What a pathetic behavior.

[sarcasm]It's a very constructive attitude.[/sarcasm]

It happens that I bought this game, I paid to play it, and I don't want a malware inside a game I've paid.

But despite what you all seem to believe without any evidence, some clues suggest that the game is not malware-free .

Isn't part of the reason why the DRM files aren't flagged as virus because they are in fact signed and likely have an agreement with the AV vendors?

Again down to my horrible memory, some years back there was a bit of a kerfluffle with Sony who decided to put a piece of rootkit on several of their music CDs. This wasn't picked up on by any Anti-virus....right until the point where someone found out how to exploit the rootkit to hide stuff like cheats for WoW, at which point the AV vendors decided to withdraw their whitelisting of the software.

Personally I believe that Gog wouldn't push anything with a virus at it's customers. I think that'd be a really good way of suddenly losing all their customers since they don't sit on a controlling point like others who ship malware as "a service" such as ubisoft, sony and Ea do.

I just wish they could've managed a better deal. If Tages is like stuff like Starforce, then the datafiles for the game will be encrypted and only decryptable by the Tages system once you're authorized. The cracked .dll magically authorizes you without the need for mucking about with activation and such. But the optimal non-drm solution would've been to get the decrypted files so there's no need for the software to begin with.

Still a "fixed" .dll file which doesn't need to install the Tages drivers and such into your system is still preferable to the actual drm. I'd just wish they would've at least got it officially and signed or something rather than, as it seems, picking it up from the nearest warez site.

My bad, forgot your wikipedia link: http://en.wikipedia.org/wiki/Rootkit

https://www.virustotal.com/file/ca8fe8d6f44f7503735d7a664e3809254ba120a8b306a6fd180a5f467f62661a/analysis/1341685988/

half of the antiviruses detect it as a virus, how am i supposed to trust this game?

You are so pleasant and constructive.

I'm an IT security expert, it's my job.

I'm not expert in games and DRM because I don't crack my games: I am good enough in my job to allow me to purchase them.

And for information, the original dll contain a virtualisation system as well, but don't behave in a supicius way, unlike the one provided by GOG.

Furthermore, VirTool:Win32/Obfuscator.XZ is not a generic alert. It's an underground tool to make rootkits.

You said yourself that the dll was encrypted and that was the reason for the alert. You contradict yourself...

Trust GOG + forum posts + votes at virustotal or reinstall the tages/solidshield protected VM or don't play it at all. Sorry, but there's nothing more you could do.

Someone could verify if that dll is the same one used by Steam, as a similar thread existed there, too. Would you guys trust it then?

EDIT:
@Guixyy: All obfuscated files are suspicious for any AV in the first place. That's life. As you already said it depends on the tools used and it doesn't have to be malware.

Has anything GOG ever done given you any reason to think that they would put a piece of malware in their game?

In one of the links in the other thread, there was a post about a file in a different game that had the same false positive as this one, and GOG contacted the antivirus company to show them that the file wasn't infected.

This game doesn't have DRM, and it doesn't have any malware. It does however have a file that used to be part of the old DRM, that GOG had to hack to disable, causing it to show up as a false positive in alot of anti virus software.

I'm sure GOG will do something soon to rectify the situation, but until then I would suggest just allowing an exception for the file, and enjoying the game :)

The dll isn't signed by Atary, unlike the others. I don't think they created it.

If the dll was signed by GOG, it would mean they endorse responsibility for its content. Would have been a reason to trust them.

it's not a question of lack of trust, but not blindly trust anyone.

Because half the antivirus detected, at some point in the past, the original dvm.dll too!, as i said above, there were old reports for this same game (see Steam forum), and other titles too that used TAGES (have a look around at Egosoft forums, DeepSilver, Ubisoft... )

Since the file came from a trusted DRM company, used by trusted publisher, I guess it was whitelisted by most of the av companies in it's original form and the problem was solved.
Fast forward to now.... this DLL was tampered to remove the DRM, so what it's more likely happening here is that the antiviruses are recognizing again the same old pattern in the code, but since the file is not 100% identical to the whitelisted version, they trigger the alert again

If this argument is used whenever something suspicious happens, and it says in a peremptory manner that there is no problem, it's easy to never give reasons to think that they would put a piece of malware in their game.
Excuse me, but the dll was not just tempered, but completely rewritten!

No evidence?

1: I manually okayed the dll, and my computer isn't behaving abnormally. That seems to me like pretty good evidence that it is, in fact, a false alarm.

2: Googling 'dvm.dll virus' shows that this is a fairly common problem, not limited to gog purchasers. People who manually okay the dll are not complaining that their computers are behaving abnormally. That seems to me like pretty good evidence that it is, in fact, a false alarm.

3: GOG would be very, very stupid to release an infected product - that's the sort of catastrophic error that puts previously good businesses in bankruptcy. They surely understand that, and surely take precautions against it. It seems to me that a failure on their part, while technically possible, should not be the first possibility one examines - that it is less likely than a false positive. In light of the above, and especially 2, there is excellent reason to accept the false-positive explanation.

Call my behavior pathetic if you like. I am more concerned with good reasoning than good behavior.

Maybe you are right, maybe not... have you seen every known version of the original DLL?!
You said you have recovered an original copy... i have one too from another game, how big is yours/what version is?
Edit: actually, i found I have 3 of them... every one different from the other in size and version number, two signed, one unsigned

Well, this is not a very good argument, you know....
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3AWin32%2FObfuscator.XZ
Quote:
"VirTool:Win32/Obfuscator are detections for programs that have had their purpose obfuscated to hinder analysis or detection by anti-virus scanners. They commonly employ a combination of methods including encryption, compression, anti-debugging and anti-emulation techniques."

Now, look at SolidShields, tages company, http://www.solidshield.com
Quote:
"Solidshield wrapper is the state-of-the-art technology for code obfuscation and anti-tampering against reverse engineering and mailicious programs modification."

Ah, yes, experimental evidence is no good. Thanks for clearing that up for me; I was starting to think this newfangled 'science' crap might have something to it.

Also, FYI, that Microsoft page did not say that Obfuscator.XZ is a tool to make rootkits. It said, quite clearly (if a bit ungrammatically in parts) that it's a generic catch for a variety of obfuscation techniques that are commonly used in malware. It does not say that said techniques are exclusively used for malware. It does not say that said techniques constitute malware in and of themselves. There is no Obfuscator.XZ virus, trojan, malware, etc., etc., etc.; there is no way to be infected by it. If you get a warning about it, all it's saying is that there's a piece of obfuscated executable code on your computer, and since code obfuscation is handy for lots of bad things, you might want to make sure you trust this before running it.

And, as explained, you have good reason to trust this particular bit of obfuscated code.

While my AV detected the "deactivated" file, I whitelisted it after reading the forums, and things have been fine. Also the firewall hasn't detected any in/outgoing transmissions from the game.

GOG should try and get this fixed however, as it's going to worry people.