XenkoSetup.exe - Virus detected W32/Exploit.gen

Hello,

I downloaded XenkoSetup.exe from https://xenko.com/files/XenkoSetup.exe and virus scanned it as I do most executables. The virus scan returned that it was clean.

Once I attempted to run the installer my antivirus quarantined the file and reported

Virus detected W32/Exploit.gen

I am using Panda Antivirus (http://www.pandasecurity.com/usa/).

Was wondering if anyone could speak to why this may have occurred, and get word out as Xenko may want to reach out to antivirus companies to get flagged as false positive should that be the case.

XenkoSetup.exe was submitted for analysis prior to the release to make sure it doesn’t show as a false positive. As this summary shows, Panda should not have reported it. Make sure that you have the latest definitions for your antivirus and if the problem still persists, you should probably report it to Panda as the issue is likely on their side.

Yeah, fun fact, that summary on VirusTotal from 8 hours, 9 minutes ago was actually me uploading it and scanning it there, as well as at virusscan.jotti.org, after it was quarantined. I wanted to double check it.

As I mentioned, if I just scan the file using Panda it does not flag it as infected. When I run XenkoSetup.exe it is detected and quarantined immediately, I suppose as it begins to extract itself and possibly first downloads content from the web.

I can run Wireshark and see how far it gets, but I would assume its deployment method is already known.

Then it is probably some rules in your antivirus/firewall that are too strict. I’m afraid there is nothing more we can do on our end.

Note: also you were not the first to submit it, we actually did it on April 25th.

First submission 2017-04-25 14:52:21 UTC ( 6 days, 23 hours ago )

PS: after looking at similar issues with other software blocked by Panda, it looks like their analysis/white-listing takes more time than other AV, so I guess the best you can do is wait. Maybe you can lower the protection (even disconnect from the internet, but that might not work well as I think the Setup might install some prerequisites) just in time for the setup to complete, as it seems that this false positive is triggered by their cloud protection.