ALERT:Virus found in class 390 from trainsimcentrel...

Bruces
Well Established Forum Member
Posts: 719
Joined: Sat Jan 17, 2009 6:36 am
Location: A minute down from the KWVR.

ALERT:Virus found in class 390 from trainsimcentrel...

Post by Bruces »

Ok, was doing a virus scan I found this, cl 390_v4.07.07.exe has win32:trojan-gen, found with Avast! as McAfee has failed... So what do you get?? Is it a false alarm??
Regards,
Bruce :)

My Youtube channel: http://www.youtube.com/user/MSTSRWFSXSS
tads1970
Very Active Forum Member
Posts: 1435
Joined: Tue May 23, 2006 8:54 pm
Location: Newcastle Upon Tyne England

Re: ALERT:Virus found in class 390 from trainsimcentrel...

Post by tads1970 »

Downloaded both versions and scanned with NOD32, both virus free, looks like a false positive from the exe file, it's safe :D
davejc64
Very Active Forum Member
Posts: 2209
Joined: Sun Sep 07, 2008 4:31 am
Location: Banbury, Oxfordshire

Re: ALERT:Virus found in class 390 from trainsimcentrel...

Post by davejc64 »

I had a similar problem with the northern line stock for bve4/openbve. Just be careful. Let's just say I no longer use BVE4 or OpenBVE, in fact I have removed them from my system! On advice from AVG!
"Young boys in the park jumpers for goalposts, that's what football is all about."
Easilyconfused
Worried about Silent Chickens
Posts: 13205
Joined: Tue Dec 31, 2002 9:06 am
Location: Portsmouth & Bristol

Re: ALERT:Virus found in class 390 from trainsimcentrel...

Post by Easilyconfused »

Let's not overreact here people.

UKTS gets complaints from time to time about files we host. In all the time I have been around they have all been false positives. Matt did recommend people who have doubts to use one of the online services such as http://www.virustotal.com/ to check out any files they have doubts about. It seems some antivirus products take a dislike to the executable installers that some files come in. The problem is that some members prefer the installers over the zip file that has to be unpacked manually.

Completely removing a simulator due to these warnings seems a bit of an overreaction when a quick check online against multiple antivirus products would most probably show that it is a false positive.
Kindest regards

John Lewis

Member of the forum moderation team
johny
Very Active Forum Member
Posts: 2609
Joined: Fri Dec 07, 2001 12:00 am
Location: N. Warks, UK.

Re: ALERT:Virus found in class 390 from trainsimcentrel...

Post by johny »

davejc64 wrote: I had a similar problem with the northern line stock for bve4/openbve. Just be careful. Let's just say I no longer use BVE4 or OpenBVE, in fact I have removed them from my system! On advice from AVG!
I use AVG, the free version, it's never thrown up a virus message for either BVE or Openbve. When you say advice from AVG do you mean either the company or the program?

John
Technical Authors Do It Manually

#WolvesAyWe
Jacko
Been on the forums for a while
Posts: 109
Joined: Thu Oct 11, 2007 10:24 pm

Re: ALERT:Virus found in class 390 from trainsimcentrel...

Post by Jacko »

This is probably due to the presence of the file OS_ATS1.DLL in one (or more) of the trains. There's more about this problem on TrainSim Central - but the nub of it is that some of the heuristic (i.e. guessing) algorithms which detect viruses have been spotting elements of Oskari's object-code, and (probably falsely) detecting them as similar to a bunch of code inside a backdoor trojan.

Some of the decent virus-checkers have since updated their heuristics algorithms, and have ceased detecting the DLL as 'harmful' - but there are still plenty of, er, less-wonderful virus-checkers that haven't been fixed. If yours is detecting it, my advice is to look in your virus-checker's helpfiles, and find out how you go about reporting 'false positives' back to the company that made your AV program.

Avira and AVAST have, I believe, fixed their detection, and AVG/Grisoft have fixed their detection in V8 of AVG, but not V7.5 (which I'm still using!) I've notified them today of OS_ATS1.DLL's status, and sent them a copy for checking/verification.

However, in the meantime, Oskari appears to have released an updated version of OS_ATS1.DLL, and it is apparent that SOME trains now circulating the net have this new DLL in them instead. They show up clean, as far as the virus-checkers are concerned, but it does appear that this new version DLL causes problems in BVE4 with 'Jump to Station'. So, there are still ongoing problems, but I think the risk of any infection is over-done. Besides anything else, Oskari's DLL was written long, long before the backdoor trojan which is the subject of the antivirus detection routines, so it's a 99.99% bet this is nothing to worry about.

But of course, progressing the issue with your antivirus company (or, choosing an antivirus company/program that has resolved the problem, and reacts to users quickly) is always worth doing, if you have the time!
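A toy model of the heuristic false positive described in the post above, added here as an illustration; it is not code from the thread or from any antivirus product. It assumes a scanner that scores a file by the byte n-grams it shares with a known-bad sample, and every name and byte string in it (`COMMON_STUB`, `TROJAN_REF`, `BENIGN_DLL`, `TROJAN_VARIANT`, `CLEAN_NGRAMS`) is constructed.

```python
# Added illustration: a toy byte n-gram heuristic. All data below is constructed.
N = 4  # n-gram length in bytes

def ngrams(data: bytes, n: int = N) -> set:
    """Every run of n consecutive bytes in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(sample: bytes, reference: bytes, ignore=frozenset()) -> float:
    """Share of the reference's n-grams (minus ignored ones) present in sample."""
    ref = ngrams(reference) - ignore
    if not ref:
        return 0.0
    return len(ref & ngrams(sample)) / len(ref)

def scan(sample: bytes, reference: bytes, threshold: float = 0.5,
         ignore=frozenset()) -> bool:
    """Heuristic verdict: True means 'looks like the reference sample'."""
    return similarity(sample, reference, ignore) >= threshold

# Constructed stand-ins, not real file contents:
COMMON_STUB = bytes(range(0x40, 0x60))     # code shared by many programs
TROJAN_BODY = bytes(range(0xA0, 0xB0))     # bytes unique to the bad sample
TROJAN_REF = COMMON_STUB + TROJAN_BODY     # sample the signature was built from
BENIGN_DLL = COMMON_STUB + bytes(range(0x10, 0x30))       # legitimate file reusing the stub
TROJAN_VARIANT = b"\x00" * 8 + COMMON_STUB + TROJAN_BODY  # repacked bad sample

# The vendor's fix, modelled as ignoring n-grams known to occur in clean code.
CLEAN_NGRAMS = frozenset(ngrams(COMMON_STUB))

def verdicts() -> dict:
    """Verdicts before and after the heuristic is tuned."""
    return {
        "benign, naive": scan(BENIGN_DLL, TROJAN_REF),
        "benign, tuned": scan(BENIGN_DLL, TROJAN_REF, ignore=CLEAN_NGRAMS),
        "variant, tuned": scan(TROJAN_VARIANT, TROJAN_REF, ignore=CLEAN_NGRAMS),
    }

if __name__ == "__main__":
    print(round(similarity(BENIGN_DLL, TROJAN_REF), 3))
    for name, flagged in verdicts().items():
        print(f"{name}: {'FLAGGED' if flagged else 'clean'}")
```

The benign file is flagged only while the shared code counts towards the score; once those n-grams are excluded it scans clean and the repacked sample is still caught.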
davejc64
Very Active Forum Member
Posts: 2209
Joined: Sun Sep 07, 2008 4:31 am
Location: Banbury, Oxfordshire

Re: ALERT:Virus found in class 390 from trainsimcentrel...

Post by davejc64 »

johny wrote:
davejc64 wrote: I had a similar problem with the northern line stock for bve4/openbve. Just be careful. Let's just say I no longer use BVE4 or OpenBVE, in fact I have removed them from my system! On advice from AVG!
I use AVG, the free version, it's never thrown up a virus message for either BVE or Openbve. When you say advice from AVG do you mean either the company or the program?

John
I contacted AVG as soon as the virus was detected, who asked me to submit the file for them to check, they then advised me to delete the file and any associated files from my computer, then run a complete scan of my computer. So draw your own conclusion. I did and needless to say I will no longer be using BVE or OpenBve again.
"Young boys in the park jumpers for goalposts, that's what football is all about."
Jacko
Been on the forums for a while
Posts: 109
Joined: Thu Oct 11, 2007 10:24 pm

Re: ALERT:Virus found in class 390 from trainsimcentrel...

Post by Jacko »

davejc64 wrote: I contacted AVG as soon as the virus was detected, who asked me to submit the file for them to check, they then advised me to delete the file and any associated files from my computer, then run a complete scan of my computer. So draw your own conclusion. I did and needless to say I will no longer be using BVE or OpenBve again.
I submitted a copy of OS_ATS1.DLL to AVG yesterday, as a false positive, along with a note about its creator, purpose and where they could find out more about BVE, asking them to check it in detail, and explaining that it shows up as a heuristically-detected trojan in their AVG7.5 detection routines as of yesterday - and I got this response back this morning (the red bold section is my emphasis, not theirs):
Dear Sir/Madam,

thank you for your email.

Unfortunately, the current virus database version may detect the
mentioned virus on some legitimate applications. We can confirm that
it is a false alarm.
We would like to inform you that the false
positive will be removed in the next Definitions update. Please update
your AVG and if a new Definitions update was downloaded, check whether
the file is still detected.

If you need to restore deleted files from AVG Virus Vault you can do
it this way:
- Open AVG user interface.
- Choose "Virus Vault" option from the "History" menu.
- Locate the file that was incorrectly removed and select it (one
click).
- Click on the "Restore" button.

We are sorry for the inconvenience.

Best regards,

Zdenek Parizek
AVG Technical Support
As far as I'm concerned, that's good enough for me! It's a false positive, plain and simple - and unavoidable from time to time, unfortunately. I only hope that it hasn't put off too many people from using BVE or openBVE, as mentioned above. :(

The fact that it's a false positive is further confirmed by the fact that the current AVG8 detection routine (via the web-based http://virusscan.jotti.org/ combined malware-checker) turns up nothing (as do a lot of other respectable malware detection routines). I'm not quite sure why or how AVG's v7.5 engine detection-routines weren't in sync with their AVG8 ones, but there you go (and in case anyone's interested, I loathe AVG8 because it's so bloated, so have stuck with AVG7.5, which is why I'm still using it - even though it's officially outdated, it is still supported, at least until April).

Meanwhile, I copied OS_ATS1.DLL over to my other machine where I run AVIRA (part of my investigations into an alternative to AVG v8! ;)), and Avira was previously reported (by others, not me) as detecting a trojan (again, via a heuristic 'guessing' algorithm). Now, however, Avira is coming up clean, so they too must've tweaked their routines to target them better.

Thus OS_ATS1.DLL is safe, I would be prepared to say fairly categorically. Any virus-checker which is still showing it up as 'bad' clearly needs work (and it's interesting that it's always the same old laggards who show up on Jotti as having not bothered to tweak their detectors, which is stunning, considering that most of the freeware AV apps seem more proactive than the payware ones!)

In a thread on TrainSimCentral, Oskari indicated that he's rather busy at the moment, and probably won't have time to fix his recently released updated version of OS_ATS1.DLL (early Feb 09), which, as it turns out, is partly bust and causes issues with BVE4 and the Jump To Station feature. Therefore, in my case, I'm simply going to revert to my previous, original versions of OS_ATS1.DLL, as soon as the AVG7.5 routines have been set not to detect it, as per the message from AVG this morning.

Hope this helps set some people's minds at rest.
davejc64
Very Active Forum Member
Posts: 2209
Joined: Sun Sep 07, 2008 4:31 am
Location: Banbury, Oxfordshire

Re: ALERT:Virus found in class 390 from trainsimcentrel...

Post by davejc64 »

I am using AVG 8! As I said before draw your own conclusion! And at that point I will let the matter rest!
"Young boys in the park jumpers for goalposts, that's what football is all about."
Easilyconfused
Worried about Silent Chickens
Posts: 13205
Joined: Tue Dec 31, 2002 9:06 am
Location: Portsmouth & Bristol

Re: ALERT:Virus found in class 390 from trainsimcentrel...

Post by Easilyconfused »

OK - that is enough of this nonsense. It is well known that all AV products suffer from false positives from time to time and part of my day job is validating false positives that periodically get generated about the software we use. This has been explained several times and the statement from AVG is most clear. There is no need for people to "draw their own conclusions" about a site or simulator.

I don't see this going anywhere so am locking the thread.

As usual - any complaints to another moderator.
Kindest regards

John Lewis

Member of the forum moderation team