6.4 Miqobot download shows virus detected

Forum Forums Discussion 6.4 Miqobot download shows virus detected

This topic contains 17 replies, has 9 voices, and was last updated by  NepNep 1 year, 6 months ago.

Viewing 15 posts - 1 through 15 (of 18 total)
  • Author
    Posts
  • #40266

    Fer
    Participant
    0

    After downloading the 6.4 update for Miqobot, I’m getting multiple virus warnings for the executable, past the “unknown developer” error.

    #40267
    Miqobot
    Miqobot
    Keymaster
    1+

    Yes, this always happens with every new version release.
    False Positive is a bug in antivirus, but since we have no affiliation with antivirus vendors and have no access to their source code we can not help them fix it.

    This is why there is a special entry in our FAQ section.

    Even if you did not experience this problem before, it doesn’t mean that you never will. Antiviruses are updated often and each update has a chance to introduce a new false positive bug.
    We highly recommend to report this behavior to your antivirus vendor.

    #40268
    whomovedmycheese
    whomovedmycheese
    Participant
    0

    Same. Shows that there’s a trojan in there. Windows Defender won’t even let me override the warning, which in and of itself is a red flag.

    Attachments:
    You must be logged in to view attached files.
    #40270
    Lyfox
    Lyfox
    Participant
    0

    Just whitelist it and move on. Always happens after every patch: https://miqobot.com/forum/forums/topic/virustrojan-win32wacatac-bml/

    #40275

    Fer
    Participant
    0

    Ah, thanks for the information! I don’t think I’ve done this before, but I took like 1.5 years off of FF, so I must not remember it.

    #40277
    akiyuki
    akiyuki
    Participant
    0

    I’m sorry but no, things aren’t identified as a Trojan unless they meet specific criteria. Windows Defender and other Virus scanners don’t flag things unless the things embedded within the code match known threats.

    The specific trojan being reported with this release of Miqobot indicates key logging, backdoor access to the PC and remote installation of software capabilities. There are a ton of apps on the internet that do key logging without being classified as a trojan. Whatever approach they’re using that is indicating potential remote access to the systems is a huge red flag. Or at a minimum provide a technical reason on what they are doing, how they are doing (without giving away proprietary information) to help.

    Developers staying quiet on the issue and the community pushing for people to just “whitelist and move on” is how bot nets are formed across the internet. It happens all of the time with trusted software. I won’t renew my license without the code being changed to be less intrusive or the developer openly share what’s going on to cause it.

    #40278
    Lyfox
    Lyfox
    Participant
    0

    Oh no nobodys forcing you to buy anything. Its just that this issue is so old and has been talked over so much that its getting boring. Devs answered this openly probably a hundred times by now and you can do a quick search on forum to find the answers you need: https://miqobot.com/forum/forums/search/virus/

    And in case you havent been following the news. Miqo devs are from Ukraine, they are living in a war zone. They stopped changing the code on the day Russia invaded. The bot is currently on life support. Miqo devs are keeping it alive only because there are people who still need it and dont want it to die. And im pretty sure they wont bother going out of a bomb shelter just to force one more player to renew a license.

    #40279
    Miqobot
    Miqobot
    Keymaster
    2+

    Thank you for your opinion very much.
    Miqobot Team is already doing everything possible to alleviate the issue with antiviruses.

    We always inform antivirus vendors about False Positives, and Miqobot project is also subscribed to premium VirusTotal services that send automatic notifications to them.
    If you upload Miqobot to VirusTotal, you may notice that our executables are published in the VirusTotal Monitor collection:
    https://www.virustotal.com/gui/file/d80f91b000bce773233c41b4808a384f0bbbf0d993117755c0d8728e907a32cf

    However, we have no affiliation with antivirus vendors and have no access to their source code, therefore we can not help them fix this problem. It’s entirely up to them when and how to address it.

    #40289
    akiyuki
    akiyuki
    Participant
    0

    Thanks for sharing!

    #40290
    akiyuki
    akiyuki
    Participant
    0

    Devs answered this openly probably a hundred times by now and you can do a quick search on forum to find the answers you need: https://miqobot.com/forum/forums/search/virus/

    I did do a search, every result I looked at (and double checked again this morning) didn’t actually say why. The community says “just whitelist” and the developer said “we can’t get the virus vendors to update their code”. Nothing actually said what specifically the app is doing that would cause a scanner to pick up backdoor risks, how their key logging is working etc. For example – is keylogging happening OS-wide, or is it limited to just the ffxiv_dx11.exe process? If it’s limited to just the ffxiv_dx11.exe process, then I would keep using it no problem. The search results, nor the FAQ, answer things like this.

    And im pretty sure they wont bother going out of a bomb shelter just to force one more player to renew a license.

    I love the tool, I’ve followed their struggles with the invasion and the challenges they face trying to keep it on life support. Thus why I searched before posting, hoping that in the past they had at least disclosed a technical reason. I wish the devs well and hope they stay safe and the war ends quickly so they can stop fearing for their lives. I don’t think anywhere in my post I said “risk your lives and make this change right now”. I just said I’ll not use it until clarity is provided or code is changed. If they choose to not change it at any point in the future, or choose not to disclose technical reasons like mentioned above, that’s no big deal. To each their own and we move on

    Cheers!

    #40291
    Lyfox
    Lyfox
    Participant
    2+

    To each their own and we move on

    Looks fair. Cheers mate.

    #40292
    Nekro
    Nekro
    Participant
    0

    Nothing actually said what specifically the app is doing that would cause a scanner to pick up backdoor risks, how their key logging is working etc

    I am not the dev. It’s your call to make, but feature wise it’s somehow reasonable:

    Keylogger: You can define hotkeys, for example to toggle combat assist off and on. Or you can create grids, which is an overlay over the game and has hotkeys to create, move, toggle points etc. Which it obviously needs to listen to.
    Backdoor: It is communicating with the Miqo Server to check if your license is valid and not used twice, probably during the whole time the bot is open. Plus it updates the memory addresses (and maybe other stuff) the bot needs to read from the game on startup, which of course could be seen as providing a backdoor to execute code from an external source.

    #40300

    NepNep
    Participant
    4+

    I’m sorry but no, things aren’t identified as a Trojan unless they meet specific criteria. Windows Defender and other Virus scanners don’t flag things unless the things embedded within the code match known threats.

    The specific trojan being reported with this release of Miqobot indicates key logging, backdoor access to the PC and remote installation of software capabilities. There are a ton of apps on the internet that do key logging without being classified as a trojan. Whatever approach they’re using that is indicating potential remote access to the systems is a huge red flag. Or at a minimum provide a technical reason on what they are doing, how they are doing (without giving away proprietary information) to help.

    Developers staying quiet on the issue and the community pushing for people to just “whitelist and move on” is how bot nets are formed across the internet. It happens all of the time with trusted software. I won’t renew my license without the code being changed to be less intrusive or the developer openly share what’s going on to cause it.

    It is far more complicated the that.

    The reason windows flags Miqo is because of the way it does key presses to emulate human input, to avoid Bot detection in the game.

    Any program that reads your keys and can simulate key presses, with out a digital signature from Microsoft is going to get flagged. And Miqo would not be able to get a Digisig from Microsoft given the nature of their software.

    This has been a thing since forever with miqobot, the reason why it is showing up more is microsoft is pushing new updates in the past few months that are increasing the level of reading it can detect for those programs access this specfic set of .dll.

    Any bot program that simulates key presses is going to trigger this. Peroid. And thats far more preferable then a bot that injects cause those ARE detactable by most games that have basic anticheat.

    So sit there and try to slander the bot when you have no basis other then to, what apepars be a troll.

    As to why I am responding this way, I am a 6+ years cybersecurity manager, I deal with Windows defender and its systems intergration on a daily basis as a part of enterprise security. It’s also why we typically rely on 3rd party AV because windows applies this new blanket inclusion only via digisig.

    Did you know RPG maker also gets flagged on my system because of how it access my GPU drivers? One of the most used single party in home rpg maker tools is now a virus by your logic.

    Just because “Microsoft” flags it, doesnt mean they are all knowing. It simply means its doing somehting they would prefer things not to do normally.

    Edit: I felt I needed to post this because honestly theres this huge misunderstanding that defender is an AV, and its not, its meant to protect windows first, you second, anything that manipulates windows core .dll makes Microsoft nervous because it can come back to them as an exploit.

    • This reply was modified 1 year, 6 months ago by  NepNep.
    • This reply was modified 1 year, 6 months ago by  NepNep.
    • This reply was modified 1 year, 6 months ago by  NepNep.
    #40304

    NepNep
    Participant
    1+

    Also one last clarification, Windows classifies threats based on “know action types” that Screenshot showing the Script/Wacatac.H!ml is a falase positive, windows simply places that designation on it because thats the closest thing it can find to what the bot is doing.

    • This reply was modified 1 year, 6 months ago by  NepNep.
    • This reply was modified 1 year, 6 months ago by  NepNep.
    #40308
    tator-tot
    tator-tot
    Participant
    0

    The reason windows flags Miqo is because of the way it does key presses to emulate human input, to avoid Bot detection in the game.

    Any program that reads your keys and can simulate key presses, with out a digital signature from Microsoft is going to get flagged. And Miqo would not be able to get a Digisig from Microsoft given the nature of their software.

    This. Win 11 defender is overly enthusiastic to put it mildly. It is great for a majority of users in the gen pop, but has caused me so many headaches on the security end.

    • This reply was modified 1 year, 6 months ago by tator-tot tator-tot.
    • This reply was modified 1 year, 6 months ago by tator-tot tator-tot.
Viewing 15 posts - 1 through 15 (of 18 total)

You must be logged in to reply to this topic.