Saturday, October 4, 2008

Current AVG False Positives

Messages like "You have a Virus in your software" arrive in my Inbox on a daily basis, and a lot of them come from AVG Antivirus. So I decided to check the current status of AVG false positives by scanning the utilities folder of my site.
First, I copied the utils folder of my site to a new location (I don't really want AVG to touch my original site folder...), and then I let AVG Antivirus scan the folder.
After AVG finished the scan, it split the scan results into 2 categories: Infections and Spyware.
Most of the alerts on my utilities folder appeared under the 'Spyware' section.
I really would like to understand what is going on in the minds of the AVG guys when they decided to detect my software as Spyware.

Anyway, I used my own SysExporter utility to grab the scan results from AVG and display them as HTML. Luckily, SysExporter is not detected as an infection by AVG; otherwise, AVG wouldn't allow me to run and use it.
So here's the AVG "False Positive" list, the Spyware section:

C:\Utils\asterie.zip Potentially harmful program HackTool.DOI
C:\Utils\asterie.zip:\asterie.exe Potentially harmful program HackTool.DOI
C:\Utils\netpass.zip Potentially harmful program HackTool.FAJ
C:\Utils\netpass.zip:\netpass.exe Potentially harmful program HackTool.FAJ
C:\Utils\netpass_setup.exe Potentially harmful program HackTool.FAJ
C:\Utils\netpass_setup.exe:\netpass.exe Potentially harmful program HackTool.FAJ
C:\Utils\netpass_setup.exe:\ziz1384.tmp:\netpass.exe Potentially harmful program HackTool.FAJ
C:\Utils\pspv.zip Potentially harmful program HackTool.CBX
C:\Utils\pspv.zip:\pspv.exe Potentially harmful program HackTool.CBX
C:\Utils\sniffpass.zip Potentially harmful program HackTool.FMT
C:\Utils\sniffpass.zip:\SniffPass.exe Potentially harmful program HackTool.FMT
C:\Utils\sniffpass_setup.exe Potentially harmful program HackTool.FMT
C:\Utils\sniffpass_setup.exe:\SniffPass.exe Potentially harmful program HackTool.FMT
C:\Utils\sniffpass_setup.exe:\ziz1384.tmp:\SniffPass.exe Potentially harmful program HackTool.FMT
C:\Utils\vncpassview.zip Potentially harmful program HackTool.EEI
C:\Utils\vncpassview.zip:\VNCPassView.exe Potentially harmful program HackTool.EEI

And this one is the Infections section:

C:\Utils\lsasecretsdump.zip Trojan horse Generic10.SZR
C:\Utils\lsasecretsdump.zip:\LSASecretsDump.exe Trojan horse Generic10.SZR
And finally, here's another issue with AVG and other Antivirus software:
When you exit the Antivirus application, it won't display any Virus/Trojan/Spyware warning, but the Antivirus service is still running in the background and prevents you from running any file that it detects as infected.
This means that if you try to run one of my tools that are detected as Spyware/Virus while the AVG application is not running, you'll get the following error message:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item".

Most people who get this kind of error think that there is a bug in my software, and don't know that the Antivirus is the one that causes the problem.

4 Comments:

Blogger domestic empire said...

Avast anti virus (the Home version is free), makes far fewer false positives in my view. Never troubles me over legitimate software such as yours.

But I really came to say a big THANK YOU Nir for OperaCacheView. I wrote asking if such a utility was possible but never expected to see it so soon. Perhaps it was already in the planning?

I've blogged about it on my Opera blog here, and I shall do likewise at the Opera community forums, if I haven't already been beaten to it.

Many thanks (";)

October 4, 2008 4:57 PM  
Blogger Irreligious said...

I can tell you what is going on in the minds of the AVG guys when they add your software as "spyware". They're thinking some of the utilities can be used to reveal passwords or cache items, and so on... Hence they are forensic tools and should be detected.

Other utilities such as NirCmd are detected because it can be used to kill processes. Maybe it would help to imagine the case where a parent wanted to help prevent their child from using a utility to kill security or parental-control processes.

Most AV software I've used detects some of your software in this general manner, including the one I'm using now, Avira AntiVir Premium.

October 6, 2008 8:03 AM  
OpenID r2mahara said...

I just tried to use NirCmd at work and got a Sophos alert that it was adware :-(

October 21, 2008 8:00 AM  
OpenID xylog said...

Symantec Endpoint Protection 11 detects some of your utils as threats:

Date and Time,Risk,Action,Filename,Risk Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description
11/19/2008 7:07:07 AM,Trojan Horse,Quarantined,LSASecretsDump.exe,File,C:\Program Files\NirSoft\,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.
11/19/2008 6:54:50 AM,ProduKey,Access Denied,ProduKey.exe,Other,C:\Program Files\NirSoft\,Infected,C:\Program Files\NirSoft\,Quarantine,Leave alone (log only),Auto-Protect scan,
11/19/2008 6:54:48 AM,DialupPwd,Access Denied,dialupass2.exe,Other,C:\Program Files\NirSoft\,Infected,C:\Program Files\NirSoft\,Quarantine,Leave alone (log only),Auto-Protect scan,
11/19/2008 6:54:47 AM,Hacktool,Cleaned by deletion,rdpv.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.
11/19/2008 6:54:46 AM,Trojan Horse,Quarantined,LSASecretsDump.exe,File,C:\Program Files\NirSoft\,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.
11/19/2008 6:54:46 AM,Hacktool,Cleaned by deletion,HeapMemView.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.
11/19/2008 6:54:45 AM,Hacktool,Cleaned by deletion,asterwin.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.
11/19/2008 6:54:45 AM,W32.IRCBot.Gen,Cleaned by deletion,pspv.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.
11/19/2008 6:54:43 AM,Hacktool.PassReminder,Access Denied,mspass.exe,Hack Tools,C:\Program Files\NirSoft\,Infected,C:\Program Files\NirSoft\,Quarantine,Leave alone (log only),Auto-Protect scan,
11/8/2008 8:00:40 PM,Backdoor.Trojan,Log only,nwcwks.dll,File,Y:\xylog\,Log only,Y:\xylog\,Clean security risk,Quarantine,Auto-Protect scan,The file was left unchanged.
11/7/2008 11:12:18 PM,Backdoor.Trojan,Log only,nwcwks.dll,File,Y:\xylog\,Log only,Y:\xylog\,Clean security risk,Quarantine,Auto-Protect scan,The file was left unchanged.

November 19, 2008 7:12 AM  
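As an added example (not code from the post or from NirSoft), here is a small Python triage script for the two report formats shown on this page: the AVG result lines from the post (with the `:\` notation for files found inside a zip or installer) and the Symantec Endpoint Protection CSV from the comment above. It separates PUA/hack-tool signatures, which are allowlist-review candidates for known admin tools, from malware-family names that warrant investigation, and flags SEP rows whose "Access Denied" action leaves the file on disk but unrunnable, which is the situation behind the "Windows cannot access the specified device" error described in the post. The sample inputs are constructed from entries on the page, and the marker word lists are assumptions.

```python
import csv
import re

# Constructed sample in the AVG format from the post: "<path> <category> <detection>";
# a ":\" after a container (zip or installer) introduces a file found inside it.
AVG_SAMPLE = """\
C:\\Utils\\netpass_setup.exe:\\ziz1384.tmp:\\netpass.exe Potentially harmful program HackTool.FAJ
C:\\Utils\\lsasecretsdump.zip:\\LSASecretsDump.exe Trojan horse Generic10.SZR
"""
# Constructed sample in the Symantec Endpoint Protection CSV format from the comment above.
SEP_SAMPLE = """\
Date and Time,Risk,Action,Filename,Risk Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description
11/19/2008 6:54:43 AM,Hacktool.PassReminder,Access Denied,mspass.exe,Hack Tools,C:\\Program Files\\NirSoft\\,Infected,C:\\Program Files\\NirSoft\\,Quarantine,Leave alone (log only),Auto-Protect scan,
11/19/2008 6:54:46 AM,Trojan Horse,Quarantined,LSASecretsDump.exe,File,C:\\Program Files\\NirSoft\\,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.
"""
AVG_LINE = re.compile(r"^(\S+) (.+) (\S+)$")   # path, category text, detection name
PUA_MARKERS = ("hacktool", "potentially harmful", "hack tools")   # assumed vendor wording
MALWARE_MARKERS = ("trojan", "backdoor", "w32.")                  # assumed vendor wording

def innermost_file(avg_path):
    """'C:\\Utils\\a.zip:\\b.exe' -> 'b.exe'; a plain path returns its own file name."""
    parts = avg_path.split(":\\")   # parts[0] is the drive letter, parts[1] the on-disk path
    return (parts[-1] if len(parts) > 2 else parts[1]).rsplit("\\", 1)[-1]

def verdict(detection, category):
    text = f"{detection} {category}".lower()
    if any(m in text for m in MALWARE_MARKERS):
        return "investigate"   # a familiar file name is not proof: check hash and publisher
    if any(m in text for m in PUA_MARKERS):
        return "review"        # known admin/recovery tool flagged as PUA: allowlist candidate
    return "unknown"

def parse_avg(report):
    records = []
    for line in report.splitlines():
        m = AVG_LINE.match(line)
        if m:
            path, category, name = m.groups()
            records.append({"file": innermost_file(path), "detection": name,
                            "verdict": verdict(name, category)})
    return records

def parse_sep(report):
    records = []
    for row in csv.DictReader(report.splitlines()):
        # "Access Denied" leaves the file in place but the on-access scanner refuses to open it,
        # which is what surfaces as "Windows cannot access the specified device, path, or file"
        records.append({"file": row["Filename"], "detection": row["Risk"],
                        "blocked_not_removed": row["Action"] == "Access Denied",
                        "verdict": verdict(row["Risk"], row["Risk Type"])})
    return records
```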
