Sauceke/LoveMachine

LoveMachine detected as malware

deleniti opened this issue · 3 comments

Opening up this issue since the author hasn't mentioned it yet.

Currently, a virus total scan of the setup file shows 2/70 detections, where you can find a lot of weird behaviors. To give some examples, the program seems to have the ability to detect if you're running it in a virtual environment, interact with startup folder/registry and drop executables in the recycle bin.

I apologize if I seem accusatory or ignorant. I do not have any experience with file analysis, and I do not believe there is anything malicious, since there are a lot of false positives in these kinds of programs that pull information from other programs.

I hope the author can clear up this issue.

I assume by "the program" you mean the installer. Can you attach the full list?
As to the ones you mentioned:

detect if you're running it in a virtual environment

We're not checking for that, at least not consciously. Could be something Inno Setup does by default. Needs more investigation.

interact with startup folder/registry

We read from the registry to get the install locations of supported games, to make installation easier. We never write to the registry.

{ Tries to guess the root directory of the game at the given index }
function GuessGamePath(Index: Integer): String;
begin
  case Index of
    #sub PathMapping
    {#I}: RegQueryStringValue(HKCU, '{#GetGameRegSubKey(I)}', '{#GetGameRegName(I)}', Result);
    #endsub
    #for {I = 0; I < PluginCount; I++} PathMapping
  end;
  if not DirExists(Result) then
    Result := ''
end;

Resolution: As HF Patch does the exact same thing, I doubt this is considered a serious threat by most antiviruses. If it is, we can just get rid of this feature to make the antivirus happy and the user sad.

drop executables in the recycle bin

Yup, we do that. Inno Setup requires all directory inputs to contain valid paths when clicking Next. This behavior is hardcoded into Inno Setup with no way to change it.
Since we don't want to force users to select an installation folder for games they don't even have, we temporarily fill empty fields with a placeholder path before this validation happens:

{ Force value to pass validation }
DirPages[Page].Values[IndexInPage] := PlaceholderDir;

As to what this placeholder path is, well, you guessed it:
PlaceholderDir := AddBackslash(ExpandConstant('{sd}')) + '$Recycle.Bin';

Nothing will actually be copied there, though; this is just to pass validation.
Resolution: I'll change the placeholder path to the user's Temp folder. If it still gets flagged after that, there's nothing to do, since Inno Setup itself copies stuff to Temp.

Looking forward to the full report. Unfortunately I only have Defender, which shows 0 threats.

As an aside, if this is preventing you personally from installing the mod, you could try installing it from the ZIP files provided in the release page. And if even the ZIP files are marked as malicious, I definitely want to know about it.
If even that sounds risky, you can also build it directly from the source code after making sure it's safe to run, assuming you know C#.

Version 3.1.0 passes with 0/71 detections on VirusTotal. (Took me a while to realize "virus total" is the name of a website.)
https://www.virustotal.com/gui/file/106a68aa522ad6e71ce45d3fde5ed432120ffa79231e6770f003abd3314b2e58
The things I changed:

  • the installer no longer asks for admin elevation
  • it no longer uses the Recycle Bin as a target path

I'll add an automated virus scan job to the release pipeline so that I won't get similar unpleasant surprises again. Thanks for bringing this to my attention.
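The release-pipeline scan job mentioned above, as an added example that is not part of the LoveMachine project: hash the built installer, look up its existing VirusTotal report by SHA-256, and fail the job if any engine flags it. The `/api/v3/files/{sha256}` endpoint and `x-apikey` header are VirusTotal's documented v3 API; the sample report embedded below is constructed to mirror the 2/70 ratio from this issue.

```python
"""Release-pipeline gate against a VirusTotal v3 file report.
Added example, not LoveMachine project code. The endpoint and 'x-apikey'
header are VirusTotal's documented v3 API; the sample report is constructed."""
import hashlib
import json
import os
import sys
import urllib.request

VT_API_FILE = "https://www.virustotal.com/api/v3/files/{sha256}"
VT_GUI_FILE = "https://www.virustotal.com/gui/file/{sha256}"

def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def fetch_report(sha256, api_key):
    # Looks up a hash already known to VirusTotal; HTTP 404 means nobody has uploaded it yet.
    req = urllib.request.Request(VT_API_FILE.format(sha256=sha256), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize(report):
    # Returns (flagged, total, names of flagging engines) from a v3 file object.
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    # Count only engines that returned a verdict (timeouts/unsupported types are excluded).
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    engines = sorted(name for name, r in attrs.get("last_analysis_results", {}).items()
                     if r.get("category") in ("malicious", "suspicious"))
    return flagged, total, engines

def release_gate(report, max_flagged=0):
    # Pass/fail decision; the message mirrors the "n/m detections" ratio shown in the VirusTotal GUI.
    flagged, total, engines = summarize(report)
    msg = f"{flagged}/{total} detections" + (f": {', '.join(engines)}" if engines else "")
    return flagged <= max_flagged, msg

# Constructed sample shaped like a v3 response: 2 of 70 engines flag the file (engine names are made up).
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 68, "harmless": 0},
    "last_analysis_results": {"ExampleAV-1": {"category": "malicious"}, "ExampleAV-2": {"category": "malicious"},
                              "ExampleAV-3": {"category": "undetected"}}}}}

if __name__ == "__main__":  # usage: python vt_gate.py Setup.exe  (VT_API_KEY must be set)
    digest = sha256_of_file(sys.argv[1])
    ok, msg = release_gate(fetch_report(digest, os.environ["VT_API_KEY"]))
    print(f"{msg} - {VT_GUI_FILE.format(sha256=digest)}")
    sys.exit(0 if ok else 1)
```

A hash that VirusTotal has never seen returns 404 rather than a clean verdict, so the pipeline should treat that as "not scanned yet" and upload the artifact before gating on the result.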