
Malware scanning/warnings

A topic by Dr-Flay created Mar 05, 2020 Views: 9,078 Replies: 6
(+1)

Other game stores have a more robust AV process due to the way they operate, so I think we should consider what free or low-cost options are available and suitable.

Can you please integrate the free VirusTotal or OPSWAT API?
There are several Open Source browser extensions which could be forked and utilised.
The side effect would turn the launcher into a handy crowdsourced virus submission platform.
itch.io launcher has more insight into the installed games and folders, so could easily send the hashes of the game files.

Users do not need a key for checking files, only to upload samples.
This is often an extra option in most tools, though there is no reason you could not use a key for itch (as long as you hide the key).
Following the standard and giving users a way to add their key is preferable in many ways but will limit the amount of uploads of new samples.

As developers here can use whatever download links they like on project pages, the one part of the end-user experience that can be controlled by itch is what happens when the user clicks the jscript-powered DL button.
At that point if it is hosted by the CDN, then the hash can be sent for checking, and if it is anything else, e.g. a web drive link or upload service, itch could show a warning that the file cannot be vouched for, and should be tested with AV first.
itch could send the URL to VirusTotal/OPSWAT where if the file was fetchable a report will be generated.

If integrated at an earlier stage such as building the distros, users of the standard Butler distro system could be given simple but useful info to populate their project pages, such as file hashes, and if for Android then a list of permissions.
Good and trustable authors will value showing such details, and malware authors may be discouraged from using itch.

Pinned Reply, Admin (2 edits) (+2)

Hello, sorry for not replying to this topic sooner!

We actually do have automated virus scanning. VirusTotal is not accurate enough in a lot of cases for us to automatically suspend content, so typically content gets put into a review queue where we human review it. For example, the games you reported were actually suspended from review by us before we saw your topic about them.

Regarding the safety of files in general, keep in mind that anyone can publish a project page on itch.io. You should use the same discretion you use when downloading any program off the internet. If you think something is suspicious then don’t download it and report it. No virus scanner is perfect. We try to keep the files hosted safe and secure, but due to the nature of how we are a self-publishing platform servicing a large number of publishers, we can’t guarantee we’ve tested and verified every piece of software uploaded.

For added security you may want to investigate the sandbox within the itch.io app. It’s able to run games on a separate user account with restricted privileges. This can help block malicious software from having access to your files.

Alternatively, if you’re concerned about downloading software off the internet, we have a large selection of HTML5 games that can be played directly in your browser.

Thanks

All fine except that they were Android games, and had been marked as malware for a while by multiple vendors, so your automated scan wasn't much use. In fact much less use than either VT or OPSWAT in this case.
I know VT is not perfect, none are and the main issue with VT comes from being up to 1 month behind the current definitions, but in this case they were aware of the malware.
The first of the uploads was available for a considerable amount of weeks before I noticed it.
I would say that shows you need to revamp your process. If mods can't get through the list in time and the AV scanner is not flagging something for early review, what happens if you get twice as popular with twice the uploads?
Deal with it soon before necessity forces your hand when you have no choice and you are trying to clean up a mess.

There are easy ways to integrate VT or OPSWAT APIs into the site and client for the users' safety that do not have to change your internal structure of operations.

Note: Compared to PCs the AV software install count on mobile devices is low as many rely on the built-in protection.
Google Play Protect did not recognise any of them as a threat. This means vast amounts of users would blindly trust them due to false validation.

VirusTotal is not reliable; they are using other anti-virus software companies to test the program. We all know these companies cannot track or find actual viruses because they have only made a list-checking requirement, not a full-on test kit. That goes double for OPSWAT; they only use MetaDefender and nothing else.

(2 edits)

This thread is due to experience in this site, leading to my thread where I will post any offending profiles and evidence.
https://itch.io/t/700501/malware-accounts-to-be-removed

1) These packages were obvious malware even before inspection, due to several reasons.
Age of games, size of distro, text saying these big name demos are exclusive to itch, and the nature of the shiny tempting bait.
Let's just say, everything about it made my spidey-sense hit me round the head with giant alarms, whistles, gongs and klaxons.

2) Using VT corroborates the suspicion due to the exceptionally heavy weight of evidence against the packages.
VT definitions can be at most 1 month out of date. This is where it actually fails.
Often malware writers will release their new code the day after VT update so they have a longer window of operation.
When you see a file get between 1 and 3, maybe 5 hits, depending on the AV brands, you can often discount it as a false-positive.
When you see over 40 AV (including the most trusted 5) all agree something is malware, you'd have to be a fool to decide they are wrong, unless you either wrote the offending code, or are yourself a top-rate security and crypto coder.

3) OPSWAT Metadefender is a client which uses either the online AV engines or a locally installed core on the network.
It uses multiple AV engines though not as many as VirusTotal, however it does use all the regular top 5 contenders for detection, inc. Avira, Bitdefender, Kaspersky, and more.

4) Both use a remote sandbox for running executable samples and will see what they actually try to do. This often triggers more warnings that the sample may be malicious.
It is also a useful way for devs to work out why their software is being detected as a false-positive.

I can probably undelete the samples and let you have them if you are so sure they are fine.
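
The download-click check proposed in the opening post, combined with the hit-count reading described in this post, as an added example that is not part of the thread or of itch.io's code. The CDN hostname, the report dictionary shape and the verdict names are assumptions made for illustration, and the sample hashes and counts are constructed.

```python
import hashlib
from urllib.parse import urlparse

# Assumption: hostnames the store serves uploads from (placeholder value).
CDN_HOSTS = {"cdn.example.invalid"}
# From the thread: up to about 5 hits is often a false positive,
# more than 40 engines agreeing is treated as malware.
LOW_HITS, HIGH_HITS = 5, 40

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large game archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def triage(download_url, file_hash, reports):
    """Return (verdict, reason) for one download click.

    reports maps sha256 -> {"malicious": int, "total": int}; it is a
    constructed stand-in for a multi-engine scan result, not a real API shape.
    """
    host = (urlparse(download_url).hostname or "").lower()
    if host not in CDN_HOSTS:
        return "warn", "externally hosted, cannot be vouched for"
    report = reports.get(file_hash)
    if report is None:
        return "review", "no scan report for this hash yet"
    hits, total = report["malicious"], report["total"]
    if hits > HIGH_HITS:
        return "quarantine", f"{hits}/{total} engines flag it"
    if hits > LOW_HITS:
        return "review", f"{hits}/{total} engines flag it"
    if hits > 0:
        return "allow", f"{hits}/{total} hits, likely false positive"
    return "allow", "no engine flags it"

if __name__ == "__main__":
    # Constructed sample data: fake hashes and counts, for illustration only.
    reports = {"a" * 64: {"malicious": 44, "total": 60},
               "b" * 64: {"malicious": 2, "total": 60}}
    for url, h in [("https://cdn.example.invalid/demo.apk", "a" * 64),
                   ("https://cdn.example.invalid/game.zip", "b" * 64),
                   ("https://drive.example.invalid/x.zip", "c" * 64)]:
        print(url, triage(url, h, reports))
```

The middle band between the two thresholds goes to human review, which matches the review queue the admin reply describes.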

This is what happens: https://itch.io/t/701487/game-file-marked-as-virus-when-downloading

You can't trust those "anti-softwares" because they are just a list of popular programs, and anything that isn't just gets marked as a dangerous thing to the computer. What is considered dangerous depends on the company.

(+3)

True, but it would still be better than nothing. Itch.io desperately needs to implement some kind of security QA.