Why you can not rely....

Discussion in 'other anti-virus software' started by IBK, Aug 10, 2005.

Thread Status:
Not open for further replies.
  1. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    ... only on AV to know if a file is a real malware or not....
    The following file is a false positive. I think maybe some AV had this false positive and some other AVs followed them by adding this file to the signatures without having a deep look at the sample o_O. I am sure it will be fixed soon...
     

    Attached Files:

  2. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    current situation on this famous false positive:
     

    Attached Files:

    • 2.GIF (8.8 KB)
  3. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Based on a quick comparison I can see only KAV and AVG fixed it.
     
  4. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Can you please send me a sample so I can have a look at it?
     
  5. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    @RejZoR: also F-Prot fixed it.
    @Stefan: sure, just sent it again. I think HBEDV and other companies got this file already some months ago. Maybe because it is compressed with Armadillo nobody even checks it deeper.
     
  6. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    Ok and your point is o_O

    It is just silly to expect every AV company to give every sample a deep analysis - especially the time it takes on some single samples! Companies get thousands of samples a week and you want them to examine each one for an hour? Please.

    Let's be realistic here, this thread is nonsense.
     
  7. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    Well, this is not an excuse to add a signature for a CLEAN file without even taking a look at what the file is. It is a shame for those companies IMO.

    Another thing this thread says is that people who rely exclusively on antiviruses to determine if a file is malicious or not, and make tests with such files, should see that this is not a good idea. Even if 10 AVs say it is malware, it can be a false positive copied by other AVs.
     
    Last edited: Aug 21, 2005
  8. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Interesting is how so many have caused a false positive result.

    What are the results on an unpacked example?
     
  9. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    The file is an Armadillo-packed version of "DC++" (p2p filesharing program); absolutely clean file. Armadillo is hard to unpack, so some companies just copied the false positive of the other company without noticing that the file is clean. This file will be included in my future false positive test-set. How it is when the file is unpacked is not of interest in this case.
     
  10. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Your points are valid, IBK. No doubt about it. But let's face it. How many legit programs are packed by Armadillo? Packing a legit program with Armadillo is just plain stupid. :rolleyes:



    tECHNODROME
     
  11. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Then should all AV detect everything packed by Armadillo?:)
     
  12. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    You've made his point. If it's hard to unpack and few legit programs use it then extra attention is warranted by the AV companies.
     
  13. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    My tools are packed with Armadillo (can't remember exactly which version) and few others :p Had only one false positive "incident" long ago...
     
  14. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Thanks for the info.
    I was going to ask if the content was known to be legitimate.
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I found another example:

    "susp.dll" file.

    Antivirus      Version         Update      Result
    AntiVir        6.31.1.0        08.21.2005  TR/Dldr.Agent.DE12
    Avast          4.6.695.0       08.20.2005  Win32:Trojan-gen. {Other}
    AVG            718             08.19.2005  Downloader.Agent.3.BT
    Avira          6.31.1.0        08.21.2005  TR/Dldr.Agent.3069
    BitDefender    7.0             08.22.2005  Trojan.Downloader.Agent.DE
    CAT-QuickHeal  7.03            08.22.2005  TrojanDownloader.Agent
    ClamAV         devel-20050725  08.18.2005  Trojan.Downlader.Small-158
    DrWeb          4.32b           08.22.2005  Trojan.DownLoader.665
    eTrust-Iris    7.1.194.0       08.21.2005  no virus found
    eTrust-Vet     11.9.1.0        08.19.2005  no virus found
    Fortinet       2.41.0.0        08.21.2005  W32/Agent.GC-tr
    F-Prot         3.16c           08.20.2005  security risk named W32/Agent.BZ@dl
    Ikarus         0.2.59.0        08.19.2005  Trojan-Downloader.Win32.Agent.DE
    Kaspersky      4.0.2.24        08.22.2005  no virus found
    McAfee         4563            08.19.2005  potentially unwanted program Generic Downloader
    NOD32v2        1.1198          08.19.2005  no virus found
    Norman         5.70.10         08.18.2005  W32/Agent.OA
    Panda          8.02.00         08.21.2005  Trj/Downloader.ADU
    Sophos         3.96.0          08.22.2005  Troj/Agent-GC
    Sybari         7.5.1314        08.22.2005  Trojan.DL.Agent.EV
    Symantec       8.0             08.21.2005  no virus found
    TheHacker      5.8.2.092       08.22.2005  Trojan/Downloader.Agent.de
    VBA32          3.10.4          08.22.2005  TrojanDownloader.Win32.Agent.DE
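
Added example, not part of Marcos's post or the thread: a small parser that tallies the report above into named detections, hedged or generic labels, and clean results, and lists rows that share an engine version and update date. The `HEDGED` keywords and the reading of a shared version and date as one engine listed twice are assumptions of this example; the tally is a triage summary, not a verdict on the file.

```python
import re
from collections import Counter, defaultdict
# Rows copied verbatim from the scan report in the post above.
REPORT = """\
AntiVir 6.31.1.0 08.21.2005 TR/Dldr.Agent.DE12
Avast 4.6.695.0 08.20.2005 Win32:Trojan-gen. {Other}
AVG 718 08.19.2005 Downloader.Agent.3.BT
Avira 6.31.1.0 08.21.2005 TR/Dldr.Agent.3069
BitDefender 7.0 08.22.2005 Trojan.Downloader.Agent.DE
CAT-QuickHeal 7.03 08.22.2005 TrojanDownloader.Agent
ClamAV devel-20050725 08.18.2005 Trojan.Downlader.Small-158
DrWeb 4.32b 08.22.2005 Trojan.DownLoader.665
eTrust-Iris 7.1.194.0 08.21.2005 no virus found
eTrust-Vet 11.9.1.0 08.19.2005 no virus found
Fortinet 2.41.0.0 08.21.2005 W32/Agent.GC-tr
F-Prot 3.16c 08.20.2005 security risk named W32/Agent.BZ@dl
Ikarus 0.2.59.0 08.19.2005 Trojan-Downloader.Win32.Agent.DE
Kaspersky 4.0.2.24 08.22.2005 no virus found
McAfee 4563 08.19.2005 potentially unwanted program Generic Downloader
NOD32v2 1.1198 08.19.2005 no virus found
Norman 5.70.10 08.18.2005 W32/Agent.OA
Panda 8.02.00 08.21.2005 Trj/Downloader.ADU
Sophos 3.96.0 08.22.2005 Troj/Agent-GC
Sybari 7.5.1314 08.22.2005 Trojan.DL.Agent.EV
Symantec 8.0 08.21.2005 no virus found
TheHacker 5.8.2.092 08.22.2005 Trojan/Downloader.Agent.de
VBA32 3.10.4 08.22.2005 TrojanDownloader.Win32.Agent.DE"""
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
# Assumed markers of a hedged or generic label rather than a named family.
HEDGED = ("potentially unwanted", "security risk", "generic", "-gen")

def parse(report):
    return [m.groups() for m in map(ROW.match, report.splitlines()) if m]

def classify(result):
    low = result.lower()
    if low == "no virus found":
        return "clean"
    return "hedged" if any(h in low for h in HEDGED) else "named"

def summarize(rows):
    verdicts = Counter(classify(result) for *_, result in rows)
    engines = defaultdict(list)
    for product, version, update, _ in rows:
        engines[(version, update)].append(product)
    # Assumption: same version and update date means one engine listed twice.
    return verdicts, [names for names in engines.values() if len(names) > 1]

print(summarize(parse(REPORT)))
```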
     
  16. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    Another thing that I want to say is that AV companies often say that e.g. KAV is adding a lot of trash and that they are not like e.g. KAV, but that they analyze and add only real malware. Seems like maybe e.g. KAV (or some other scanner) had a false positive on this file, and the other AVs simply added a signature for this file automatically just because another scanner found something in it and they did not want to take the time to look at what the file is.

    @Marcos: yeah, there are lots of such examples :(
     
  17. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York

    Maybe. The thing is why would you pack something with Armadillo? Wouldn't you at least be curious? Or... Would you install an application which was packed by Armadillo on your computer?



    tECHNODROME
     
  18. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Just because something is difficult to unpack does not make it malware. Criteria for installation of an app are based mostly on the source of the package, not how the author chose to pack it.
     
  19. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    My comment has nothing to do with unpacking methods. Lots of malicious installers that I came across were packed by Armadillo. Maybe this is how AV companies think. Or maybe they just follow KAV or any AV to add detection for a suspicious file without further analyzing, as IBK pointed out.
    Many VXs are in fact using Armadillo to avoid detection by the virus scanners. For example, UPX is another commonly used packer among VXs (at least it used to be). But many legit programs are using UPX as well nowadays. Plus many AVs are able to support unpacking of UPX.

    Another fact is that many less known programmers (mostly never heard of) are using Armadillo to pack whatever. Can you trust them? Maybe if you analyze the code yourself. But how many people will do the same? I am sure as hell I’d like to know if something is packed by Armadillo or any other exotic packer before I even download it.


    tD
     
    Last edited: Aug 22, 2005
  20. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Sorry, but this way of thinking just leads to the asinine. Whether it's realistic or not... yes, I do, in fact, expect the vast majority of for-profit, commercial companies advertising AV expertise to review each and every submission and to properly categorize each. Call me old fashioned, but that's precisely what I believe most people are paying them for... not for flashy graphics and a nice UI. If they are getting thousands of samples, then they better have adequate staffing and a good set of automated screening and analysis utilities as a first step. If they aren't analyzing files, and they are just adding them because a few others like KAV have them listed, then in my mind they aren't following ethical business practices and are little better than snake-oil salesmen.
     
  21. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    You just described much of the AV industry my friend (at least in my experience). Anyone relying on an AV as a main line of defense is relying on a false sense of security. I rely on my firewall and Safe'N'Sec far more than I would an AV alone. But I feel a good, light, and reasonably effective AV is a nice complement to an already extremely effective security process.

    *LIGHT* being the key here, thus Dr.Web and VBA32 are my only real viable choices for extremely light protections. My point however is AV should only be a small part of a reasonable protection portfolio (I'm not talking this insanity with 400 applications installed). But insinuating an AV is better than another because of *TWO* examples of a false positive is just plain dumb.. No AV is perfect, I constantly see false positives for *ALL* AVs, including KAV and NOD32. Nothing to see here, move along. :p
     
  22. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
  23. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    And to me. To have them on a network of 200-300 PC's is a real headache, not to mention the panic of the user base. :rolleyes:
     
  24. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Armadillo is an application sold by Silicon Realms and is mainly used for protecting software against piracy/counterfeiting. Recent versions are very hard to unpack, and I'm not sure that software packed using Armadillo would run in VMWare or VirtualPC. But there are not that many viruses or installers that use Armadillo. You'll find many more that use UPX, ASPack, Petite, FSG...

    There is no point rejecting a-priori programs that are packed with Armadillo. By the way, one of the security specialists that lead Armadillo development is also an expert in the area of malware analysis.

    What is this: "less known programmers"? Do you know "famous programmers"? Most of the applications you are using (including your browser, most of your operating system, etc.) have been programmed by obscure programmers you'll probably never hear anything about.

    Would you be able to reliably analyze the code if the executable were not packed at all, anyway?
     
  25. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Hm, but look from a programmer's standpoint. You worked hard on some program and you protect it with Armadillo just because you don't want someone else to reverse-engineer your program and steal your hard work? Sounds perfectly logical to me.

    And there should be some strict standard regarding packers and so-called "heuristic" detections by famous McAfee and QuickHeal + a few others.
    A few days ago the iONiX team released eMule iONiX mod, a modified version of the eMule P2P client. They packed it with UPack (LZMA algorithm) to decrease size by compressing the main executable (packed was a bit over 3 MB while unpacked was over 5 MB). And guess what, McAfee flagged it as New Malware.[something], Fortinet also alarmed etc. and it's a perfectly clean open-source program. It's kinda dumb if you ask me.

    I think there should be some rules regarding detection of suspicious packers.
    Using "Heuristic: Suspicious packer" instead of "Heuristic: New Malware.n" would be a much better choice. But in the end I prefer true heuristics, although McAfee once detected something that a few others missed and it was really malware.
    But anyway, naming should be more clear.
     