What is the difference between a vanilla .exe and one with a native extension?

I’ve had a lot of “fun” the past days diving into the wonderful world of anti-virus false positives. This is mostly resolved, but it has led me to a question: When bundled, what is the difference between a vanilla Windows executable and one with a native extension? What happens to the Windows executable when a custom version of the engine is bundled that might explain the discrepancy in anti-virus threats detected?

For the results below I am using virustotal.com - it seems to be a commonly used tool for cloud based virus scans.

If I build a blank project without any extensions (or a Lua-only extension) and upload the .exe file then a virus scan shows zero threat.

Vanilla engine:
[image: Threat summary page]

However, if I add any native extension, even something innocuous like DAABBCC or defold-utf8 then we start getting threat results. These are all generic results, indicating the scanners aren’t detecting a specific threat but that something about the file is suspicious.

Engine with a native extension (DAABBCC in this case, but the result is the same with other extensions):
[image: Threat summary page]

Any thoughts? Pinging @Mathias_Westerdahl in particular!

2 Likes

I don’t recall if the vanilla exe is signed by Defold Foundation? (I’m not next to a windows machine)

Mainly, the difference is how the engine is linked. We use the same engine libraries in both cases:

  • In the cloud build server, we use clang, on a Linux machine.
  • For the vanilla exe, we use link.exe, on a windows machine.

If there is an extension, it is also built using clang on the Linux build server.

The bundling itself is the same, it’s done on your local machine.

As for adding an extension, you could also try just using an .appmanifest to remove libraries (i.e. not adding any extensions), to see if that makes a difference.

In my experience, these checks seem to be pattern matches, that err on the side of caution. I.e. many false positives.
Iirc, in the past, the various virus checkers have stopped both the Defold editor, as well as the vanilla engine.

We’d happily take suggestions on how to remove these issues from the executable. Perhaps there’s a way to post process the .exe file so that doesn’t trigger the anti virus programs.

1 Like
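A concrete way to answer the question in the first post, and the signing question above: compare the PE headers of the two bundled executables instead of guessing. The script below is an added example, not code from this thread or from Defold. It reports the fields that usually differ between a link.exe-built binary and one linked by another toolchain (linker version, presence of the "Rich" header that MSVC's link.exe writes between the DOS stub and the PE header and other linkers typically do not, whether a certificate table is present, section permissions, and the DllCharacteristics mitigation bits) and diffs the two reports. It constructs two synthetic PE images in place of real Defold bundles so it runs offline; on a real pair you would call `parse_pe(open(path, "rb").read())` on each `.exe`. The section layout, data-directory contents and certificate blob in the samples are fabricated placeholders.

```python
import struct
from typing import Dict, List, Tuple

# IMAGE_SCN_* bits we report per section (subset of the PE spec)
SECTION_FLAGS = {
    0x00000020: "code",
    0x20000000: "exec",
    0x40000000: "read",
    0x80000000: "write",
}
# IMAGE_DLLCHARACTERISTICS_* mitigation bits worth comparing
DLL_CHARACTERISTICS = {
    0x0020: "high-entropy-va",
    0x0040: "dynamic-base",
    0x0100: "nx-compat",
    0x4000: "guard-cf",
}


def parse_pe(data: bytes) -> dict:
    """Extract the header facts that commonly differ between toolchains."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # link.exe leaves a 'Rich' toolchain fingerprint before the PE header
    rich = b"Rich" in data[0x40:e_lfanew]
    coff = e_lfanew + 4
    machine, nsec, _ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj, mino = struct.unpack_from("<HBB", data, opt)
    if magic == 0x20B:          # PE32+ (64-bit)
        bits, ndd_off, dd_off = 64, opt + 108, opt + 112
    elif magic == 0x10B:        # PE32 (32-bit)
        bits, ndd_off, dd_off = 32, opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    _subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndd = min(struct.unpack_from("<I", data, ndd_off)[0], 16)
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(ndd)]
    dirs += [(0, 0)] * (16 - len(dirs))
    imp_rva, imp_size = dirs[1]
    sec_off, sec_size = dirs[4]  # certificate table: file offset, not RVA
    sections: List[Tuple[str, str]] = []
    sec_hdr = opt + opt_size
    for i in range(nsec):
        name, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", data, sec_hdr + 40 * i)
        flags = "|".join(n for bit, n in SECTION_FLAGS.items() if chars & bit)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), flags))
    return {
        "machine": "0x%04x" % machine,
        "bits": bits,
        "linker_version": "%d.%d" % (maj, mino),
        "rich_header": rich,
        "authenticode_signed": sec_size > 0 and sec_off + sec_size <= len(data),
        "has_import_table": imp_size > 0,
        "mitigations": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit),
        "sections": sections,
    }


def diff_pe(a: dict, b: dict) -> Dict[str, tuple]:
    """Keys whose values differ between two parse_pe() reports."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def build_sample_pe(*, linker=(14, 29), rich=False, signed=False,
                    sections=((".text", 0x60000020), (".data", 0xC0000040)),
                    dll_chars=0x0160) -> bytes:
    """Constructed minimal PE32+ image for demonstration (not a real binary)."""
    stub = (b"DanS" + b"\0" * 12 + b"Rich" + b"\x11\x22\x33\x44") if rich else b""
    e_lfanew = 64 + len(stub)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    nsec, opt_size = len(sections), 240
    sizeof_headers = -(-(e_lfanew + 24 + opt_size + 40 * nsec) // 512) * 512
    raw, rva, sec_hdrs = sizeof_headers, 0x1000, b""
    for name, chars in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                0x200, rva, 0x200, raw, 0, 0, 0, 0, chars)
        raw, rva = raw + 0x200, rva + 0x1000
    cert = b"\0" * 16 if signed else b""        # fake certificate blob
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2000, 0x28)                    # fake import directory
    if signed:
        dirs[4] = (raw, len(cert))
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, linker[0], linker[1],
                      0x200, 0x200, 0, 0x1000, 0x1000, 0x140000000, 0x1000, 512,
                      6, 0, 0, 0, 6, 0, 0, rva, sizeof_headers, 0, 2, dll_chars,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    image = dos + stub + b"PE\0\0" + coff + opt + sec_hdrs
    image += b"\0" * (sizeof_headers - len(image)) + b"\0" * (raw - sizeof_headers)
    return image + cert


if __name__ == "__main__":
    vanilla = parse_pe(build_sample_pe(rich=True, signed=True))   # link.exe-like sample
    extended = parse_pe(build_sample_pe(linker=(14, 0)))           # other-linker-like sample
    for key, (a, b) in diff_pe(vanilla, extended).items():
        print("%-20s %r -> %r" % (key, a, b))
```

Run it against the two real bundles and anything that shows up in the diff is a candidate for what the heuristic scanners key on; an absent certificate table on both answers the "is it signed?" question directly, and a missing Rich header or different linker version is what you would expect to see from the clang-on-Linux versus link.exe-on-Windows split described above.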

Thanks for the response!

As far as I can tell, these flags don’t actually cause issues directly. I was tearing my hair out trying to figure out why they were appearing, and then I tried uploading an exe from one of my older games which got me the same results.

So these flags were effectively a red herring that made debugging a bit trickier.

My timeline seems to be:

  • Something in the runtime of a build caused a severe but false positive report. My best guess is a ping to a time server.
  • Subsequent builds no longer had this behaviour; however:
    a) These baseline flags made me think there was still an issue.
    b) Some large antivirus programs had cached a flag for my game, meaning player devices were quarantining a safe file.
  • Eventually Microsoft whitelisted the executable, and updating Windows Defender resolves the issue.