dojo Posted May 3
NAME: Norton Antivirus reports trojan in game files
DESCRIPTION: With the latest patch of Skylords Reborn, Norton starts to flag and remove the file "proxy-internal.dll". It is recognized as "Trojan.Gen.MBT". Not sure if this was a heuristic detection or a proper checksum detection, but the game seems to run fine without that dll.
REPRODUCIBILITY: Start launcher, let it redownload the dll -> Norton detects and removes it. Game can still be started up and played afterwards.
SCREENSHOT:
Kubik Posted May 3
Is the blue "Trojan.Gen.MBT" a link to some explanation of what it means? If yes, can you paste it here?
dojo Posted May 3 (edited)
Not really, it leads to a page of articles not really specific to anything: https://us.norton.com/blog/emerging-threats
The link actually holds a lot of metadata that does not have any impact on what the site actually shows.
Some investigation however yields this old article: https://www.nortoninternetsecurity.cc/2014/04/trojangenmbt.html?m=1
This is the most recent information I can find. Not sure why they reasserted the risk level to high eventually.
Kubik Posted May 3
😞 That is one of the most generic descriptions I have ever seen.
dojo Posted May 3
Yeah, I know. And it's pretty outdated. Don't know what they picked up on with this patch, maybe some new libraries or injection methods? It's pretty annoying. Hope you can figure it out eventually.
Kubik Posted May 3
No new libraries this patch. The way of injection has been the same for over 6 years now, and we fix more and more functions, but the most important one, redirecting all network traffic to our server, has been there since the beginning. And there is no way for us to fix it; the base thing we do can be described as "Stealing your login credentials, and sending them to our server, instead of EA's". That is the intended functionality, and in my opinion, any AV that does not report that is useless.
dojo Posted May 4 (edited)
Not sure why Norton picks up on it all of a sudden. Maybe they changed the heuristics on their end. What's odd to me is, the game seems to run fine without that dll. I sent the dll to Norton. Maybe they will whitelist it after inspection.
Kubik Posted May 4
🤔 Is it only "proxy-internal.dll"? There are multiple proxies, and just after the release they are likely to be exactly the same, except for the server they point to. There is the main server that most players play on, and a few test servers for testing stuff before the next patch.
dojo Posted May 4
It is only the one, and to be honest I was about to ask what it does, because for two days now I can play perfectly fine without it ^^
xzenon Posted May 5 (edited)
I started getting this on Norton as well, and it removes it just for the auto updater on the game to go "oh, missing file, redownload" lol

On 5/4/2024 at 5:52 PM, dojo said:
> It is only the one, and to be honest i was about to ask what it does, because for two days now i can play perfectly fine without it ^^

Did your game download a file after you removed it? Mine did, then Norton freaked out again lol. trojan.gen.mbt is the exact file in question.
ICET34 Posted May 6
I'll add that with Avira there's a similar problem. But I can't start the game now. Avira flags:
"proxy-internal.dll" as TR/AVI.Agent.vqkwy (2.5.24) [I could start the game]
"proxy-legacy.dll" as TR/Redcap.ijclw (3.5.24) [I could start the game]
"pcre3.dll" as TR/Redcap.zizvf (6.5.24) [I couldn't start the game]
"proxy-test.dll" as TR/Redcap.lzbma (6.5.24) [I couldn't start the game]
My PC gives the following message (in German): BattleForge.exe system error. The code couldn't work, as pcre3.dll could not be found [because Avira put it in quarantine]. Through a new installation of the program the problem might be solved.
Kubik Posted May 6
`pcre3.dll` you always need, but the other 3 only if you connect to the specific server: "internal", "legacy", (public) "test".
ICET34 Posted May 6
Thank you for the answer. It's just strange that it suddenly gets marked as a trojan. That might scare off new players as it's not a trojan.
Kubik Posted May 6
That depends on your definition of a trojan, I guess. The main functionality of the proxy is stealing the login credentials and sending them to our servers instead of EA's (which were shut down a long time ago).