Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 07, 2016, 06:35:12 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Fabricated virus warnings.  (Read 1855 times)

Dmytry

  • Participant
  • Joined in 2010
  • *
  • default avatar
  • Posts: 9
    • View Profile
    • Donate to Member
Fabricated virus warnings.
« on: March 22, 2010, 10:33:39 AM »
Hmm,  I came across <a href="http://www.autohotke...orum/topic53129.html">interesting thread on AutoHotKey forums</a> related to donationcoder.
In my opinion, if you let bully push you around even a little, you're well on the road to complete submission, to handling over your hard earned lunch money to bully and doing a funny dance. Today you stop using UPX, tomorrow you stop using -O2 compiler flag in GCC, and the day after tomorrow you'll be buying code signing certificates coz any unsigned code gets flagged as malware. Then, to program you'll need a license and 'proofs' of being a good-behaving fella, 'just like for buying a gun'. All while big software vendors are whitelisted and could still do anything coz they can easily fight back with a libel lawsuit.

I'm entirely with AutoHotkey people on this issue. They have the courage to stand up for themselves.
On technical side - the notion that UPX is associated with malware is laughable. UPX - the original unmodified version that the good guys in question use - is an executable packer. Ironically, UPX is the most antivirus-friendly packer there is - it is free open source, thus unpacker can be incorporated into antivirus, and license even forbids packing binaries with a custom versions of UPX that would not unpack with the vanilla UPX - that's why good guys are using unmodified UPX. Whereas bad guys aren't going to use packer that is being flagged as malware, simple as that, so even if it was once true that some malware was being 'detected' by this "if it reads as UPX archive, call it malware" heuristics, this heuristic has immediately rendered itself obsolete for any new threats.

So what do you think. Should the independent developers quit using any free technology that became a target for automated libel, losing without any fight? Or should we try to stand for ourselves and hold the ground? The UPX issue may seem trivial - but it is just one step of retreat - there can be little doubt that antivirus vendors would come up with some other but similar 'heuristic' if their false positive rate is way below what they consider acceptable.
« Last Edit: March 22, 2010, 10:40:58 AM by Dmytry »

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 36,408
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Fabricated virus warnings.
« Reply #1 on: March 22, 2010, 10:43:18 AM »
I completely respect what you are saying, and in the beginning that was basically my position -- that these antivirus companies are only hurting themselves with these bullshit lazy false positives.

I tried to rally autohotkey to more aggressively confront the antivirus companies and try to get them to stop.. but it just didn't take.  And at a certain point the damage it's doing to ahk applications is real and ongoing, and is hard to recover from.

I think maybe the solution is to tackle this on two fronts -- in the short term i think it's best to stop using UPX to pack ahk scripts -- and then at the same time try to get the antivirus companies to shape up -- to that end i've proposed trying to draw attention to a set of guidelines for excellence in antivirus behavior, and i've written about a site/award i want to start to encourage antivirus companies to be better.

Dmytry

  • Participant
  • Joined in 2010
  • *
  • default avatar
  • Posts: 9
    • View Profile
    • Donate to Member
Re: Fabricated virus warnings.
« Reply #2 on: March 22, 2010, 04:43:18 PM »
I completely respect what you are saying, and in the beginning that was basically my position -- that these antivirus companies are only hurting themselves with these bullshit lazy false positives.
Are you sure that they're hurting themselves?
I'm not sure there's more people did not buy antivirus because they heard of false positives on UPX than people whom bought the antivirus software *because* of false positive (see "buy full version to fix the file"). What's about all the people whom do have common sense and don't run viruses, whom would quit paying for antivirus if it never finds anything? Think of all the regular people, friends and family, whom you helped set up their PC, are you so sure that they wouldn't choose one of the antiviruses that 'detects the virus' over those which 'fail to detect the virus'? That they would and could tell apart situation when antivirus A has false positive from situation when antivirus B has false negative? Surely, everyone understands that antivirus can fail to detect a virus - but are you sure everyone understand that antivirus can lie that it detected a virus? What's about enormous commercial success of fake/fraudulent antivirus software?

All in all, i'm not convinced that antivirus companies are hurting themselves with their false positives. Hurting others, sure, but themselves, i'd assume they would work to determine optimal false positive rate, for the best balance between negative publicity and the extra sales to scared people, and would stay close to this optimal false positive rate.
« Last Edit: March 22, 2010, 04:57:59 PM by Dmytry »

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 36,408
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Fabricated virus warnings.
« Reply #3 on: March 22, 2010, 06:58:01 PM »
I think what you are saying about their reputation not being hurt by excessive false positives is exactly right, and exactly the problem.
Antivirus companies don't get judged on false positives by reviewers or the public at large, and so have no disincentive to improve.  That's where the idea to try to shine the light on good policies with the award comes from -- to try to incentivize better behavior regarding false positives.

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,255
    • View Profile
    • Donate to Member
Re: Fabricated virus warnings.
« Reply #4 on: March 22, 2010, 08:50:35 PM »
I tried to rally autohotkey to more aggressively confront the antivirus companies and try to get them to stop.. but it just didn't take.

IMHO, one shouldn't be trying to rally the autohotkey users. One should be rallying the users of AV products that flag things like this with false positives & convince them to use an AV product that doesn't.

Last time I used NOD32 it didn't have this problem. Outpost Security Suite doesn't have this problem. I'm sure there are others.

Educating the AV users is the key & punishing the lazy AV companies right where they live: their bottom lines.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 36,408
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Fabricated virus warnings.
« Reply #5 on: March 22, 2010, 08:54:29 PM »
the idea with the new antivirus award was to try to offer a positive REWARD in terms of publicity and acknowledgment and support to companies that do good, and maybe shaming the companies that don't.  i just don't think the other leverage points have much hope of working.