Avast attacking "Master Control" from FlulpyCrea

Hi, I am the owner of FlulpyCrea (fantasy name), I am GUILLERMO RICARDO FLOOK (my real name).

Based on URL www.flulpycrea.com.ar legally registered in NIC.AR.

Legal FISCAL TAX identifier is 20247846450 (CUIT) in Argentina. I also have a D.U.N.S. global record.

I am a software developer based in Rosario, Santa Fe, Argentina, and I produce and maintain a suite called “Master Control”. Note that all files of our suite are properly digitally signed at COMODO.

Our software is massively used in E-SPORTS / LAN CENTERS / CYBER CAFES. Now, normally, those PCs don’t have antivirus software except Windows Defender. Normally those KIOSK machines are frozen (Deep Freeze / Shadow Defender) or they are just plain frozen virtual machines.

Now, from time to time we check by placing our EXEs in VirusTotal, and they always come out CLEAN. So, no problem there.

But guess what?

If a customer who is renting the PC maliciously installs AVAST software, on the first check by AVAST, it will kill and remove our CYBER CONTROL CLIENT.EXE module… the module that is used to control time and cut off the machine when the time runs out.

Now, we can EASILY tell the owners of the places to just BAN Avast from being used, so they add some rules in our software, and it will be impossible to download Avast, to install Avast, to use Avast. Or we can send that rule from our central and massively BAN Avast from being used.

But we don’t want to do that, because Avast is nice AV software; indeed, I use Avast on my development machine, so, nothing to hide.

https://www.virustotal.com/gui/file/fe4a8dd5ca34119a766f07065a397fc84a4651f949c006137e52ee4aa19e92bf/detection

This is just one of the checks that we do in VirusTotal.

We are not aware of how the AV world works; we simply never cared about how to handle these things, and were not worried because we have nothing to hide.

The Master Control is like a big community, and it is sad that some AV software is used to attack it and cheat the owners.

Of course, as a kiosk and gaming management tool, our software aims to have absolute control of the machine: blocking the screen, remote control human assistance, automation, game licensing control, etc. Everything that an owner always dreamed of, and has.

Maybe AVAST takes it as “rare software”; it is not normal that a kiosk machine for gaming has AV software installed on it. And Avast has the ability to take away the file, analyse it, and then inform that everything is OK and bring back the EXE file, but by doing that it destroys the cyber control. (I know, because having Avast on my development machine, it does that exact thing every time that I test the files.)

Our software suite is normally placed at C:\Program Files (x86)\Master Control Client. But the owner can choose to install on any other drive letter, not just C: (in virtual iSCSI machines it is usual to install on drive G:, T:, Z:, for example, or whatever they have).

Any help, any question, please

Dear Guillermo,

here are two links that might be helpful:

Thanks, reading a bit about what they look at… our suite is not registered in Add/Remove Programs for security reasons (that is, if it were as easy as uninstalling, they would cancel the rental time and the subsequent lock); the uninstall process goes through authorization from the server (activating maintenance mode), which is authorized by the owner of the place, not the customer who is renting the PC, which is very logical. Maybe that is what makes it remove the file, check it, come back saying it is clean and put it back, but by then the damage is already done.

Our software has no advertising and does not make popups.

As for the Behavior section… well, the software having the ability to lock the screen and block part of the keyboard so that the customer cannot escape from the lock form is something that any KIOSK manager has. Of course the same calls to certain DLLs, in the wrong hands, are a red flag (we understand that), but it is not triggering because of that, since in VirusTotal we come out clean 99% of the time.

Of course, if the analysis is only looking at the strings of the DLL functions that are used…, they are going to find half the Win API linked. That is normal for something that has a great many features and functions for control, supervision, print management, gaming, etc.

I am going to have it added to Add/Remove Programs, so that I present the software to the lab in better condition, thanks… I have work to do.

https://support.avast.com/es-es/article/229/