LeakTests in bases

Discussion in 'NOD32 version 2 Forum' started by Owner, Aug 19, 2007.

Thread Status:
Not open for further replies.
  1. Owner

    Owner Registered Member

    Joined:
    Sep 5, 2006
    Posts:
    24
    Location:
    Moscow
    Eset added leak tests in their base.

    http://www.eset.eu/podpora/aktualizacia-2469?lng=en

    http://www.eset.eu/podpora/aktualizacia-2470?lng=en

    Hm.. why? ;)
     
  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Yes, it is strange. I thought they only liked to add TRULY malicious stuff.
     
  3. PcBorg

    PcBorg Registered Member

    Joined:
    Feb 18, 2007
    Posts:
    28
    That's interesting... maybe it's so ESS seems to pass those tests? Haven't checked the bases by the way... peace
     
  4. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Interesting naming of malware perhaps. But doubt you or the Owner are correct. I absolutely do not believe it's an attempt to cheat.
     
  5. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Nope, common named firewall tests,

    Win32/Leaktest.AWFT, Win32/Leaktest.CopyCat (2), Win32/Leaktest.Ghost (2), Win32/Leaktest.PCAudit (3), Win32/Leaktest.Thermite, Win32/Leaktest.WallBreaker (2), Win32/Leaktest.Yalta
     
  6. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Just a guess, but perhaps it could be a basis for heuristic detections of malware using the same techniques that leak tests are using.
     
  7. ASpace

    ASpace Guest

    They are detected as potentially unwanted programs

    From NOD32 v2's Help file:
     
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Doh, Thanks HiTech, didn't think of that.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    That's right.
     
  10. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    This is what matousec said about that:

    "The sad and funny thing in once is that lots of them mark leak-testing software as viruses or malware. The better engines mark leak-testing software only as potentially unwanted software, which is much better, but still it seems that these products worry about leak-tests. Why? To perform our tests against these products we had to switch antivirus engines of such products off to get real results of their anti-leak protection. Such behaviour can be also marked as cheating on leak-tests."
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Almost sounds like they have quoted from the NOD32 help file :)

    Cheers :)
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    If that's the case, then I'd suggest ESET come up with a better naming convention for them, Avira's SPR/xxx or Kaspersky's not-a-virus:xxx for instance. Simply by looking at the names, there's no way of telling whether NOD32 is trying to mark them as PUPs or malicious trojans, and the suspicion of ESET trying to cheat their way through in leaktests will weigh heavily indeed.
     
  13. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Read Marcos' (post 9) response to my guess.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    PUAs are called applications. Read my post, it's not just detection of the leak tests, it's a generic detection for malware that exploits the same "holes" as the tests do.
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I've already read it. All I'm saying is that for people who haven't, the suspicion will be there, since it's not obvious at all that NOD32 is flagging them as PUAs.
     
  16. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    I have to concur, my initial reaction was WTH, then I thought about it and realized the generic/heuristic detection idea. A different naming scheme might avoid accusations.
     
  17. alant

    alant Registered Member

    Joined:
    Aug 1, 2007
    Posts:
    31
    I recently installed McAfee Security Center and it flagged Demo-leak test that I had previously installed as "potentially unwanted programs" (also got the message: "McAfee attempted to disable the program but some parts could not be removed"). I tried to remove them with McAfee and it said they cannot be completely removed. I thought I'd just uninstall them myself and be done with it. I can't find them in Programs or Add/Remove programs. The exec files are in a download folder I have. Would deleting the files take care of the problem? Or are they really deeply embedded somewhere?

    On another note, FindKeyXP caused the same message. Should I somehow allow McAfee to ignore these?
    Thanks, Alan
     