I’m using a trainer created by CheatEngine6.2 and Avast shows a message about a virus:
“Win32:Evo-gen [Susp]”
- first problem:
I tried to add this EXE to exclude list:
*\Trainer.exe
*\Trainer.exe|[Embedded_R#DECOMPRESSOR]
But still, I cannot launch the trainer. Avast just ignores my exclude list.
- second problem
Currently, all CE6.2 trainers are made like this:
files: .cetrainer, a few .dll, one .exe, are compressed with zlib into ARCHIVE
and there is a DECOMPRESSOR file (the standalonephase2.dat file inside the installed cheatengine dir) - this file, when launched, will decompress ARCHIVE and execute the final EXE
ARCHIVE and DECOMPRESSOR are embedded into the final EXE (standalonephase1.dat file)
So, the standalonephase1.dat file with a changed icon and name, and with embedded ARCHIVE and DECOMPRESSOR, is the final product. For example, gameName_trainer.exe
On the end-user side, it looks like this:
When the user launches gameName_trainer.exe, the embedded data, ARCHIVE and DECOMPRESSOR, are saved inside the temp dir (F:\temp\cetrainers\CET28.tmp),
ARCHIVE as CET_Archive.dat and
DECOMPRESSOR as gameName_trainer.exe (yes, the same name)
then DECOMPRESSOR (gameName_trainer.exe) decompresses CET_Archive.dat into “extracted” folder
inside “extracted” there are: .dll, .lua and exe file (with the same name: gameName_trainer.exe)
But AVAST treats DECOMPRESSOR as malware. You could say: “you downloaded the trainer from an untrusted site”. Well, I made that trainer and I know exactly what it is doing. And CheatEngine is an “open source GPL” application.
I even tried to compile DECOMPRESSOR myself with current Lazarus version 1.0.8. The same result.
I know this topic is old, but there are no other threads like this one. And the first post contains useful information.
Standalone single player trainers are again blocked by Avast: Win32:Evo-gen [Susp]
The problem applies to CheatEngine ver. 6.2 and the new one, CheatEngine ver. 6.3. I have to save my trainers to a folder added to the exclusion list. And downloaded (from a trusted site) trainers do not work until I move them to an excluded folder.
We can manually scan CheatEngine v6.2 installed inside “program files” folder - no threats detected. (CheatEngine v6.3 too).
Conclusion:
now the standalonephase1.dat file (from CE6.2 and CE6.3) with appended RCData (ARCHIVE and DECOMPRESSOR, and changed icon) is treated as Win32:Evo-gen [Susp]
PS:
Thanks for previous fix.
PPS:
I’ll use the contact form. I’ll post it here too:
emptyTrainer.EXE - (false positive - Win32:Evo-gen [Susp]). It is an empty trainer generated with CE6.3, this EXE is standalonephase1.dat file with appended RCData
Thank you for your previous fixes. Sadly, the problem has returned again.
As an example, a trainer made by a CheatEngine forum member. His trainer is flagged as Win32:Malware-gen.
I’m using “avast! Free Antivirus 2014 9.0.2013”
I attached: Banished Trainer (x32).exe - flagged as Win32:Malware-gen
Banished Trainer (x32) (NO RCData).exe - flagged as safe, Avast doesn’t find anything suspicious. I removed RCData (Embedded data) with Resource Editor.
Extracted from EXE resource, RCData, with Resource Editor:
ARCHIVE - flagged as safe. As mentioned earlier in my posts, this is a zlib archive, and contains essential files: two DLL files, one EXE file (cheatengine main EXE), one LUA file, one CETRAINER file (which is a XOR-crypted CheatTable file). Basically, it contains some files from “C:\Program Files\Cheat Engine 6.3”. Worth mentioning - Avast doesn’t find anything suspicious in the “C:\Program Files\Cheat Engine 6.3” directory. The main trainer exe (Banished Trainer (x32).exe) saves it as CET_Archive.dat.
cheatengine main EXE - it can be cheatengine-i386.exe or cheatengine-x86_64.exe.
DECOMPRESSOR - flagged as safe. This is executable file. It extracts ARCHIVE and executes another EXE file. It is the same file as standalonephase2.dat from “C:\Program Files\Cheat Engine 6.3”.
Components are clean. Combined into one EXE, false-positively flagged as malware.
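The layout described in the posts above (a host EXE carrying a zlib ARCHIVE and a second DECOMPRESSOR executable) can be mapped statically before filing a false-positive report, without running the file. This is an added example, not part of the original posts and not Cheat Engine or Avast code; `fake_pe`, `carve` and the sample bytes are constructed for illustration, and it scans raw bytes rather than parsing the RCData resource table.

```python
import struct
import zlib

def is_pe_at(buf, off):
    """True if a DOS 'MZ' header at off points at a 'PE\\0\\0' signature."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    return buf[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0"

def zlib_len_at(buf, off):
    """Byte length of a complete zlib stream starting at off, else 0."""
    cmf = buf[off]
    if cmf & 0x0F != 8 or ((cmf << 8) | buf[off + 1]) % 31:
        return 0  # not a deflate header with a valid check value
    d = zlib.decompressobj()
    try:
        d.decompress(buf[off:])
    except zlib.error:
        return 0
    # eof is only set once the trailing Adler-32 has been verified
    return len(buf) - off - len(d.unused_data) if d.eof else 0

def carve(buf):
    """List (offset, kind, size, nested) for PE headers and zlib streams."""
    found, off = [], 0
    while off < len(buf) - 1:
        n = zlib_len_at(buf, off)
        if n:
            inner = zlib.decompress(buf[off:off + n])
            found.append((off, "zlib", n, carve(inner)))
            off += n
        else:
            if is_pe_at(buf, off):
                found.append((off, "pe", None, []))
            off += 1
    return found

def fake_pe(tag):
    """Constructed stand-in for an EXE: DOS header plus PE signature only."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + tag

# Constructed sample mirroring the posts: host EXE, ARCHIVE, DECOMPRESSOR.
ARCHIVE = zlib.compress(fake_pe(b"inner exe") + b"lua script" * 20)
SAMPLE = fake_pe(b"host stub") + b"RCDATA" + ARCHIVE + b"pad" + fake_pe(b"decompressor")

if __name__ == "__main__":
    for hit in carve(SAMPLE):
        print(hit)
```

Any `pe` hit at an offset greater than 0, and any `pe` nested inside a `zlib` hit, is an executable carried inside another one, which is the structure the posts describe.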