Update to earlier malware scare, Semi-technical, Seeking a tech/netsec opinion
So, something really strange:
I managed to get a legitimate copy of the file ESET flagged as malicious earlier today. My heart sank when it turned out to have a different SHA-1 hash than the file I had in quarantine. That told me "this is a different, and therefore *malicious* file."
A friend of mine popped both files into a hex editor and compared them.
They're the same file. The flagged file is just all 0s after a certain point, which makes sense, because Steam makes "dummy" file placeholders of all zeros before downloading the actual files.
So for some reason, a partially downloaded file was scanned by ESET, then flagged as malicious.
Does that sound even remotely reasonable? I'm not sure how safe I really am here.
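The hex-editor comparison described above, done with hashes instead of by eye, as an added example that is not part of the original thread: it finds where the quarantined file stops matching the known-good one and checks that everything after that point is 0x00 (the shape of a Steam placeholder) rather than changed content. The command-line file names are assumptions.

```python
"""Added example (not from the thread): check whether a quarantined file is a
zero-padded partial copy of a known-good one, the pattern Steam's placeholder
files produce, as opposed to a modified binary. File names are assumptions."""
import hashlib
import sys

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def first_difference(a: bytes, b: bytes, chunk: int = 1 << 20) -> int:
    """Offset of the first differing byte; min(len) if the overlap is identical."""
    n = min(len(a), len(b))
    for start in range(0, n, chunk):          # chunked so large game files stay fast
        end = min(start + chunk, n)
        if a[start:end] != b[start:end]:
            for i in range(start, end):
                if a[i] != b[i]:
                    return i
    return n

def classify(good: bytes, flagged: bytes) -> dict:
    d = first_difference(good, flagged)
    zero_tail = not flagged[d:].strip(b"\x00")   # True when every byte after d is 0x00
    if len(good) == len(flagged) and d == len(good):
        verdict = "identical"
    elif len(good) == len(flagged) and zero_tail:
        verdict = "zero_padded_partial"           # placeholder filled only up to offset d
    else:
        verdict = "modified"                      # real content differs: treat as hostile
    return {
        "verdict": verdict,
        "diverge_at": d,
        "sha1_good": sha1_hex(good),
        "sha1_flagged": sha1_hex(flagged),
        "sha1_common_prefix": sha1_hex(good[:d]),  # identical in both files by construction
    }

if __name__ == "__main__":
    # usage: python check_partial.py <known_good.exe> <quarantined.exe>
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
        for k, v in classify(f.read(), g.read()).items():
            print(f"{k}: {v}")
```

A "zero_padded_partial" verdict with different whole-file SHA-1s but a matching prefix hash is exactly the situation the post describes; any non-zero byte after the divergence point is a real modification and the quarantined copy should stay quarantined.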
Update to earlier malware scare, Semi-technical, Seeking a tech/netsec opinion
Questions I find myself asking:
Did this game ever even get to run before this file got scanned and flagged?
Have you looked in the forums for the copy of this game on Steam to see if other people are talking about this?
Does the virus scanner say anything else on your computer is now showing up as infected?
"your scanner grabbed the partially-downloaded file at just the right moment for its quick, preliminary tests to result in the same hash value as something in its database" does sound like a pretty plausible false positive IMHO.
re: Update to earlier malware scare, Semi-technical, Seeking a tech/netsec opinion
@Phorm @anthracite yeah given the hex stuff this is almost certainly a false positive. At a guess I think the AV may have actually been at fault here - it and Steam didn't play nice when it tried to scan a partially-downloaded file, which resulted in minor file corruption.
Just delete the .exe and redownload, see what you get.
re: Update to earlier malware scare, Semi-technical, Seeking a tech/netsec opinion
@Doephin @anthracite
Yeah, I've done a redownload and it went through clean as a bean without issue the second time. It all adds up to a false positive to me, with that in mind (particularly given the way that Steam allocates "empty" files prior to download).
There are some folks on the ESET forum claiming this could be something more malicious*, but I've zero ways to verify that, and tons of anxiety over it.
*(To quote: "This "smells" like malware process hollowing activity which in stage one, clears a portion of process memory while it's in a suspended execution state, and then injects the malware code in the previously cleared memory space. In this instance however, the modified process wasn't executed but rather, would've been saved to disk.")