From my Windows Security virus & threat protection:
Threat detected: Behavior:Win32/DefenseEvasion.P!ml
Alert level: Severe
Date: 12/21/2019 8:20 PM
Category: Suspicious Behavior
Details: This program is dangerous and executes commands from an attacker.
Affected items: file: D:\Blizzard\World of Warcraft\Data\data\wow-us\lru_shard_0
So… I deleted the lru_shard_0 file without thinking and it seems like it's not affecting the game in any way. Can we get a clarification on what the file is for and what the consequences are for deleting it?
You can safely delete the file. Once you get in-game the directory will be re-created and the files themselves will also be re-created during logout (at least during my testing). Can't replicate the detection on my end though.
Did you all recently have your virus definitions in Windows updated? To check for updates in Windows Defender, follow these steps:
Start Windows Defender if it is not already open. To do this, click Start, click Programs, and then click Windows Defender.
Check for new definitions. To do this, click Check for Updates Now.
It should also display the version. Go ahead and post what version you're on.
That released recently from the looks. Just to go on the side of caution, feel free to delete those files/folders since it won't affect your gameplay and they'll be recreated. Going to dig into this a bit more to make sure it isn't a false positive.
I would be curious to know what addons you all may have in common as well. Like Lapierre mentioned, it is possible for them to inject stuff if it is purposely malicious.
EDITED WITH UPDATED INFO
My Windows Defender is updated (1.307.901.0), but it was 1.307.856.0 when it was detected. I did a full scan on the whole SSD that WoW is installed on and nothing was detected. (So I guess it's a false positive?)
I'm using the following addons (updated via Twitch):
Prat 3.0 (Prat-3.0-3.7.45.zip), MoveAnything (MoveAnything 17.0.7.zip), Weakauras 2 (WeakAuras-2.15.5.zip), eAlign Updated (eAlignUpdated.zip), World Quest Tracker (WorldQuestTracker-v8.2.5.386.zip), Bartender4 (Bartender4-4.8.9.zip), SavedInstances (SavedInstances-8.2.6.zip), Mogit (MogIt-3.9.0.zip), Details! Damage Meter (Details-v8.2.5.7229.150.zip) and Bagnon (Bagnon8.2.21-8.2.5.zip).
Addons (downloaded from CurseForge) that I have in the AddOns directory are listed below:
BattlePetBreedID
DBM
HandyNotes
HandyNotes_DraenorTreasures
Immersion
MaxDps
MinimalArchaeology
MogIt
PoMTracker
Rematch
SkillHelper
tdBattlePetScript
tdBattlePetScript_Rematch
TinyDPS
TomCats-Mechagon
TomCats-Nazjatar
TomTom
Whammy
WorldQuestsList
Sorry, I'm not sure how to check my addon version…
So this file is totally normal for WoW, it's possible someone accidentally flagged it with Windows Defender. We recommend reporting this as a false positive to Microsoft so it can be looked into.
Thank you for the help, I was having the same problem. I stepped away from the game for 45 minutes to get some lunch and came back and it was deleted! I thought I had contracted malware or something, a bit of a relief tbh.
Btw my Defender is the same, at 1.307.901.0, and I was using many of the same addons. I cannot find a way to access a list of the version numbers, but the ones that were similar were:
Bagnon
Bartender
Pawn
Recount
Worldquesttracker
TomTom
Weakauras2
Flagged, or code matches to what was supposed to be in the affected file? If you could look into it more, that would be appreciated. If someone has an affected file that wasn't deleted yet, would you not want to inspect it? Won't reimage for now, but this isn't a good enough answer.
I tried to take a peek into that file, I'm assuming that 38882 sets of encrypted varchar (4 characters in each set) is normal, yeah? If the file is encrypted those 3rd party addons shouldn't be able to use the file to do anything, right?
Just got this on startup, forgive me for not typing it out. Defender won't allow me to copy the text and it's quite a bit. If more error info is needed, it can be seen here: https://imgur.com/a/m8fNGw0
Threat detected: Behavior:Win32/DefenseEvasion.P!ml
Alert Level: Severe
Affected items: file: D:\Program Files (x86)\Battle.net\World of Warcraft\Data\data\wow-us\lru_shard_0
I can confirm that these are false positives. We have these files in our own installs in office and we're running business security apps. This happens from time to time when someone flags the wrong files in a security software, which is why you're seeing this with specific builds of defender. Please report this to Microsoft as mentioned above.