False Positives or Paranoid Anti-Virus Cos. ??

Discussion in 'other anti-virus software' started by AvinashR, Feb 21, 2010.

Thread Status:
Not open for further replies.
  1. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Please do note that I am totally against piracy and I do not encourage anyone to do the same. But for educational & testing purposes I always download various keygens, patches and other malicious files from the dark corners of the Internet.

    Today the main motive for creating this thread is to have a healthy discussion on various aspects of the detection quality of AVs. I mean, do you think that AV cos. are trying to be more sensitive and paranoid than us?

    Today I downloaded a keygen which was well detected by many top-notch AVs, but to my surprise, when I analyzed this keygen in Sunbelt CWSandbox and Comodo Instant Malware Scan, I found that the same keygen was doing nothing... :rolleyes:, but still many AVs detected it as malware. So now the question arises: are these AVs more paranoid, or are they just giving us false positive reports on which we are relying now? o_O o_O
     
  2. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    Here is a thorny issue my dear, a thorny issue...

    According to some, it's due to links between the software industry and AV vendors.
    As you can read on a famous illegal site, "most keygens, cracks and patches are detected as trojans by your antivirus program just because of cooperation between commercial software companies and antivirus software manufacturers".

    Is it real? I dunno. :shifty:
    Better avoid KGs, cracks and hacktools like the plague and you'll increase your chances of staying safe online.
    That's simply safehex... ;)

    Kind regards,
    Mack
     
  3. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Here I understand your point of view.... But I would like to discuss whether they are more paranoid or something else. The sandbox report is showing one thing and they are reporting something else.
     
  4. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Some, like Ikarus, flag keygens as malware just because they're keygens.

    Some detect them by heuristic or if keygens are packed with something they can't unpack.

    Some follow what others detect as malware.
     
  5. progress

    progress Guest

    I think that's the main reason :rolleyes:
     
  6. AlexDBR

    AlexDBR Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    18
    I think there is a connection between the software industry and AVs... You can see this when the keygens/cracks are marked as "hack tools" or "potentially unwanted programs"...
    But another reason for being detected as trojans/viruses is that they sometimes use dubious exe compression/encryption (methods employed a lot by malware creators).

    Anyway, I think it's better to stay away from this stuff, or at least run all suspect files in a sandbox...
     
  7. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    2 issues here:


    1. Analysing a sample in a public sandbox does not prove it "does nothing"... it just proves that this file does nothing in a sandbox environment. For all we know it could be sandbox-aware and refuse to do anything dangerous in order to avoid detection.

    2. Keygens and cracks use exotic packers that are sometimes also frequently used by malware authors (after all, why would the "scene" want to share their secrets?).

    This basically poses an issue for antivirus companies which use a blanket detection on some packers which have a high malware-to-genuine-use ratio. In this case some antivirus companies may remove detection for particular keygens but keep the general packer detection algorithm... or refuse to remove detections for keygens, as these programs have no legitimate function; it is a waste of manpower/resources and leads to a bloating of the AV database if the file is stored in a local whitelist.... Besides, the user can create a local override for any particular detection in most cases anyway.

    Also of note is the fact that cracks/keygens are a very enticing opportunity for malware writers to spread their creations... after all, how else could you get people to willingly run unknown executable code on their computers!
    Some AV companies impose a policy of detecting keygens and cracks especially for this reason (mainly if their clients are corporate, in which case they would especially not want any illegal content such as cracks on their network, due to the legal implications)... the main difference being that some detect it as an "optional" category such as a PUP, whilst others label it as a default threat which will be dealt with regardless of user input.

    I have also seen some keygens which have a suspicious or malformed PE header, which can also cause them to be flagged as malicious due to smart heuristics which attempt to prevent file infectors and other bad files executing.
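
The packer and malformed-header points in the post above, as an added example that is not from the original thread or from any vendor's engine: a small Python triage script that parses a PE file's section table by hand and flags the same things a scanner's packer/structure heuristics react to (known packer section names, near-8-bit entropy, an empty executable section reserved for unpacked code, an entry point in a writable+executable section, header fields that point outside the file). The three PE images it checks are constructed in memory (a plain build, a UPX-style build with an encrypted-looking section, and a copy whose e_lfanew points past the end of the file); the section-name list and the 7.0 bits/byte entropy cut-off are assumptions for illustration, not any product's rules.

```python
import math
import random
import struct
from collections import Counter

# Section characteristic flags from the PE/COFF specification.
SCN_CODE = 0x00000020
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

# Section names left behind by well-known runtime packers (illustrative list, assumed).
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".themida",
                   b".vmp0", b".vmp1", b".petite", b".nsp0", b".nsp1", b".MPRESS1", b".MPRESS2"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0 (assumed cut-off)


def entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_pe(sections, entry_rva, e_lfanew=0x80):
    """Assemble a minimal PE32 image. sections = [(name, raw_bytes, characteristics, virtual_size)]."""
    opt_size = 224                                              # standard PE32 optional header
    raw_ptr = (e_lfanew + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    rva, table, blobs = 0x1000, b"", []
    for name, raw, chars, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, rva, len(raw),
                             raw_ptr if raw else 0, 0, 0, 0, 0, chars)
        blobs.append((raw_ptr, raw))
        raw_ptr += (len(raw) + 0x1FF) & ~0x1FF                  # file alignment 0x200
        rva += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF          # section alignment 0x1000
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    image = bytearray(dos + coff + opt + table)
    for ptr, raw in blobs:
        image = image.ljust(ptr, b"\0") + raw
    return bytes(image)


def triage(image):
    """Return sorted findings of the kind packer/structure heuristics trip on."""
    findings, size = [], len(image)
    if size < 0x40 or image[:2] != b"MZ":
        return ["malformed: no MZ header"]
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 24 > size or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["malformed: e_lfanew does not point at a PE signature inside the file"]
    nsec, opt_size = struct.unpack_from("<H12xH", image, e_lfanew + 6)
    opt_off = e_lfanew + 24
    if nsec == 0 or nsec > 96 or opt_size < 20 or opt_off + opt_size + 40 * nsec > size:
        return ["malformed: optional header or section table runs past end of file"]
    entry = struct.unpack_from("<I", image, opt_off + 16)[0]    # AddressOfEntryPoint
    entry_section = None
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt_off + opt_size + 40 * i)
        name = name.rstrip(b"\0")
        if rawptr + rawsize > size:
            findings.append(f"malformed: section {name!r} raw data runs past end of file")
            continue
        raw = image[rawptr:rawptr + rawsize]
        if name in PACKER_SECTIONS:
            findings.append(f"packer: section name {name!r}")
        h = entropy(raw)
        if rawsize >= 256 and h > ENTROPY_THRESHOLD:
            findings.append(f"packer: section {name!r} entropy {h:.2f} bits/byte (compressed or encrypted)")
        if rawsize == 0 and vsize >= 0x1000 and chars & SCN_MEM_EXECUTE:
            findings.append(f"packer: empty executable section {name!r} reserved for unpacked code")
        if rva <= entry < rva + max(vsize, rawsize):
            entry_section = (name, chars)
    if entry_section is None:
        findings.append("malformed: entry point lies outside every section")
    elif entry_section[1] & SCN_MEM_WRITE and entry_section[1] & SCN_MEM_EXECUTE:
        findings.append(f"packer: entry point in writable+executable section {entry_section[0]!r}")
    return sorted(findings)


# Constructed samples (not real keygens): a plain build, a UPX-style packed build, a corrupt header.
_rng = random.Random(1)
_code = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3]) * 64   # repetitive x86 prologue/epilogue
_blob = bytes(_rng.randrange(256) for _ in range(4096))         # stands in for an encrypted payload
CLEAN = build_pe([(b".text", _code, SCN_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ, len(_code))],
                 entry_rva=0x1000)
PACKED = build_pe([(b"UPX0", b"", SCN_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE, 0x8000),
                   (b"UPX1", _blob, SCN_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE, len(_blob))],
                  entry_rva=0x9000)
MALFORMED = bytearray(CLEAN)
struct.pack_into("<I", MALFORMED, 0x3C, 0x7FFFFFF0)             # e_lfanew points far past end of file
MALFORMED = bytes(MALFORMED)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("packed", PACKED), ("malformed", MALFORMED)):
        print(label, triage(img) or ["no findings"])
```

Run it as-is and the plain build produces no findings, the UPX-style build trips every packer rule, and the corrupt copy is rejected at the header. Against a real file, `triage(open(path, "rb").read())` gives the same list; a "packer:" finding is exactly the situation Baz_kasp describes, where a vendor may keep the generic packer rule and only whitelist individual files it has looked at.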
     
  8. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,078
    This is what happens if you report an FP for a clean keygen detected by an AV:

    This is to inform you that the false positive with Keygen.exe
    (SHA1: e11e4eac0c59d7450eb6e9b999540b6f6aff080a) has been checked and found to be a keygen. Generally patchers, loaders, trainers and keygens won't be seen as goodware. If you plan to use this file further, you can add it to the exclusion list.
     
  9. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    I agree that much malware is sandbox/VM-aware, but does this mean that analysing samples in a public sandbox has no value? I mean, what if we cannot find the malicious activities of a file which is high risk and still undetected? Does this mean the sandbox failed?
     
  10. skokospa

    skokospa Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    177
    Location:
    Srbija
    In 99% of cases a keygen contains a virus.
    There's nothing wrong with Ikarus detecting them as a virus.
     
  11. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,173
    Location:
    Spain
    Approximately 1 out of every 6 malware samples we receive every day in 3rd-level PandaLabs (called "critical malware" = most dangerous) is VM-aware and will either not run or run differently in a VM or sandbox environment. There are also readily available tools to runtime-pack or crypt malware with detection of VMs, Norman Sandbox, Anubis, CWSandbox, etc.

    Here are some of the more recent examples:
    [attachments: crypter anti-sandbox.JPG, crypter-2.png]
     
    Last edited: Feb 22, 2010
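
The point pbust and Baz_kasp make, that a sample which "does nothing" in a sandbox may simply have recognised the sandbox, as an added Python example that is not from the thread or from PandaLabs: before trusting a quiet sandbox run, pull the printable strings out of the binary and look for the artifacts that VM-aware and sandbox-aware code typically checks for. The indicator list is a small, assumed set of well-known artifact names (VirtualBox and VMware guest tools, Sandboxie's injected DLL, a Wine-only export, debugger APIs, a tick-count timing check), not any vendor's signature set, and the two binaries it scans are constructed blobs, not real keygens.

```python
import random
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{5,}")          # runs of 5+ printable ASCII bytes
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")   # the same, UTF-16LE encoded

# (category, lower-case needle, what its presence suggests). Assumed illustrative list.
EVASION_INDICATORS = [
    ("vm", b"vboxservice.exe", "VirtualBox guest service process"),
    ("vm", b"vboxtray.exe", "VirtualBox guest tray process"),
    ("vm", b"vmtoolsd.exe", "VMware Tools daemon"),
    ("vm", b"vmwaretray.exe", "VMware Tools tray process"),
    ("vm", b"vbox__", "VirtualBox ACPI table vendor id (HARDWARE\\ACPI\\DSDT\\VBOX__)"),
    ("vm", b"virtualbox", "VirtualBox device/registry naming"),
    ("vm", b"vmware", "VMware device/registry naming"),
    ("vm", b"qemu", "QEMU device naming"),
    ("sandbox", b"sbiedll.dll", "Sandboxie's injected DLL"),
    ("sandbox", b"wine_get_unix_file_name", "Wine-only export"),
    ("debugger", b"isdebuggerpresent", "debugger check via IsDebuggerPresent"),
    ("debugger", b"checkremotedebuggerpresent", "debugger check via CheckRemoteDebuggerPresent"),
    ("timing", b"gettickcount", "uptime/timing check (analysis VMs are usually freshly booted)"),
]


def extract_strings(blob):
    """Printable ASCII and UTF-16LE strings, all returned as ASCII bytes."""
    found = [m.group() for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16-le").encode("ascii") for m in WIDE_RE.finditer(blob)]
    return found


def scan_for_evasion(blob):
    """Map category -> [(needle, explanation)] for every indicator seen in the strings."""
    strings = [s.lower() for s in extract_strings(blob)]
    hits = {}
    for category, needle, why in EVASION_INDICATORS:
        if any(needle in s for s in strings):
            hits.setdefault(category, []).append((needle.decode(), why))
    return hits


def verdict(hits):
    """How much a 'did nothing' sandbox report is worth, given what the sample looks for."""
    if "vm" in hits or "sandbox" in hits:
        return "inconclusive: sample checks for an analysis environment, re-run on bare metal"
    if "debugger" in hits or "timing" in hits:
        return "suspect: sample has anti-analysis checks"
    return "no evasion indicators in strings"


# Constructed test blobs. Filler uses bytes 0x80-0xFF only so it cannot form accidental strings.
_rng = random.Random(7)
_filler = bytes(_rng.randrange(0x80, 0x100) for _ in range(512))
EVASIVE_SAMPLE = (_filler + b"VBoxService.exe\0" + _filler
                  + "SbieDll.dll".encode("utf-16-le") + b"\0\0" + _filler
                  + b"IsDebuggerPresent\0" + _filler)
BENIGN_SAMPLE = _filler + b"Serial: %s\0Thanks for using this keygen!\0" + _filler

if __name__ == "__main__":
    for label, blob in (("evasive", EVASIVE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = scan_for_evasion(blob)
        print(label, "->", verdict(hits), hits)
```

A string scan is cheap and catches only the careless cases: a crypter of the kind pbust shows can hide these names behind hashes or build them at runtime, so the absence of hits lowers suspicion without proving anything. What the check does give an analyst is a reason to distrust a "did nothing" report the moment a VM or sandbox artifact is referenced, and to re-run the sample somewhere the sample cannot tell apart from a victim's machine.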
  12. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    No, I'd say it's the other way around.

    If I were to download 100 keygens right now, I'd probably get 1 virus.

    But of course, it depends on the source it's come from.

    I do agree with the OP - some AVs (Prevx included) seem to detect these purely because they are a keygen, or purely because they are labelled so.

    :thumbd:
     
  13. skokospa

    skokospa Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    177
    Location:
    Srbija
    Based on which facts? See the post before and it will be clearer to you...
     
  14. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Bro,

    I do agree with you. There is a recent example on which I and pbust are working. I downloaded a keygen from Team CORE and it works fine without producing any malicious activity, but many top-notch AVs except a-squared and PrevX detected that keygen as a Trojan.

    When I analyzed that keygen file in various public sandboxes, I found that the keygen does nothing. I even ran that file on my test machine as well as in my VM, but I haven't found anything malicious.
     
  15. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Keygens, hack patches and illegal copy downloads are like unknown snakes. They may be poisonous or harmless. You don't pick them up to find out! :doubt: There are many ways to trick many antiviruses, like multiple compression or encrypted payloads that are decrypted by the downloaded program, or "updates" to stolen or rogueware.

    If you see one, leave it alone or suffer the consequences of either infection or not knowing for sure.

    (Always keep a clean disk image offline. Always)

    SourMilk out
     
  16. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    I can just imagine what would hit the fan if antivirus companies started whitelisting keygens and cracks.
     
  17. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Nobody is asking to whitelist keygens, but we should know each and every detail. If a keygen is not malicious then it should not be flagged as malware. I have seen many keygen files which do nothing, but still they are flagged as malware.
     
  18. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    As said, a lot depends on the way the file is packed. I can make an exe that simply opens a notepad file to say "just for testing", but depending on how I pack it, it may be picked up. This is very common. Please know I also do not condone the use of them; I just know how to work with different types of packers. I have written small software before and I have been through this myself: after people told me my file was flagged, I had to learn how to work with others. That was one thing that drove me nuts with Norton. It flagged things that were in no way malicious, or keygens etc. or anything similar, as hack tools because of the way they are packed.
    Also, as stated, there are now programs like what pbust showed to get around detections as well.
     
  19. Patrician

    Patrician Registered Member

    Joined:
    Jun 3, 2005
    Posts:
    132
    The above statement is completely without foundation.
     
  20. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Yes, but it's also the only engine I've seen that often tells you that it's a clean keygen... something like this: not-a-virus.keygen.*

    Actually I believe Ikarus is the only one who has the courage to do it. Declaring a keygen as clean could sometimes mean asking for legal trouble (in any case this could be discussed forever). It takes a lot of work, since I believe that declaring a keygen clean for a certain piece of software also requires human intervention.

    You are wrong, but actually it's great to be wrong this way. If you don't trust or don't use keygens you are safer.

    ----
    Now about the issue of AVs detecting all keygens as malware.
    My opinion is that behind this there is no conspiracy or fancy theories. It's just plain and good old laziness, lack of resources and efforts to cut budgets. It's great to be able to flag millions of files as malware without actually analyzing them, isn't it? And of course nobody can tell them anything, because then... there is the politically correct anti-piracy crowd that will, without much thought, call you a pirate. For this reason, in this thread AvinashR wrote a phrase in bold in his first post.

    If detecting malware is "science", at least an exact "diagnosis" and eventually a "cure" should be provided. Most antiviruses fail to provide an exact "diagnosis" and a "cure". Generic detections have no "scientific value". They have only practical value for our security, and yes, it's important.

    My opinion is that, above all, AV companies have little to do with science or educating people about security. They are businesses. They like the malware naming chaos... actually this is 100% to their advantage... they love the words generic and packer... they love automatic analysis... they love us getting infected or downloading infected files (you get the paid version that disinfects that, you send infection data to their cloud DB, etc.).

    The important thing for them is that you buy their product or, if you use their free product, contribute to their databases with data.

    I have to admit, though, that AV companies have to survive in really tough conditions. Many products in the market and all tough players to compete with. Many new technologies that you have to follow to stay on top. And all these require investments.

    Their big fortune... the big fat enterprise-corporate-government cow. We (the home users) are their lab animals. Unfortunately we are the only lab animals that pay rent for the lab cage.
     
    Last edited: Feb 24, 2010
  21. kmr1685

    kmr1685 Registered Member

    Joined:
    Aug 22, 2009
    Posts:
    62
    LOL, I really like this line. ;) :) My 2 cents: always use legitimate software, because the software creator and company have to survive these days. :p :doubt: I also have had many issues with a top-notch security suite which let me down by letting my PC get infected :blink: :ouch:, but now I understand :isay: one great moral :'( (i.e.) learn how to live with viruses and the like (instead of relying on what you paid for your protection ;) ).
     
  22. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    I'm glad you liked my phrase. Believe it or not, even though I hold the opinion you have read above, I pay for security software. Sometimes I also use free software, but never cracked. The only exceptions... some test boxes I have, and even there not security products.

    It's an oxymoron, but although I am fully conscious that they treat me like a lab animal, with that consciousness I pay my "rent" regularly.
     
  23. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    I also liked your phrase. It's a very sensible phrase, you can say... I agree that security companies do not analyze many malicious files manually. And the very good example is keygen files.

    I have seen many keygen files flagged as malware, but after thoroughly analyzing them in a sandbox, I found them clean. But when I try to contact AV companies about that, they either don't reply or refuse to agree that a particular 'x' file is not malicious.

    Touch wood, I have never paid anything for my paid security software, but I wonder about those who pay for their security software and still don't get proper, or you can say correct, information about the malware or the malware-infected file.
     
  24. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Paranoia is here to destroy you! :eek:

    TH
     
  25. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Paranoia destroying me? I am not at all paranoid; I guess AV companies are more paranoid than all of us.
     