  1. #1
    Join Date
    Nov 2014
    Posts
    729

    Mach4 trojan warning

    Mach4 has been running fine ever since I built the CNC router a little over 2 years ago. Today I ran a quick job and on the last line of code, thankfully, the software locked up. I didn't think much of it, just figured it was a Windows 7 thing although it hasn't done this before.

    I can't tell you which build I was running on Mach4 but it was probably way back around 4.2.0.3188, possibly 3196. It was working so I didn't see any reason to update it. I am running Windows 7 Home Premium and using Kaspersky Total Security, neither of which has given me any issue.

    So I shut the CNC down, restarted the computer, and then restarted the CNC. When I tried to launch Mach4 I got trojan warnings from Kaspersky and it proceeded to delete the 'offending malware'. I went to the FTP site and downloaded several of the updates and tried to install one. Each one I downloaded came with a malware warning but I downloaded them anyway, figuring that Kaspersky and Mach4 have all of a sudden decided not to play nicely together.

    I tried the install and it goes about 5% and then Kaspersky finds the Mach4 core dll file to be bad and deletes it. I tried several versions of the updates. I can disable Kaspersky and the install goes just fine and Mach4 starts and runs the CNC without issue. If I enable Kaspersky again and try to run Mach4 then errors and warnings start popping up again. Once that happens Mach4 will no longer run even if I disable Kaspersky again, I have to do the process over.

    Kaspersky is updated with the latest database and is set to pretty much default settings except that I have auto updates disabled on it and on the computer. Windows Defender is disabled, as well. I use Dropbox for my files so this computer is connected to the Internet and will stay that way. I realize a lot of folks don't like the controller computer to be connected to the Internet but using Dropbox is the way I transfer files, don't want to use a thumb drive. I have the ability to disable Wi-Fi on this computer and it is often NOT connected when I'm running larger files with longer run times. For short jobs that only take a few minutes I leave it connected.

    So the question - is the issue with Mach4 or Kaspersky? Why would they all of a sudden stop playing nicely together? I've done a full scan of the computer with Kaspersky and it finds no issue once the Mach4 core dll is gone. I can see if there's a way to exclude that file so that Kaspersky leaves it alone but again, this has worked without issue for over 2 years.

    Thanks!
    David
    David
    Romans 3:23
    Etsy shop opened 12/1/17 - CurlyWoodShop

  2. #2
    Join Date
    Mar 2003
    Posts
    35538

    Re: Mach4 trojan warning

    It's most likely Kaspersky detecting a false positive. It happens more often than you'd think.
    Gerry

    UCCNC 2017 Screenset
    http://www.thecncwoodworker.com/2017.html

    Mach3 2010 Screenset
    http://www.thecncwoodworker.com/2010.html

    JointCAM - CNC Dovetails & Box Joints
    http://www.g-forcecnc.com/jointcam.html

    (Note: The opinions expressed in this post are my own and are not necessarily those of CNCzone and its management)

  3. #3
    Join Date
    Nov 2014
    Posts
    729

    Re: Mach4 trojan warning

    Quote, originally posted by ger21:
    It's most likely Kaspersky detecting a false positive. It happens more often than you'd think.
    That's what I was thinking, Gerry. But I just wonder why it has gone so smoothly for the last 2+ years and now all of a sudden it dies on the vine...

    David

  4. #4
    Join Date
    Nov 2014
    Posts
    729

    Re: Mach4 trojan warning

    Well, now it gets interesting... I had an IT guru friend download one of the Hobby files from the Mach4 FTP site and run that file through a Sandbox to see what came back. He is in a different location than me and used his own gear to do this test so it wasn't connected or related to anything I gave him. The file was a 100% hit for a known malicious hash. Since two separate AV engines flagged the files I'm guessing their site has been compromised.

    Right now everything is working because I added the files and folders to the exclusion list in Kaspersky. But that's not very reassuring so I hope they do something about this.

    David

  5. #5
    Join Date
    Mar 2003
    Posts
    35538

    Re: Mach4 trojan warning

    Have you contacted Artsoft? I haven't heard of anyone else having this issue, and I read the Machsupport forum daily.
    Gerry


  6. #6
    Join Date
    Nov 2014
    Posts
    729

    Re: Mach4 trojan warning

    I posted basically the same thing on the Mach4 forum today but haven't contacted them directly. I'll do that shortly.

    David

  7. #7
    Join Date
    Mar 2003
    Posts
    35538

    Re: Mach4 trojan warning

    I'm pretty sure it's a false positive, as I said before. Looking at your post over there, I see it's only the one main .dll file.
    Gerry


  8. #8
    Join Date
    Nov 2014
    Posts
    729

    Re: Mach4 trojan warning

    Quote, originally posted by ger21:
    I'm pretty sure it's a false positive, as I said before. Looking at your post over there, I see it's only the one main .dll file.
    That's what I thought at first, Gerry, but many other files were deleted, as well. Also the entire exe file(s) I downloaded. Here's a screenshot of what I'm seeing and there are a fair number of listings below the ones visible. But I don't see two different AV engines returning a false positive on the same file, not when the two different AV engines are so different from each other. I guess it's possible, though.

    [Attached image: Mach4 - files infected - 1-29-19.jpg]

    David

  9. #9
    Join Date
    Mar 2003
    Posts
    35538

    Re: Mach4 trojan warning

    If it was a virus, you wouldn't be the only one reporting it.

    UCCNC had a similar issue a few months back, where all of a sudden it started getting flagged. They added some code to try to trick the virus scanners from flagging their legitimate code.

    Must be something in CNC control code that looks like viruses.
    Gerry


  10. #10
    Join Date
    Nov 2014
    Posts
    729

    Re: Mach4 trojan warning

    I definitely agree, Gerry. I just have a hard time believing that no other user's AV hasn't flagged the files given that mine did and the Sandbox did.

    But here's an update: my IT friend dove into the files and commented back to me this morning - "A couple of AV reference sources marked the file "lua52.exe" as malicious. Classified it as “Trojan.WisdomEyes.16070401.9500”. Since it’s checked against 50+ reference sources, my gut tells me it’s OK and is a false positive." Since Lua is the scripting language I would think this is ok, as well.

    So we're back to where we started - false positive. Still odd that nobody else has seen this and that it has worked without a hitch for over two years, then all of a sudden everything associated with Mach4 shows as being Trojan and suspect.

    Oh, well, it's working now so I'll leave it alone.

    David

  11. #11
    Join Date
    Jan 2012
    Posts
    6

    Re: Mach4 trojan warning

    I am seeing exactly the same thing. I haven't used my machine for a month and it was working last time I used it. Now Kaspersky kills it.

  12. #12
    Join Date
    Mar 2003
    Posts
    35538

    Re: Mach4 trojan warning

    Kaspersky probably made some changes that caused it to start flagging it.
    Gerry


  13. #13
    Join Date
    Nov 2014
    Posts
    729

    Re: Mach4 trojan warning

    Probably so but I still wonder why it happened the way it did. I'm glad my file got to the last line of code before it got hosed, of course, but I also wonder why the Sandbox flagged it, as well. Maybe there's some new virus signature out there that all the AV engines will begin using and more will get flagged. Oh, well, now I'm on to trying to replicate my previous setup because it also stripped out all of my backup files - ugh!

    David

  14. #14
    Join Date
    Mar 2003
    Posts
    35538

    Re: Mach4 trojan warning

    I use Windows Defender, and have an exception for my Mach4 folder, as it starts considerably faster. It's an older version of Mach4, though. Since I'm not running a machine with it, I haven't installed the latest version(s).
    Gerry


  15. #15
    Join Date
    Jun 2011
    Posts
    692

    Re: Mach4 trojan warning

    Mach gets pretty deep into Windows to be able to run pseudo-realtime. It may be it's getting picked up now by multiple scanners because it has code that looks like, or is identical to, some code used in a new attack.

  16. #16
    Join Date
    Dec 2013
    Posts
    3

    Re: Mach4 trojan warning

    I have exactly the same problem, Kaspersky kills my Mach4 exe.

  17. #17
    Join Date
    Nov 2014
    Posts
    729

    Re: Mach4 trojan warning

    So either Kaspersky is really on top of things or it's a bit too sensitive, hence the false positive. But it's still odd that the Sandbox, using an entirely different AV engine, flagged Mach4 as well. I did hear back from ArtSoft and I can tell you they didn't appreciate that I asked about the possibility of their site being compromised. Oh, well, two different AV engines flagged your files so I thought I should let you know, ArtSoft...

    David

  18. #18

    Re: Mach4 trojan warning

    I know the reason why Mach4 gets flagged. It's because of the DRM software used. Mach4 uses EnigmaProtector with some very aggressive techniques to obfuscate the code. This is considered highly suspicious by antivirus software because it requires manual labor from Kaspersky to analyze the files and whitelist them, as no automated analysis can guarantee that it is safe.

    Mach4 does this not to hide malicious code but rather to prevent debugging / modding and thus prevent circumventing the licensing system. Although it wasn't successful at that since some shady Chinese sellers already provide cracked versions of Mach4.

  19. #19
    Join Date
    Aug 2009
    Posts
    230

    Re: Mach4 trojan warning

    If I were still running a Windows-based CNC (I'm not - I'm running a custom version of Grbl-Mega), I wouldn't have it on the internet at all - and therefore, wouldn't need anti-virus software on it.

    IMHO, running anti-virus software on a real-time system is asking for trouble...

  20. #20

    Re: Mach4 trojan warning

    True. But I have it hooked to my LAN so that I can send gcode from the office (where I do the CAD) to the machine without wandering around with USB sticks. So some protection may not be a bad idea.
