UnrealAndroidFileTool.exe Win.Dropper.Nanocore virus detection

Antivirus software we use internally (ClamAV - https://github.com/Cisco-Talos/clamav/) is reporting a virus detection in UnrealAndroidFileTool.exe. This seems like a likely false positive, but searching around I’ve not seen others report anything about this particular binary. We’ve used a couple different versions of ClamAV (1.0.1 and 1.4.2) with a recent (4-30-25) virus database and consistently got a detection on this and only this binary in the installation. We’re wondering if others have seen this, and if indeed we can treat this as a false positive?

Steps to Reproduce
Run ClamAV (https://github.com/Cisco-Talos/clamav/) version 1.4.2 against a 5.4 Launcher installed version of Unreal.

Sample Output:

----------- SCAN SUMMARY -----------

Known viruses: 8706501

Engine version: 1.4.2

Scanned directories: 0

Scanned files: 203063

Infected files: 1

Data scanned: 60450.87 MB

Data read: 34188.02 MB (ratio 1.77:1)

Time: 8422.562 sec (140 m 22 s)

Start Date: 2025:05:07 14:35:50

End Date: 2025:05:07 16:56:13

Infected Files:

- /Epic Games/UE_5.4/Engine/Binaries/DotNET/Android/UnrealAndroidFileTool/win-x64/UnrealAndroidFileTool.exe

/Epic Games/UE_5.4/Engine/Binaries/DotNET/Android/UnrealAndroidFileTool/win-x64/UnrealAndroidFileTool.exe: Win.Dropper.Nanocore-7890545-0 FOUND

Hey Brian,

I’ve checked my local version of this file in 5.4 from the launcher and it’s not reported by any of the vendors supported by VirusTotal, but a local scan with clamscan 1.4.2 (with an increased max-filesize limit) and an up-to-date database does indeed produce the same detection.

Could you provide me with the hash (md5 or sha-1) of that file, so I can confirm we’re testing the same file?

With 5.4.4 installed through the launcher I’m getting the following SHA-256 hash (via the Get-FileHash PowerShell cmdlet):

SHA256 CAF3D3EE9EED9AB973E803A95E824D33166B0FF548DEA01BBCBB9982E259ABF9

Best,

Sebastian

Thanks for checking!

I’ve investigated a bit more and have the following findings:

Both the version shipped in 5.5 and 5.4 are reported by clamav.

Earlier versions and the ones in 5.6 and Main branch are not reported.

UnrealAndroidFileTool is a C# application that is packaged to run as a standalone executable.

For 5.6 and later we have changed how we build this tool, specifically we enabled the PublishTrimmed option in UAFT-win-x64.pubxml. This removes unused code and dependencies from the executable and results in a much smaller executable (~30mb instead of 100+).

I have locally rebuilt the 5.5 version and confirmed it’s still reported and then built it a second time with PublishTrimmed enabled.

The trimmed version of 5.5 no longer triggers a detection in clamav.

At this point my assumption is that whatever triggers the clamav signature is part of the dependencies and very likely unused code.

It’s also likely not related to the source code of the tool itself since that did stay the same in both configurations.

Given the fact that no other vendor flags the executable and that it doesn’t seem dependent on the source itself, I’d say it’s very likely a false positive.

If you are particularly concerned about this you could build the tool from source yourself and replace the installed version with a trimmed one.

Also, regarding your initial question on whether others have seen this, this has not been reported internally yet.

Kind Regards,

Sebastian

Appears to be the same:

sha256sum installers/Epic\ Games/UE_5.4/Engine/Binaries/DotNET/Android/UnrealAndroidFileTool/win-x64/UnrealAndroidFileTool.exe

caf3d3ee9eed9ab973e803a95e824d33166b0ff548dea01bbcbb9982e259abf9 installers/Epic Games/UE_5.4/Engine/Binaries/DotNET/Android/UnrealAndroidFileTool/win-x64/UnrealAndroidFileTool.exe

Thanks for the update Sebastian, I think we have some good options for moving forward now!
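
The triage steps from this thread, as an added example that is not part of the original posts and is not Epic's or ClamAV's code: pull the flagged path and signature out of a clamscan FOUND line, then confirm that two parties hold the same file even though Get-FileHash prints the digest in uppercase and sha256sum in lowercase followed by the path. The function names are assumptions chosen for illustration; the sample lines are copied from the posts above.

```python
import hashlib
import re

# Sample lines copied from the posts above.
SCAN_LINE = ("/Epic Games/UE_5.4/Engine/Binaries/DotNET/Android/UnrealAndroidFileTool/"
             "win-x64/UnrealAndroidFileTool.exe: Win.Dropper.Nanocore-7890545-0 FOUND")
GET_FILEHASH = "SHA256 CAF3D3EE9EED9AB973E803A95E824D33166B0FF548DEA01BBCBB9982E259ABF9"
SHA256SUM = ("caf3d3ee9eed9ab973e803a95e824d33166b0ff548dea01bbcbb9982e259abf9 "
             "installers/Epic Games/UE_5.4/Engine/Binaries/DotNET/Android/"
             "UnrealAndroidFileTool/win-x64/UnrealAndroidFileTool.exe")

# clamscan prints each hit as "<path>: <signature> FOUND"; paths may contain spaces.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
# Exactly 64 hex digits; \b rejects shorter (SHA-1) and longer (SHA-512) digests.
SHA256_RE = re.compile(r"\b[0-9A-Fa-f]{64}\b")

def parse_detections(scan_output):
    """Return [(path, signature)] for every FOUND line; summary lines are ignored."""
    hits = []
    for line in scan_output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def extract_sha256(tool_output):
    """Pull a SHA-256 digest out of hashing-tool output, lowercased; None if absent."""
    m = SHA256_RE.search(tool_output)
    return m.group(0).lower() if m else None

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so 100+ MB binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def same_file(report_a, report_b):
    """True only if both reports contain a SHA-256 digest and the digests match."""
    a, b = extract_sha256(report_a), extract_sha256(report_b)
    return a is not None and a == b

if __name__ == "__main__":
    for path, sig in parse_detections(SCAN_LINE):
        print(sig, "->", path)
    print("same file:", same_file(GET_FILEHASH, SHA256SUM))
```
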