From my Windows Security virus & threat protection:
Threat detected: Behavior:Win32/DefenseEvasion.P!ml
Alert level: Severe
Date: 12/21/2019 8:20 PM
Category: Suspicious Behavior
Details: This program is dangerous and executes commands from an attacker.
Affected items: file: D:\Blizzard\World of Warcraft\Data\data\wow-us\lru_shard_0
Should I be concerned about this?
My computer is doing the same thing. Is Windows defender detecting âWardenâ?
Seeing this too. Tempted to reimage. Any info Blizz?
edit: this was found in the âwow-classic-us\lru_shard_0â file, relative to the âdataâ directory noted by Mandane above.
Same here.
i´m a bit worried.
So⌠I deleted the lru_shard_0 file without thinking and seems like itâs not affecting the game in any way. Can we get a clarification on what the file is for and whatâs the consequences for deleting it?
Can you check to see if it was recreated automatically? Also, wondering if an addon could possibly be injecting a program into game filesâŚ
Which addons are you guys running?
You can safely delete the file. Once you get in-game the directory will be re-created and the files themselves will also be re-created during logout (at least during my testing). Canât replicate the detection on my end though.
Did you all recently have your virus definitions in Windows updated? To check for updates in Windows Defender, follow these steps:
It should also display the version. Go ahead and post what version youâre on.
My windows defender detected the same thing. It says my threat definition is updated and its version is 1.307.856.0
That released recently from the looks. Just to go on the side of caution, feel free to delete those files/folders since it wonât affect your gameplay and theyâll be recreated. Going to dig into this a bit more to make sure it isnât a false positive.
I would be curious to know what addons you all may have in common as well. Like Lapierre mentioned, it is possible for them to inject stuff if it is purposely malicious.
EDITED WITH UPDATED INFO
My windows defender is updated (1.307.901.0) but it was 1.307.856.0 when it was detected. I did a full scan on the whole ssd that wow is installed and nothing was detected. (So i guess its a false positive?).
I´m using the following addons (Updated via Twitch) :
Prat 3.0 (Prat-3.0-3.7.45.zip) , MoveAnything (MoveAnything 17.0.7.zip) , Weakauras 2 (WeakAuras-2.15.5.zip), eAlign Updated (eAlignUpdated.zip), World Quest Tracker (WorldQuestTracker-v8.2.5.386.zip), Bartender4 (Bartender4-4.8.9.zip), SavedInstances (SavedInstances-8.2.6.zip) , Mogit (MogIt-3.9.0.zip) , Details! Damage Meter (Details-v8.2.5.7229.150.zip) and Bagnon (Bagnon8.2.21-8.2.5.zip).
My Windows Defender version is 1.307.892.0.
Addons (downloaded from curseforge) that I have in the AddOns directory are listed as below :
BattlePetBreedID
DBM
HandyNotes
HandyNotes_DraenorTreasures
Immersion
MaxDps
MinimalArchaeology
MogIt
PoMTracker
Rematch
SkillHelper
tdBattlePetScript
tdBattlePetScript_Rematch
TinyDPS
TomCats-Mechagon
TomCats-Nazjatar
TomTom
Whammy
WorldQuestsList
Sorry, Iâm not sure how to check my addon versionâŚ
Windows Defender version: 1.307.901.0.
Addons (managed through Twitch, I might add):
Bagnon-8.2.16-1.13.2.zip
NeatPlates-1.13.3.1.zip
Atlas-v1.45.01.11302.zip
Atlas_ClassicWoW-v1.45.00.11302.05.zip
AtlasLootClassic-v1.4.3-classic.zip
AuctioneerSuite-8.2.6512.zip
Bartender4-4.8.9-classic.zip
ClassicAutoQuest.zip
ClassicCastbars-v.1.2.0-hotfix-classic.zip
DetailsClassic.1.133.187.141.zip
Leatrix_Maps-1.13.40.zip
Leatrix_Plus-1.13.41.zip
Masque-8.2.8-Classic.zip
Masque_Apathy-8.2.6-Classic.zip
Masque_Caith-8.2.6-Classic.zip
Masque_Entropy-8.2.5-Classic.zip
Masque_Goldpaw-1.0.6-Release.zip
Masque_Raeli-r19-release-classic.zip
Pawn-2.3.12-Classic.zip
Quartz-3.5-classic-5.zip
Questie-v5.4.0.zip
Recount-v8.2.5d.zip
ShadowedUnitFrames-v4.2.1-Classic.zip
SimpleEnergyBar-v1.0.11.zip
TitanPanelClassic-1.1.5.11303.zip
WorldQuestTracker-v8.2.0.381.zip
Hey hey everyone!
So this file is totally normal for WoW, itâs possible someone accidentally flagged it with Windows Defender. We recommend reporting this as a false positive to Microsoft so it can be looked into.
Thank you for the help, i was having the same problem. I stepped away from the game for 45 minutes to get some lunch and came back and it was deleted! I thought i had contracted malware or something, a bit of a relief tbh
Btw my defender is the same, at 1.307.901.0 and i was using many of the same addons, i cannot find a way to access a list of the version numbers but the ones that were similar were:
Bagnon
Bartender
Pawn
Recount
Worldquesttracker
TomTom
Weakauras2
Flagged, or code matches to what was supposed to be in the affected file? If you could look into it more, that would be appreciated. If someone has an affected file that wasnât deleted yet, would you not want to inspect it? Wonât reimage for now, but this isnât a good enough answer.
I tried to take a peak into that file, Iâm assuming that 38882 sets of encrypted varchar (4 characters in each set) is normal yeah? If the file is encrypted those 3rd party addons shouldnât be able to use the file to do anything right?
Hi there guys,
Just got this on startup, forgive me for not typing it out. Defender wonât allow me to copy the text and itâs quite a bit. If more error info is needed, it can be seen here:
https://imgur.com/a/m8fNGw0
Threat detected: Behavior:Win32/DefenseEvasion.P!ml
Alert Level: Severe
Affected items: file: D:\Program Files (x86)\Battle.net\World of Warcraft\Data\data\wow-us\lru_shard_0
Any issue or false alarm?
Thanks for your time!
I got the same threat detected (Behavior:Win32/DefenseEvasion.P!ml), however my affected item is this:
file: D:\World of Warcraft\Data\data\shmem
Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.1002.0)
Hey folks,
I can confirm that these are false positives. We have these files in our own installs in office and weâre running business security apps. This happens from time to time when someone flags the wrong files in a security software, which is why youâre seeing this with specific builds of defender. Please report this to Microsoft as mentioned above.