"In order to find out which Antivirus programs cause more troubles with the tools of NirSoft, I decided to generate a report with the number of false positive alerts of every Antivirus program. I have created a small program that downloads the Antivirus scans result of all .exe files of NirSoft from VirusTotal Web siteand then processes the collected information and generates the desired report. I have also decided to generate score for every Antivirus program according to their false positive issues." http://blog.nirsoft.net/2015/10/18/...ccording-to-false-positives-of-nirsoft-tools/
I agree with the points raised in the NirSoft blog , all very valid . But given the choice , I'd prefer to get the FPs , and deal with them on case-by-case basis , rather than get no notifications at all . If you download and/or run one of those NirSoft tools , and you get a warning , surely it's going to be fairly obvious what caused the warning ..... or not ?
I wonder how many of the detections were potentially unsafe applications which cover legitimate tools that have been seen to be misused for malicious purpose and how many of them were detected as malware. Malware detection could be counted as FP while PUA detection not as it's exactly what PUA is supposed to detect and this detection is fully optional. Also it's disabled by default in ESET's products.
I an interesting read, and I agree with points raised. I've thought the same for some time now, security software needs to provide more detailed descrptions. A potentially unwanted program, is just that, but the average user who see an alert saying that a PUP has been detected is going to think it is something harmful. The same goes for heuristics. It should be made clearer that the file detected may be harmful, not an a definite threat.
So why is it then that I downloaded 4 different Nirsoft tools and all were detected by ESET as potentially unsafe applications, ie. not detected by default and only with user's consent ? I have a hunch that the author of the blog confused Trojan detection with optional PUA detection. Moreover, ESET products show a link to a KB article with explanation what PUAs are if such application is detected and the user is prompted for an action.
You're right. However, if talking about false positives only trojan detections should be included, otherwise it makes an impression on readers that PUA detections are actually false positives. It's even explicitly written in the article: "The good news in this report is that there are 12 Antivirus engines without any false positive and they got the best score possible (100)" I think we all will agree that products with 0 trojan alerts should not be counted and had 0 false positives like those with 100 score.
@Marcos while I get your point, I can understand the point of view of the author of the article. Usually when PUA detections are made, it is not made clear that the item detected is not a threat. Since, I have not had any extensive use of your products for a few years now, I can't comment on how your products handle PUAs vs actual threats. While often PUAs are of little use, there is some software I use which gets detected as unwanted my some antivirus software. Personally, I add such items to the ignore list when they are detected. But, I'm sure many people will just remove them, thinking they they must be harmful since they were detected.
Interesting that Qihoo 360, a AV which people complain has too many false positives showed zero on Nirsoft. Did avast have PUP detection on?
Eset's PUA detection is the most aggressive for any AV/AM product I have ever used. That is perfectly fine as far as I am concerned. I hate crapware!
+1 for itman. And even more aggressive. Especially for a place where softwares from huge companies behave rogue.
A while back nirsoft dot net found itself on URL blacklists, including Safe Browsing if I remember correctly. NirSoft's tribulations are inherent in both the under-the-hood nature of the software and the ignorance, overzealousness, or good intentions (pick one) displayed by other developers. I have been a user of NirSoft for over a decade and have sixty eight of his apps on my system. Some of them, I actually use. I sincerely hope Mr. Sofer finds some relief from this grief, but I feel it will be his cross to bear, in some form or another, for some time to come. Which reminds me, I have to send him another donation. You (you know who you are) should do likewise. Anyhow... This is a cyber-age old discussion, hailing back to the HIPS days. You know, HIPS. That tool we don't need/want anymore. Because of the alerts. It ranges, in a perfect world, from those who want a fully detailed and expertly documented report in every pop-up with a choice of a half dozen actions to those who want complete silence and automated resolution. The former for me and itman, the latter for Aunt Matilda and Mr. Bucks, the accountant. Either perfect world design to the extreme is unattainable considering the inexhaustible and volatile nature of the technology while the middle ground is muddied by the (often puzzling) creativity of the developers and the faith in their designs. And therein lies the root of... "Antivirus programs and VirusTotal Web site don't provide clear explanation about the alerts they display..." Things will be different once the AI machines take control.
from my view, its ok. the behavior of nirsoft tools are really quite special and can be compared to malware. same for sysinternals tool - if i set process explorer as default task manager many malware search programs would find that hijack. nevertheless i dont give a dime on av programs because nirsoft tools are essential for my work at the helpdesk and people rely on that opinion. more education is needed! cheers.
I have the entire NirSoft (and Sysinternals) suites downloaded via Windows System Control Center (in GEGeek Toolkit). WSA, Bitdefender in EAM, and MBAM all flag some of these utilities. OK'ing them is a PITA. I guess a donation is in order
I've always found ESET and Kaspersky to be good with these tools. Norton usually just deletes them and tells you after they are gone. Windows Defender will ask what you want to do. I'm fine with that. I don't like them just deleted as though they were malware.
