CCE False Positive

A moderator directed me to post this here. CCE detected several (~18) .nif files and a single folder as Rootkit.HiddenFile and Rootkit.HiddenDir respectively, within a Skyrim mod directory. The mod in question is Realistic Lighting Overhaul. This is a very popular mod as you can see if you follow the link, and no Google searches turn up anything even remotely hinting at this issue for other users. This is not even taking into account the fact that .nifs are just meshes for a game engine, and I’m not terribly sure how they could even be a threat.

As I know it’s part of the procedure, I did upload to VT to verify, but none of them came back with any issues, and in the interest of keeping things simple, I will link to only one as there were, again, about 18. They all were equally clean, but with the ‘synchronization error’ on the second tab. I don’t know if that even means anything; I don’t use VT that much.

The folder that was marked as Rootkit.HiddenDir I couldn’t upload, as it was just a folder. There were more subfolders inside of it, but nothing within it was flagged, just the folder itself. I provided a link to the entire mod above, and I no longer have the scan window open as this was hours ago, but from memory, the files flagged in particular were:

(Long names, lots of subfolders, bear with me. Makes installing/uninstalling the mod easy, makes reporting this a pain.)

Every .nif in the following location was flagged as Rootkit.HiddenFile. 15 .nif files in all:

Realistic Lighting Overhaul 4_0_6 Manual Install-30450-4-0-6\Realistic Lighting Overhaul 4_0_6 Manual Install\RLO Optionals\Skyrim Particle Patch\Skyrim Particle Patch Optionals\Blackreach Mushrooms\data\meshes\clutter\blackreach

blackreachepicmushroom01.nif, blackreachgiantmushanim01.nif, blackreachgiantmushanim02.nif, blackreachgiantmush03.nif, blackreachgiantmushanim04.nif, blackreachgiantmushanim05.nif, blackreachgiantmushhoriz01.nif, blackreachgiantmushhoriz02.nif, blackreachgiantmushhoriz03.nif, blackreachgiantmushhoriz04.nif, blackreachgiantmushroom01.nif, blackreachgiantmushroom02.nif, blackreachgiantmushroom03.nif, blackreachgiantmushroom04.nif, blackreachgiantmushroom05.nif

Also from the Skyrim Particle Patch Optionals subdirectory:

Mineral Pools\data\meshes\landscape\volcanic

There are only two files in here, again, just .nif meshes: mineralpoolbig01.nif, mineralpoolsm01.nif

Again, from the Particle Patch Optionals:

\Windhelm Tower\data\meshes\architecture\windhelm

The only .nif in this folder was flagged: whshorttower.nif

The folder tagged as Rootkit.HiddenDir was also in the Skyrim Particle Patch subfolder:

Solitude Doors and Market Stalls\data\meshes\architecture

These are just mesh files made through NifSkope for use in games like Skyrim, so I’m not sure what could have made CCE even possibly think there was an issue here, but there it is. I scanned with Avast, Spybot, and Malwarebytes; nothing was found wrong with these files. Ran TDSSKiller just for the jollies, nothing.

Hi Kynera,

Thank you for reporting this.
We’ll check it and get back to you soon.

Best regards
Qiuhui.■■■■

Hi, Kynera

Thanks for reporting.
Could you please submit the detected file at
Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year.

Regards
Chunli.chen

They’ve been uploaded. There were 18 files, as I said, and it took some time, as I kept getting Server Errors unless I broke up the upload even further than the 5 file limit. The folder that was detected as Rootkit.HiddenDir can’t be uploaded, as CCE was only flagging the folder itself as being ‘hidden’, and there’s nothing to submit.

I honestly think this is more related to either the base folder’s name length, or the sheer volume of subfolders (because of how Skyrim categorizes meshes and textures). Perhaps how CCE determines if something is attempting to ‘hide’. Especially seeing as every scan of these files comes up clean with other programs, and the PC as a whole is showing clean, with no strange activity based off of Avast, Spybot Search and Destroy, Malwarebytes, TDSSKiller, and a Hitman Pro scan. And the mere Quick Scan of CCE isn’t showing anything either. This only pops up when it scans for Hidden Files/Directories or Registry Entries. The folder when scanned without those options shows up with no issues detected.