Author Topic: liveUpdater issue...  (Read 3462 times)

flySWISS

  • Newbie
  • *
  • Posts: 17
liveUpdater issue...
« on: July 16, 2021, 01:55:44 am »
Hello everyone!

I get an error while trying to update GSX / GSX L2. However, this is very strange, since the LiveUpdater will surely download and install it straight away if updates are available. In order to avoid the risk my ESET NOD32 Antivirus might block it, I have renamed (for the time being!) two specific files => "QlmLicenseLib.dll" (@ Addon Manager Folder) and \QlmLicenseLib.dll located within Addon Manager\Couatl Folder, but unfortunately did NOT work for me so far. Your cooperation and support will be greatly appreciated in this matter. Thank you.

Regards

Paul
MSFS2020 Premium Deluxe (Steam) - CPU Ryzen 9/ 5950X - 128 GB DDR4-3600 HyperX Predator RGB - ASUS X570-E Gaming -- ROG Strix RTX 4090 24GB OC -- (2x) 2TB Samsung SSD 980 Pro M.2 NVME - ALIENWARE 34" QD OLED (3440 x 1440, 175 HZ) - Seasonic Prime TX 1000W 80+ Titanium PSU - Tower Fractal Define S2

virtuali

  • Administrator
  • Hero Member
  • *****
  • Posts: 51235
    • VIRTUALI Sagl
Re: liveUpdater issue...
« Reply #1 on: July 16, 2021, 01:37:15 pm »
Quote
I get an error while trying to update GSX / GSX L2

Which error, exactly ?

Quote
In order to avoid the risk my ESET NOD32 Antivirus might block it, I have renamed (for the time being!) two specific files => "QlmLicenseLib.dll" (@ Addon Manager Folder) and \QlmLicenseLib.dll located within Addon Manager\Couatl Folder, but unfortunately did NOT work for me so far.

You shouldn't rename or touch any files. The correct way to prevent the antivirus from interfering is to ADD the whole Addon Manager folder to the antivirus Exclusions.

flySWISS

Re: liveUpdater issue...
« Reply #2 on: July 16, 2021, 03:34:27 pm »
Thank you for your reply. Note, it is much appreciated!

It does not work for me so far, even with the Virus program (en)abled or (dis)abled INCLUDED virusSCANs EXCLUSIONS applied for the entire SIM and Addon Manager folder. That's the point. The ERROR MESSAGE says -> The remote server returned invalid data.
 
SIR... I am not a newbie at all to flight simulation or IT concerns, so maybe the error message that I am getting now it is related to performance of datasource or if there are many other dataset need to be refreshed at that point in time, so try to set up another datatime to refresh it.
 
 
BEST REGARDS from LSZH
« Last Edit: July 16, 2021, 03:44:39 pm by flySWISS »

flySWISS

Re: liveUpdater issue...
« Reply #3 on: July 17, 2021, 01:35:36 am »
...starting liveUpdater directly from "Couatl_Updater.exe file" There, that does the trick!!!

Bye Bye now

virtuali

Re: liveUpdater issue...
« Reply #4 on: July 17, 2021, 12:25:29 pm »
Quote
...starting liveUpdater directly from "Couatl_Updater.exe file" There, that does the trick!!!

If you mean this as an alternative to starting it from the Icon shortcut on the Desktop, there cannot possibly be any difference between starting the file this way or from the exe because, of course, the Icon shortcut points exactly to that file so, it's the same.

Now, this in theory but, we have seen all sorts of weird behavior with defective antivirus that mistakenly flag the executables as threats, even if they are digitally signed with TWO digital signatures ( our own authenticode AND the "software taggant", which is a standard to help the antivirus not catch false positives ) so, I wouldn't be surprised if your antivirus made starting the SAME program from the Icon shortcut or manually somewhat different, when there shouldn't be any difference.

flySWISS

Re: liveUpdater issue...
« Reply #5 on: July 17, 2021, 07:18:41 pm »

Quote
Now, this in theory but, we have seen all sorts of weird behavior with defective antivirus that mistakenly flag the executables as threats, even if they are digitally signed with TWO digital signatures ( our own authenticode AND the "software taggant", which is a standard to help the antivirus not catch false positives ) so, I wouldn't be surprised if your antivirus made starting the SAME program from the Icon shortcut or manually somewhat different, when there shouldn't be any difference.

What we both are assuming here is that a breach can and will occur, which is the correct position to take. No security solution is perfect, and if a threat has made it past other lines of defence, you need something that can alert you to the breach so that you can begin to investigate. AND A software taggant is JUST a cryptographic signature added to software that enables positive origin identification and integrity of programs somewhat similar to Microsoft's Authenticode. Also, a software taggant may cover ONLY small critical areas of the program to minimize the cost of software integrity checking.

You know, there is NO user who does not encounter the problem of false antivirus triggering. The reaction of an ordinary person most often comes down to deleting a “suspicious” file, which is often not only not harmful, but rather useful and sometimes valuable. In turn, programmers, knowing about such jokes, can fall into irritation close to stress. Neither one nor the other contributes to effective work. A few years ago, a real battle broke out between antivirus companies and protectors. Losing, antiviruses decided to ban all packers that are not used in commercial and widespread software. Then even several well-known packers were banned. Over time, the situation returned to normal, but there is still no complete solution to the problem!!!

And YES Sir, FSDT GSX /GSXL2 is definitely one of my favorites for Flight Simulation! You haven’t missed a thing! WOW! Highly recommended. Nothing can stop you now. You’ve got your brain in gear today. However, next I will visit your Onlineshop because I need some nice airport textures for the MSFS20.


REGARDS from LSZH

virtuali

Re: liveUpdater issue...
« Reply #6 on: July 18, 2021, 01:39:23 pm »
Quote
What we both are assuming here is that a breach can and will occur, which is the correct position to take. No security solution is perfect, and if a threat has made it past other lines of defence, you need something that can alert you to the breach so that you can begin to investigate. AND A software taggant is JUST a cryptographic signature added to software that enables positive origin identification and integrity of programs somewhat similar to Microsoft's Authenticode. Also, a software taggant may cover ONLY small critical areas of the program to minimize the cost of software integrity checking.

Sorry no. There's nothing we should do or investigate, because we KNOW our product doesn't do anything wrong. We already do more than enough by:

- paying our yearly fees for Authenticode certificate, which is the FIRST thing antivirus vendors suggest to prevent false positives.

- paying our yearly fees to license the Software Taggant signature, which is an IEEE standard that antivirus vendors are SUPPOSED to trust.


Assuming a false positive was indeed the cause of your problem, the only thing at fault here is the antivirus itself, which is trusting its own questionable heuristics more than the double digital signature that is supposed to prevent that.

The problem is, antivirus need to boast the ability to catch threats that "haven't been discovered yet" or catch more threats than the competition, otherwise they couldn't possibly differentiate from each other and, most importantly, from the one included by default in Windows.

So they use heuristics trying to judge behavioural patterns, because they don't really KNOW if something is a threat or use the despicable "reputation" method so, a new executable that has never been encountered before, is by default flagged suspicious.

That, of course, clashes completely with the very concept of a Live Updater because:

- it's able to "update itself". The 2nd stage .exe gets updated very often so, it never gets enough "reputation".

- it "downloads stuff", which is a behavior that might be associated with trojans, for example

These two combined are seen as dangerous, even if they obviously aren't but, if we had to check EVERY antivirus product out there, EVERY time they have an update, if ANY of them got a false positive, and report it to the antivirus developers, we wouldn't have any time left to do...actual Flight sim products!

flySWISS

Re: liveUpdater issue...
« Reply #7 on: July 18, 2021, 03:32:18 pm »

Quote
Assuming a false positive was indeed the cause of your problem...

That is definitely the case here, despite the "tireless" efforts of a friendly cast.


Quote
The problem is, antivirus need to boast the ability to catch threats that "haven't been discovered yet" or catch more threats than the competition, otherwise they couldn't possibly differentiate from each other and, most importantly, from the one included by default in Windows.

So they use heuristics trying to judge behavioural patterns, because they don't really KNOW if something is a threat or use the despicable "reputation" method so, a new executable that has never been encountered before, is by default flagged suspicious.

Hey listen...! Heuristic analysis was INVENTED by antivirus companies to detect new threats and is partly necessary for them to collect suspicious files. The probability of false positives in our case is much GREATER, therefore, antiviruses maintain a “white” list of signatures for commercial packers. This partly helps to improve the situation, but it still leaves the opportunity for antiviruses to feel "with impunity." Like "gods" playing dice, they are able to give out a harmless file for a virus. To justify their existence, antiviruses are forced to complicate the analysis and come up with additional control schemes. For protectors, they decided to implement a system of complete control over the distribution of protected files. The system allows you to block only files from unreliable publishers of protected software and show loyalty to files from trusted sources.

Antivirus intensively use digital signatures to authenticate a file! VALIDATED by reputable organizations, digital signatures provide a reliable way to track the source of a file. Such organizations are unlikely to sign malicious code with their certificate. But not always a digital signature is enough. There are known cases of "INFECTION" when the file contained a valid digital signature, because the virus was introduced at the compilation stage of the program. However, the responsibility for applying the digital signature lies with the tread user, and a high level of trust is required for the publisher of the certificate.

BEFORE releasing a new tread, VENDORS are advised to protect a representative sample of 10-20 files with various protection parameters and put it on public display. Antiviruses, in turn, must make sure that there are no false positives from the heuristic analyzer. The reputation of the file with the Software Taggant marker should be higher than that of the file without it. When a protected malware with the Software Taggant marker is detected, the license with which the malware was protected becomes a candidate for blacklisting. The COMMUNITY recommends that antiviruses quickly share information to create a complete list of blocked licenses. 

And that's it!!!



Regards from LSZH (Switzerland)

Paul


virtuali

Re: liveUpdater issue...
« Reply #8 on: July 19, 2021, 09:11:07 pm »
Quote
Hey listen...! Heuristic analysis was INVENTED by antivirus companies to detect new threats and is partly necessary for them to collect suspicious files.

Heuristic is the OPPOSITE of "collection". It is a way to TRY to detect something that has NOT been collected or proved to be dangerous.

Quote
The probability of false positives in our case is much GREATER, therefore, antiviruses maintain a “white” list of signatures for commercial packers.

And their mistake is they trust the heuristic more than the white list.

Quote
There are known cases of "INFECTION" when the file contained a valid digital signature, because the virus was introduced at the compilation stage of the program.

Yes, that's possible, of course, in this case, antivirus vendors should just simply admit they don't trust digital signatures, instead of always replying ( when we report a False Positive ) with the mantra "have you digitally signed your executable" ?

Quote
When a protected malware with the Software Taggant marker is detected, the license with which the malware was protected becomes a candidate for blacklisting. The COMMUNITY recommends that antiviruses quickly share information to create a complete list of blocked licenses. 

But done correctly, it should affect only a *specific* license of a packer. Which is not always the case or, more precisely, is never the case because, it seems highly unlikely that antivirus vendors could check *themselves* a license of a commercial packer that has its own methods of storing the license, which are probably never shared.

So, what *really* happens in the real world, is they blacklist a whole packer entirely, which is way easier for them to recognize, rather than trying to verify the developer license.

And that's what makes the method so unreliable.

The only method that really works, is whitelisting ( or blacklisting ) the ACTUAL executable being executed, not the packer used.

Which, as I've said, would require contacting ALL the antivirus vendors to submit a white listing request every single time we change a single executable, which is exactly what the "Software Taggant" idea was designed to PREVENT.

flySWISS

Re: liveUpdater issue...
« Reply #9 on: July 19, 2021, 11:50:47 pm »
Dude, You don't know what you're talking about, do you? Sorry, NOOO, you definitely don't. If so, you will NEED to combine broad technical skills with specific SECURITY KNOWLEDGE along with various SOFT skills like I do!!!!

Though YOUR PRODUCT is using this encryption and obfuscation via packers in an attempt to protect the executable code from malware, there's simply NO WAY that the behavioral and other security product detection modules can know this, so it will of course be treated exactly like any unknown, POTENTIALLY MALICIOUS PIECE OF SOFTWARE. And this is the point. The additional problem is that virtually ALL software that obfuscates or uses otherwise QUESTIONABLE PRACTICES for whatever possibly valid reason, has later been abused by malware purveyors in an attempt to circumvent the Microsoft and other security product detection systems.  This is part of the reason that Microsoft indicates in its resources for developers, Software Developers FAQ that they don't accept files for a known list (e.g. whitelist) or false-positive prevention program or any CRAP like that.

If you think logically about this situation, you quickly realize that it's not possible for Microsoft or whatever Antivirus Software to scale the operation of a whitelist for the large numbers of individual software applications that are created in order to remain vigilant against the much larger numbers of individual malware now created daily.  The automation of this malware creation and packaging means that such a whitelist would quickly become unmanageable no matter how efficient the system operating it might seem initially.






« Last Edit: July 20, 2021, 09:13:35 am by virtuali »

virtuali

Re: liveUpdater issue...
« Reply #10 on: July 20, 2021, 09:13:12 am »
Quote
Dude, You don't know what you're talking about, do you? Sorry, NOOO, you definitely don't. If so, you will NEED to combine broad technical skills with specific SECURITY KNOWLEDGE along with various SOFT skills like I do!!!!

Sorry, but saying "You don't know what you're talking about" doesn't make any of what you said any more right. It sounds as pretentious as "you don't know who I am"...

Quote
Though YOUR PRODUCT is using this encryption and obfuscation via packers in an attempt to protect the executable code from malware, there's simply NO WAY that the behavioral and other security product detection modules can know this, so it will of course be treated exactly like any unknown, POTENTIALLY MALICIOUS PIECE OF SOFTWARE.

And here you are now contradicting yourself because, first you said "antivirus whitelists know packers", now you are saying we shouldn't use them in the first place, when I said this approach wouldn't obviously work, because they would theoretically have to verify the specific license of the packer, in order not to blacklist its userbase, which in fact is precisely what's happening, which is wrong.

Are you now trying to say JUST using a packer is by itself a "questionable practice" ? Name me ONE product that has in some way any relationship with verification of licenses that is not packed/obfuscated in some way.

It would be irresponsible if it didn't because, for example, someone hacking it might modify the software to, for example, steal the activation key and use that to obtain the user data, for example. Obfuscation and protection against tampering is not "just" to protect from piracy, but also to protect users from hackers that would modify that software.

Quote
And this is the point

The point was the Software Taggant IEEE standard was precisely to allow software to use packers to defend *itself* against malware, without IT being recognized as such. Are you trying to say all those security experts and antivirus vendors who discussed it "didn't know what they are talking about ?"

Quote
If you think logically about this situation, you quickly realize that it's not possible for Microsoft or whatever Antivirus Software to scale the operation of a whitelist for the large numbers of individual software applications that are created in order to remain vigilant against the much larger numbers of individual malware now created daily.  The automation of this malware creation and packaging means that such a whitelist would quickly become unmanageable no matter how efficient the system operating it might seem initially.

It's not true they cannot maintain a per-executable whitelist, because they obviously do since, when we DO report a false positive for a specific executable, they DO add its hash to the white-list so no, the list CAN be maintained.

But you are just making my point here, because making a false positive report to everybody is too much for us instead, because while antivirus vendors hire support people just to keep up with false positives, we surely cannot afford that.

And again, that was the point of using digital signatures, software taggant and packers whitelists. Which some ( NOT ALL! ) antivirus vendors seem to trust less than THEIR QUESTIONABLE HEURISTIC.

Topic is locked, since it's completely useless to discuss about antivirus theory, just because for some reason the Live Updater didn't start from the shortcut, but did when started manually, which I only guessed it was something related to the antivirus, since I'm fairly sure you surely know there mustn't be ANY difference ( the shortcut points to the same .exe ), in normal operation and, usually, when something inexplicable with the standard OS behavior happens, the antivirus are usually involved, since they run with way higher access level than most of the user programs.
« Last Edit: July 20, 2021, 09:17:36 am by virtuali »
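
The thread turns on two per-file facts: whether an executable carries a valid Authenticode signature, and the file hash that a vendor allowlists after a false-positive report. The following PowerShell script is an added example, not code from the forum posts or from the vendor; it inventories both for every .exe and .dll in a folder before that folder is added to antivirus exclusions. The `-Folder` value and the CSV location are placeholders (assumptions), and the script checks Authenticode only; the software taggant is not inspected.

```powershell
# Added example (not from the thread): signature and hash inventory of a folder.
# -Folder is a placeholder for the install folder; requires PowerShell 4 or later.
param(
    [Parameter(Mandatory = $true)]
    [string]$Folder,
    # Assumed output location for the inventory
    [string]$CsvPath = (Join-Path $env:TEMP 'signature-inventory.csv')
)

if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
    throw "Folder not found: $Folder"
}

# Collect every executable image in the folder tree.
$files = Get-ChildItem -LiteralPath $Folder -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' }

# One row per file: signature verdict, signer identity, timestamp presence, hash.
$report = @(foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $f.FullName
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = if ($cert) { $cert.Subject } else { '' }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { '' }
        Timestamped = [bool]$sig.TimeStamperCertificate
        SHA256      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        File        = $f.FullName
    }
})

$report | Sort-Object Status, File |
    Format-Table Status, Timestamped, Signer, File -AutoSize

# Files that are unsigned or whose signature does not verify on this machine.
$notValid = @($report | Where-Object { $_.Status -ne 'Valid' })

# Distinct signing certificates seen in the folder.
$signers = @($report | Where-Object { $_.Thumbprint } | Group-Object Thumbprint)

'{0} file(s) scanned, {1} not validly signed, {2} distinct signing certificate(s)' -f `
    $report.Count, $notValid.Count, $signers.Count

# Keep the inventory: after an update, changed SHA256 values show which files
# are new builds, while Signer and Thumbprint should stay the same.
$report | Export-Csv -Path $CsvPath -NoTypeInformation
```

Running it again after an update and comparing the two CSV files shows the situation described in Reply #6: the hash of an updated executable changes with every release, while the signer identity stays constant.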