Author Topic: Mach4 build files infected?  (Read 825 times)

Mach4 build files infected?
« on: February 01, 2019, 12:14:26 PM »
First post here though I visit for answers when I need them.  Here is a problem I just ran into -

Mach4 has been running fine ever since I built the CNC router a little over 2 years ago. A couple of days ago, at the end of running a short job, Mach4 froze on the very last line. I didn't think much of it, just figured it was a Windows 7 thing although it hasn't done this before.

I can't tell you which build I was running on Mach4 but it was probably way back around, possibly 3196. It was working so I didn't see any reason to update it. I am running Windows 7 Home Premium and using Kaspersky Total Security, neither of which has given me any issue.

So I shut the CNC down, restarted the computer, and then restarted the CNC. When I tried to launch Mach4 I got trojan warnings from Kaspersky and it proceeded to delete the 'offending malware'. I went to the FTP site and downloaded several of the updates and tried to install one. Each one I downloaded came with a malware warning but I downloaded them anyway, figuring that Kaspersky and Mach4 have all of a sudden decided not to play nicely together.

I tried the install and it goes about 5% and then Kaspersky finds the Mach4 core dll file to be bad and deletes it. I tried several versions of the updates. I can disable Kaspersky and the install goes just fine and Mach4 starts and runs the CNC without issue. If I enable Kaspersky again and try to run Mach4 then errors and warnings start popping up again. Once that happens Mach4 will no longer run even if I disable Kaspersky again, I have to do the process over.

Kaspersky is updated with the latest database and is set to pretty much default settings except that I have auto updates disabled on it and on the computer. Windows Defender is disabled, as well. I use Dropbox for my files so this computer is connected to the Internet and will stay that way. I realize a lot of folks don't like the controller computer to be connected to the Internet but using Dropbox is the way I transfer files, don't want to use a thumb drive. I have the ability to disable Wi-Fi on this computer and it is often NOT connected when I'm running larger files with longer run times. For short jobs that only take a few minutes I leave it connected.

Well, now it gets interesting... I had an IT guru friend download one of the Hobby files from the Mach4 FTP site and run that file through a Sandbox to see what came back. He is in a different location than me and used his own gear to do this test so it wasn't connected or related to anything I gave him. The file was a 100% hit for a known malicious hash. Since two separate AV engines flagged the files I'm guessing the ArtSoft site has been compromised, at least the FTP page for the downloads.

Right now everything is working because I added the files and folders to the exclusion list in Kaspersky. But that's not very reassuring so I hope they know about it and do something about this.

Re: Mach4 build files infected?
« Reply #1 on: February 02, 2019, 12:08:40 AM »
Would you mind posting the full name of the Trojan that is being detected?

Re: Mach4 build files infected?
« Reply #2 on: February 02, 2019, 02:29:20 PM »
Sure - see below

I just have a hard time believing that no other user's AV hasn't flagged the files given that mine did and the Sandbox did.

But here's an update: my IT friend dove into the files and commented back to me this morning - "A couple of AV reference sources marked the file 'lua52.exe' as malicious. Classified it as 'Trojan.WisdomEyes.16070401.9500'. Since it's checked against 50+ reference sources, my gut tells me it's OK and is a false positive." Since Lua is the scripting language I would think this is ok, as well.

So we're back to where we started - false positive. Still odd that nobody else has seen this and that it has worked without a hitch for over two years, then all of a sudden everything associated with Mach4 shows as being Trojan and suspect.

Oh, well, it's working now so I'll leave it alone.

Re: Mach4 build files infected?
« Reply #3 on: February 02, 2019, 08:08:43 PM »
I am seeing the same kind of thing.  I hadn't used my machine in quite some time and there was a popup from Kaspersky about an update.  When I went to run MACH4, Kaspersky blocked it.  Downloaded new files from the website and tried to reinstall.  Same thing.

Re: Mach4 build files infected?
« Reply #4 on: February 04, 2019, 05:09:05 PM »
When the anti-virus software becomes the virus... 

Re: Mach4 build files infected?
« Reply #5 on: February 04, 2019, 06:03:17 PM »
Can't disagree with that, not at all.  But when it hits the immediate thought is 'my AV software is doing its job'.

Ah, well, Mach4 is in the exclusion list now so we'll just rock on!

Re: Mach4 build files infected?
« Reply #6 on: February 10, 2019, 10:42:04 AM »
Just ran into this same issue after my Kaspersky Total Security 2019 did a recent update.

When I started Mach 4, Kaspersky stopped the program launch and then started to delete the program files.  When I went to re-install Mach 4 - it stopped the installation about 25% in - and then proceeded to delete the installation file!!!   When I copied a new installer onto a USB drive - Kaspersky deleted it from the USB drive!  All the while claiming that there was a Trojan virus detected...

I have spent the morning with Kaspersky support to try to resolve this.

For now they showed me how to add Mach4 to the trusted application list, and it appears that I'm back up and running.

I have sent them a link to the installer download (they wanted me to email them the file - but it is too large to email) - so we'll see if they will follow through with amending their software.

Re: Mach4 build files infected?
« Reply #7 on: February 10, 2019, 09:10:49 PM »
Yes, it would be nice if they would address their AV engine rather than having to put the Mach files in exclusion.  That means something 'real' can creep into that excluded folder and go undetected and that's not a good thing.

Re: Mach4 build files infected?
« Reply #8 on: February 14, 2019, 08:32:49 PM »
I just received the following from Kaspersky:

Sorry, it was a false detection. Please run database update on your Kaspersky software (Open Kaspersky > Update > Run update) then test the issue within 24 hours.

I won't have time for the next few days to check this, but hopefully this will fix the issue...

Re: Mach4 build files infected?
« Reply #9 on: February 14, 2019, 08:46:17 PM »
That would be awesome if it works.  I may try it tomorrow.