Beta 6 - Windows Defender detected 'Severe Trojan' "Oneeva.A!ml"

Discussion in '2021.2 Beta' started by Freakish, Aug 5, 2021.

  1. Freakish

    Hi, I just had a rather odd encounter after installing Beta 6.

    I just started a new empty project and installed OpenXR and the OpenXR toolkit. When adding an XR rig to my scene, Windows Defender detected "Trojan:Script/Oneeva.A!ml" in Library\TempArtifacts\Primary\f29e0ae9b05bf\

    Not sure if this is a real issue or a false positive, but alarming nonetheless.

    No idea what happens in the TempArtifacts or what gets put into it and from where. Has anyone else experienced this with Beta 6?

    It has not happened when opening the project again, which is even more strange.

    Is it possible to know from where or what has written to the TempArtifacts\Primary\BlahBlah directory, so I may try and dig deeper?

    The directories are empty, so it was written or created from within Unity or perhaps a Package Manager thing, as I backed up this folder minutes before, and the folders were empty during the backup.
     
  2. Freakish

    Ok, so I did a bit more testing....

    I restored the file that was flagged as a threat.

    At the moment the file was detected, I was dragging and dropping a folder from a previous project. The folder itself is clean, and is from the Oculus Integration Package. So no problems there.

    The temp file that was created by Unity into the TempArtifacts\Primary directory seems to have something to do with that copy (drag and drop) operation.

    When I open the (suspect) file with a text editor I can see certain references to things like //RootNode, Hands:b_l_grip, hands:1_hand_world, amongst a whole bunch of nonsensical gibberish.

    But at least I trust that this is a false positive.

    The (54Kb) file itself comes up completely clean from VirusTotal, so it seems like a recent Defender update is heuristically seeing something in the temp file created by Unity during the copy operation.

    I can repeat this issue by dragging the Oculus folder into my project; each time Windows Defender will force quit Unity, resulting in a crash.... So I've now crashed it 30 times to track down the specific folder:

    "Oculus\SampleFramework\Core\CustomHands\Animations"

    If I copy the entire Oculus directory or just the Animations folder, then immediately a suspect temp file is created and flagged by MS Defender....

    It's all rather bizarre!
     
    soleron likes this.