-
-
Hello Guest!
We posted an announcment regarding upcoming changes to Paid Content submissions.
Please see this thread for more information.
vamm v0.1
- Thread starter kretos
- Start date
Probably a scam that was reported and removed.
Well, I've downloaded it yesterday and it does what author says. It had some errors (ie. didn't removed dependencies) but overall it had big potencial. So why it was removed again? Is it enough to make single report from single user to remove sth?
I don't know the package, just guessing a possible reason.
- Messages
- 743
- Reactions
- Points
- 93
This was a new user posting an .exe that needs to be run as administrator. And the .exe was compiled in a way that makes it hard to decompile to investigate. The fact that it was originally hosted on a site that required users to install software before being able to download it was just icing on the red flag cake.
This program could do *anything*.
Maybe it's completely legit. But it seems too dangerous for us to feel comfortable hosting it on the hub.
This program could do *anything*.
Maybe it's completely legit. But it seems too dangerous for us to feel comfortable hosting it on the hub.
Follow Zero Trust Protocols even if it hurts you
and make your intent fully and clearly visible, your software is nothing special protection of anything unnecessary
this alone will make it much easier to authenticate yourself and your intent
and make your intent fully and clearly visible, your software is nothing special protection of anything unnecessary
this alone will make it much easier to authenticate yourself and your intent
Last edited:
Few notes:
- not all vars are scanned - some are skipped - i have over 9k vars, vamm shows around 7k
- some are reported (and moved) as invalid - example of invalid var - https://hub.virtamate.com/resources/iron-grip.12898/
- maybe you shouldn't move invalid files but report them? I don't like software that touch my files
- it would be good to see the origin of var (directory)
- after uninstall you leave all the dependencies - maybe put dependencies under subdirectory (it doesn't matter for VAM if addons are flat or structured)
move var is to prevent scan next time.invalid is meaning the var’name is not valid or it is duplicated.I can prevent move them.
Depedencies is not removed because they may be used by other vars.I can analyze to make sure uninstall only the not used vars.
This tool cost me two weeks spare time,it is the very beginning form,it is just version 0.1 and I just post it to see the reaction.
I think the only way we would allow this on the Hub is if you open source the project and we build it for you and host it so it could be "trusted". It also seems like you are breaking some IP and copyright rules with ripping assets and code right out of VaM to make another Unity project and exe using those assets. In this case I would allow since this was obviously done to help VaM itself. You can't however, publicly post that code. So I think if you did that you would have to send us the project for us to build. I'm not sure we have the time to deal with that and I'm not sure if you are even willing to do that.
As it is, it is a big risk to host exe files or other projects like that here on the Hub, so we are choosing not to allow it. Your software could unintentionally or intentionally do malicious things. I don't see how we can just blindly trust you, especially since you are a new member and this is the first thing you have posted.
As it is, it is a big risk to host exe files or other projects like that here on the Hub, so we are choosing not to allow it. Your software could unintentionally or intentionally do malicious things. I don't see how we can just blindly trust you, especially since you are a new member and this is the first thing you have posted.
Also - curious to know how this works. My guess is you put all vars in separate folder and then only present VaM with a limited set of vars to deal with for a specific scene to make sure all the dependencies are there, and then remove them or disable them when switching? That is a cool idea. It does limit users wanting to then customize scenes further with other resources, but it is good for the consuming content as-is portion.
I reverse engineering vam to make this tool.if you think it is not legal I will stop developing this tool.
I optimize the file manager and file browser to make it work faster.
My optimize method is reduce gc,cache the only thing it needs,decouple logic.
I am glad to help vam to be better.
I understand your concern and I would not post it again without permission.
Your guess is right.I use symlink to install var,uninstall is just delete the symlink. cache all the dependencies info in cache/allpackagesjson directory to speed up install process.
T
thank you for your support
We removed due to security risk and asking users to run with admin privileges. While it certainly seems like this is a legit application, we can't take the time to decompile this and review it to make sure. And it could be continuously updated. We are not in a content certification business so we cannot take this on. It just isn't feasible. I am sorry the author spent a lot of time on this only for it and other resources to be removed.
We let the author know they could put their removed resources back up on the Hub with the following terms:
1. Must be externally hosted
2. We will add a non-removable warning to the resource overview page about potential risks with these types of resources (we are going to do this for all the ones we find on the Hub like this, not just this one)
3. User cannot ask users to run with admin privileges
I do personally believe this application and the others by this user are legitimate and free of malicious code, but it is up to users to individually decide if they want to accept this risk or not.
If I were evil and wanted to install a root kit on a lot of users computers, this is exactly the method I would employ. Find a big community for a game that supports addons. Create a legitimately good application for it so it gets wide acceptance and install base. Put in my malicious code. Make it so the application only works if users run as admin.
We let the author know they could put their removed resources back up on the Hub with the following terms:
1. Must be externally hosted
2. We will add a non-removable warning to the resource overview page about potential risks with these types of resources (we are going to do this for all the ones we find on the Hub like this, not just this one)
3. User cannot ask users to run with admin privileges
I do personally believe this application and the others by this user are legitimate and free of malicious code, but it is up to users to individually decide if they want to accept this risk or not.
If I were evil and wanted to install a root kit on a lot of users computers, this is exactly the method I would employ. Find a big community for a game that supports addons. Create a legitimately good application for it so it gets wide acceptance and install base. Put in my malicious code. Make it so the application only works if users run as admin.
As an IT professional, I do sympathise with your point of you and I'm glad that you are trying your best to find a way to make this plugin available in spite of its, let say unorthodox nature.
Agree that Github would be the best solution. Then the adventurous souls let ut can download it from there without having to put undo burdon on the hub admins to host an secure an application that needs admin privileges to function proporly.
As I agree with your post as a whole, this point cannot be fullfilled in a current state. In Windows you can't make symlinks without admin rights as I know.
