sdalgl72

Behavior Blocker Steam and AMD Radeon software

Since updating to v12 I have noticed that nearly every Steam update has triggered the Behavior Blocker, and so does the update function on AMD software, which seems a little odd as you'd have thought they wouldn't, along with Eve.

 

Has anyone else been experiencing this and know why some reputable companies are being triggered?

When you see an alert from the Behavior Blocker for a Steam file, can you click on the button to view details, and then copy and paste the file information (especially the SHA-1 hash) into a reply for me? I can look the files up using the SHA-1 hashes to see if there should be alerts for them.

When you see an alert from the Behavior Blocker for a Steam file, can you click on the button to view details, and then copy and paste the file information (especially the SHA-1 hash) into a reply for me? I can look the files up using the SHA-1 hashes to see if there should be alerts for them.

Will do. Probably won't get one now, but will look out for it.

Here are the ones for the Eve launcher.

 

Hashes of the detected object (evelauncher.exe):
MD5: D33B3659676BC8315ED7BE281705DCFE
SHA-1: 5B3D5607C2F6F51E9666A72ACA8A851505B50E1D
 
Verified information according to the digital certificate of the detected file (evelauncher.exe):
This file is not digitally signed
 
Now I know it's not signed, but coming from a big game like EVE Online shouldn't it be whitelisted already?

Hashes of the detected object (TransportFever.exe):

MD5: 0C373B8BB5617F037434DD0CFFBD951A
SHA-1: 47A45576CFE163EAA5B477364EBBA2662CF9A90A
 
Verified information according to the digital certificate of the detected file (TransportFever.exe):
This file is not digitally signed
 
The reoccurring theme is they aren't digitally signed, but this seems to happen for every game downloaded through Steam.

Now I know it's not signed, but coming from a big game like EVE Online shouldn't it be whitelisted already?

No, we don't whitelist files that are not digitally signed. Every time they get updated the file would no longer be whitelisted, since the hashes would no longer be the same, and it would be impossible to keep a database of files like that updated every time one of the files changed.

When enough users have allowed the file, it is considered "Trusted" on our Anti-Malware Network (at least until the file changes, and the hashes no longer match). In this case there are no results when searching for the SHA-1 hash on IsThisFileSafe.com, which is a good indication that the file has not yet been seen by our Anti-Malware Network.

Hashes of the detected object (TransportFever.exe):

MD5: 0C373B8BB5617F037434DD0CFFBD951A

SHA-1: 47A45576CFE163EAA5B477364EBBA2662CF9A90A

 

Verified information according to the digital certificate of the detected file (TransportFever.exe):

This file is not digitally signed

This one wasn't even on VirusTotal. It's possible it's just a very new version of the file, or it isn't a popular game.

The reoccurring theme is they aren't digitally signed, but this seems to happen for every game downloaded through Steam.

Yes, this is normal for games. They are almost never digitally signed, and so they will trigger Behavior Blocker alerts (especially if they are frequently updated or not common among our customers). The easy workaround is to exclude the Steam folder from monitoring so that the Behavior Blocker never shows alerts for things running out of the Steam folder.

Here are instructions on excluding a folder from scanning and monitoring:

  • Open Emsisoft Internet Security.
  • Click on Settings in the menu at the top.
  • Click on Exclusions in the menu at the top.
  • To the right of the list to Exclude from scanning, click on the Add folder button.
  • Navigate to the folder you would like to exclude, click on it once to select it, and then click OK.
  • To the right of the list to Exclude from monitoring, click on the Add folder button.
  • Navigate to the folder you would like to exclude, click on it once to select it, and then click OK.
  • Close Emsisoft Internet Security.

Thanks for the information, will check where they are stored and possibly do the exclusions. Transport Fever was only released yesterday, that was why, but it was the first example that came to hand.

 

Just added the C:\Program Files (x86)\Steam\SteamApps\ to the exclusions for the real-time but haven't added it for the scan.

 

Should this be a safe setting or should I just leave it to pop every time?

Just added the C:\Program Files (x86)\Steam\SteamApps\ to the exclusions for the real-time but haven't added it for the scan.

Adding it to the exclusions list for monitoring (the bottom of the two exclusions lists) should be enough.

 

Should this be a safe setting or should I just leave it to pop every time?

It depends on whether or not you trust the publishers of games you are downloading. I generally exclude my Steam folder as well since some games don't react well to being monitored, and I even add the executable files individually for any game that I think has performance issues while an anti-virus software is running.

If it's common practice to exclude (presumably standard) folders that game software is commonly downloaded to, is there not a huge risk that malware authors will target that folder as a place to put their nasty programs?

If it's common practice to exclude (presumably standard) folders that game software is commonly downloaded to, is there not a huge risk that malware authors will target that folder as a place to put their nasty programs?

That was what I was considering; however, that is why I didn't exclude it from the file scanner.

If it's common practice to exclude (presumably standard) folders that game software is commonly downloaded to, is there not a huge risk that malware authors will target that folder as a place to put their nasty programs?

Technically yes, however unless you manually save a malicious file in the excluded folder then you will still have to execute it before it can copy itself to the excluded folder.

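An added example, not part of the original thread and not Emsisoft's code: since an update changes a file's hashes (so hash-based trust stops matching) and an excluded folder is no longer watched by the Behavior Blocker, one compensating check is to keep your own SHA-1 baseline of the executables in that folder and review anything new or changed. The folder layout and file names in `demo()` are constructed samples, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = {".exe", ".dll"}  # assumption: the file types worth tracking

def sha1_of(path):
    """SHA-1 of a file, uppercase hex like the alert details in the thread."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def snapshot(root):
    """Map relative path -> SHA-1 for every executable under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = sha1_of(full)
    return result

def diff(baseline, current):
    """Return (new, changed, removed) relative paths between two snapshots."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current
                     if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return new, changed, removed

def demo():
    """Constructed sample: a fake game folder, one update, one unexpected file."""
    with tempfile.TemporaryDirectory() as root:
        game = os.path.join(root, "common", "SampleGame")
        os.makedirs(game)
        exe = os.path.join(game, "SampleGame.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ constructed build 1")
        baseline = snapshot(root)
        with open(exe, "wb") as f:
            f.write(b"MZ constructed build 2")  # routine update: hash changes
        with open(os.path.join(root, "unexpected.exe"), "wb") as f:
            f.write(b"MZ constructed unknown file")  # not in the baseline
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    new, changed, removed = demo()
    print("new:", new, "changed:", changed, "removed:", removed)
```

A changed entry right after a game update is expected; a new or changed entry with no matching update is the one to look up by its SHA-1.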

I'm not familiar with any major issues with malicious content on Steam, and they do have a set of standards for the software that they allow on their store. Those standards have been lowered over the years, but mostly in the area of game quality. Granted there is a bit of a gray area when it comes to games that require you to log in through their own account system rather than using your Steam account, but we assume that Steam holds them to some sort of standard when it comes to user data to help minimize or prevent privacy issues.

The biggest security issue I have seen on Steam is with malware that after infecting a computer will spread by sending messages to people on the Steam friends list of any logged in Steam users on the infected computer. Usually it's in the form of a link that can be followed to a download, either pretending to be a screenshot from a game or of a Steam inventory, but ends up being a malicious program that infects the computer. These should be caught by our Behavior Blocker and generate an alert (since they are unknown), assuming the File Guard doesn't automatically delete them.
