Is BepInEx Safe? Malware or False Positive?

Brendan Smith
Brendan Smith - Cybersecurity Analyst
11 Min Read
BepInEx safety check with verified mod files and risky unknown modpack warnings
BepInEx safety check comparing verified mod files with an unknown risky modpack.

BepInEx is not malware by default. It is an open-source Unity, XNA, and .NET game modding framework, and the official GitHub project describes it as a plugin/modding framework for supported games. The risk starts when the alert comes from a third-party modpack, a repacked installer, a random Discord upload, or a BepInEx-looking DLL in a folder you cannot explain.

That is why the useful answer is not simply “allow it” or “delete it.” Check where the files came from, whether the archive matches an official release or a trusted game-mod package, what exactly your antivirus flagged, and whether anything added startup tasks, browser changes, or unrelated executables. If the source is unclear, keep the files quarantined until you verify them.

What Is BepInEx?

BepInEx is a mod loader and plugin framework used by many Unity-based games. Its normal files can include items such as BepInEx.dll, BepInEx.Preloader.dll, winhttp.dll, a BepInEx folder, a plugins folder, and configuration files inside the game directory.

Those files can look unusual to security software because a mod loader changes how a game starts and loads plugin code. That behavior is expected for a modding framework, but it is also the kind of behavior malware can imitate. The file name alone is not enough to prove safety.

When BepInEx Is Usually Safe

  • You downloaded it from the official BepInEx GitHub releases page or from a trusted mod manager/package that names the exact BepInEx version.
  • The files are inside the game folder you intentionally modded, not in %APPDATA%, %TEMP%, Startup, or a random downloads folder.
  • The package contains normal BepInEx folders and DLLs, not unrelated executables, password-protected archives, scripts, or “launcher” tools.
  • Only one or two scanners flag a generic or heuristic name, while the source, version, and community package are otherwise consistent.
  • Removing the mod files stops the alert and the game returns to its unmodded state.

A public BepInEx GitHub discussion from November 2024 shows the exact kind of false-positive question users ask: a release archive was reported as flagged by Gridinsoft in a multi-scanner check, with files such as winhttp.dll and .doorstop_version mentioned in the report. The thread was later closed as fine by the reporter, but it is still a good reminder to verify source and context instead of treating every mod-loader alert the same way.

When To Treat It As Risky

Treat a BepInEx alert as suspicious when it is tied to a bundle rather than the official framework. The biggest red flags are not the BepInEx name itself; they are the delivery path and the extra behavior around it.

  • The download came from a crack site, fake “FPS booster,” cheat loader, Discord DM, shortened link, reuploaded ZIP, or unknown modpack.
  • The archive asks you to run an installer as administrator when manual extraction would normally be enough.
  • The package includes unrelated files such as setup.exe, update.exe, browser.exe, password-protected archives, PowerShell scripts, or random DLLs outside the expected plugin set.
  • The alert repeats after you remove the game mod folder or after reboot.
  • Startup entries, scheduled tasks, browser extensions, Defender exclusions, or unknown installed apps appear on the same day.
  • The warning is for a named stealer, trojan, loader, or backdoor rather than a single generic false-positive label.

How To Check A BepInEx Malware Alert

  1. Keep the detected file quarantined first. Do not restore or whitelist it while you are still unsure about the source.
  2. Identify the exact source. Write down the game, modpack name, download URL, archive name, version, and whether it came from GitHub, Thunderstore, Nexus, a mod manager, Discord, or a random mirror.
  3. Compare the file set. Normal BepInEx packages should look like a mod framework and plugin folder, not a general Windows installer with unrelated executables.
  4. Check the path. A BepInEx DLL in the game folder you modded is different from a copy in Startup, Temp, AppData, or a browser profile folder.
  5. Scan the exact archive or DLL. If most detections are generic and the source is official, it may be a false positive. If detections name stealers, loaders, or backdoors, do not allow the file.
  6. Remove the mod folder as a test. Move the BepInEx files and the mod plugins out of the game directory, verify game files through the platform, and see whether the alert stops.
  7. Look for persistence. Check Startup apps, Task Scheduler, installed apps, and browser extensions if the alert returns after removing the mod files.

For broader false-positive logic, compare this case with the Gridinsoft guide to Malware.AI false-positive checks. The same principle applies: a detection name matters, but source, behavior, folder, and repeat symptoms decide the risk.

Should You Allow It In Your Antivirus?

Allow or exclude BepInEx only after the source and file set make sense. An exclusion is reasonable for an official BepInEx release or a well-known modpack you intentionally installed, especially when the alert is generic and you can remove the files by restoring the game folder.

Do not create a broad antivirus exclusion for the whole Downloads folder, mod archive folder, or game library. If you need an exclusion, make it narrow and temporary: the specific game folder or the exact verified file. Remove the exclusion if you stop using the mod.

If The Warning Came From An Unknown Modpack

If the package came from a crack, cheat, random mirror, or private upload, handle it like a suspicious download rather than a normal BepInEx false positive. Remove the files, restore the original game through Steam/Epic/GOG or the publisher launcher, and do not sign in to important accounts from that Windows profile until you have checked the system.

A shady modpack can use BepInEx as camouflage while adding a separate loader, stealer, browser extension, or scheduled task. Gridinsoft Anti-Malware can check for hidden files, startup entries, scheduled tasks, bundled apps, browser changes, and persistence that may remain after you delete the visible mod folder.

Scan before you restore or allow the file.

A false positive is possible, but restore only after checking that the system has no companion detections, startup entries, scheduled tasks, or hidden files tied to the same source.

Scan before allowing this mod file

If you already ran a suspicious game mod and then saw account warnings, Discord/Steam activity, browser password prompts, or unexpected sign-ins, use the post-game-mod infostealer recovery checklist. For cheat loaders specifically, the ExLoader safety and cleanup guide explains why mod/cheat ecosystems are higher risk than ordinary cosmetic mods.

How To Remove BepInEx From A Game Safely

  1. Close the game and any mod manager.
  2. Back up only your save files and configuration you recognize.
  3. Remove the BepInEx folder, BepInEx DLLs, Doorstop files, and mod plugin files from the game directory.
  4. Use the game platform’s “verify files” or “repair” feature to restore the clean game files.
  5. Restart the PC and confirm the alert no longer appears.
  6. If the alert returns outside the game folder, check startup entries, scheduled tasks, and installed apps before reinstalling mods.

Do not delete random system DLLs because a forum comment mentions winhttp.dll. In a BepInEx setup, that file is usually part of the game-folder hooking method. A same-named file in a Windows system folder or unknown startup path is a different investigation.

FAQ

Is BepInEx a virus?

No, BepInEx itself is a legitimate open-source modding framework. It becomes risky when a third-party modpack, cracked installer, cheat bundle, or random mirror includes modified or unrelated files under the BepInEx name.

Why does antivirus detect BepInEx?

Mod loaders can trigger heuristic detections because they load plugin code into a game process and may include DLLs used to alter startup behavior. That can be a false positive for official files, but the same behavior also means source verification matters.

Is winhttp.dll from BepInEx safe?

A winhttp.dll file in the game directory can be part of a normal BepInEx/Doorstop setup. A copy in a startup folder, Temp, AppData, or another unexplained path should be treated as suspicious and scanned before allowing it.

Can a BepInEx mod steal accounts?

BepInEx is only the framework. A malicious plugin or bundled executable can still steal data if you run it. Be extra cautious with mods from private links, cracks, cheat packs, and archives that ask for administrator permissions.

Should I whitelist BepInEx?

Whitelist only a verified official release or a trusted game-specific package, and keep the exclusion narrow. Do not whitelist a whole downloads folder or mod folder full of unknown archives.

References

  1. BepInEx project. “BepInEx/BepInEx.” GitHub, accessed June 24, 2026. https://github.com/BepInEx/BepInEx
  2. BepInEx project discussion. “BepInEx is being flagged to contain malware by Gridinsoft when scanned in VirusTotal.” GitHub, November 2024, accessed June 24, 2026. https://github.com/BepInEx/BepInEx/discussions/1014
  3. AV-Comparatives. “False Alarm Test March 2025.” AV-Comparatives, revised April 9, 2025, accessed June 24, 2026. https://av-comparatives.org/tests/false-alarm-test-march-2025/
sdaCollector.vbs: Is It Safe?
Viewmenuprices.com Redirect Removal
Operation Ramz Cuts Phishing and Malware Servers in MENA
Mobility-search.com Removal
Easy Online Templates Adware Removal
TAGGED:
Share This Article
ByBrendan Smith
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Previous Article Fake driver updater pop-up pulling a Windows laptop away from safe driver update options. Fake Driver Updater Cleanup: Remove Pop-Ups and Leftovers
Next Article AutoHotkey safety decision between verified macro script and suspicious behavior alert AutoHotkey Malware or False Positive?
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?