Houston, we have a problem: File Investigation "Reports"

Today, I had to help someone who was having trouble updating their Windows Live Messenger to the latest version. Turns out they didn't have trouble with the actual software, but with something they read in the internet thanks to the wonders of Google. Namely, this: http://www.prevx.com/filenames/X3453662875588857735-X1/WLCOMM.EXE.html

I thought that was rather "interesting", so I, too, googled around. And in a couple of seconds, found stuff like this, to name a few:

http://www.prevx.com/filenames/X637823902852059119-X1/SVCHOST.EXE.html

http://www.prevx.com/filenames/X658425073641589364-X1/TOTALCMD.EXE.html

What's the problem with these reports? That is left as an exercise for the reader. One little hint, though: Everyone who installs Windows Live Messenger 14 is going to have a file called wlcomm.exe on their system.

 

We aren't saying that all totalcmd.exe's (or other filenames) are malicious - just that some have been seen to be malicious. Whether this is a file infector or other threat, filenames are generally not a reliable way to deem a file as malicious but they are the only way for a user to find what they're talking about.

 

Yes, I realize that you're not saying all files with those names are malicious. A very diplomatic reply, by the way. What I don't realize is why your reports did not mention the little detail that all of those filenames are also used by completely legit pieces of software, indeed some of which are present in practically all systems running Windows...

Let's imagine a scenario: some Joe User updates his Live Messenger, and by some stroke of luck notices a strange new process called wlcomm.exe running. He googles it, and finds that investigation report among the first couple of results. Joe gets scared because the report says wlcomm.exe is a worm.

Honestly. Am I the only one who has a problem with that report not bothering to mention that files named wlcomm.exe are most often digitally signed executables from Microsoft and completely legit? Isn't it a "little" misleading to not mention that sort of thing when you do mention that some (much rarer) worm uses that filename? After all, wlcomm.exe is much more likely to be from Microsoft than a worm...

One could argue that this isn't mentioned for reasons of simplicity. In that case, I'd argue that simplicity was thrown out the window when phrases like this were entered into the report: "The process hooks code into all running processes".

To put it as nicely as I can: those reports are misleading and prone to confuse and frighten uninformed users instead of educating them. In my humble opinion, they look as if they were designed to frighten people, instead of inform them. The reports should be either removed entirely or corrected so that they make very clear that perfectly legit software is also using those filenames and that said legit software is much more common than malware using those filenames, and finally also that the legit software can be typically identified by path and digital signatures.

 

That's it? Joe gets scared? I was certain you were going to say that Joe deleted the file and his computer was trashed. But that aside, when Joe Googles it and finds the report you refer to, do you honestly think Joe stops right there, and allows all investigation to cease? Or do you think Joe Googles some more and gains further knowledge on the subject?

I agree with you that the reports should include a disclaimer of sorts. Keep in mind, however, that the report does begin by saying,

(my bolding & my italics). That indicates to some readers that the behavior is not all of the time.

 

I understand your points but it is very difficult to determine what the user is searching for. Generally, when a user is searching for a file, they suspect they may be infected so we give them the details on infected files with the name they're searching for so that users can determine if the behavior matches what they're experiencing.

If the user can't determine if the specific file they have is malicious or not, they can just download Prevx 3.0 and scan their PC, which will give a definitive answer as to if the file they have is malicious or not.

 

Not sure if I agree with that last statement. I've had several FPs this week relating to Real Player and Cyberlink software. None of these, upon further analysis, are worms/malware as claimed by PrevX

 

I think a user searching for a filename can only be searching for roughly three things: 1) what does this file do and how - is it a useful program, good game, etc? 2) is it malicious or not, and how? 3) where do I download it? That's about it. An anti-malware company would typically only be concerned about giving users answers to question #2. An anti-malware company would also know that users probably aren't very good in determining when and how they're infected (or they wouldn't be needing the services of anti-malware companies very much). This being the case, I would expect anti-malware companies to want to give users information as complete as practically possible. Like: "Wlcomm.exe is sometimes a worm that does X, Y, and Z. Sometimes wlcomm.exe is a legit software that is digitally signed by Microsoft. The wlcomm.exe worm is not digitally signed by Microsoft. Click here to learn how to check files for digital signatures."

I really don't think it would hurt to mention that such filenames are used by legit software, as well. It would make the reports far more useful, accurate and professional. As the reports are now, people are going to read them, and some are going to get needlessly scared, others paranoid, and some people are going to accuse you of spreading FUD. I'm not sure any of us like any of those happening, especially when it would be easy to make the information more accurate and avoid most of these things.

Apparently you were wrong, then. Joe might try to delete the file (and probably fail), or he might not. I think it's bad enough that Joe has to get all worked up about the file being a possible malware when it's rather likely to be a legit software.

Honestly speaking? I don't just think, I know many of the Joes will google some more and gain further knowledge, but unfortunately I also know that some Joes will stop right there and panic, try to delete the file or download something to try to remove it with. My point being, would it not be nice if Joe could get accurate information from security companies - information that clearly states that the filename is also used by very common legit software? I think there's more than enough misleading information out in the web without professionals adding to it.

Instead of a probably vague disclaimer (like: "some files named x may not be malicious") I'd much rather have the widely known and obvious facts if one is going to publish some sort of filename database like this. There really is no excuse to not mention that the filename is also used by a very widespread digitally signed executable from Microsoft. Everyone except Joe User knows that fact about the filename. Anti-malware companies most certainly know that fact.

What valid reason could there possibly be to not mention that fact? Simplicity? No. If simplicity was the reason, the report would be shorter and wouldn't use tech-jargon like "dynamic link library" or "process" or "hook" that Joe User isn't very likely to understand. How about accuracy then? Most certainly no. How about just lack of more complete information? Well, sure, perhaps it might be that, if we can be fooled into believing that an anti-malware company that performs in-the-cloud reputation-based scanning knows that filename X is sometimes malware but doesn't know that it's also "sometimes" a Windows system executable present on literally every Windows NT machine, or a Windows Live component signed by MS. So, yeah, I guess we're back to "no valid reason."

My point is simple: The reports are misleading, and information contained in them so incomplete that Joe User certainly cannot reliably use them to deem whether a file is malicious or not and is more likely to get the wrong impression of those files by reading the reports. Since this isn't a good thing, something needs to be done to the reports.

Yes, I've obviously kept that in mind. If I had not, or if that phrase had not been present in the report, I would have used much stronger language.


Well, I hate to make a scene, but Joe User is in trouble. He needs help. Bad guys are trying to con and play him left and right. What Joe User really, really does not need in addition to all that stuff, is the people who are supposed to be on his side giving him misleading information when they could be giving useful information. It's not too fun to be blunt, but sometimes you have to do it.

 

I'd call the info Prevx is providing eye-opening, especially in a world where, as you claim, "bad guys are trying to con and play him left and right". If he "has to get all worked up about the file being a possible malware", why is that such a terrible thing? Sounds to me like the Joe User you are describing needs some education.

 

Honestly, the only way to determine if the file in question is malicious would be to run it through a scanner. Our pages are there to help convey the possibility of infection (and we put ourselves through the same scrutiny: http://www.prevx.com/filenames/2216395111511951385-X1/PREVX.EXE.html)

A vast majority of filenames have at one time been infected or used to spread malware, either by file infectors or by malware authors using common names.

I think saying to the user that, for example, "svchost.exe" is clean in 99.9% of cases would be misleading when the user is searching for information on a new threat which is parading itself as svchost.exe (of which there are many, but no where near as many legitimate instances as svchost.exe is present on every XP+ system).

 

Yes, Joe User does need education. But what kind of education? If you want to educate him on some filename he's interested in, then do so. Tell him truthfully that the filename is used by some malware that does X, but also tell him that the filename is used by legit software (that you can recognize by doing Y). That way, Joe User has much more complete and accurate data. Isn't accuracy of data important if we're talking about security? If you instead want to educate Joe User that "anything could be malware", then just say that: "Any filename can be used by malware. Any file could be malware. Just run our scanner to remove it."

I don't think it's good if Joe User gets worked up because he read a report that fails to mention some filename is also used by extremely common legit pieces of software.

What I think is going to be eye-opening is when a user gets confused by one of those reports, downloads a ton of anti-malwares and runs all kinds of scans without getting any alerts, and then later reads or hears from a more computer savvy friend that the filename is also used by a critical system file. His eyes are going to be really open when he asks: "Why didn't that report tell me that in the first place?!"

Yes, I agree that filenames cannot reliably tell you whether a file is bad or good. That is obvious. Given this, what's the point of a report like this? Especially that PREVX.EXE report. What do you think happens when some newbie user opens that page, sees the word PREVX in the corner and possibly realizes he's reading an anti-malware company's site, and then notices the report saying that PREVX.EXE is a Cloaked Malware and Fraudulent Security Program? Reports like this are strongly misleading and confusing. Again, I cannot possibly see any valid reason not to mention it when a filename is used by a very common legit software. First, you tell the user PREVX.EXE has been known to be cloaked malware and fradulent security software. Then, you tell the user to download a file that's called PREVXCSIFREE.EXE to remove the infection. I can't be the only here who sees how little sense that makes.

If you want to convey the possibility of infection, you can do that without leaving out the fact that the filename is also used by legit software.
Mentioning that does not prevent anyone from conveying the possibility of infection. It's just more accurate information. Accuracy is good. Or do we disagree on the importance of accuracy?

Yes. As said, malware could be named anything. That's just one more reason why reports like this don't make much sense. If we're going to report that most any filename has been used by malware, why in the blue wonder can't we also report that it's not always malware that uses those filenames? Why can't we give some tips on how to recognize whether the file is malware or legit? Why is the question.

The problem with that is you don't know whether the user is searching for info on a new threat or if he just opened task manager for the first time in his life and wondered what all those six svchost.exes were. I think giving made-up percentages would be misleading, yes. But neglecting to mention that there are massively common and very much legit files with that name is much more misleading. If the purpose is just educating the user, then there's lots of data you could give him to do that. Giving just one side of the story is not a good idea. Especially if it's the side that labels pretty much any file as malware. Some would call that a scare tactic. I'll just call it unwise. But, seeing how it looks like I'm the only one in the thread who sees this as a problem, I think this is enough from me for now.

 

You are not. I clearly see your point and agree.

 

This also can lull a user into a false sense of security. The purpose of the pages are to show a user what a certain filename has been seen to do - which is exactly what the pages do.

If we were to say that X file is frequently seen as legitimate which would lead users to consider their svchost.exe from Microsoft to be legitimate, then logically there will be some users who dismiss their actually malicious svchost.exe as legitimate because Prevx said so.

Users aren't looking to see if the file is legitimate, they're looking to see if it is malicious. If a filename has never been seen as malicious, we make a point of saying that (i.e. on a file I just downloaded: http://www.prevx.com/filenames/84865042578825916-X1/SKYPESETUP.EXE.html). We then give the user information on what the file does and how it could be affecting their system so they can see if what they're experiencing matches with what the malicious reports show.

I think its self evident that just because something is named "virus.exe" doesn't mean it is a virus, which is why we have the line:
The unsafe files using this name are associated with the malware groups: If you look at other companies with similar charts, you'll see them weighed heavily to the malware side as well, simply because that is what real users see - they aren't searching to find why their clean system is working fine. (i.e. http://www.threatexpert.com/files/explorer.exe.html)

I'm not sure how we could better phrase the pages to not mislead users into a false sense of in/security but if you have any thoughts on this, please let me know

 

Yes, whenever you give the user an answer that isn't a simple yes or no, there's a chance the user will get the wrong idea and mistake malicious for legit and legit for malicious. That is rather hard to avoid entirely. But, on the other hand, the user will frequently get the wrong idea also if you give them a yes answer when there's a very real chance the real answer is actually no, and vice versa. Therefore it is ideal to give users information as complete as practical. Something like:
"xxx.exe has been seen to be:
- a malicious worm, most often located in Local Settings\Temp or Windows\System32
- a legitimate component of a Microsoft software, always located in Program Files\Windows Live\Contacts and digitally signed by Microsoft Corporation"

Here, the user has decently accurate information to determine whether the file is legit or not. He can check the path, and then check the digital signature - and there can of course be a short tutorial linked in the report on how to do these things. Let's be realistic: there's a pretty good chance the worm isn't digitally signed by MS.

When enough information is given to the user, there's a much better chance he can find out whether the file is bad or good. If there's only information that tells him the filename has been used by malicious software, and no mention of the filename being very commonly used by legit software, the user will get the wrong idea in a very substantial number of cases. And let's also consider the categorical imperative: if everyone only reported that some filename was used by malicious software, and never reported the fact it is also used by legit software, the average users would be hopelessly confused all the time.

Any user that wants to know if a file is malicious is by definition also interested in whether it's legit. Because if it's not malicious, then it's legit. And obviously the user is hoping the file is not malicious. In other words, the user is hoping to find out that the file is legit, but is concerned it might not be and is therefore doing the smart thing and looking around for info. And no, it really is not certain that the user is infected. I've seen many cases where people google around to find out what some completely legit file is. Often, it's because they're trying to be careful - they don't know what something is, so they look around. So, it's not necessarily the best idea for anti-malware companies to not mention in their reports whether some filename is also used by legit software.

As I said, some users are looking to find out what a filename they don't recognize is. It's not always the case that the user is having problems with the system - popups, fake warnings, slowdowns, such things. As for other companies, I think that ThreatExpert report is already a little better than the reports I linked in my first post. Notice how the ThreatExpert report says "the file "explorer.exe" was mostly identified as a threat", in other words, that it sometimes wasn't identified as a threat. It at least mentions that there are known cases where the file was not a threat. It doesn't say "explorer.exe - threat" right at the top in big letters, as the Prevx report about wlcomm.exe for example does (wlcomm.exe - worm). That's not to say that it couldn't be much better still. Ideally, it should state the file is also a very widespread legit piece of software, again, from Microsoft. As long as that isn't mentioned, the reports are somewhat misleading. There's no getting around that.

Well, I already gave some suggestions. But let's start at the top, as it were. The beginning of the report says "WLCOMM.EXE - worm". I suggest it would be better if it said something like: "WLCOMM.EXE - can be a malicious worm, or a safe-to-use Windows Live component, see below for further information". And then, you could explain, as you have, what kind of malicious stuff the worm does and such details, but in addition to that, also explain what the legitimate file is like (digitally signed by Microsoft Corporation). If you did this, the users would have a much better chance of finding out whether the file is good or evil, and wouldn't automatically assume even the legit files are malicious because the report doesn't mention any legit software using the filename. It would make for longer and more complicated reports, true, but when there is already stuff like "The Process is polymorphic and can change its structure" in the reports, I don't think "short and simple to understand for complete novices" is what you're going for...

But, I don't think I can say anything further that I haven't already said that could be of relevance here. Obviously it's up to you to decide what kind of reports you publish. But at least it's now been said that there are changes that could be made that would benefit some users, and also result in far more accurate reports. That can't be too bad. Thanks for listening. There are some places I know where a thread like this would have been closed. And I would have been banned.

 

Enlightenment is not about pushing views in a predefined direction by providing biased information. People should be educated to build their own opinion from a diversity of facts.

BTW: Our 3 PCs (my parent's and mine) have experienced not even one single infection attempt in recent years (confirmed by several different security applications (Prevx included) - despite surfing the web regulary and using downloaded software without caring for digital signatures. Everything runs smooth and stable.) Therefore I definitively live in a "false" sense of security - and I aasume there are many people here at Wilders with a "false" sense of insecurity.

 

A note on these FPs - after investigating them, it shows that all of them were caused by maximum heuristics.

If anyone is having FPs with maximum heuristics, I strongly recommend turning your settings down. Maximum heuristics are made to produce a whitelist-like environment where only trusted programs can be run and will logically produce significantly more FPs because of this.

 

Maybe it could help, showing an alert or note of that kind, if the heuristics are set to maximum.

 

You are a mind reader We are adding this functionality into the next release

 

Excellent news. In terms of the options under Heuristics, two of the three options have a recommended setting i.e. 'Low' for Program Age Heuristics and 'Low' for Program Popularity Heuristics. What is the recommended default for the third option, Advanced Heuristics?

Thanks

 

The default for Advanced Heuristics is Medium, which should drop your FPs down significantly