Issue after maintenance. Avast! detects a threat - Win32:Hoblig[Heur]

Caspur

After the maintenance my ESO launcher was downloading a 40mb update/patch and Avast! detected a threat. Win32:Hoblig[Heur] is what it said. I excluded it from my quarantine list and now the launcher is repairing 40GB worth of data. I was just wondering what the reason for this is.Thanks.

PS. The "threat" was found in the ESO laucher folder and only popped after the 40mb patch started.

starlizard70ub17_ESO

Win32:Hoblig-B [Heur] is a malware that can infect master boot record (MBR) of the computer. It also possesses backdoor feature that may give remote access to an attacker. Virus-like function of Win32:Hoblig-B [Heur] allows it to spread quickly by infecting files on the computer and its network location.

Planetside 2 had this problem also. The patch contained the malware. My advice is stay away from ESO and don't patch until ESO fixes this.

Caspur

So this is an actual piece of Malware then? And does that mean that everyone who has ran the launcher update/patch is now infected with it?

My MalwareBytes Live scan didn't pick anything up. I figured it was a false positive.

starlizard70ub17_ESO

Caspur wrote: »

So this is an actual piece of Malware then? And does that mean that everyone who has ran the launcher update/patch is now infected with it?

My MalwareBytes Live scan didn't pick anything up. I figured it was a false positive.

This is the problem, it may be a false positive like in Planetside 2. I looked it up and the Malware is affecting computers mainly in Asia and Australia. The OP might have been infected from somewhere else but didn't know it. It would be nice if Zenimax could say something about it.

Caspur

Here is a screen shot of the Avast! pop-up message. Just in case it will help.

Mordack

I got that warning as well. It repaired on me, and then started repairing again, so I closed the launcher and got back on. Now it says "play" but does nothing whenever I press that button.

Caspur

Mordack wrote: »

I got that warning as well. It repaired on me, and then started repairing again, so I closed the launcher and got back on. Now it says "play" but does nothing whenever I press that button.

Yes. The same thing happened to me, where it repaired and then repaired again, except I added the threat to my quarantine exclusion list, did the repair again and then the game launched for me.

It would be nice to get a reply from Zeni about it...

Arizona_Willie

My AVAST put this in the Virus Chest, so presumably the guilty file did not get installed so this update < may > not work, dunno.

But, I'm thinking this should be the last straw.

They allow their coding machines to get infected by a virus and send it out with an update without even checking for virii?

What kind of fools are they? Their coding machines should be isolated from the Internet. Not connected at all. Then code should be passed via disc to machines for testing and then to machines connected to the Internet for testing before they send it out.

How many people's machines did they just infect?
It's surprising how many people don't think they need virus programs.

But now I'm seriously on the verge of cancelling.

I'm leery of even trying to run the damn program to see if it will run ... what other little " presents " did they send us?

Arizona_Willie

I'm thinking / hoping EVERYONE cancels to send these idiots a lesson.

ToxicVR

Use decent AV.... before pointing fingers.

Caspur

ToxicVR wrote: »

Use decent AV.... before pointing fingers.

If your talking about Avast! it's one of the best AVs around.

tengri

Caspur wrote: »

If your talking about Avast! it's one of the best AVs around.

No, it's not.

Caspur

Look, everyone has there opinions and this isn't a thread about which AV you think is worthy or unworthy. I simply want to know why I was getting this false-positive and if anyone else was.

Lord_Draevan

I got the same warning, but I was able to play once it was done repairing. I just installed Avast this weekend, so I thought this was just because it was new.

ToxicVR

Avast threw the FP not ESO. Do you know if this was caused by a heuristic scan or definition based?
Avast will 'eventually' adjust their software, most likely after ZEN alert them.

Caspur

ToxicVR wrote: »

Avast threw the FP not ESO. Do you know if this was caused by a heuristic scan or definition based?
Avast will 'eventually' adjust their software, most likely after ZEN alert them.

It was a heuristic scan that's why I added it to my exclusions because I was pretty sure that it was a false-positive and I got nothing on my malwarebytes.

Iago

When It started repairing for me I just disabled avast until it was completely installed and I hope that will take care of it

Arizona_Willie

As my Daddy used to say " Hope in one hand, crap in the other and see which fills up first ".

Iago wrote: »

When It started repairing for me I just disabled avast until it was completely installed and I hope that will take care of it

Phinix1

Looks like a false positive to me as well.

Virus Total Results

Some people sure like to over react, don't they.

Arizona_Willie

I didn't react ... AVAST did it's job and reacted to bad programming that triggers the virus detection.

Defend these clowns all you want, fanboi ... but they couldn't program a 2 car funeral.

Triggering our virus programs is simply TERRIBLE programming any way you slice it.

Sadae

I'm having this same problem with today's patch. But before you go blaming ZOS, Avast also suddenly did the same thing to me two days ago for a popular utility I've used for years.

Most often in these cases it's nobody's fault; it's a matter of keeping your butt protected, and there was something questionable enough to put up the red flags. If the software truly is safe, then generally by the next day Avast will have it remedied, as it did in the above example.

In the meantime I did the same thing as other people here, and added it to my exclusions.

Nebthet78

I had the same virus warning come up with Avast today as every one else. The client updated just fine. I did file a false positive report with Avast as this was the first time I have EVER has an issue with my ESO Client update and Avast detecting anything. (I scan regularly).

At least with being able to fill out a report with Avast, they can go in to the information their program collects and confirm whether it is indeed an issue or not.

Namdnas

Hey guys!

I had this same issue as well. So, I reported it to Avast! as a false positive and a few hours later, I had an update with Avast!. However, I also did contact TESO support regarding this issue and this is the reply that I have received, so hopefully, this will help put the issue to rest:

"I can inform you that, yes, it is a false positive. My colleague researched this issue extensively and seems to have fallen victim as well. Please accept our apologies and I hope this hasn't inconvenienced you too much.

As I see you are using Avast you may encounter this false-positive declaration even after you update your virus definitions. If you would like to exclude the Elder Scrolls Online from this, please use the following steps:

1.Open the Avast! User Interface and go to Settings, and then Antivirus

2.Find the Exclusions tab and browse for the C:\Program Files (x86)\Zenimax Online\Launcher folder or the Bethesda.net_Launcher.exe and ESO.exe file paths in the File Paths tab

3.After adding each path to the Exclusions File Path area, click Add to add the file/folder

4.Added File Paths/Folder will now be excluded from any Avast! scanning and all shield protection

5.Click OK

Sorry again for this misinformation and if there is anything else I can help you with or if you have any further questions, please do not hesitate to contact me."

So, there ya have it! Their customer support so far has been EXCELLENT.

fromtesonlineb16_ESO

Avast is a pile of junk, it has more false positives and more destroyed Windows systems as a result than most others .. it's free and worth every penny you spend.

This is clearly a false-positive, and in any-case. Why people believe sig-based A/V these days is beyond me.

Namdnas

fromtesonlineb16_ESO wrote: »

Avast is a pile of junk, it has more false positives and more destroyed Windows systems as a result than most others .. it's free and worth every penny you spend.

This is clearly a false-positive, and in any-case. Why people believe sig-based A/V these days is beyond me.

So, then, what anti-virus would YOU recommend? As for me, I've only ever gotten two false positives and I've used Avast for almost 10 yrs. One was a long time ago with Starcraft II shortly after it was released, which was fixed within 24 hours by Avast, and the other was this, today. So, I'm still a fan.

SirenofEntropy

Lord_Draevan wrote: »

I got the same warning, but I was able to play once it was done repairing. I just installed Avast this weekend, so I thought this was just because it was new.

Same here, Avast gave me the warning, but the patch just continued as normal and I was able to play just fine after it was finished.

SPECVSTV30_ESO

Screwed again, can not play due to this error. I am really getting sick of this garbage.

Phinix1

Arizona_Willie wrote: »

I'm thinking this should be the last straw.

They allow their coding machines to get infected by a virus and send it out with an update without even checking for virii?

What kind of fools are they? [...]

Arizona_Willie wrote: »

I didn't react ... AVAST did it's job and reacted to bad programming that triggers the virus detection.

Defend these clowns all you want, fanboi ... but they couldn't program a 2 car funeral.

Triggering our virus programs is simply TERRIBLE programming any way you slice it.

SPECVSTV30_ESO wrote: »

Screwed again, can not play due to this error. I am really getting sick of this garbage.

If you don't understand what you are talking about, please don't knee-jerk react on a public forum with insults and accusations. People will be more willing to help you that way.

Having a false positive detection has NOTHING to do with "bad coding." If it did there are plenty of Microsoft, Apple, and Symantec products that must be equally poorly coded as they have throws false positives for me in the past.

There are tools you can use (Process Explorer and others by SysInternals for one) that can help you profile what libraries are loaded and what IP addresses are being accessed, and what files are being accessed/altered by a running process, to help you do a bit of research on your own.

If you are not so inclined again, I encourage you to ask your questions in a civil and respectful manner, without immediately leaping to insults and accusations when you clearly have no idea what you are talking about.

I realize virus (even falsely labeled ones that aren't actually) are scary, but that is no reason to be rude about seeking help.

Divayth_Fyr

I also received this after using the launcher after maintenance!