Windows Defender thinks SpongeForge is a virus

It’s a sunny day here in Italy, everything goes well, besides the current situation, and I’m ready to do stuffs with Sponge. So I write a bunch of code, I run the test server aaaaand… “Windows Defender found a virus”. Oh crap, what could it be? Well, I don’t know why, I don’t understand why it would, but appearently Windows Defender thinks that the SpongeForge jar contains a virus :frowning:. Yes, I know, I should get a decent antivirus, but why it suddendly did this? Again, is just from today, yesterday it was all fine :sweat_smile:
And I know I shouldn’t worry about it, but I’m just curious on why it detects like this

It maybe activity that is occuring within sponge due to a plugin. What plugins do you have and what does your plugin do?

It throws the alert just by downloading the jar. So even the jar itself in the downloads folder throws the alert :man_shrugging:t2: The test server has currently the latest stable sponge forge jar and a plugin I’m making that for now the only thing it does is saying “Hello” on the console when an event occur, that’s it

I can replicate it, it means SpongeForge has been reported as a virus to the windows defender. Im not sure how it gets reported on Windows defender, I know some virus scanners automaticly flag files as viruses if abnormal activity is detected, some will be more advanced.

Oddly enough, Sponge Vannila (which shares a lot of code with SpongeForge) does not get detected. This probably means that if it is automaticly flagged, then its a mod that has been interacting with SpongeForge (easy to do even accidently) to act as a virus on peoples servers.

So does this mean I should actually worry about it?
By the way it does with the 7.2.1 RC builds too, but not with the last 7.1.1 build (1.12.2-2838-7.1.11-RC4007)

Nope you shouldnt worry about it, Spongepowered is open source, if you are worried then you can download and compile the version from GitHub (which shows all code, so any viruses would be displayed on the Github page which the public would have picked up (yes there are people such as myself who read code)).

My guess with Windows defender is it checks the instance of the file, to make sure it doesnt detect a incorrect file as the virus file.

Good evening,

I faced the same problem as @Francesco_Jimi. Windows defender told me that SpongeForge contains a virus.

I checked the SpongeVanilla version with an online virus checker and it told me the same as Windows defender !

I also checked the spongeForge “source” jar and this time no virus was found.

The online virus checker I used is :

I think the threat might be real, although I hope the virus is a false positive.

Please consider my message with the utmost importance !

Best Regards.

The “source” jar has only the source code within, something windows defender will not check, instead it checks the compiled code. Thats why windows defender (or your online one) isnt picking it up on source. Interesting that the online one picks up compiled spongeforge

@dualspiral What do you think is happening? Also wouldnt this harm the downloading on sponge forge? (As browsers such as Google chrome have hooks into anti viruses to prevent the downloading of known viruses)

I’m not an AV programmer and I have no idea why Sponge is tripping up now. Rest assured Sponge does not contain a virus or trojan.

We have checked our own downloads and they are as we expect - clean. In most AVs that have false positives, we’re seeing that PacketPhaseUtil.class is the problem - and that’s not changed for some time. All “trojan” types that are being flagged are those that indicate that the heuristics engines have picked it up - that is, the predictive part of the AV engines - it’s important to note that detections are not detecting anything specific, they just are saying “hey, maybe it looks like something’s a bit off”. Don’t forget, Sponge does bytecode transformation at launch - it’s injects itself into Minecraft and changes how it runs. It’s a mod! I’m surprised this hasn’t happened sooner!

The best I can suggest is:

  • Make sure you ALWAYS download Sponge from our download sites ONLY - We cannot guarantee the authenticity of anything downloaded from elsewhere.
  • Check that the SSL certificate is valid on our websites and that the connection is secure, if there is no padlock, do not trust the site. On Firefox, I see this:
    It’s similar for Chrome.
  • If you trust us enough, whitelist the Sponge jar in your AV. I personally know it’s fine, but it still pays to keep your wits about you. This is the internet people!
  • Report the Sponge JAR to your AV provider using any tools for reporting false postives - the do rely somewhat on user reports to patch over thes false positives.

I have reported it to Avast but got no response - though that is probably because they don’t give a response and someone said that after I submitted it, it was fine. Based on this, people should do the same for their AV provider. How they do that is an exercise for the reader.


For those that are curious, as I am, although I do not know very much about the subject:

Modern Antivirus no longer looks merely for specific exploits, but rather mostly they use very advanced algorithms that detect code in data and detect if the code loads more code. Between that and a few other checks, the antivirus will flag that code as dangerous.

What I do not know much about is how this translates between languages. From my understanding the algorithms that do the analysis are pretty abstract and based more in mathematics, so it seems like it would work across several different languages.

But then again I have no idea how antivirus works.