AV scanners and false positives
From time to time I receive sad/angry/informative messages from users that some antivirus scanner is reporting my programs as a virus, a trojan or a suspicious file. Obviously those are “false positives” (the AV vendors are using this euphemism to replace “lies”). I have no idea why that happens. In the past I was publishing unsigned setup files, which could be part of the problem. But now everything is signed with my digital signature. The only reason for this to happen is the paranoid nature of some antivirus programs. Yesterday I had to deal with a disappointed user who purchased my program just to see Nor**n saying it’s a virus and stopping the tool from working. I refunded the money, but no one could remove the bad taste; that feeling can’t be cured for either me or the user. According to Nor**n, this tool is “suspicious” because it is not very popular. Boy! I am writing niche software, I never intended to be popular with these tools. DrW*b directly says (lies) there is a virus in another of the tools I am publishing. Why? What virus? Kas***sky isn’t right now reporting any of my tools as a virus, but it did that several times in the past… What is this? Why are antivirus programs lying about my programs?
They don’t care about me. They just want to prove to the end users they are doing their job. Paranoid algorithm? OK, but why on my back? They don’t know my product (because my products aren’t so popular) and it is quite easy to say I am a bad guy, just in case. But what about me? What about my feelings? It seems that antivirus vendors are OK with destroying other people’s reputation (and building their reputation on my back). Well, how will they feel if I put a site online where developers like me can vote on the most stupid antivirus scanner? What if I publish a chart with the “most stupid antivirus” or “biggest liar” heading on top? It will be a good way to educate end users about what these “false positives” are (lies) and why those antivirus scanners are alarming people with false alarms (paranoid and/or stupid algorithms)… And I may claim (as the antivirus vendors are claiming) that I am doing everything to increase people’s security (by informing them about unfair practices of antivirus vendors). And adding one “disclaimer” here and there will do the trick. Everybody’s happy… Except the end user (who doesn’t benefit from that) and software vendors (because calling you a liar is the same as calling you a virus maker).
The very existence of such situations is a very ugly thing. And it comes back every now and then in my life. The “black” version of the Myth of the Eternal Return…
Finally, let me say it in plain text: I am a software developer, not a virus maker. I don’t have viruses in my computers and I don’t distribute viruses. I am signing my products with my name (unlike antivirus software that uses soulless algorithms) and I really don’t know what more to do in order to prove my innocence. But as a victim I will continue trying to fight for my reputation and to see justice prevail.



December 15th, 2011 at 2:20 pm
Hi, after noticing your comment on WOT and reading your blog post here I double-checked your file and it would certainly appear that this was indeed a false positive. I have since removed my comment on WOT, voted your site positively and re-instated your listing on our site.
It is unfortunate when false positives cause harm like this, but I’m sure you can appreciate we often need to rely on the “expertise” of anti-virus vendors for information on the potential dangers of some files. Yes, they do get it wrong sometimes, and it’s seriously regrettable when they do, and more so when we act upon that incorrect information. I hope you don’t have any hard feelings towards us and wish you well for the future.
December 22nd, 2011 at 10:42 am
Thank you so much for taking the time to remove the comment in WOT and to write to me! Most people wouldn’t bother to do that. Please, don’t think I have any hard feelings about you or any other AV user — I am using antivirus programs too and I know they tend to be paranoid. It’s for the good of all of us, although sometimes it isn’t very good for small publishers like me. But the world is full of bad people and we just have to use all possible tools to protect ourselves, and antivirus programs are a must. Thanks again and all the best wishes!
December 28th, 2011 at 9:54 pm
I use your menu almost exclusively on my site (freetutorials.name). Check the reviews on N****n and you will see it has problems with many programs. The people who know do not use it. It is not the best for the price. See the reviews:
http://anti-virus-software-review.toptenreviews.com/ppc-index.html?cmpid=4559
-
falcon
December 29th, 2011 at 3:08 am
http://en.wikipedia.org/wiki/Antivirus_software
An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. False positives can be as destructive as false negatives.[1] Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.[2]
Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code.[21] A detection that uses this method is said to be “heuristic detection.”
Some commercial antivirus software end-user license agreements include a clause that the subscription will be automatically renewed, and the purchaser’s credit card automatically billed, at the renewal time without explicit approval.
Norton Antivirus renews subscriptions automatically by default.[26]
In May 2007, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot.[29]
Also in May 2007, the executable file required by Pegasus Mail was falsely detected by Norton AntiVirus as being a Trojan and it was automatically removed, preventing Pegasus Mail from running.
On the basis that Norton/Symantec has done this for every one of the last three releases of Pegasus Mail, we can only condemn this product as too flawed to use, and recommend in the strongest terms that our users cease using it in favour of alternative, less buggy anti-virus packages.[30]
In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.[31][32]
-
falcon
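The wildcard signatures described in the passage quoted above, and the balance between false positives and false negatives it mentions, shown as an added example that is not part of the original post or its comments. The signature syntax, the names and every byte string below are constructed for illustration and do not come from any real scanner or malware family.

```python
import re

def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Compile a hex signature into a bytes regex (syntax constructed here):
    'DE' literal byte, '??' any one byte, '{n-m}' gap of n..m arbitrary bytes."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("{") and tok.endswith("}"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so that '.' also matches the byte 0x0A
    return re.compile(b"".join(parts), re.DOTALL)

# Two hypothetical signatures for the same constructed "family":
# a generic one with wildcards and a padding gap, and an exact one.
SIGNATURES = {
    "generic": compile_signature("DE AD ?? ?? BE EF {0-8} C0 DE"),
    "strict": compile_signature("DE AD 01 02 BE EF C0 DE"),
}

def scan(data: bytes) -> list:
    """Return the sorted names of all signatures found anywhere in data."""
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(data))

# Constructed inputs.
# VARIANT_A: the original sample both signatures were written from.
VARIANT_A = b"HDR" + bytes.fromhex("DEAD 0102 BEEF C0DE") + b"END"
# VARIANT_B: same family, different operand bytes plus five bytes of padding.
VARIANT_B = b"HDR" + bytes.fromhex("DEAD AABB BEEF 9090909090 C0DE") + b"END"
# BENIGN: an unrelated data table that happens to contain the same anchors.
BENIGN = b"TABLE" + bytes.fromhex("DEAD 7F7F BEEF 0000 C0DE") + b"END"
CLEAN = b"plain text with none of the marker bytes"

if __name__ == "__main__":
    for label, blob in [("variant A", VARIANT_A), ("variant B", VARIANT_B),
                        ("benign", BENIGN), ("clean", CLEAN)]:
        print(f"{label:10s} -> {scan(blob) or 'no detection'}")
```

The generic signature catches the padded variant that the strict one misses (a false negative), but it also flags the benign table (a false positive).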
January 4th, 2012 at 9:08 am
Thanks for pointing me to these examples. I feel better knowing that even Windows itself can be “touched” by these false positives…