Last update: 12/19/2017 6 am PST

Forgot to remove a sentence about the game being disabled for everyone; it has been reactivated/installable/playable since an update on the 13thish.

I wanted to make a few clarifications as to what's going on here, as there seems to be some misinformation and exaggeration. First of all, it is vitally important to understand that there is no evidence here of malicious damage to people's computers or malicious intent per se. There are, however, some factors of questionable legality and very concerning activity by the program.

The behavior demonstrated by the December 4th version of Sonic Gather Battle exhibits a variety of questionable factors.

First, it -requires- administrator access to run. No fan game should actually require making active changes to your system, especially at that level of access. This in and of itself is rather concerning; however, there's more.

Two, it edits a variety of registry keys and other small system files. Uninstalling does leave some artifacts on your system, so a proper uninstaller needs to be created. It should be noted that said artifacts are PROBABLY harmless, but there's no way to be completely sure.

Update: An individual claiming to be the dev (probably legit) has said the following on these last two points: "It was confirmed that "Run as administrator" solves an issue when the game crashes at the loading screen, but logging on other than 'administrator' will get the asking window. Creating and modifying registry keys are not completely done by the game; information is automatically stored while executing Microsoft function processes."

While that's fine and dandy, the program having a function that intentionally requires admin or refuses to run is highly suspicious and concerning to many. Also, one may find the ambiguity of the statement "not completely done by the game" to be of concern.

Three, one of the more insidious features is its application closing ability.
It was originally suspected that perhaps they were harvesting search histories to do this, but it was later determined to not be limited to browsers. API investigations determined that the application actually looks at window names to decide what to close and what not to. Any window with words like "cheat", "hack" or other key words in the header will be automatically closed.

Update: An individual claiming to be the dev (probably legit but unconfirmed) has stated this on this feature: "The game searches for window headers using Microsoft function 'FindWindow'. The feature of closing windows upon detecting keywords is removed in the current version. Now the game closes itself instead." This is exactly in line with what's described above. Apparently, he's just released a new version that closes the game itself instead (a much more appropriate response frankly, although reading of other windows may still be considered intrusive).

Four, the game has an API call for raw hard disk access. This is very odd for a game like this. It is believed at this time that the game uses this to check your PC to determine if you have certain applications installed, such as hex editors and things like Cheat Engine. While it's true such programs could be used to cheat in the game, they also have a variety of perfectly legitimate educational purposes. Despite that, for some users (not all, which appears to be an oversight on the dev's part), when one of these programs is found on their system by the game, the protection system of the game is triggered. This causes the strange ghost-like effects and weird behavior reported by many and seen in various YouTube videos.

Update: An individual claiming to be the dev has stated, presumably in response to this issue: "The game does not scan registry keys or installed applications. Creating and modifying registry keys are not completely done by the game; information is automatically stored while executing Microsoft function processes."
While this is good to hear, it does not address why that API call is there. Perhaps it is being triggered by a Microsoft function process? It is possible.

Five, the game uploads some sort of identifying info on the user to somewhere. It's possible, but not yet determined, that other data is exchanged as well, or what data that may be. The application is constantly communicating with the cloud storage service OpenDrive. Due to the raw HDD access and lack of disclosure, literally anything could be uploaded from or downloaded to your system by this game. There's no way of knowing what. What we DO know is that this system interacts with a blacklist/whitelist file of sorts. (tbc)

This is where things get even shadier. The dev, likely through control of the blacklist/whitelist file, is able to remotely disable or reenable the game for individual users. That in itself (controlling what's on YOUR system) has some very severe ethical implications. However, the above would not be possible without uploading some sort of personally identifying information from your machine, without disclosing that it is doing so, and thus is of highly questionable legality. Also, as indicated, the potential for abuse is extremely high.

Update: The dev (*unconfirmed if really him but likely) states that this, as we thought, is done via the download and loading of a file stored on cloud storage. The dev* has stated that apparently no identifying information or IP addresses are used, yet also states that the blacklist is set up to not send to "certain users" who are detected cheating. Yet the dev* can remove someone from that blacklist. This process could not be possible without some sort of means of identifying that user. It's also confirmed that the game communicates with whatismyip.com, leading one to question the contradiction in the dev's* statements on this point.
Perhaps some unknown mechanism that we have not considered is used to differentiate which users are blacklisted and which are not? Maybe a hashing of some sort?

Lastly, there are other small behaviors the program exhibits that are concerning. It exhibits a variety of very odd and "malware like" behaviors that are rather spooky, such as writing its own DLL file (b.dll), loading it and then immediately deleting it, among other small bizarre API calls and activity.

Update: The statement, supposedly from the dev (unconfirmed), says on this issue: "This game does not create "b.dll" in hard disk, and releases memory in a normal manner (* using Microsoft function "FreeLibrary"). It runs on Microsoft library." This statement seems to contradict various analysis results and will have to be scrutinized further to determine what's going on here.

Update: The unconfirmed but probably legit dev also stated: "Regarding the sandbox report on https://pastebin.com/T07nCABx : The DNS records are from websites viewed such as [whatismyip]. The involved codes are remnant codes I forgot to remove after debugging and were used to display ip address during multiplayer."

Whether you believe that it's using that to feed your IP to a blacklist or that it is simply an oversight, and whether you feel that any of that changes the severe concerns stated in this text file, is up to you. It also does not address the call at the bottom that appears to interact with AVG Antivirus software. It also does not address other concerns that arise from this pastebin, such as lines 207 and 208 and what that information could even be for. It also does not address the massive list of DNS queries, including what appear to be some ad services, or why it's modifying IE history files. While some of this could be explained by the above and natural Microsoft functions, the extensiveness comes off as very concerning.

The classification of this fan game as malware is somewhat debatable and subject to one's opinion.
However, the fact remains that closing or interacting with unrelated applications on YOUR machine, without YOUR permission, is of extremely questionable ethics. The fact that it uploads some sort of personally identifiable information, without disclosure or consent, is of highly questionable legality.

At the end of the day, however, it's important to note that there is no proof yet that the game causes explicit harm to one's PC, nor has it been determined if any other data, besides perhaps a MAC address or system configuration, is uploaded to a remote location. The problem is that the incredibly powerful access rights, questionable activity by the program and possibly illegal hidden data exchanges are deeply concerning and could, potentially, be abused to harm people's systems. It's like having a gun to your head and being told "not to worry cause the safety is on, it's fine, you can trust the guy with a gun to your head".

So it should be noted that while the dev, Leemena, has not "pulled the trigger" on anything malicious that we know of just yet (unless you consider the closing of windows with certain key words to be malicious, that's debatable), his program is well situated in a way where it could easily be used to download and upload just about anything from a user's system without any way of anyone knowing until it's much too late. Password files from Firefox, Chrome and IE, for example.

The above is a decent rundown of our investigations so far. We will continue to publicize our findings.

Fortunately for most, once again, the scene has policed itself quite effectively. Sonic Fan Games HQ (oldest, largest Sonic fan gaming site, since 1998) teamed up with Sonic Stuff Research Group, Sonic Retro and /r/SonicTheHedgehog to expose this rather concerning issue. As a result, the dev wigged out and disabled the game for -everyone-. It can't even be installed now. As in he disabled the game, on other people's machines, without their consent.
That's the sort of thing that's an issue here. There is -no- confirmation of someone's "web data" being accessed, however.

Don't let this one "bad egg" discourage you from trying out indie and fan made games, however. Like I said, we police ourselves rather well, so stuff like this is incredibly rare!

Anyway, that's the rundown, have a great day everybody!

Update: 12/11/2017
Various dumps have found that it is likely that it may hook into AVG, to avoid it reporting about its online activity, as it seems to go out of its way to look for such software. To what end or extent is yet to be fully determined.

Update: 12/12/2017
A response from whom we believe to be the dev has finally been made to many of the points listed here. This txt has been updated to reflect his response in the interest of fairness. An attempt at mildly skeptical objectivity will be made from here on out, again, in the interest of fairness. As stated originally, it could very well be a case of extremely overzealous copy protection attempts without consideration for the implications those protections would have for many users. Let's hope that's the case.
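
One way to check a sandbox API trace for the behaviors listed in this text (the b.dll write, load, delete sequence, FindWindow title lookups, raw disk opens and the whatismyip.com lookup). This is an added example, not part of the original analysis or the game's code; the trace format, the install path and all sample values are constructed, and treating a raw disk open as a CreateFile on \\.\PhysicalDriveN is an assumption about how it would show up in such a trace.

```python
import re

# Constructed API-call trace: (sequence number, API name, argument). The tuple
# layout, the install path and every value are invented for this example; none
# of it is copied from the sandbox report discussed above.
TRACE = [
    (1, "CreateFileW", r"C:\Games\SGB\b.dll"),
    (2, "WriteFile", r"C:\Games\SGB\b.dll"),
    (3, "LoadLibraryW", r"C:\Games\SGB\b.dll"),
    (4, "FindWindowW", "Cheat Engine"),
    (5, "DeleteFileW", r"C:\Games\SGB\b.dll"),
    (6, "CreateFileW", r"\\.\PhysicalDrive0"),
    (7, "DnsQuery_W", "whatismyip.com"),
    (8, "WriteFile", r"C:\Games\SGB\save.dat"),
]
RAW_DISK = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)

def base(api):
    """Drop the ANSI/Unicode suffix so FindWindowA and FindWindowW compare equal."""
    return re.sub(r"_?[AW]$", "", api)

def drop_load_delete(trace):
    """Return DLL paths that were written, then loaded, then deleted, in order."""
    stage, hits = {}, []  # stage: lower-cased path -> 1 (written) or 2 (loaded)
    for _, api, arg in sorted(trace):
        name, path = base(api), arg.lower()
        if not path.endswith(".dll"):
            continue
        if name == "WriteFile":
            stage[path] = 1
        elif name == "LoadLibrary" and stage.get(path) == 1:
            stage[path] = 2
        elif name == "DeleteFile" and stage.pop(path, 0) == 2:
            hits.append(arg)
    return hits

def triage(trace):
    """Group trace events under the behaviours this write-up lists."""
    found = {"drop_load_delete": drop_load_delete(trace),
             "window_lookup": [], "raw_disk_open": [], "ip_lookup": []}
    for _, api, arg in trace:
        name = base(api)
        if name == "FindWindow":
            found["window_lookup"].append(arg)
        elif name == "CreateFile" and RAW_DISK.match(arg):
            found["raw_disk_open"].append(arg)
        elif name == "DnsQuery" and arg.lower().endswith("whatismyip.com"):
            found["ip_lookup"].append(arg)
    return found
```

Calling triage(TRACE) returns a dict with one list per behavior; an empty list means the trace holds no evidence of that behavior, which is the kind of check that could settle the disagreement over whether b.dll is ever written to disk.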