I just tried to download the official Github export templates through Godot. I used the Template Export Manager at Project>Export>Manage Template Exports. Webroot removed the resulting ~\AppData\Roaming\Godot\export_templates\4.4.stable\windows_debug_x86_64.exe on the grounds that it was in malware group Trojan.Dropper.Gen.
What should I be doing here to get export templates?
ed. I went through the link below the main downloads on godotengine.org, and those unzipped successfully. I'd say it fixed itself, but I don't know why the other method results in a trojan detection.
Hhhm. I selected "Official Github releases mirror" from the manager menu, as Github itself was not an option, so I can't literally say I know what mirror it meant, coming to think of it… (the other option, which I did not select, was "best available mirror").
Ah. I realize though that this doesn't matter-- first attempt got me templates for 4.4.stable and the site link had 4.4.1 so while I'm delighted at making hashes for the first time, this tells me nothing. Let me see if the site has older templates and I'll make a more valid comparison
For that file (which was immediately deleted by Webroot), from Webroot's log, for windows_debug_x86_64.exe: 73E9EDBEEF8522484184DF8885B31C7C
From Powershell, in MD5, for the same filename but from Godot's site (which I still have and hasn't caused any trouble): DD1D9A0214A41971E7D4A13A38973828
So, Webroot didn't like that.
From its error log, for the 4.4.stable windows_debug_x86_64.exe from the godotengine.org downloads at Download Godot 4.4 (stable) – Godot Engine, I got the same hash and same trouble as the originally flagged file. My system seems ok, but I have no idea whether it is a false positive or whether there is a "safe" file it could be compared against. I just know that the template manager's official Github mirror and the Godot site had the same flagged-virusy thing as each other for the 4.4.stable template.
Frankly, I don't enjoy the adrenaline, so I don't think I want to try downloading one like it again! Since the 4.4.1 templates don't have this problem at least that seems like it'll work for my purposes.
So I haven't resolved what is going on here, but I have a workaround for at least the one version: should I flag a post with "solution"?
Idk, you could just leave it open, and thanks for checking. I'm curious to dive a little deeper myself. Although, there are many people contributing and only a handful of employees overseeing pull requests, but there usually is a review from trusted users. I think it would be pretty hard to integrate malware into the code base, someone would probably need to replace the GitHub zip somehow, or modify the mirror url.
I will also add that Godot is an unsigned application on Windows which could draw lots of scrutiny from antivirus software, there is a recent discussion on this, and Godot was recently utilized as a platform to deliver malware. Which could be the reason binaries of Godot could match signatures now because of the incident. See Godloader bulletin.
So for Godot 4.4, the download manager, and the web download, I get a match of 73E9EDBEEF8522484184DF8885B31C7C.
I noticed that the export manager pulls from the godotengine/godot repo, whereas the web download pulls from the godotengine/godot-build repo. The godot-build repo publishes checksums of the zip and I compared those with the two versions and they all match. My bet is this is a false flag from Webroot.
That DD1D9… MD5 sum you shared looks like it came from the Godot 4.4.1 exports (I also checked the latest).
Yeah, that's what I realized and why I went looking for the matching version. I figure it is a false positive too but of course it's not like I could confirm either way.
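
The comparison worked through in this thread, as an added example that is not part of any post and is not Godot's own code: check the downloaded template archive against the published checksum list, then confirm that the MD5 from the antivirus log belongs to the file inside that archive. It assumes the checksum list is in `sha512sum` format; the archive name, member path and file bytes are constructed sample values.

```python
import hashlib
import hmac
import io
import zipfile

def parse_sums(text):
    """Parse sha512sum-style lines ('<hex>  <name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            # A leading '*' marks binary mode in sha512sum output.
            sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums

def verify_archive(data, name, sums_text):
    """True only if `name` is listed and its SHA-512 matches the archive bytes."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False  # an unlisted file is unverified, not "ok"
    return hmac.compare_digest(hashlib.sha512(data).hexdigest(), expected)

def member_md5(data, member):
    """MD5 of one file inside the archive, upper-case as the AV log prints it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return hashlib.md5(zf.read(member)).hexdigest().upper()

def check(data, name, sums_text, member, av_log_md5):
    """Two separate facts: archive is the published one; flagged file came from it."""
    return {
        "archive_matches_published_sum": verify_archive(data, name, sums_text),
        "flagged_file_is_archive_member": member_md5(data, member) == av_log_md5.upper(),
    }

MEMBER = "templates/windows_debug_x86_64.exe"  # constructed member path
PAYLOAD = b"MZ constructed sample bytes"        # constructed, not a real template

def constructed_sample():
    """Build a small in-memory archive and a matching checksum list (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MEMBER, PAYLOAD)
    data, name = buf.getvalue(), "export_templates.tpz"  # hypothetical file name
    return data, name, f"{hashlib.sha512(data).hexdigest()}  {name}\n"

if __name__ == "__main__":
    data, name, sums = constructed_sample()
    print(check(data, name, sums, MEMBER, hashlib.md5(PAYLOAD).hexdigest()))
```

Both checks passing shows the flagged file is byte-for-byte what the project published, which is a separate question from whether the detection itself is correct.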