
Battling BitDefender

There is nothing like trying to get software running in an environment that is actively screwing with it. How antivirus false positives can mess up your game.

Robert Basler

October 8, 2015

4 Min Read

[Originally from onemanmmo.com.]

There is nothing like trying to get software running in an environment that is actively screwing with it.

[Rolling Strike Force Alpha]

I borrowed a laptop with a 3K (3200x1800) screen from a friend to do some debugging on high resolution displays. Bugs like Windows reporting the 3K laptop's screen resolution as 1067x603?! (I wasn't calling SetProcessDPIAware early enough.) There were an assortment of minor issues I was able to quickly fix, but when I went to test them, things really started to go off the rails.

Miranda is designed so that I can easily set up a standalone game and patch server on a PC for testing, so I set this up on my development PC, then downloaded and ran the signed and elevated installer on the 3K test PC. Easy peasy.

On the first try, the installer immediately stopped with an error; the log showed that the web server was returning an HTTP 403 Forbidden error code when downloading laircrashreporter.exe. (LairCrashReporter is a tool I wrote to - you guessed it - report crashes to Secret Lair Games.) Oddly enough, checking the logs on the server, it showed 200 OK status instead. Somewhere between the server and the installer the status code was being changed. Weird.

I tried downloading the file using Mozilla Firefox and up popped an error message from BitDefender, the antivirus software installed on the 3K PC, stating that laircrashreporter.exe is in fact Gen:Variant.Kazy.721075 - a Trojan. My first concern was that my development system might be compromised despite the antivirus software it runs, but some testing quickly confirmed that laircrashreporter.exe was in fact just laircrashreporter.exe. BitDefender was reporting a false positive. I then ran laircrashreporter.exe against virustotal.com, which tests a file against 56 different virus scanners; 8 of those reported it was Gen:Variant.Kazy.721075. That could be a problem.

Once I modified the installer to report the 403 error and point the user at their antivirus software, BitDefender mysteriously changed its MO. On the next test, the installer downloaded the file perfectly and it was successfully written to a temporary location while it waited to be moved to its final location. A moment later, when the installer went to move the file to its final location, the installer crashed on an unhandled exception. Oops, my bad that.

Checking the log, the installer had failed trying to move the laircrashreporter.exe file to its final location because the file it just wrote had vanished. I took a look at BitDefender again, and sure enough, BitDefender had "fixed" the temporary file for me by deleting it. Awesome.

I spent a lot of time thinking about how to address these attacks by BitDefender, but in the end, all I could really do was provide additional error messages and hope the user figures it out before they contact Tech Support. Unlike a lot of software projects, Miranda verifies its installation on startup so at least it is guaranteed that players can't get into game with a damaged installation.
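The two failure modes above (the staged file vanishing before the move, and the need to verify the installation on startup) can be handled without crashing the installer. This is an added example in Python, not code from the post or from Miranda; the manifest, the payload and the file name are constructed stand-ins.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in payload and manifest (file name -> expected SHA-256).
# A real installer would ship this manifest inside the signed installer.
PAYLOAD = b"constructed stand-in for laircrashreporter.exe\n"
MANIFEST = {"laircrashreporter.exe": hashlib.sha256(PAYLOAD).hexdigest()}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def stage(name, data, install_dir):
    """Write downloaded bytes to a temp file inside install_dir and return its
    path. The hash is checked here, before anything touches the final name."""
    install_dir = Path(install_dir)
    install_dir.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(prefix=name + ".part-", dir=install_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    if sha256_file(tmp) != MANIFEST[name]:
        os.remove(tmp)
        raise ValueError(f"{name}: downloaded file does not match manifest hash")
    return tmp

def commit(tmp, name, install_dir):
    """Move the staged file into place. If the temp file has vanished (the
    antivirus quarantined it), report that instead of crashing the installer."""
    try:
        os.replace(tmp, Path(install_dir) / name)
    except FileNotFoundError:
        return False, (f"{name}: staged file disappeared before install; "
                       "check your antivirus quarantine and exclusions")
    return True, f"{name}: installed"

def verify_installation(install_dir):
    """Startup check: names whose file is missing or whose hash differs."""
    bad = []
    for name, expected in MANIFEST.items():
        p = Path(install_dir) / name
        if not p.is_file() or sha256_file(p) != expected:
            bad.append(name)
    return bad
```

Running verify_installation at game start turns a quarantined or tampered file into an actionable message rather than a mystery crash later on.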

After two days of struggles, I had to admit defeat and add exceptions to BitDefender for the locations where the installer writes files in order to be able to get through the installation. But the first time LairCrashReporter attempted to report a crash, BitDefender chimed in yet again with "The application laircrashreporter.exe attempted to connect to the internet using TCP protocol on port 50482. BitDefender Firewall detected malicious activity and denied access for this application." So I manually added a firewall exception for laircrashreporter.exe. This issue could probably be addressed by encrypting the crash data, but I'll leave that hack for another day.

Steam has a page all about false positives in antivirus software, so obviously I'm not the first developer to encounter this. Still, it feels like a problem I just shouldn't have to deal with. Going through all of this made the software better, but it is sort of like the devs of Guild Wars figuring out that 1% of their game crashes are actually hardware failures. Oh, and since I'm picking on BitDefender, it is completely DPI-dysfunctional; I practically needed a magnifying glass to read it on the 3K laptop.
