Detecting virus in WoW folder

From my Windows Security virus & threat protection:

Threat detected: Behavior:Win32/DefenseEvasion.P!ml
Alert level: Severe
Date: 12/21/2019 8:20 PM
Category: Suspicious Behavior
Details: This program is dangerous and executes commands from an attacker.

Affected items: file: D:\Blizzard\World of Warcraft\Data\data\wow-us\lru_shard_0

Should I be concerned about this?

My computer is doing the same thing. Is Windows defender detecting “Warden”?

Seeing this too. Tempted to reimage. Any info Blizz?

edit: this was found in the ‘wow-classic-us\lru_shard_0’ file, relative to the ‘data’ directory noted by Mandane above.

Same here.
I'm a bit worried.

So… I deleted the lru_shard_0 file without thinking and it seems like it's not affecting the game in any way. Can we get a clarification on what the file is for and what the consequences of deleting it are?

Can you check to see if it was recreated automatically? Also, wondering if an addon could possibly be injecting a program into game files…

Which addons are you guys running?

You can safely delete the file. Once you get in-game the directory will be re-created and the files themselves will also be re-created during logout (at least during my testing). Can’t replicate the detection on my end though.

Did you all recently have your virus definitions in Windows updated? To check for updates in Windows Defender, follow these steps:

  1. Start Windows Defender if it is not already open. To do this, click Start, click Programs, and then click Windows Defender.
  2. Check for new definitions. To do this, click Check for Updates Now.

It should also display the version. Go ahead and post what version you’re on.

My Windows Defender detected the same thing. It says my threat definition is updated and its version is 1.307.856.0.

That released recently from the looks. Just to go on the side of caution, feel free to delete those files/folders since it won’t affect your gameplay and they’ll be recreated. Going to dig into this a bit more to make sure it isn’t a false positive.

I would be curious to know what addons you all may have in common as well. Like Lapierre mentioned, it is possible for them to inject stuff if it is purposely malicious.


EDITED WITH UPDATED INFO
My Windows Defender is updated (1.307.901.0) but it was 1.307.856.0 when it was detected. I did a full scan on the whole SSD that WoW is installed on and nothing was detected. (So I guess it's a false positive?)
I'm using the following addons (updated via Twitch):
Prat 3.0 (Prat-3.0-3.7.45.zip), MoveAnything (MoveAnything 17.0.7.zip), Weakauras 2 (WeakAuras-2.15.5.zip), eAlign Updated (eAlignUpdated.zip), World Quest Tracker (WorldQuestTracker-v8.2.5.386.zip), Bartender4 (Bartender4-4.8.9.zip), SavedInstances (SavedInstances-8.2.6.zip), Mogit (MogIt-3.9.0.zip), Details! Damage Meter (Details-v8.2.5.7229.150.zip) and Bagnon (Bagnon8.2.21-8.2.5.zip).

My Windows Defender version is 1.307.892.0.

Addons (downloaded from CurseForge) that I have in the AddOns directory are listed below:
BattlePetBreedID
DBM
HandyNotes
HandyNotes_DraenorTreasures
Immersion
MaxDps
MinimalArchaeology
MogIt
PoMTracker
Rematch
SkillHelper
tdBattlePetScript
tdBattlePetScript_Rematch
TinyDPS
TomCats-Mechagon
TomCats-Nazjatar
TomTom
Whammy
WorldQuestsList

Sorry, I'm not sure how to check my addon version…

Windows Defender version: 1.307.901.0.

Addons (managed through Twitch, I might add):
Bagnon-8.2.16-1.13.2.zip
NeatPlates-1.13.3.1.zip
Atlas-v1.45.01.11302.zip
Atlas_ClassicWoW-v1.45.00.11302.05.zip
AtlasLootClassic-v1.4.3-classic.zip
AuctioneerSuite-8.2.6512.zip
Bartender4-4.8.9-classic.zip
ClassicAutoQuest.zip
ClassicCastbars-v.1.2.0-hotfix-classic.zip
DetailsClassic.1.133.187.141.zip
Leatrix_Maps-1.13.40.zip
Leatrix_Plus-1.13.41.zip
Masque-8.2.8-Classic.zip
Masque_Apathy-8.2.6-Classic.zip
Masque_Caith-8.2.6-Classic.zip
Masque_Entropy-8.2.5-Classic.zip
Masque_Goldpaw-1.0.6-Release.zip
Masque_Raeli-r19-release-classic.zip
Pawn-2.3.12-Classic.zip
Quartz-3.5-classic-5.zip
Questie-v5.4.0.zip
Recount-v8.2.5d.zip
ShadowedUnitFrames-v4.2.1-Classic.zip
SimpleEnergyBar-v1.0.11.zip
TitanPanelClassic-1.1.5.11303.zip
WorldQuestTracker-v8.2.0.381.zip

Hey hey everyone!

So this file is totally normal for WoW, it’s possible someone accidentally flagged it with Windows Defender. We recommend reporting this as a false positive to Microsoft so it can be looked into.


Thank you for the help, I was having the same problem. I stepped away from the game for 45 minutes to get some lunch and came back and it was deleted! I thought I had contracted malware or something, a bit of a relief tbh.

Btw my Defender is the same, at 1.307.901.0, and I was using many of the same addons. I cannot find a way to access a list of the version numbers, but the ones that were similar were:
Bagnon
Bartender
Pawn
Recount
Worldquesttracker
TomTom
Weakauras2

Flagged, or code matches to what was supposed to be in the affected file? If you could look into it more, that would be appreciated. If someone has an affected file that wasn’t deleted yet, would you not want to inspect it? Won’t reimage for now, but this isn’t a good enough answer.

I tried to take a peek into that file. I'm assuming that 38882 sets of encrypted varchar (4 characters in each set) is normal, yeah? If the file is encrypted, those 3rd party addons shouldn't be able to use the file to do anything, right?

Hi there guys,

Just got this on startup, forgive me for not typing it out. Defender won’t allow me to copy the text and it’s quite a bit. If more error info is needed, it can be seen here:
https://imgur.com/a/m8fNGw0

Threat detected: Behavior:Win32/DefenseEvasion.P!ml
Alert Level: Severe

Affected items: file: D:\Program Files (x86)\Battle.net\World of Warcraft\Data\data\wow-us\lru_shard_0

Any issue or false alarm?

Thanks for your time!

I got the same threat detected (Behavior:Win32/DefenseEvasion.P!ml), however my affected item is this:

file: D:\World of Warcraft\Data\data\shmem

Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.1002.0)

Hey folks,

I can confirm that these are false positives. We have these files in our own installs in the office and we're running business security apps. This happens from time to time when someone flags the wrong files in a security software, which is why you're seeing this with specific builds of Defender. Please report this to Microsoft as mentioned above.
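Two things in this thread are worth doing before reporting a suspected false positive to Microsoft: recording the exact Defender signature version (the staff post above asks for it) and keeping a record of the flagged file before Defender removes it. The script below is an added example, not Blizzard's or Microsoft's own tooling; the install path and threat name default to values quoted in the thread and should be changed to match the affected machine.

```powershell
# Added example: collect the evidence a false-positive report needs.
# Run from an elevated PowerShell prompt on the affected machine.
param(
    # Assumed path; posts in this thread show several different drive letters.
    [string]$WowFile    = 'D:\Blizzard\World of Warcraft\Data\data\wow-us\lru_shard_0',
    [string]$ThreatName = 'Behavior:Win32/DefenseEvasion.P!ml'
)

# 1. Record the Defender build. The thread ties the detection to specific
#    signature versions (1.307.856.0 and later), so this is the first thing
#    to include in the report.
$status = Get-MpComputerStatus
$report = [ordered]@{
    SignatureVersion = $status.AntivirusSignatureVersion
    SignatureUpdated = $status.AntivirusSignatureLastUpdated
    EngineVersion    = $status.AMEngineVersion
}

# 2. Pull Defender's own detection history for this threat name, so the
#    report shows exactly which files were flagged and by which process.
$threats = Get-MpThreat | Where-Object { $_.ThreatName -eq $ThreatName }
$report.Detections = foreach ($t in $threats) {
    Get-MpThreatDetection |
        Where-Object { $_.ThreatID -eq $t.ThreatID } |
        Select-Object InitialDetectionTime, ProcessName,
            @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } }
}

# 3. Hash the flagged file if it is still on disk. Several posters deleted
#    the file before anyone could inspect it; a hash and size let Microsoft
#    match the sample to the signature that misfired.
if (Test-Path -LiteralPath $WowFile) {
    $report.Sha256    = (Get-FileHash -LiteralPath $WowFile -Algorithm SHA256).Hash
    $report.SizeBytes = (Get-Item -LiteralPath $WowFile).Length
} else {
    $report.Sha256 = 'file already quarantined or deleted'
}

# Emit one JSON record to attach to the false-positive submission.
[pscustomobject]$report | ConvertTo-Json -Depth 3
```

If the file has already been removed, `Get-MpThreatDetection` still returns the quarantine record, which is enough for the submission even without a hash.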