[resolved] Just Got A Notification From Norton When Playing Train Simulator Classic

I have recived the notification from Norton when playing Train Simulator Classic:
--------------------------------------------------------
Threat name: Script:SNH-gen [Trj]
Threat type: Trojan Horse - This threat pretends to be something else (e.g., picture, document, or other file) to trick you into running it and infecting your computer.
Status: Aborted
Detected by: Safe Web
Origin: Downloaded from: http://www.railsimdownloads.com/cdn/slideshow_v1.php
--------------------------------------------------------
At the same time, I no longer get a loading screen when loading the route.
Other than that, the game is okay.

Even if I visit: http://www.railsimdownloads.com/cdn/slideshow_v1.php, it reads
"This site can’t be reached". Whether I'm the only person or is it the same with everyone, i just dont know.
I couldn't even copy that notification, Norton (while it protects the computer) can sometimes annoy us.

Any ideas?
Alistair Cowell

 

I am seeing a similar error from Windows Defender. Started to appear yesterday. Problem occurs on both on V75.8 and the current version V79.0. Threat warning occurs just after starting any scenario.

Wayne

 

My message read:

 

I'm getting it too. I doubt it's actually unsafe, but maybe DTG have messed something up... Wouldn't exactly be the first time.

 

Yes, every time I fire up TSC I get a warning from Windows 11 saying a threat was found. I scan and find nothing.

 

I’m getting this message too. I turned off real-time protection in Windows 11, but now when the scenario is loading, the screen is black — no images are shown, only audio and that blue line at the bottom. However, the game itself is working fine. I turned real-time protection back on, no threats were found, but the images still aren’t showing when the scenario loads.

 

Just started TSC and got no virus warning. I use Windows Defender.

 

Does anyone know when it first started happening?

 

I first noticed this two days ago, but only found out that it was TSC causing the issue today.

 

Any reference to "gen" is not a specific virus or threat, it is a detected pattern which the anti-virus definitions "think" might be. There's usually a way of referring anything like this to the AV provider and they will check and usually put right in their definitions quickly if it is a false detection.

John

 

I find that if I ignore the notice from Norton, it'll show up an hour later. I was having it happen when I run TSC via RW64.exe or via Steam. I thought I was the only one. I think it came for whatever update happened last week because I found that my profile no longer has a fav route/fav loco, which I found odd because I've been playing since TS2014.

 

Same here

 

Hello Alistair,

I am using Norton Security and also had exactly same message as you. I did play TS a few times after the update last week but only had this yesterday after I installed the new patch from Just Trains (V.1.06 for Southampton Salisbury Extension)

 

I have a feeling that the domain hasn't been renewed, or its certificates. Might be the domain that host splash screens/screenshots that gets loaded in TSC. The domain did expire on February 6th 2026.

 

Railsimdownloads.com is the website dtg use to host the loadscreen images they can update and cycle through

 

Seems like the domain for the load screens http://www.railsimdownloads.com/cdn/slideshow_v1.php has either expired or the certificate has or that website has been compromised so when RSSlideshow.swf and the other menu related .swfs in Railworks\Data\Scaleform open it for the loadscreens it triggers the antivirus

 

I did notice that the splash screens haven't been updated since Christmas, and there was no screenshot competition in January. I think they said they're going to do away with the monthly TSC screenshot competition.

Obviously it’s the weekend and indeed the DTG office is closed until Monday, which means it is pretty much unsupported until then.

What is www.railsimdownloads.com anyway?

 

Railsimdownloads.com did belong to DTG, used for ads/splash screens etc. in the menu.

If you follow this guide you might be able to disable it
https://steamcommunity.com/sharedfiles/filedetails/?id=1468029149

 

I followed the instructions in the first part of that guide to Block Railworks.exe in Windows Firewall and that stops the problem
I disable the block briefly and went back in to the game for a min - the Trojan report appears again.
So I re-enabled it and problem solved.

The store is blocked out but that might be in my Settings
I don't know if it affect Career statistics but I don't bother with them

 

I am also getting a similar 'threat' warning. Nothing has happened with my TS install and nothing is popping up when I play TS. It seems to have happened after DTG pushed that new update. TS is obviously showing its age...

 

Rather more likely that your chosen anti-virus software is showing its age.

As said above, Dovetail are going to take this up with them.

John

 

Yeah, certificate expiry is a reasonably common trigger for this kind of thing. I play DCS a fair bit and have seen that exact same scenario play out from time to time on some dependencies that installs. The common way around it (if you trust the publisher) is to whitelist individual files or even the relevant installation folder.

 

More likely the AV software is detecting a false positive, happens all the time. Loads of reasons, like the aforementioned cert expiry, etc.

If an old domain is still referenced in software but registration lapsed, that's another reason why it might flag, since such vulnerable domains are then open to abuse by scammers who exploit the fact something tries to download from them by buying them up and putting malware on them. AV software will sometimes flag this as a potential risk since better safe than sorry.

 

I had the same problem
And I'm using Windows Defender on a Win11 machine so I think my AV is up to date

 

Sorry if I'm labouring the point but I'm not talking about AV definitions being up to date. I'm talking about "guessing" there is a problem when there isn't. As I said before, any reference with "gen" is not identifying any specific issue, it is just guesswork based on patterns. And as I said before, easily solved by submitting the issue to your provider.

John

 

I've already notified my Norton Security about this, hopefully others do the same with their providers too!

brummie

 

No notifications to me. I have an exception to my whole steam folder in my windows defender so guess that helps me not get the warning.

 

There is nothing to fix; it is just a false positive which happens alot not just when running TSC. I don't get the false positive error.

 

Well, despite trevkiwi confident assertion to the contary, what ever someone has done or not done, my trainsim no longer throws the error that it was yesterday so thank you DTG Jamie and the team.

 

Will no one on Steam or RWA have been complaining about viruses?

 

So if this is not happening then what issue have DTG found and put out a fix for? Also FYI this exact issue has been mentioned on Steam and a few Discord servers too. If multiple people are reporting an issue and a fix for the issue has been made, said issue must have existed in order for a fix to be put out

 

FYI, this hasn't been mentioned on Steam, which I visit 2 or 3 times a day.

 

Could've sworn I saw a post mentioning it the other day... anyway problem solved so end of story

 

There's not "Nothing to fix", clearly something WAS fixed. A bunch of people reported this issue, they identified the cause and that it was something which could, indeed, be fixed, and they clearly stated:

Which was swiftly followed by:

And they fixed it so that now nobody is getting it. There are MANY ways to fix such an issue, but it often does require active work on the part of the dev to make sure certs for their domains are up to date, etc. Just because you didn't get it, does not mean it was not there. It just means whatever was mistakenly flagging it in people's AV did not currently do so in yours, and now hopefully it never will, if they keep on top of it.

 

There was nothing to fix, as many others on Steam and RWA were not reporting getting false virus reports.

 

Dude, that's not how this works and you know it. Just because a problem does not affect everybody does not mean it doesn't need to be fixed to stop affecting those it does impact. Stop acting as though you are too stupid to know this just to be contrarian. At some point, repeatedly saying "nuh-uh" just descends into spam.

DTG Jamie, I don't think this calling you a liar is going to stop, could you please explain in broad strokes what you folks needed to do at your end in order to make the issue people were experiencing go away?

(Without, of course, exposing in detail any potentially exploitable security holes, even if they may have been plugged)

 

Usually with this stuff, one or both of two things happens:

- The root cause of the false positive is fixed (e.g. if its an expired certificate then a certificate is renewed, or some weird anomaly is patched). Obviously the false positive might only affect certain anti-virus/malware products as not all scanners work the same.

- The anti-virus/malware product(s) get patched to whitelist the false positive. Bear in mind a lot of products will ask to push files with detected threats within up to the vendor for further analysis and may also track users who locally specify a common issue as a false positive, so if they're satisfied there is no threat after further analysis this can happen relatively quickly.

Like you say, a problem won't go away with absolutely nothing at all changing but you might well not notice anything did change.

 

No one has explained to me why no one on the TSC forums on Steam and at Rail Works America hasn't reported getting the virus warning.

 

And it matters because...?


Does this look made up to you?

 

Do we look like their babysitters?
Millions of possible reasons why a couple of specific sample sizes we don't know the demographics of might not have, we couldn't possibly list them all.

On the Railworks America point, I'd surmise that since the problem emerged early morning UK time and was fixed early afternoon UK time, most Americans slept through it.

 

That explains why I didn't get it on the other side of the world in New Zealand.

 

I have a strange warning on another game(Smite 2 also on Steam) and then when I looked in info there was something called hemingway . exe.
Do not really know what that is.

I uninstalled the game.
Restarted the computer.
And then installed it again.
And then it worked normaly.

 

Hemingway.exe has something to do with your game, Smite 2. Just Google Hemingway.exe.

 

The ignore button also works well for trolls trying to get a rise out of people.

 

I see that one person did mention the virus error on RWA.