CrossOver Support - Community Forums


CrossOver Mac
Discussion about CrossOver Mac


CrossOver 19 and anti virus programs

Hi Folks,

We are finding that a lot of customers are having trouble with CrossOver and their anti virus programs. The issue is that Wine now builds its main files in 'PE' format - that is, 'control.exe' instead of 'control.exe.so'. Unfortunately, the anti virus programs all use 'smart' algorithms and those 'smart' algorithms find that unusual enough that they throw a false positive on our file.

We had encountered this during our beta cycle, and found that by building with a newer compiler, the 'smart' algorithms were content, and we were not getting many false positives. However, the virus makers update their threat definitions daily, and after we shipped 19.0, their updated threat files now report false positives against a wide range of our .EXE files.

We are frantically researching this and trying to find a good path forward. Disabling your anti virus and installing a clean copy of CrossOver will work, although that has obvious drawbacks. We're working to develop a set of instructions for setting up exceptions for each program, which we will share as we progress. We're also working up a recipe to repair any bottles that are damaged by the scanners.

At the same time, we're trying to brainstorm some solution that would help us to avoid the false positives. Ideally, we would persuade the virus makers to update their 'smart' algorithms to be a little less 'smart' :-/.

We'll post more details as we learn more, but I thought I'd let people know that we are aware of the problem, and we are working as hard as we can to come up with a good resolution for our customers.

Cheers,

Jeremy

Thank you!

I know you'll crack it. Crossover 19 is working so much better than my previous version. My bottle software used to be somewhat buggy but not anymore. I've uninstalled AVG because it quarantines each bottle....if you restore the quarantined files, the bottle doesn't work anymore. Uninstall AVG and everything works as it should. Go figure.

Hello,

I just purchased Crossover and I'm running into this problem. Is there a way of getting notified when a fix will be available?

Thanks,
Mike

Hi Mike,

Which antivirus software do you have installed? Our understanding is that most of them are not currently flagging CrossOver files, presumably because of the number of users who reported the results as incorrect.

In the meantime, I have created a tutorial here which includes which locations need to be added as exceptions in order for your A/V software to ignore CrossOver.

Thanks,
Anna

This still seems to be an issue for Symantec Endpoint Protection on Mac (and unfortunately it's a corporately managed installation so I can't whitelist Crossover). Is there any sign of this being resolved?

I would suggest if you haven't already reported the false positives to Symantec Endpoint Protection to do so. We believe that this has been resolving the issue slowly as their algorithms correct themselves. If you could get other people with that A/V software to report as well, it might speed the process along :)

Resolving the issue on our side is extremely complicated because we are not actually doing anything wrong or dangerous, so we are trying to guess what we could tweak to make the A/V software happy without crippling our own software. This is made more complex by the fact that their algorithms change over time, so if we tailor some changes to one A/V program at one point in time, they could change their algorithm and suddenly they would be flagging us again (this happened on a small scale already).

I have also put a false positive report into Norton.

System: iMAC & MBP
OS: Catalina v10.15.3

Found installing RootsMagic and deletes cxwget.exe during install. Also, post-install if Norton is removed before installation of RootsMagic/Crossover then Norton reinstalled it will still find cxwget.exe and delete it!

Perhaps you could contact the virus protection. I have an iMac and MacBook and run McAfee virus protection and "it" said I had a Trojan. The Chat section on the RM website advised to disable the virus protection. I did that and all working fine now! Just have to remember to put virus protection back on. Thanks!

Okay, so I'm not generally receiving these for a bunch of files, only for a single DLL, "/Applications/CrossOver.app/Contents/SharedSupport/CrossOver/lib/wine/twain16.dll" which is being reported by Bitdefender as containing "Trojan.GenericKD.34055591".

Here's my problem with the 'exclusion workaround' proposed: Locally, CrossOver downloads files off the internet to populate bottles. What is being done to ensure that none of the downloaded "source files" contain any sort of malware? What malware checking is done on that source content? Just having us turn off all protections for all CrossOver downloaded files is a poor solution if you're not also going to provide assurances that all files downloaded by CrossOver are extensively checked at source to ensure they do not contain malware.

I'd really appreciate it if you could provide explanation on how the source content that local CrossOver apps download from is confirmed to be free of malware (at source)? Thanks!

Heads up for others having issues on Mac, with Sentinel One endpoint security I was getting errors like this:

preloader: Warning: failed to reserve range 0000000000001000-0000000000010000
preloader: Warning: failed to reserve range 0000000000010000-0000000000110000
preloader: Warning: failed to reserve range 0000000000110000-0000000068000000
wine: Invalid address.
preloader: Warning: failed to reserve range 0000000000001000-0000000000010000
preloader: Warning: failed to reserve range 0000000000010000-0000000000110000
preloader: Warning: failed to reserve range 0000000000110000-0000000068000000
wine: Invalid address.

Quite annoying as SO didn't report an event or communicate any .EXE had been killed or disabled. Disabling SO fixed the problem.

McAfee was doing the false detection thing on CrossOver for months. McAfee never fixed it, so I got my machine moved to SentinelOne. Can confirm the problem that John Fisher reported. Can't create bottles or run programs while SO is enabled. Very frustrating. May have to revert CrossOver to before the PE file format change.

Approaching virus makers and asking them politely to make their algorithm less smart is a very bad idea.

Besides, everyone has issues with false flags, CrossOver is nothing special... But it's the nature of protecting users.... What if their A/V's were less smart.. no one would trust their program anymore, which is not the intention of product developers..

One grain runs against the other.. There are smart people who will always be smart, and "smarter"

The only way is to look for "virus-like" behavior.. and if that means it also pulls in legit stuff because it's borderline, then so be it... Just report it, it's all you can do.. If you attempt to say "don't flag my software" what's to stop me uploading something from CrossOver bundle to Dropbox, and altering it in such a way to make it an actual virus.... But since the virus makers were told not to detect it, you'll get infected..

It's a constantly moving target, like blocking spam, and reporting it seems to be effective.... So the same can be done for our antivirus tools..

The other thing, (not recommended) but if you wish to, just disable "Real time protection" every time you run/copy/move/create bundles, till a fix is available...

I would not uninstall A/V software for sake for not being protected at all.

Disabling "Real Time scanning" won't flag till you "automatically"... It's this that gets you in trouble... Read up on your A/V program, usually goes by the name "Real Time Scanning", "Real Time Protection".

I would also disable any web scanners and file scanners, just to be on the safe side. Remember to turn them back on after to stay protected.

In case anyone finds this old thread, I wanted to report that CrossOver 20.0.2 and SentinelOne 4.6.10 seem to play nicely together. Not sure exactly when the issue was resolved.

This is still an issue with CrossOver 20.0.4 and the Zscaler Secure Web Gateway service. Tried to download the installation package and it is getting flagged as a trojan.

Marcus Portmann wrote:

This is still an issue with CrossOver 20.0.4 and the Zscaler Secure
Web Gateway service. Tried to download the installation package and
it is getting flagged as a trojan.

This isn’t a CrossOver issue but the security software giving a false positive, you should report this to the vendor.

If they properly check the flagged binaries they’ll see they're not a problem but instead their detection is rather lazily flagging wine provided PE binaries that Windows also provides.

Ongoing issue. I just tried installing Crossover 21, Sophos didn't like it.

Sounds like the antivirus algorithms need to be smarter (not less smart).

Is there any program (run by individual antivirus developers) whereby app developers register somehow for (semi-)trusted or exception status, then (presumably by paying a premium or royalty) get the antivirus developer to pay extra attention (e.g. including app developer assisted examination and testing by antivirus developer) to their apps?

Hi David,

When we first started seeing the false positives with CrossOver 19, we reached out to several antivirus vendors asking if they would be willing to work with us for a solution, and we got no takers :/

Best,
Meredith

Problem still exists - just ran update to latest version and all .exe files were detected as infected as some kind of trojan ... Using Telia antivirus / F-secure variant on my Mac Mini

Jukka Luotonen wrote:

Problem still exists - just ran update to latest version and all .exe
files were detected as infected as some kind of trojan ... Using
Telia antivirus / F-secure variant on my Mac Mini

Please read the comment directly above your own for why this keeps happening

Meredith Johnson wrote:

Hi David,

When we first started seeing the false positives with CrossOver 19,
we reached out to several antivirus vendors asking if they would be
willing to work with us for a solution, and we got no takers :/

Best,
Meredith

Aka the Anti-Virus vendors have no interest in improving their detection to not incorrectly detect wine’s binaries.

OK, this is obviously a high priority for users – and the thread started about three years ago, is still alive, so must still be an issue. A few questions:

  1. Is there a page with up to date simple instructions – I really don't like reading through forums for information that may or may not be current.

  2. I don't know enough about this, but do not bottles run in a separate memory space? Can a virus get out of Crossover and attack my Mac?

  3. Do we need to run AV software within the Crossover Windows emulator? I would think that if it has access to the same files, BitDefender would see it and a conflict would ensue.

Isa Alsup wrote:

OK, this is obviously a high priority for users – and the thread started about three years ago, is still alive, so must still be an issue. A few questions:

  1. Is there a page with up to date simple instructions – I really don't like reading through forums for information that may or may not be current.

  2. I don't know enough about this, but do not bottles run in a separate memory space? Can a virus get out of Crossover and attack my Mac?

  3. Do we need to run AV software within the Crossover Windows emulator? I would think that if it has access to the same files, BitDefender would see it and a conflict would ensue.

1) https://www.codeweavers.com/support/wiki/mac/mactutorial/bitdefender

2) No, Windows software runs as if native and has access to everything you've allowed it to access.

3) No, you shouldn't try to run anti-virus software within CrossOver; that likely wouldn't work anyway.

If you're not pirating software and are getting your Windows software from reputable sources, the likelihood of getting some rogue virus is very small; however, if that's not possible then you'd be better running a lockdown VM instead of using CrossOver.
