Mach4 has been running fine ever since I built the CNC router a little over 2 years ago. Today I ran a quick job and on the last line of code, thankfully, the software locked up. I didn't think much of it, just figured it was a Windows 7 thing although it hasn't done this before.
I can't tell you which build I was running on Mach4 but it was probably way back around 4.2.0.3188, possibly 3196. It was working so I didn't see any reason to update it. I am running Windows 7 Home Premium and using Kaspersky Total Security, neither of which has given me any issue.
So I shut the CNC down, restarted the computer, and then restarted the CNC. When I tried to launch Mach4 I got trojan warnings from Kaspersky and it proceeded to delete the 'offending malware'. I went to the FTP site and downloaded several of the updates and tried to install one. Each one I downloaded came with a malware warning but I downloaded them anyway, figuring that Kaspersky and Mach4 have all of a sudden decided not to play nicely together.
I tried the install and it goes about 5% and then Kaspersky finds the Mach4 core dll file to be bad and deletes it. I tried several versions of the updates. I can disable Kaspersky and the install goes just fine and Mach4 starts and runs the CNC without issue. If I enable Kaspersky again and try to run Mach4 then errors and warnings start popping up again. Once that happens Mach4 will no longer run even if I disable Kaspersky again; I have to do the process over.
Kaspersky is updated with the latest database and is set to pretty much default settings except that I have auto updates disabled on it and on the computer. Windows Defender is disabled, as well. I use Dropbox for my files so this computer is connected to the Internet and will stay that way. I realize a lot of folks don't like the controller computer to be connected to the Internet but using Dropbox is the way I transfer files, don't want to use a thumb drive. I have the ability to disable Wi-Fi on this computer and it is often NOT connected when I'm running larger files with longer run times. For short jobs that only take a few minutes I leave it connected.
So the question - is the issue with Mach4 or Kaspersky? Why would they all of a sudden stop playing nicely together? I've done a full scan of the computer with Kaspersky and it finds no issue once the Mach4 core dll is gone. I can see if there's a way to exclude that file so that Kaspersky leaves it alone but again, this has worked without issue for over 2 years.
Thanks!
David
David
Romans 3:23
CurlyWoodShop - www.etsy.com/shop/CurlyWoodShop
David Falkner - www.youtube.com/user/difalkner
difalkner - www.instagram.com/difalkner
It's most likely Kaspersky detecting a false positive. It happens more often than you'd think.
Gerry
UCCNC 2017 Screenset
[URL]http://www.thecncwoodworker.com/2017.html[/URL]
Mach3 2010 Screenset
[URL]http://www.thecncwoodworker.com/2010.html[/URL]
JointCAM - CNC Dovetails & Box Joints
[URL]http://www.g-forcecnc.com/jointcam.html[/URL]
(Note: The opinions expressed in this post are my own and are not necessarily those of CNCzone and its management)
Well, now it gets interesting... I had an IT guru friend download one of the Hobby files from the Mach4 FTP site and run that file through a Sandbox to see what came back. He is in a different location than me and used his own gear to do this test so it wasn't connected or related to anything I gave him. The file was a 100% hit for a known malicious hash. Since two separate AV engines flagged the files I'm guessing their site has been compromised.
Right now everything is working because I added the files and folders to the exclusion list in Kaspersky. But that's not very reassuring so I hope they do something about this.
David
Have you contacted Artsoft? I haven't heard of anyone else having this issue, and I read the Machsupport forum daily.
Gerry
I posted basically the same thing on the Mach4 forum today but haven't contacted them directly. I'll do that shortly.
David
I'm pretty sure it's a false positive, as I said before. Looking at your post over there, I see it's only the one main .dll file.
Gerry
That's what I thought at first, Gerry, but many other files were deleted, as well. Also the entire exe file(s) I downloaded. Here's a screenshot of what I'm seeing and there are a fair number of listings below the ones visible. But I don't see two different AV engines returning a false positive on the same file, not when the two different AV engines are so different from each other. I guess it's possible, though.
David
If it was a virus, you wouldn't be the only one reporting it.
UCCNC had a similar issue a few months back, where all of a sudden it started getting flagged. They added some code to try to stop the virus scanners from flagging their legitimate code.
Must be something in CNC control code that looks like viruses.
Gerry
I definitely agree, Gerry. I just have a hard time believing that no other user's AV has flagged the files given that mine did and the Sandbox did.
But here's an update: my IT friend dove into the files and commented back to me this morning - "A couple of AV reference sources marked the file "lua52.exe" as malicious. Classified it as “Trojan.WisdomEyes.16070401.9500”. Since it’s checked against 50+ reference sources, my gut tells me it’s OK and is a false positive." Since Lua is the scripting language I would think this is ok, as well.
So we're back to where we started - false positive. Still odd that nobody else has seen this and that it has worked without a hitch for over two years, then all of a sudden everything associated with Mach4 shows as being Trojan and suspect.
Oh, well, it's working now so I'll leave it alone.
David
I am seeing exactly the same thing. I haven't used my machine for a month and it was working last time I used it. Now Kaspersky kills it.
Kaspersky probably made some changes that caused it to start flagging it.
Gerry
Probably so but I still wonder why it happened the way it did. I'm glad my file got to the last line of code before it got hosed, of course, but I also wonder why the Sandbox flagged it, as well. Maybe there's some new virus signature out there that all the AV engines will begin using and more will get flagged. Oh, well, now I'm on to trying to replicate my previous setup because it also stripped out all of my backup files - ugh!
David
I use Windows Defender, and have an exception for my Mach4 folder, as it starts considerably faster. It's an older version of Mach4, though. Since I'm not running a machine with it, I haven't installed the latest version(s).
Gerry
Mach gets pretty deep into Windows to be able to run pseudo-realtime. It may be it's getting picked up now by multiple scanners because it has code that looks like, or is identical to, some code used in a new attack.
I have exactly the same problem, Kaspersky kills my Mach4 exe.
So either Kaspersky is really on top of things or it's a bit too sensitive, hence the false positive. But it's still odd that the Sandbox, using an entirely different AV engine, flagged Mach4 as well. I did hear back from ArtSoft and I can tell you they didn't appreciate that I asked about the possibility of their site being compromised. Oh, well, two different AV engines flagged your files so I thought I should let you know, ArtSoft...
David
I know the reason why Mach4 gets flagged. It's because of the DRM software used. Mach4 uses EnigmaProtector with some very aggressive techniques to obfuscate the code. This is considered highly suspicious by anti-virus software because it requires manual labor from Kaspersky to analyze the files and whitelist it, as no automated analysis can guarantee that it is safe.
Mach4 does this not to hide malicious code but rather to prevent debugging / modding and thus prevent circumventing the licensing system. Although it wasn't successful at that since some shady Chinese sellers already provide cracked versions of Mach4.
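The packer explanation above (and the earlier report of lua52.exe being flagged by a couple of AV reference sources) is about a heuristic rather than a signature: compressed or encrypted code sections have byte entropy close to 8 bits/byte, which is what packers like EnigmaProtector produce and what scanners treat as suspicious. The script below is an added example, not code from this thread or from Artsoft; it walks a PE file's section table and reports per-section Shannon entropy so you can see for yourself why a legitimate but packed binary trips that heuristic. The 7.0 threshold, the fake-PE builder and the sample byte patterns are my own constructions for offline use; nothing here is a real Mach4 file.

```python
"""Entropy-based packer check for PE files (EXE/DLL).

Added example, not code from the thread or from Artsoft/Mach4. It parses only
the PE header fields needed to locate each section's raw bytes and computes
Shannon entropy per section. Sections near 8.0 bits/byte are compressed or
encrypted, which is what packers produce and what AV heuristics flag. The
script does not decide whether a file is malicious; it shows why a packed,
legitimate binary can look like malware to a scanner.
"""
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits/byte; assumption: a common heuristic cut-off


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section of a PE image.

    Reads e_lfanew from the DOS header, then NumberOfSections and
    SizeOfOptionalHeader from the COFF header, then each 40-byte section
    header's SizeOfRawData / PointerToRawData pair.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", image, off + 16)
        yield name, image[ptr_raw:ptr_raw + size_raw]


def packer_report(image: bytes) -> dict:
    """Per-section entropy plus a 'looks_packed' verdict for the whole file."""
    sections = {name: round(shannon_entropy(raw), 3)
                for name, raw in pe_sections(image)}
    looks_packed = any(e >= PACKED_THRESHOLD for e in sections.values())
    return {"sections": sections, "looks_packed": looks_packed}


def build_fake_pe(sections: dict) -> bytes:
    """Build a minimal, constructed PE-shaped byte string for offline testing.

    Only the header fields this script reads are filled in; the result will
    not load on Windows and is not any real Mach4 file.
    """
    e_lfanew = 0x40
    opt_size = 0  # the parser above does not need an optional header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0)
    ptr = e_lfanew + 4 + 20 + 40 * len(sections)  # raw data starts after headers
    table, blobs = b"", b""
    for name, raw in sections.items():
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", len(raw), 0, len(raw), ptr)
        table += b"\0" * 16  # relocation/line-number fields and Characteristics
        blobs += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + blobs


if __name__ == "__main__":
    # Constructed samples: a plain code-like section vs. a packed-looking one.
    plain = build_fake_pe({".text": b"\x90" * 2000 + b"\xc3" * 100})
    packed = build_fake_pe({".text": bytes(range(256)) * 16, ".data": b"\0" * 512})
    print("plain :", packer_report(plain))
    print("packed:", packer_report(packed))
```

To try it on a real installer, read the file with `open(path, "rb").read()` and pass it to `packer_report`; a `.text` section reading 7.5 or higher is exactly the pattern a scanner's packer heuristic keys on, and it is worth seeing that result before deciding between "false positive" and "compromised download".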
If I were still running a Windows based CNC (I'm not - I'm running custom version of Grbl-Mega), I wouldn't have it on the internet at all - and therefore, wouldn't need anti-virus software on it.
IMHO, running anti-virus software on a real-time system is asking for trouble...
True. But I have it hooked to my LAN so that I can send gcode from the office (where I do the CAD) to the machine without wandering around with USB sticks. So some protection may not be a bad idea.