Some might share these heuristic methods, thus sharing the detection; others might not. Other times you might see a file detected as two different malware families by two different AVs, and other times you might see the same file with different detections by different versions of the same AV. Long story short, detection names aren't always accurate and you shouldn't always rely on them; better to keep track of the number of files detected and their location.

Remember that if you do not run with default ports and use 5555 for example, you will need to open the port the number above. Of course, if you use other ports in your launcher-scripts your network setup must use those. For example: -f9000 would run a server on ports 90. You need to have your firewall so that requests to the UDP ports 2874 go to your local machine running the server. This argument allows you to bind the AssaultCube server to other ports. You need to use different ports if you want to run several servers on the same IP address. You need to forward two consecutive User Datagram Protocol ports.

Longer answer: it's not that easy to determine the exact name of the malware by just looking at the file (reasons range from code sharing between the malware authors to the reuse of the same crypter), so AVs use heuristic methods that could range from "I have seen these x bytes before in another malware sample" to things like "this file seems to have long sequences with high entropy".

The AssaultCube server uses 2 ports (UDP), the default ports are 2874. Your firewall may interfere with the server as it needs to listen for incoming connections.

Short answer: "Tnega!MSR" probably makes sense only to the people who are actually coding the AV. Some of them try to put the name of the malware in the detection, but when a file doesn't match any known malware patterns it might be detected as malware by other internal heuristic engines of the AV, and the detection can be some sort of ID of what the engine found.
The bug was introduced by Microsoft in the Fall Creators Update for Windows 10 (in the last quarter of 2017) and affects the SDL 1.2.14 library, which is used by AC 1.2.0.2.

Does anyone here know the alias used for "Tnega!MSR" by other antiviruses, or can point me to a resource so I can find it out myself?

AssaultCube is installed by default in C:\Program Files (x86)\AssaultCube\, so in that case you have to copy 'SDL.dll' to C:\Program Files (x86)\AssaultCube\binwin32\.

Googling "Tnega!MSR" wasn't really helpful; it only returned the Microsoft page above, a forum thread which dealt with removing the threat but didn't contain any additional information, and the usual deluge of keyword-stuffed fake pages. However, after restarting, the Windows Defender message wasn't shown anymore, so it looks like ESET managed to remove the threat after all. It found 13 threats and removed 12, but none of them were identified as "Tnega!MSR" or any variation thereof. I then built a "Windows PE" USB stick with various antiviruses (provided by c't), booted from that and performed a complete scan with "ESET Online Scanner". Unfortunately, the removal was unsuccessful, and after restarting the machine, the same message would pop up again. Recently I had a Windows 10 (64 bit) PC where Windows Defender would report that it found and (apparently) removed a "threat" it calls Win32/Tnega!MSR.