Hauer

Virus warning when updating Calvi St.Catherine Airport LFKC

Hi - I recently received notification that there is an upgrade available to v1.10

After downloading the update from the relevant 3rd party, Microsoft Defender immediately flagged the zip / exe file with a severe virus warning.  As a precaution, I removed the data from my PC. Anyone else had this issue?

This message is also mentioned in the original posting of the originally free product made available back in March.

Herman🤨


PC Intel i9-9900KF | Asus ROG STRIX Z390-E GAMING motherboard | Corsair 64GB DDR4-3200 RAM | 1+2TB Samsung 970 EVO PLUS M.2 SSD's | 3x 6TB Seagate 7200rpm harddisks | Gigabyte Aorus Xtreme RTX2080 Ti 11GB video card | Thrustmaster T.1600M Hotas + CH Pedals | P3Dv4.5HF3 😃


Hi Herman, I have also experienced the same issue with the new update.
The issue remains even after I deactivated Kaspersky and downloaded the file from Simmarket.
I did not have any problems with the original file when it was offered free on Simmarket.

It remains in quarantine until I have more info on it. Otherwise I will reinstall the original file. 

Milton

 

  • Upvote 1


That is the reaction one would expect from Simmarket.
Atco, a user who is active at Alpha India Group and at Avsim, reported the same problem. After disabling the AV-software he got an infection with Win32/Jeefo, a virus that attached itself to every exe on the C drive. (Source: https://www.alpha-india.net/forums/index.php?topic=33356.msg332013#new)

Right now I would stay away from the Calvi update and NOT disable the AV-software.

  • Upvote 1

Best,
Christoph

Display resolution: 1920x1080 (8xSSAA)    GPU: 1080TI     CPU: i7-7700K (5.0 OC)    RAM: 16GB     SSD: Samsung 850Evo     Monitor: 27K


Hello, the same issue here.

I just contacted Simmarket and asked for a correction of the installer.

 

Rado


i7 4770K@4,1Ghz HT on since release of MSFS
1080 Ti 11GB 
32GB DDR3 RAM
Samsung SSDs


Just got the same flag from Avast of a Win something infected.


Well, I did install the update but did not run it in FSX. 
So I just uninstalled the update and deleted the download-file from Simmarket.

Running a complete scan with Kaspersky to verify all the drives.

 


I can think of a couple other times the “advice” to disable AV to install turned out to be...not a great idea. Or even (*cough* FSL *cough*) was hiding something more sinister.
 

Another one of those things we as a community have gradually normalized that to an outsider would seem totally bonkers!

James

  • Like 1


That's a good point, honanhal. I still have that thought: "Wait, what? Disable my antivirus?" Flight sim is the only software that has ever had this requirement that I've ever seen.


5800X3D, Gigabyte X570S MB, 4090FE, 32GB DDR4 3600 CL14, EVO 970 M.2's, Alienware 3821DW  and 2  22" monitors,  Corsair RM1000x PSU,  360MM MSI MEG, MFG Crosswind, T16000M Stick, Boeing TCA Yoke/Throttle, Skalarki MCDU and FCU, Saitek Radio Panel/Switch Panel, Spad.Next


I installed it while I had my virus scanner disabled because of the initial warning. As soon as I turned it back on it alarmed me again and I followed its directions.

Did a complete check today and all seems fine. The reported virus has been removed. Scenery installed ok.

Doesn't look like a false positive to me.

 


Menno 

i7-11700, 16GB, 1 TB SSD, 2 TB HDD, RTX 3070, Windows 11, MSFS 2020 DeLuxe, P3D 4.5


Same issue here with FSX3D installer for the Calvi update. First got a Kaspersky warning, then disabled it and got another warning from Windows Defender. Then installed the files and deleted the original download from SimMarket from my system. Did a quick A/V scan and all seems fine.

I also wrote a review about the Calvi scenery at SimMarket indicating the issues with the virus warnings.

Cheers, Ed


MSFS Steam - Win10 Home x64 // Rig: Corsair Graphite 760T Full Tower - ASUS MBoard Maximus XII Hero Z490 - CPU Intel i9-10900K - 64GB RAM - MSI RTX2080 Super 8GB - [1xNVMe M.2 1TB + 1xNVMe M.2 2TB (Samsung)] + [1xSSD 1TB + 1xSSD 2TB (Crucial)] + [1xSSD 1TB (Samsung)] + 1 HDD Seagate 2TB + 1 HDD Seagate External 4TB - Monitor LG 29UC97C UWHD Curved - PSU Corsair RM1000x - VR Oculus Rift // MSFS Steam - Win 10 Home x64 - Gaming Laptop CUK ASUS Strix - CPU Intel i7-8750H - 32GB RAM - RTX2070 8GB - SSD 2TB + HDD 2TB // Thrustmaster FCS & MS XBOX Controllers


" First got a Kaspersky warning, then disabled it and got another warning from Windows Defender."

If I were you, I would save some cash on virus scanners and not buy them anymore. "I don't need no stinking virus scanners" 😄


Location: Vleuten, The Netherlands, 15.7dme EHAM
System: AMD 7800X3D - X670 Mobo - RTX 4090 - 32GB 6000MHz DDR5 - Corsair RM1000x PSU - 2 x 2TB SSD - 32" 1440p Display - Windows 11


Yes, as Wolkenschreck describes I ran into this just over 36 hours ago.

The virus is not particularly dangerous, it appears; it's just highly annoying. After the initial cleanup, however, your system will show as clean when it is not.
Once the virus is run it places svchost.exe in the Windows root folder. Once that is active it then starts to hunt down exe files on your system and it appends itself to them.

It's quite straightforward to clear the initial infection. Anti-virus software will remove svchost.exe and should be able to clean up the registry entries that will activate it.

The problem is that your system is not really clean.

Your legitimate exe files are now infected and will run svchost.exe in the Windows root folder once you run them. It will appear that nothing is wrong because the programs launch and run. Installers also work as intended. However, of course, each time an infected exe is run it places the svchost.exe back into the Windows folder and the virus continues to infect.

The worst issue I ran into was that it infected all my uninstaller exe files as well. That meant all the exe files that were infected I had to remove by hand. By far the worst to deal with was my Adobe products that became infected. Creative Cloud, Lightroom, Photoshop were all infected and I spent several hours removing all traces of them from my system before I could re-install them again.

In many ways the virus seems easy enough to get rid of. You can simply replace an infected exe with a clean one and it's gone. My experience tells me that it doesn't replicate any registry entries, it merely seems to thrive by infecting exe files.

I'm no computer expert but the only way I found to rid my system of this was using real time malware protection. The free Malwarebytes Anti-Malware has real time protection and in my experience it caught svchost.exe every time it was activated and quarantined it. That way I could find which programs were infected and then re-install them.
Once I re-installed with a new, clean exe the virus was gone.
I also found at least in my case that the virus attacked exe's in the ProgramFiles and ProgramFiles(86) folders first. It also did so by going from top to bottom in alphabetical order. I could literally see which folder it stopped attacking (when my anti-virus kicked back in) because it was in a series of FSLabs livery uninstaller folders and I noticed the change in file size of the uninstaller exe.

The virus will only be active if svchost.exe is allowed to run for any period of time in the Windows root folder. If it is intercepted and not permitted to run then there should be no issue. If it has been running though it will have started to infect other exe files. How many it infects will depend totally on how long it has been left to run.

Very important to note too that of course svchost.exe is a legitimate and necessary Windows file, but only when it is in certain Windows folders. The Windows root folder is not one of those places.

I notified both Simmarket and the developer. Simmarket deferred all responsibility to the developer.
The developer replied very angrily to me that everything is fine on his system, that it's a false positive and I'm the only one out of 5000+ clients who have complained. Fair to say he doesn't see any problem.

  • Upvote 1
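
A defender-side triage sketch for the indicators described in the post above, added here as an example and not written by any poster in this thread: it lists any svchost.exe outside the expected Windows sub-folders and every .exe under the program folders modified since a chosen time, so candidates for reinstall can be reviewed. The allow-listed folder names, the three-day look-back and the function names are assumptions; modification time is only a heuristic, since a file infector can leave it unchanged.

```python
import os
import time
from pathlib import Path

# Assumption: a standard Windows install keeps svchost.exe only under these
# sub-folders of the Windows directory (WinSxS holds component-store copies).
EXPECTED_SUBDIRS = {"system32", "syswow64", "winsxs"}


def find_misplaced_svchost(windows_dir):
    """Return every svchost.exe found outside the expected sub-folders."""
    windows_dir = Path(windows_dir)
    hits = []
    for dirpath, _dirs, files in os.walk(windows_dir):
        rel = Path(dirpath).relative_to(windows_dir).parts
        expected = bool(rel) and rel[0].lower() in EXPECTED_SUBDIRS
        for name in files:
            if name.lower() == "svchost.exe" and not expected:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def recently_modified_exes(program_dirs, since_epoch):
    """Return (path, size, mtime) for each .exe modified at or after since_epoch."""
    changed = []
    for base in program_dirs:
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                if not name.lower().endswith(".exe"):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                except OSError:  # unreadable or removed while scanning
                    continue
                if st.st_mtime >= since_epoch:
                    changed.append((path, st.st_size, st.st_mtime))
    # Alphabetical by path, the order in which the post saw folders affected.
    return sorted(changed, key=lambda row: row[0].lower())


if __name__ == "__main__":
    win = os.environ.get("SystemRoot", r"C:\Windows")
    progs = [os.environ[v] for v in ("ProgramFiles", "ProgramFiles(x86)")
             if v in os.environ]
    for hit in find_misplaced_svchost(win):
        print("unexpected svchost.exe:", hit)
    cutoff = time.time() - 3 * 24 * 3600  # assumption: look back three days
    for path, size, mtime in recently_modified_exes(progs, cutoff):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(stamp, size, path)
```

A file flagged here is only a candidate: confirm it with an up-to-date scanner or by comparing it against a clean copy from the vendor before reinstalling.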


I installed it before seeing the warnings, as far as I can tell no virus infection...no svchost.exe in C:\windows, no warnings on running large exe's from Program Files, no warnings from a virus scan...

However I'd suggest NOT installing it for now until there is more evidence.

Cheers
Keith
