Document false positives when using Embed Pck on Windows#4600
Document false positives when using Embed Pck on Windows#4600Calinou merged 1 commit intogodotengine:masterfrom
Conversation
| antivirus programs. Therefore, it's recommended to avoid using it unless | ||
| you're distributing your project via Steam as it bypasses code signing and | ||
| antivirus checks. |
There was a problem hiding this comment.
Would you mind explaining why this should be the case? I see no reason why using Steam would bypass any AV checks let alone PE signature checks.
There was a problem hiding this comment.
Steam was always given a free pass over code signing on Windows and macOS. This happens because Steam doesn't set the typical "downloaded" flag that web browsers do when it downloads games.
It's kind of like magic, I can't really explain why but it works.
There was a problem hiding this comment.
I'd say it's a specialty of Windows, that is does not enforce a binary to have a valid authenticode signature and just happily runs it even with invalid one (unless you have properly configured AppLocker or your PC is in an enterprise environment, where this is usualy enforced by group policies).
Anyway, this has nothing to do with any antivirus checks. Generally speaking, an AV will check every newly created/spawned/dropped executable no matter its digital signature and using Steam won't prevent false positive in this case. Only that specific AV vendor in the original issue could possibly remove a badly crafted detection.
If it was up to me, I'd just mention that: "On Windows, PCK embedding is also known to cause false positives in some antivirus programs."
|
Cherry-picked to the |
This closes godotengine/godot#45563.