is not a good idea. You could've posted the results in general discussion without naming the software, get people to help you interpret results and THEN raise panic if needed.

I mean, the person who brought this up to you said it had "WS.Reputation.1" and you took this to mean something. Let's Google "WS.Reputation.1":

WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.
If you're having trouble reading the awful Norton PR speak: they're basically saying they have never heard of the file, so it must be dangerous.

Oh, and there are no security experts here. Dege isn't one either (assumption). If you wanted a second opinion from security experts, submit it to your AV company.
Post edited May 27, 2015 by ZellSF
ZellSF, I already read that WS.Reputation.1 report that Norton published, I am asking WHY would it pop up with the alleged "false positives" about the Trojan/Malware stuff. I wasn't necessarily implying that dgVoodoo2 had a virus, I was only pointing out what happens when you run a virus scan using multiple agents and it raised a concern. If you recall, I did ask "if dege has addressed these on the Vogon forums or elsewhere?". Thank you for forwarding the question to dege on the Vogons forum, to generate a reply, on my behalf.

I am willing to accept dege's statement: "What I can say is that dgVoodoo and my other stuffs often get false positive detections from various antivirus softwares but they are 100% safe. They don't contain any backdoor or dangerous code at all, it doesn't matter what your AV says.". I will amend my original post with the quote.

I have previously pointed people at dgVoodoo2, to resolve some of their older DirectX game issues here and elsewhere, it's a great tool, but that was when I took it at face value and assumed it was safe, I wanted assurances that it is. If someone is having an issue and I am able to direct them to a solution, I want to be sure it is a good one.

Please let me clarify where my concern arose.

If it was just Symantec reporting WS.Reputation.1, or TrendMicro reporting Suspicious_GEN.F47V0401, I wouldn't have had issues with it because the tags pretty much say "Hey, these kind of look suspicious, you might want to be careful". I get that when you scan the Glide and DirectX substitute DLL files, it would generate some questions because the hash they generate will not match any of the published Microsoft or 3dfx hashes and thus be...suspicious. I get the idea of a false positive and would expect it for something like that. Again: "I understand that the provided DDraw.dll and D3Dlmm.dll files are wrappers and function as translators for the modern DirectX counterparts, so a flag of "WS.Reputation.1" that Symantec returned makes sense..."

But why the Trojan/Malware stuff? Is it because dgVoodooSetup.exe has code in it to change the included DLLs? I'm guessing that it would have to do that to remove the watermark from the rendered screen? Believe me all I have to go on at this point is speculation.

For a full list of the results, many of which I already ignored, things like "generic" or "suspicious" :
File: 3DFx\Napalm\Glide3x.dll
Agnitum • Packed/MPress
Bkav • HW32.Packed.F976
Symantec • WS.Reputation.1
TrendMicro • Suspicious_GEN.F47V0401

File: 3DFx\Glide.dll
Agnitum • Packed/MPress
Bkav • HW32.Packed.4296
Symantec • WS.Reputation.1
TrendMicro • Suspicious_GEN.F47V0401

File: 3DFx\Glide2x.dll
Tencent • Trojan.Win32.Qudamah.Gen.8
TrendMicro • Suspicious_GEN.F47V0401

File: 3DFx\Glide3x.dll
Agnitum • Packed/MPress
Bkav • HW32.Packed.8207
Ikarus • Trojan-Dropper
Symantec • WS.Reputation.1
TrendMicro • Suspicious_GEN.F47V0401

File: MS\D3Dlmm.dll
Bkav • HW32.Packed.B9CA
Cyren • W32/Alureon.D!Generic
F-Prot • W32/Alureon.D!Generic
TrendMicro • Suspicious_GEN.F47V0401

File: MS\Ddraw.dll
Agnitum • Packed/MPress
Bkav • HW32.Packed.B532
Cyren • W32/Alureon.D!Generic
F-Prot • W32/Alureon.D!Generic
Symantec • WS.Reputation.1
TrendMicro • Suspicious_GEN.F47V0401

File: dgVoodooSetup.exe
Agnitum • Packed/MPress
Bkav • HW32.Packed.81DE
Qihoo-360 • HEUR/QVM18.1.Malware.Gen
Sophos • Mal/EncPk-OJ
Symantec • WS.Reputation.1
TrendMicro • Suspicious_GEN.F47V0401
VBA32 • Malware-Cryptor.Limpopo
If you want to rag on me about not checking into the full definitions of the offending flags, why not check into one I actually had a problem with? Trojan.Win32.Qudamah.Gen.8 (detected by Tencent), Trojan-Dropper (Ikarus), HEUR/QVM18.1.Malware.Gen (Qihoo-360), Mal/EncPk-OJ (Sophos), Malware-Cryptor.Limpopo (VBA32). Mal/EncPk-OJ looks particularly egregious, but for the most part I could only find information about it from dubious remove spyware vendors. That might be "proving" your point, but I'm not sure it does. Again Ikarus, Qihoo and Sophos scored fairly high on the Virus Bulletin rankings. The question is does Virus Bulletin take into account false-positive numbers as part of their ranking.

I will leave it at that, again I will take Dege at his word and update the original post.

Edit: had the wrong "quote" mark-up
Post edited May 28, 2015 by DustyStyx
You know of course that if you want to disregard generic names (as you should, because they are just guesses) then you definitely should disregard "trojan-dropper".

They don't have one definition for all trojan-droppers. They're basically saying that's what they think it is. They have no specific information to go on or they would make a fancier name for it and raise their prices.

HEUR/QVM18.1.Malware.Gen ... HEUR = heuristics = guess. Gen = Generic. It's a generic guess. They think it might be malware (aka mostly harmless). They remembered to add some random letters and numbers so it looks like they know what they're doing.

That should leave, what, 3 results out of 50? Let me ask you this: we have 40 companies saying this is NOT a virus, we have 7 companies saying they have no idea and we have 3 companies saying they have a definition for it in their secret non-public database. Why believe those 3 over the 40 saying they're wrong?

Mal/EncPk just sounds like malware encrypted package btw... I'm sure they're deliberately making up stupid names because they don't want their users to educate themselves.

Now AV makers do make... sort of educated guesses. If over half thought there was a virus there would be cause for worry. If 10 of them had very solid definitions, there would be cause for worry. You also need to weigh in the trustworthiness of the source when trying to evaluate how safe it is to run something.
Post edited May 29, 2015 by ZellSF
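The label-reading approach argued over in the posts above (packer, heuristic, generic and reputation names versus specific ones), as an added example that is not part of any post in this thread: it parses results in the "Vendor • Label" layout used earlier and buckets each label by how it is worded. The token rules and bucket names are assumptions of this example, not any vendor's naming scheme.

```python
import re
from collections import Counter

# Results copied from the list posted earlier in the thread (three of the files).
REPORT = """\
File: 3DFx\\Glide2x.dll
Tencent • Trojan.Win32.Qudamah.Gen.8
TrendMicro • Suspicious_GEN.F47V0401

File: MS\\D3Dlmm.dll
Bkav • HW32.Packed.B9CA
Cyren • W32/Alureon.D!Generic
F-Prot • W32/Alureon.D!Generic
TrendMicro • Suspicious_GEN.F47V0401

File: dgVoodooSetup.exe
Agnitum • Packed/MPress
Bkav • HW32.Packed.81DE
Qihoo-360 • HEUR/QVM18.1.Malware.Gen
Sophos • Mal/EncPk-OJ
Symantec • WS.Reputation.1
TrendMicro • Suspicious_GEN.F47V0401
VBA32 • Malware-Cryptor.Limpopo
"""

# Assumed token rules (this example's heuristic, not a vendor taxonomy).
# The first matching rule wins, so the order is significant.
RULES = [
    ("reputation", re.compile(r"reputation", re.I)),
    ("packer", re.compile(r"packed|encpk|cryptor|mpress", re.I)),
    ("heuristic", re.compile(r"heur|suspicious", re.I)),
    # "Gen"/"Generic" as a whole token, so "Agent" does not match.
    ("generic", re.compile(r"(?<![a-z])gen(eric)?(?![a-z])", re.I)),
]

def classify(label):
    """Return the bucket for one detection label."""
    for bucket, pattern in RULES:
        if pattern.search(label):
            return bucket
    return "unclassified"  # nothing recognised: look this one up by hand

def parse(report):
    """Map each 'File:' heading to its list of (vendor, label) pairs."""
    results, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("File:"):
            current = line[5:].strip()
            results[current] = []
        elif "•" in line and current is not None:
            vendor, label = (part.strip() for part in line.split("•", 1))
            results[current].append((vendor, label))
    return results

def summarize(report):
    """Count labels per bucket for every file in the report."""
    return {name: Counter(classify(label) for _, label in hits)
            for name, hits in parse(report).items()}

if __name__ == "__main__":
    for name, counts in summarize(REPORT).items():
        print(name, dict(counts))
```

A bucket describes how a label is worded, not whether the file is safe; anything left "unclassified" still needs a manual lookup.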
So far, from my experience, I haven't come across any false alarms when it comes to the program. What it is is that common people are too afraid to do research about what's a virus and what's not a virus and will flag anything as a virus. That's why I switched to Avast.
DustyStyx: Dege has addressed my concerns on the Vogons forums. Thanks go to ZellSF for passing along my concerns there.
Dege Wrote:

What I can say is that dgVoodoo and my other stuffs often get false positive detections from various antivirus softwares but they are 100% safe. They don't contain any backdoor or dangerous code at all, it doesn't matter what your AV says. This was a problem for all other softwares built with NSIS (Nullsoft Installer) because that utility also builds an installer containing compressed data.
DustyStyx: ----Original Post----
So on another forum, a user commented that their copy of Symantec (Norton) flagged dgVoodoo2, so I ran a scan on the dll and exe files included in the dgVoodoo2 zip file, using the VirusTotal web service and sure enough many of them seem to have something or other going on.

I understand that the provided DDraw.dll and D3Dlmm.dll files are wrappers and function as translators for the modern DirectX counterparts, so a flag of "WS.Reputation.1" that Symantec returned makes sense, but others like: "Trojan.Win32.Qudamah.Gen.8", "Trojan-Dropper" and "Malware-Cryptor.Limpopo" look pretty scary.

Does anyone know if dege has addressed these on the Vogon forums or elsewhere?
Hi there, it's October - 2019, and apparently this problem still exists. I installed Blood Omen 2: Legacy of Kain. Of course the game is not working properly. I found a YouTube video showing the dgVoodoo as a solution to the screen freeze issue. I went to the website and tried downloading, both Windows Defender (Windows 10) and McAfee Live Safe are preventing the download going forward warning that there is a Trojan inside the file download.

Is there a solution to this problem, i.e. is the threat real? or still a false positive?
thanks
DustyStyx: Dege has addressed my concerns on the Vogons forums. Thanks go to ZellSF for passing along my concerns there.
Dege Wrote:
----Original Post----
So on another forum, a user commented that their copy of Symantec (Norton) flagged dgVoodoo2, so I ran a scan on the dll and exe files included in the dgVoodoo2 zip file, using the VirusTotal web service and sure enough many of them seem to have something or other going on.

I understand that the provided DDraw.dll and D3Dlmm.dll files are wrappers and function as translators for the modern DirectX counterparts, so a flag of "WS.Reputation.1" that Symantec returned makes sense, but others like: "Trojan.Win32.Qudamah.Gen.8", "Trojan-Dropper" and "Malware-Cryptor.Limpopo" look pretty scary.

Does anyone know if dege has addressed these on the Vogon forums or elsewhere?
Pashakora: Hi there, it's October - 2019, and apparently this problem still exists. I installed Blood Omen 2: Legacy of Kain. Of course the game is not working properly. I found a YouTube video showing the dgVoodoo as a solution to the screen freeze issue. I went to the website and tried downloading, both Windows Defender (Windows 10) and McAfee Live Safe are preventing the download going forward warning that there is a Trojan inside the file download.

Is there a solution to this problem, i.e. is the threat real? or still a false positive?
thanks
Still very much a false positive.
For anyone who may still have concerns about this being a real virus, let me share a story of what I've just done with the latest version of dgvoodoo (2.62.3):

- I downloaded the file from dege.freeweb.hu
- Norton AV went nuts and started quarantining the DL
- I restored the file and unzipped it
- Norton went NUTS flagging basically every file as it came out of the archive
- Moved the archive to my NAS and unzipped it there (no problems)
- I set about manually scanning EACH FILE with Norton after they were unzipped
- EACH FILE came back "no threats found" (Even the DLLs)

So in summary: the EXACT SAME AV PROGRAM that had a problem with the zip file, found NO PROBLEMS when I scanned each file within individually.

Of course it's still good practice to do your own research on a given file if your AV of choice starts throwing up flags, but if everyone online is saying they've used it and it's clean... it's probably clean.

Also, I need to dump this Norton shit and find a reliable AV.
The built-in windows (10) antivirus thingie keeps quarantining the exe. I keep going in there to allow it/ignore it/restore it/all that shit and some time later once again it's magically been quarantined as I notice the game I've set up with it won't run properly or when I do a registry cleanout that exe's path will be among the obsolete items. It's really annoying, MS need to get its shit together...

Edit: ok, I just did the exceptions thing on the exe, I hadn't delved into the settings before, lol, hopefully that fixes it forever.
Post edited December 26, 2019 by Al3xand3r
Even Firefox and Chrome are now blocking the site and flagging files

Anyway dgvoodoo works great

Edit: Went back to site with Firefox and now no warnings or blocking
Post edited February 07, 2020 by HG1995