Bug Problems with modpacks, Java, and Antivirus

[NineTailedFox173]

Yesterday I was working all day trying to find what was the matter with my Antivirus.
Trend Micro reported that it had detected HTTP_KEYLOGGER_REQUEST-2 in C:\program files\java\jre1.8.0_45\bin\javaw.exe twice in three modpacks: Infinity, Departed and Trident.
I was chatting with Viper-7 and he said the following: (short version)

[23:10] <Viper-7> Those modpacks do not contain a key logger, Trend Micro is detecting a particular sequence of instructions being used probably by one mod shared by those packs, it looks very likely to be a false positive.
[23:12] <Viper-7> It looks like a trap they've set for a particular way of making a HTTP request, commonly used by virus software, but in this case was used by a modder.

As far as I know, it only happens with these three modpacks.
And yes, I have tried two other launchers to see if this happens there, and surprisingly no.
When trying Infinity on the MyM launcher, Trend Micro does NOT detect that Javaw.exe is infected with the HTTP_KEYLOGGER_REQUEST-2. I don't know for sure if this is an actual threat, but please don't set javaw.exe to your exclusion list, as it can leave your java open for compromise to actual threats. I've went over this with the lovely people at Bleepingcomputer.com, and I can link to the topic there.
Also, Viper-7, rolling back to Java 7 can leave your system vulnerable, and I have been warned against it, so please don't do that either.

The issue still persists as of today, and I advise someone to look into it. It may be nothing, but causes hassle to others, as in my case it causes Trend Micro to delete Javaw.exe, rendering Java useless untill a reinstall is performed.
... Thanks In advance.

(Also, pardon me if I posted this in the wrong area. I just wanted to get this out there.)

 

[wolfsilver00]

Change AV? I recommend kaspersky..

 

[NineTailedFox173]

Needless to say I'm surprised only one person responded to me. (And sorry wolf, I'm not going to change antiviruses. At least not until my subscription expires next year.)
Too bad. I thought people would be more, well, concerned about this, if anything?

 

[Cptqrk]

[23:10] <Viper-7> Those modpacks do not contain a key logger, Trend Micro is detecting a particular sequence of instructions being used probably by one mod shared by those packs, it looks very likely to be a false positive.

This is why no one is up in arms about this.

Even Norton360 freaks out once in a while over modpacks or even the FTB launcher. False positive means no panic.

 

[NineTailedFox173]

Well, does that still mean nobody should do anything? Like I said, putting Java on the exception list is a risk, and switching AVs sometimes isn't an option.
Having your AV delete the thing that makes Java run is not a fun thing

 

[Cptqrk]

If AV is deleting the thing that makes java run, you might want to tell AV to ease up or at least ask you what you want it to do before it starts deleting things.

I can't wait until you get a virus that attaches itself to your windows root directory and you blame AV for deleting it.....

Seriously, no one here is going to freak out. If you don't trust the launcher, don't use it.

 

[ShneekeyTheLost]

You could always switch over to a Debian-based Linux distro and not have to worry about it...

In the meantime, no one is going to get into a panic over something that isn't a problem, and the people on these forums are sufficiently knowledgeable in how minecraft works that most of us have already worked out what mod it is, why it is doing it, why your AV thinks it is doing something else, and have already moved on to something more interesting.

It is about on par with a Geiger counter going off when someone yanks a strip of duct tape off the roll. It isn't detecting radiation, it is detecting free electron particles emerging from the static electricity generated. This is a well known and documented false-positive, so nobody is worried their hair is going to fall out.

 

[NineTailedFox173]

Don't get me wrong, I trust the launcher, It's just that I wish the mod author of that one particular mod in question didn't write the code so as to set up a red flag for an AV. I know EVERYBODY doesn't use Trend Micro, but hey, a problem is a problem, right? Potentially someone else has the same problem, and puts Javaw.exe,or even the entire folder on the exclusion list. Is that safe? No! What happens if an actual virus weasels its way into that folder? It may be unlikely, but still possible. I know this issue isn't something for people to be all freaked about, just a minor nuisance. Is it really that difficult to fix? It's either they fix it, or I go through all the trouble of complaining to Trend Micro, and let's face it, they're most likely never going to respond because their website is godawful in terms of navigation, and their complaint forms look like they're from the stone age, and you'd be lucky if they reply back within the next century. Also their forum, if they even have one, is so well hidden, it would take you millennia to find. I apologize if I'm making a fuss, but I'm just slightly peeved about having to reinstall Java over and over again if I wanted to use any of these packs, and let me say this. Before, I never had any problems with Infinity until the new update. If you know, what is causing the AV to freak out, is it so astronomically important (the cause), and why wouldn't this happen when I run Infinity on say, the MyM launcher?

 

[wolfsilver00]

Don't get me wrong, I trust the launcher, It's just that I wish the mod author of that one particular mod in question didn't write the code so as to set up a red flag for an AV. I know EVERYBODY doesn't use Trend Micro, but hey, a problem is a problem, right? Potentially someone else has the same problem, and puts Javaw.exe,or even the entire folder on the exclusion list. Is that safe? No! What happens if an actual virus weasels its way into that folder? It may be unlikely, but still possible. I know this issue isn't something for people to be all freaked about, just a minor nuisance. Is it really that difficult to fix? It's either they fix it, or I go through all the trouble of complaining to Trend Micro, and let's face it, they're most likely never going to respond because their website is godawful in terms of navigation, and their complaint forms look like they're from the stone age, and you'd be lucky if they reply back within the next century. Also their forum, if they even have one, is so well hidden, it would take you millennia to find. I apologize if I'm making a fuss, but I'm just slightly peeved about having to reinstall Java over and over again if I wanted to use any of these packs, and let me say this. Before, I never had any problems with Infinity until the new update. If you know, what is causing the AV to freak out, is it so astronomically important (the cause), and why wouldn't this happen when I run Infinity on say, the MyM launcher?

The thing is, the solution is there, you can put java on exclusion or just disable your AV while you play, also, if you don't do anything stupid then you don't need an AV. I have used my computer (with windows, even though my main is debian and archlinux) without an AV for almost 6 years by now, and never had a problem with virus. You just need to know what is dangerous and don't do it/do it in a virtualized sandbox (check on google for that).

Also, are you using the real launcher or a pirated one? That could be an issue.. Do you own minecraft?
As I said, you can just change AV (there are free AV's too, so it's not really a problem, avg is good enough I guess) or just disable it while playing...

 

[Vilmos]

Can you turn off heuristic analysis of files in Trend Micro?

Your antivirus is just detecting possible threats. It shouldn't be in lock-down mode for that, it should at least ask what you want to do. Get rid of the heuristic analysis since it is garbage anyway. The chances that Trend Micro will actually detect an unknown virus using that method is less than none.

 

[NineTailedFox173]

1. I am using the real launcher, and I do own Minecraft. (I've never pirated anything and don't exactly plan on doing so.)
2. I know changing AVs is always an option, but It's a problem when I already have one that I paid for (a.k.a.Trend)
3. Trend's GUI is ugly as all hell, and difficult to navigate or find anything, just like their website. I didn't even see an option to turn off heuristic analysis, if it was even in the main console.
4. Is there a reason that this problem exists in the first place?

 

[Bibble]

AVs should have three main activities on discovery of things:

1. Notify. This is basically for things of low risk, or high false positive rate. It should pop up and say something along the lines of "This thing is acting weird, is it something you know about, or do you want me to escalate it?"
2. Action. This is for a confirmed threat. Signatures, or known bad activity. This is basically a shoot-first-ask-questions-later approach, so you need to be very sure that you've got an issue.
3. Headless chicken. This is for large-scale confirmed malicious activity. If it reacts like real people, it would likely be indistinguishable form the virus. It'd change permissions to limit damage, disable interfaces to prevent spread, pop up big flashing windows and blare sirens. Most AVs lack this feature, which is (in my mind) a serious design oversight.

Realistically, your options are either:
1. Tell Trend Micro that the specific mods are not a threat.
2. Tell Trend Micro that anything that the FTB launcher is not a threat.
3. Tell Trend Micro that anything Java does is not a threat.
4. Tell Tren Micro that anything that happens is not a threat.

From what you're saying, 1 and 2 are difficult to do in the UI, 3 is too permanent, 4 is too insecure. Well, I'm afraid those are your options.

 

[Cptqrk]

Have you tried their customer support? If their website is ugly and a pain to navigate, I'm sure their customer support isn't going to be much better (BTW: poorly designed websites by companies who take your money is a higher threat than a mod if FTB in my eyes ;-p) but you could try to contact them and see if there are instructions on how to do what you want.

 

[wolfsilver00]

1. I am using the real launcher, and I do own Minecraft. (I've never pirated anything and don't exactly plan on doing so.)
2. I know changing AVs is always an option, but It's a problem when I already have one that I paid for (a.k.a.Trend)
3. Trend's GUI is ugly as all hell, and difficult to navigate or find anything, just like their website. I didn't even see an option to turn off heuristic analysis, if it was even in the main console.
4. Is there a reason that this problem exists in the first place?

Sometimes you buy shit.. That's what happens to everyone... But the solution is simple, if you don't want to change Av, then just disable it while playing minecraft, just some clicks and you are done man..
As for the reason this problem exists, probably some kind of injection made by a mod, maybe a background loader for update checking or whatever, you can try disabling half you mod list, launching it again, and if the av cries then you know its in the half you have activated.. Repeat process until you get to the mod that is the onion of your av and disable it completely / report to mod author so he/she looks for a solution that doesn't make your av a 13 year old girl without a boyfriend.

 

[NineTailedFox173]

Alright, fine. Too bad somebody else couldn't do it. I don't have all the time in the world on my hands, and considering this sounds like it's going to be a nightmare trying to get working (Like installing mods for Fallout 3/NV) I'll just let it go. Way too much of a hassle.

 

[wolfsilver00]

Alright, fine. Too bad somebody else couldn't do it. I don't have all the time in the world on my hands, and considering this sounds like it's going to be a nightmare trying to get working (Like installing mods for Fallout 3/NV) I'll just let it go. Way too much of a hassle.

Nobody else could do it because no one has your av, so we don't have your false positive in hands. Just disable AV while playing and be happy