I am worried about the "Black & White Unofficial Patch v1.42"

cortex250
New member · Joined Oct 15, 2021 · Messages: 1

I downloaded all patches, ran them through VirusTotal (a website that checks files you upload for viruses), and one scan thought that the "Black & White Unofficial Patch v1.42" was a Trojan. Every other patch was completely fine.

I am aware of the fact that virus scanners can get things wrong at times. And it seems to be the case, since it's only one single scan that thinks that way.
I just prefer to worry too much if it means keeping viruses off my PC.

Has anyone who uses this patch ever had any problems?
 

Ziusudra
New member · Joined Nov 12, 2021 · Messages: 3

So, there are multiple reasons to think this is a false positive:
  • only one engine flags it
  • that engine, VBA32, is an older, lesser-known engine by a Belarusian company whose best employees allegedly now work for Kaspersky
  • on the Behavior tab in the VirusTotal ZenBox sandbox, the only changes the installer makes are:
    • the only files written are in the B&W folder
    • and temp files for the installer which are later deleted
    • the only registry keys written are B&W ones
  • on the Relations tab there are 3 files flagged:
    • d3dim.dll and d3dim700.dll are flagged the same (VBA32 Heur.Trojan.Hlux) and appear to be why the installer is flagged. The sha256 hashes on these files match the files released at https://github.com/UCyborg/LegacyD3DResolutionHack. On the Details tab for these files they include "Copyright © 2016 UCyborg" in the version information. So these seem to be open source files that have been public for 5 years. This appears to be a heuristic match based on behavior of a local library forwarding calls to the system library.
    • The other flagged file is Setup.exe which is also flagged by only one engine, SecureAge APEX, as "Malicious". SecureAge APEX is an AI engine that is known for false positives. The sandbox behavior on this file doesn't include any changes to anything, probably because the sandbox operator didn't change any of the setup options.
I've also been using it for a while without issue.
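
The hash comparison described in the reply above can be repeated locally. This is an added example, not part of the original thread: it compares the SHA-256 of the two DLLs in the game folder against a reference copy downloaded separately from the upstream repository. The folder layout and the helper names are assumptions, and the files written by `demo()` are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path

DLL_NAMES = ("d3dim.dll", "d3dim700.dll")  # file names taken from the reply

def sha256_file(path, chunk_size=1 << 16):
    """Hash in chunks so large binaries are never read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def find_file(directory, name):
    """Case-insensitive lookup: Windows installers may change filename case."""
    for entry in Path(directory).iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None

def compare_to_reference(installed_dir, reference_dir, names=DLL_NAMES):
    """Map each name to 'match', 'MISMATCH' or a 'missing ...' status."""
    report = {}
    for name in names:
        installed, reference = find_file(installed_dir, name), find_file(reference_dir, name)
        if installed is None:
            report[name] = "missing in installed folder"
        elif reference is None:
            report[name] = "missing in reference copy"
        elif sha256_file(installed) == sha256_file(reference):
            report[name] = "match"
        else:
            report[name] = "MISMATCH"
    return report

def demo():
    """Constructed files only; real use passes the game folder and the upstream download."""
    with tempfile.TemporaryDirectory() as tmp:
        game, upstream = Path(tmp, "game"), Path(tmp, "upstream")
        game.mkdir()
        upstream.mkdir()
        (upstream / "d3dim.dll").write_bytes(b"constructed sample A")
        (game / "D3DIM.DLL").write_bytes(b"constructed sample A")
        (upstream / "d3dim700.dll").write_bytes(b"constructed sample B")
        (game / "d3dim700.dll").write_bytes(b"constructed sample B, altered")
        return compare_to_reference(game, upstream)

if __name__ == "__main__":
    print(demo())
```

A `MISMATCH` means the installed DLL is not byte-identical to the reference copy, which removes the "matches the public release" argument for that file and makes it worth rescanning on its own.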
 