  1. #1 (2 Star Lounger, Shoreline, Washington, USA)

    PERIMETER SCAN

    Anti-malware apps flag legitimate utilities


    By Ryan Russell

    Malicious code isn't the only thing anti-malware applications catch when they scan your PC and e-mail. Legitimate utilities get flagged, too.

    It's good that security software errs on the side of caution, but PC users need to know when to trust their security tools and when to trust their online sources for apps.

    The full text of this column is posted at WindowsSecrets.com/2010/06/17/06 (paid content).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    Last edited by revia; 2011-01-19 at 18:27.

  2. #2 (bobprimak, Lounge VIP, Hinsdale, IL, USA)
    I had a NirSoft utility on my computer (Blue Screen Viewer), and Malwarebytes was flagging it as containing adware (Rotator). Apparently, something in the uninstaller for this utility was heuristically similar to a known adware component. More recent definitions updates (and a program version update) have remedied the situation. I suspect the uninstallers used by NirSoft's utilities are being flagged by some AV heuristics algorithms on a similar basis. Some AV Vendors have corrected this issue, while others have not.

    In a situation like this one, Virus Total can give conflicting results, as noted in the article. And this only further confuses many users. I finally told Malwarebytes to ignore the NirSoft utility uninstaller until the AV company updated their engine and the NirSoft uninstaller was no longer being flagged.

    Super Antispyware, Comodo and Avast did not find anything suspicious in the NirSoft Uninstaller.
    -- Bob Primak --

  3. #3 (New Lounger, Emeryville, California, USA)
    A lot of the AV engines used by Virustotal show nothing, especially when a piece of malware is new. So the aggregate scan is very useful. Since I was scanning the entire collection of Nirsoft stuff, there were over 100 programs for any of the engines to take a shot at flagging.

    The heuristics are problematic. To be fair, some of the things that Nirsoft utilities do are darn close to a lot of (portions of) malware. One of the points of my article was that it can boil down to intent, which no AV program has any hope of determining.

  4. #4 (bobprimak, Lounge VIP, Hinsdale, IL, USA)
    Quote Originally Posted by Ryan Russell:
        A lot of the AV engines used by Virustotal show nothing, especially when a piece of malware is new. So the aggregate scan is very useful. Since I was scanning the entire collection of Nirsoft stuff, there were over 100 programs for any of the engines to take a shot at flagging.

        The heuristics are problematic. To be fair, some of the things that Nirsoft utilities do are darn close to a lot of (portions of) malware. One of the points of my article was that it can boil down to intent, which no AV program has any hope of determining.
    I think you are right -- some of us rely too much on AV heuristics, and that's where a lot of false positives come from. And it is true that no heuristics algorithm has yet been devised which can discern intent, nor accurately predict the end result of letting certain malware-like processes run their course. The attitude (and I sort of agree with this) is "better safe than sorry". In other words, "Deny first, then allow once the application is proven safe". That's good advice if you can quarantine or sandbox an application (which I can do now, thanks to Comodo Sandbox), but it is a bit strict when dealing with a lot of freeware system-level utilities, such as the NirSoft family.

    In the case of NirSoft, maybe the Virus Total results give good guidance, but I have found some cases (of other safe freeware) where the results have been a lot less clear-cut. That's all I was pointing out in my post.

    I was mainly pointing out that the NirSoft uninstaller may have been the focus of the false-positive I got (from Malwarebytes), and perhaps this is the specific cause of any false-positives others may have gotten for the NirSoft family of utilities. It helps to be able to narrow down one's focus when evaluating possible causes of false-positives.
    -- Bob Primak --
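The two points raised in posts #3 and #4, that an aggregate scan is only useful if you can tell heuristic/generic verdicts apart from named-family verdicts, and that "deny first, then allow once proven safe" should not mean telling the scanner to ignore a file forever, can be turned into a small triage routine. The following is an added example written for this thread, not code from the column, from NirSoft or from any AV vendor. It assumes a report shaped like VirusTotal's v3 `last_analysis_results` (engine name mapped to a `category` and a `result` string); the engine names, verdict strings and file bytes are constructed sample data, and the marker words used to recognise heuristic verdicts are an assumption about vendor naming conventions, not a definitive list.

```python
"""Triaging aggregate anti-malware verdicts for a suspected false positive.

Added example; not code from the column or the forum thread. It assumes a
report shaped like VirusTotal's v3 'last_analysis_results' (engine name ->
{"category", "result"}). Engine names, verdict strings and file bytes below
are constructed sample data, not a real scan.
"""
import hashlib
import re
from datetime import date, timedelta

# Constructed sample: a small utility that most engines pass, two engines flag
# on heuristic/generic rules, and one engine flags with a named family.
SAMPLE_REPORT = {
    "EngineA": {"category": "undetected", "result": None},
    "EngineB": {"category": "malicious", "result": "Heur.Suspicious.Packed"},
    "EngineC": {"category": "undetected", "result": None},
    "EngineD": {"category": "malicious", "result": "Adware.Rotator.A"},
    "EngineE": {"category": "suspicious", "result": "Generic.Trojan"},
    "EngineF": {"category": "undetected", "result": None},
    "EngineG": {"category": "harmless", "result": None},
    "EngineH": {"category": "type-unsupported", "result": None},
}

FLAG_CATEGORIES = {"malicious", "suspicious"}
NOT_SCANNED = {"type-unsupported", "timeout", "failure"}
# Assumed marker words: verdict names that point to a heuristic or generic
# rule rather than a specific, confirmed malware family.
HEURISTIC_MARKERS = re.compile(r"heur|generic|\bgen\b|suspicious|packed", re.I)


def summarize_verdicts(report):
    """Count detections and split heuristic/generic hits from named-family hits."""
    flagged = {e: r for e, r in report.items() if r["category"] in FLAG_CATEGORIES}
    scanned = [e for e, r in report.items() if r["category"] not in NOT_SCANNED]
    heuristic = sorted(e for e, r in flagged.items()
                       if HEURISTIC_MARKERS.search(r["result"] or ""))
    named = sorted(e for e in flagged if e not in heuristic)
    return {"detections": len(flagged), "engines": len(scanned),
            "heuristic": heuristic, "named": named}


def triage(report):
    """'Deny first, allow once proven safe': decide what to do with the file."""
    s = summarize_verdicts(report)
    if s["named"]:
        # A named family deserves a real look (sandbox or quarantine), even if
        # it later turns out to be a false positive on a packer or uninstaller stub.
        return "quarantine", s
    if s["detections"] == 0:
        return "allow", s
    # Only heuristic/generic verdicts: keep the file blocked and re-scan after
    # the next definitions update rather than permanently ignoring it.
    return "hold", s


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_exception(allowlist, data, reviewed_on, days_valid=30, note=""):
    """Record a reviewed-safe file by hash, with an expiry so the exception is revisited."""
    allowlist[sha256_hex(data)] = {
        "expires": reviewed_on + timedelta(days=days_valid),
        "note": note,
    }
    return allowlist


def is_excepted(allowlist, data, today):
    """True only while the hash is listed and its review has not expired."""
    entry = allowlist.get(sha256_hex(data))
    return entry is not None and today <= entry["expires"]


if __name__ == "__main__":
    state, summary = triage(SAMPLE_REPORT)
    print(state, summary)
    # Constructed stand-in for the bytes of a file someone has reviewed by hand.
    sample_file = b"constructed-uninstaller-stub"
    exceptions = add_exception({}, sample_file, date(2010, 6, 17),
                               note="reviewed; heuristic FP on uninstaller")
    print(is_excepted(exceptions, sample_file, date(2010, 7, 1)))
    print(is_excepted(exceptions, sample_file, date(2010, 8, 1)))
```

The summary separates "two engines fired a generic rule" from "one engine named a family", which is the distinction the aggregate count alone hides; the exception list is keyed by SHA-256 rather than by file name so a later, different binary with the same name is not silently trusted, and it expires so that an ignore entry is re-examined once definitions have been updated.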
