Tue 02 Dec 2008


Edited by Paul Hales

Published by Incisive Media Investments Ltd.


"Tested Virus Free" seals mean nothing as AVG, Avast ring alarms

Author says "just make my app not scanned"

WEB-BASED SEALS of assurance that downloadable software has been "tested virus-free" are worth very little, it seems, or else anti-virus programs are getting too paranoid thanks to heuristics.

As an example, a nice AMD CPU information and tweaking utility is flagged as Trojan-infected by two anti-virus programs despite Softpedia's "100% Virus Free" claim.

The program in question is "AMD64 CPU Assistant", version 0.9.1.335. It is a nice utility that shows you everything you might possibly want to know about the AMD CPU in your system, including monitoring the CPU temperature from your Windows Systray. It is authored by Alexey Voronin from Belarus, a former USSR member republic.

Just last week, a quick Google web search for the software name landed us on the author's web page, where we downloaded the installer, which is about 600K in size and has the MD5 sum "d36a5c40b5116090c765bfd7e673cbe5".

We had the software running at the INQ's LatAm HQ until this morning, when AVG kicked in, downloaded the daily anti-virus signatures and surprised us by quarantining the whole application and showing us the scary Trojan infection warning.

Thinking that perhaps we had got a copy from an unofficial site, or from a site posing as the author's web site, we decided to try other mirrors also hosting the program, for instance Softpedia. So we downloaded the 598K file from that site, which displays a nice "virus free" seal of approval saying: "Softpedia guarantees that AMD64 CPU Assistant 0.9.1.335 is 100% CLEAN, which means it does not contain any form of malware, including but not limited to: spyware, viruses, Trojans and backdoors. This software product was tested thoroughly and was found absolutely clean, therefore it can be installed with no concern by any computer user."

Quite reassuring terms, but we once again got the infected-file warning from AVG after installing it.

The program's author is aware that Avast! anti-virus wrongly identifies his program as infected with "Win32:Trojan-gen", and only offers adding the program name to the list of "exclusions" as a solution, as can be seen here.

This is not a wise fix, as it would leave systems open to future infections, basically giving any program titled AMDCpuAssistant.exe carte blanche to carry any Trojans in the future, undetected. In our case, the v7.5 Free edition of AVG Anti-virus started showing the program as Trojan-infected today, after receiving the virus signature files 270.6.3/1610 dated yesterday, and it identifies the file apparently through heuristics, labelling it a "SHeur.BWMO" Trojan, a different name from the one Avast uses.
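Two of the checks in this story are worth seeing as code: comparing the author's download against a mirror's copy (the article does this by hand with an MD5 sum), and the difference between excluding a scanner by file name, as the author suggests, and trusting a specific binary by its content hash. The following is an added example, not code from the article, from AVG, Avast or the program's author; the three "downloads" are constructed byte strings standing in for the real installer, and the hash values it computes are therefore not the article's MD5.

```python
import hashlib
import ntpath

# Constructed stand-ins for three downloads. AUTHOR_COPY and MIRROR_COPY are
# byte-for-byte identical (same installer served by two hosts); IMPOSTOR is a
# different binary that merely reuses the program's file name. None of these
# are the real AMD64 CPU Assistant installer.
AUTHOR_COPY = b"MZ\x90\x00" + b"AMD64 CPU Assistant 0.9.1.335 (constructed)" + bytes(range(256))
MIRROR_COPY = bytes(AUTHOR_COPY)
IMPOSTOR = b"MZ\x90\x00" + b"something else entirely (constructed)" + bytes(range(255, -1, -1))


def digests(data: bytes) -> dict:
    """MD5 (what the article quotes) and SHA-256 (what is worth comparing today)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def same_file(a: bytes, b: bytes) -> bool:
    """Two downloads are the same artefact iff their SHA-256 digests match.
    A match only proves both hosts serve identical bytes; it says nothing about
    whether those bytes are clean, which is exactly the article's situation."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


# --- exclusion by name (the author's advice) versus an allow-list by hash ---

EXCLUDED_NAMES = {"AMDCpuAssistant.exe"}


def excluded_by_name(path: str) -> bool:
    """Filename exclusion: anything called AMDCpuAssistant.exe is skipped,
    whatever its contents. ntpath handles the Windows path on any host."""
    return ntpath.basename(path) in EXCLUDED_NAMES


# Allow-list keyed on content. Computed here from the constructed sample; in
# practice it would be the digest of the one copy you actually vetted.
ALLOWED_SHA256 = {hashlib.sha256(AUTHOR_COPY).hexdigest()}


def allowed_by_hash(data: bytes) -> bool:
    """Content allow-list: only the exact vetted bytes are trusted; a different
    binary with the same name is still scanned."""
    return hashlib.sha256(data).hexdigest() in ALLOWED_SHA256


def should_skip_scan(path: str, data: bytes, policy: str) -> bool:
    """Would a scanner skip this file under the given policy ('name' or 'hash')?"""
    if policy == "name":
        return excluded_by_name(path)
    if policy == "hash":
        return allowed_by_hash(data)
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    path = r"C:\Program Files\AMDCpuAssistant.exe"
    print("author vs mirror identical:", same_file(AUTHOR_COPY, MIRROR_COPY))
    print("author vs impostor identical:", same_file(AUTHOR_COPY, IMPOSTOR))
    for label, data in (("vetted copy", AUTHOR_COPY), ("impostor", IMPOSTOR)):
        for policy in ("name", "hash"):
            print(f"{label:12s} skipped under {policy} policy:", should_skip_scan(path, data, policy))
```

Under the name policy the impostor is skipped just like the vetted copy, which is the "carte blanche" the article warns about; under the hash policy only the vetted bytes are skipped, and the impostor still gets scanned.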

This CPU utility from Belarus for Windows is freeware, not open source, and the author discourages very strongly any attempts to find how the software works: "No Reverse Engineering. Customer may not reverse engineer, decompile, or disassemble the SOFTWARE, nor attempt in any other manner to obtain the source code."

Which is a pity, because the software works quite well for what it does, that is, if we believe his word that it contains no Trojan. However, the "allegedly false" identification as a Trojan, coupled with the author's strong words against reverse engineering, could make some people very, very suspicious, including us for that matter.

There are two solutions to this kind of imbroglio, both for Mr. Voronin and for any other freeware authors in a similar dilemma, and telling users to put the software on the anti-virus exclusion list is not one of them.

The first solution: the author(s) should contact the anti-virus firms Avast and AVG and report a false positive, proving to them that the software does not contain any Trojan.

The second solution is to release the program's source code under a Free Software licence such as the GPL, reassuring everyone who wants to look that the code is safe. The author could still make money from it commercially by following the Red Hat business model, licensing it with support to any commercial entity that demands support, fixes or custom features.

Finally, this is an example of why those "virus free" seals of assurance at download sites like Softpedia should be taken with a very large bag of salt, as they carry about the same weight as those semi-official, "almost-presidential" seals used by some presidential candidates. Here we have a program which triggers an infection warning in not one but two major anti-virus programs, Avast and AVG, and it is still shown at the time of writing as perfectly safe and virus-free software. Perhaps Softpedia trusts all anti-virus programs but AVG and Avast?

Let us be clear: we have very little doubt that this could be yet another case of a false positive rather than a Trojan-infected application; the AVG Forum is full of such "false positive" reports, and we're sure the program author can contact the anti-virus firms and they'll be able to remove the program from their detections if it was indeed a false positive. Yet, in the meantime, caveat emptor.

Ironically, to find the earlier version that doesn't trigger any anti-virus positives you have to get it from a web site in Poland.

Just when we thought it was a good day to recover from our despair

L'INQs

More AVG antivirus false positive issues

Comments

then..

upload it to http://cwsandbox.org and watch what happens when the file is run there. It's a really nice site, can't recommend it enough.
posted by : lansalot, 14 August 2008

Ehh?

You don't actually know if it's a virus or not, so you throw mud at both parties.

Maybe you'd have a meaningful article if you could prove it does contain a virus, because a false positive on a little-known app isn't newsworthy; you even say as much in the article.
posted by : matt, 14 August 2008

No disassembly

I write code. I don't want users to steal that code.

That doesn't mean I want to distribute malware, it just means I'm not a sandal-wearing GNU hippy.
posted by : Matt Whitfield, 14 August 2008

Those antivirus suck

Avira antivirus is the best heuristics scanner of ALL antivirus. It does not miss, it does not produce false positives.

http://www.av-comparatives.org/
posted by : Agent, 14 August 2008

Third option

Third option is to let a trusted, independent and competent outsider read and check the source. Of course that excludes any journalists.
posted by : iz, 14 August 2008

Well ditch AVG then?

Did the site claim it had tested with AVG?

Probably not.

There are at least a dozen AV suites out there and Softpedia would have to test all their offered software with _all_ of these at least once weekly to ensure the software on offer is still truly virus, etc free.

But they don't do this.

So if anyone is dumb enough to believe these types of sites offering 'labels of verification', then more fool them. :-)

Gives us IT bods more money to repair the damage ordinary users cause themselves. :-)


posted by : Stuart Halliday, 14 August 2008

AV: we're dooomed!

> Web-based seals of assurance about downloadable software being "tested virus-free" are worth very little, it seems, or anti-virus programs are getting too paranoid thanks to heuristics.

Or, indeed, both.

The sheer mass of constantly-updated malware out there has killed signature-based virus scanning and made heuristic-based scanning much more difficult. AV vendors have responded by making the heuristics woolier and more sensitive, with the result that legit software (and pretty much anything using an EXE packer) is triggering false positives left, right and centre.

As users start to get more false positives than actual viruses, and new malware used in web exploits continues to go undetected, today's AV becomes effectively useless, and far more trouble than it's worth. The only hope for the future is behaviour-based detection and blocking, and that's something that's not easy to bolt onto Windows, as the currently available examples demonstrate.

Meanwhile, 'virus tested' downloads - if the sites concerned even bother to retest them continuously against new definitions - are only tested against the same AV engines as are already failing on the desktop, so they offer little to no reassurance.
posted by : bobince, 14 August 2008

It's Clean

http://www.virustotal.com/analisis/4a0e0a945b8cd7fd3b5175512d0d6a93

According to this, which also uses the latest updates from 30+ different AV companies, it's completely clean.

So Virus Free does still mean something, what a waste of time.
posted by : R, 14 August 2008
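The multi-engine report linked above reads differently depending on how many engines flag a file and what kind of name they give it: the two detections in the article ("SHeur.BWMO" and "Win32:Trojan-gen") are heuristic/generic names, which carry less weight than a specific family name. Below is an added example of a small triage function for such a report; it is not VirusTotal's code or output. The engine list and the verdicts in both samples are constructed, the marker words used to recognise generic names and the 25% threshold are this example's own assumptions, and only the two detection names come from the article.

```python
import re

# Marker words that commonly appear in heuristic or generic verdicts rather than
# in matches against a specific, named family. Assumed from typical vendor naming
# conventions; not taken from any vendor's documentation.
GENERIC_MARKERS = re.compile(r"(gen\b|generic|heur|suspicious|unknown)", re.IGNORECASE)

# Assumed threshold: if at least this fraction of engines flag a file, treat it
# as malicious even when every name is generic.
MALICIOUS_RATIO = 0.25


def is_generic(label: str) -> bool:
    """True for names like 'Win32:Trojan-gen' or 'SHeur.BWMO' (matched by 'gen'
    at a word boundary and 'heur' inside 'SHeur'); False for 'Trojan.Agent.ABC'."""
    return bool(GENERIC_MARKERS.search(label))


def triage(results: dict) -> dict:
    """results maps engine name -> detection label, or None when that engine
    reports the file clean. Returns counts plus a suggested next step."""
    detections = {eng: lbl for eng, lbl in results.items() if lbl}
    generic = {eng: lbl for eng, lbl in detections.items() if is_generic(lbl)}
    specific = {eng: lbl for eng, lbl in detections.items() if not is_generic(lbl)}
    total = len(results)
    ratio = len(detections) / total if total else 0.0

    if not detections:
        verdict = "clean by all engines (no claim about malware none of them know)"
    elif specific or ratio >= MALICIOUS_RATIO:
        verdict = "treat as malicious until proven otherwise"
    else:
        verdict = "likely false positive; report to the flagging vendors"

    return {
        "engines": total,
        "detections": len(detections),
        "generic": len(generic),
        "specific": len(specific),
        "ratio": round(ratio, 3),
        "verdict": verdict,
    }


# Constructed 30-engine reports. In the first, only AVG and Avast flag the file,
# with the two generic names quoted in the article; in the second, twelve
# engines agree on a (made-up) specific family name.
ENGINES = ["AVG", "Avast", "Avira"] + [f"Engine{i:02d}" for i in range(27)]

SAMPLE_FALSE_POSITIVE = {eng: None for eng in ENGINES}
SAMPLE_FALSE_POSITIVE["AVG"] = "SHeur.BWMO"
SAMPLE_FALSE_POSITIVE["Avast"] = "Win32:Trojan-gen"

SAMPLE_REAL_HIT = {eng: None for eng in ENGINES}
for eng in ENGINES[:12]:
    SAMPLE_REAL_HIT[eng] = "Trojan.Agent.ABC"  # constructed family name

if __name__ == "__main__":
    for name, report in (("article case", SAMPLE_FALSE_POSITIVE), ("real hit", SAMPLE_REAL_HIT)):
        print(name, triage(report))
```

The point of separating generic from specific names is the one the article makes in prose: two heuristic hits out of thirty is a signal to contact the vendors, not proof of infection, whereas even a single engine naming a specific family deserves to be taken at face value until it is disproved.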

AVG sucks

AVG is one of the worst AVs you can get. Avira AntiVir has a free version and is MUCH better as the poster above said, and linked to av-comparatives which proves it. Fewer false positives, higher detection rates and faster scanning.
posted by : dansolo, 14 August 2008

All Delphi binaries are viri!

Twice now I've been through the less-than-pleasant experience of having my corporate virus scanner identify all software written with Delphi as malware.

Clearly some twit has extracted a common section of code (eg, from system.pas) from the Delphi libraries and used that as a signature.

Very irritating for a Delphi developer!
posted by : Dr Mat, 15 August 2008
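The mechanism Dr Mat describes above, and the "woolier" heuristics bobince complains of earlier in the thread, come down to the same thing: a pattern lifted from bytes that every binary built with the same compiler shares will match every one of those binaries. The following added example, which is not code from any anti-virus product or from the commenters, shows a toy byte-signature scanner, a lazy signature taken from the shared runtime region of a sample, a specific one taken from the sample's own code, and the cheap check a vendor could run before shipping a signature. The three "executables" are constructed byte strings, and the signature names are made up.

```python
# Constructed stand-ins for three executables. DELPHI_RTL is the startup code
# every program built with the same compiler shares (think of the initialisation
# routines from system.pas); each program then carries its own code after it.
DELPHI_RTL = b"\x55\x8b\xec\x83\xc4\xf0\xb8" + b"SysInit.InitExe(constructed)" + b"\xe8\x00\x00\x00\x00"
BENIGN_APP = DELPHI_RTL + b"CPU temperature monitor logic (constructed)"
OTHER_APP = DELPHI_RTL + b"text editor logic (constructed)"
MALWARE = DELPHI_RTL + b"EVIL_PAYLOAD_MARKER (constructed)" + b"\xcc" * 8

KNOWN_CLEAN = [BENIGN_APP, OTHER_APP]


def scan(sample: bytes, signatures: dict) -> list:
    """Return the names of every signature whose byte pattern occurs in the sample."""
    return [name for name, pattern in signatures.items() if pattern in sample]


# A lazy signature: twenty bytes lifted from the malware sample, but from its
# shared RTL region. It does match the malware, yet it is not specific to it.
LAZY_SIGS = {"Win32.Generic.FromRTL": MALWARE[4:24]}

# A specific signature: bytes from the part of the malware that the compiler
# did not put into every other binary.
SPECIFIC_SIGS = {"Win32.Sample.Payload": b"EVIL_PAYLOAD_MARKER"}


def false_positive_rate(signatures: dict, clean_corpus: list) -> float:
    """Fraction of known-clean samples that the signature set flags."""
    hits = sum(1 for sample in clean_corpus if scan(sample, signatures))
    return hits / len(clean_corpus)


def signature_is_specific(pattern: bytes, clean_corpus: list) -> bool:
    """Quality gate before shipping a signature: the candidate pattern must not
    occur in any sample of a known-clean corpus, which is exactly what a
    pattern taken from a shared runtime fails."""
    return not any(pattern in sample for sample in clean_corpus)


if __name__ == "__main__":
    for label, sigs in (("lazy", LAZY_SIGS), ("specific", SPECIFIC_SIGS)):
        print(f"{label:8s} matches malware:", scan(MALWARE, sigs))
        print(f"{label:8s} false-positive rate on clean corpus:", false_positive_rate(sigs, KNOWN_CLEAN))
    for name, pattern in {**LAZY_SIGS, **SPECIFIC_SIGS}.items():
        print(name, "passes specificity gate:", signature_is_specific(pattern, KNOWN_CLEAN))
```

Both signatures catch the malware; only the lazy one also flags every clean Delphi-style binary, and the corpus check rejects it before it ever reaches a customer's scanner.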

....

"Avira antivirus is the best heuristics scanner of ALL antivirus. It does not miss, it does not produce false positives. " -agent 14

believe what you want....but don't bs & spam at the same time.

http://en.wikipedia.org/wiki/Avira#Reviews :
"In the end of January 2008 Avira AntiVir was rated 6.5 out of 8 in tests for detection and removal of rootkits and 71% for proactive virus detection by Anti-Malware Test Lab; both scores qualified for "gold" status, the highest award.[2] However, it also received "poor results", the lowest grade, for infection treatment[3] and it failed the self-protection test.[4] Avira received an "Advanced+" for both the February 2008 on-demand test and May 2008 retrospective test from AV-Comparatives."
posted by : -blank-, 15 August 2008

What the...

Wait, you were

"... running at the INQ's LatAm HQ until this morning AVG kicked in..."

And

"In our case, the v7.5 Free edition of AVG Anti-virus"

You are using the "free for non-commercial use" AVG at a business? And you admit it?
posted by : Damage, 15 August 2008

Talk Is Cheap

Considering the length of this article and its lack of a conclusion (the author still has no idea if the software example is illegitimate or legitimate) I can only conclude that the author spent way too much time on way too many words.

Why didn't you just stick with the title and be done with it? Obviously it is because there are so many dumb asses out there who take words (verbal or written) to be truth. Unfortunately for them, they will continue to see labels like "this is safe - download it now!" and continue to be fooled. Fortunately for me, I am there to be paid $40 per hour when their pc acts up.

Here's a thought: the software was tested ONCE by Softpedia (prove otherwise). Here's another: the software was tested NEVER by Softpedia (prove otherwise). How about: the software is verified to contain a trojan. And finally: the software is verified to be legitimate. Obviously you'll never know, by your own admission, thus this article has no more value than the typical common sense with which people USED to be born.

Go ahead and tell all of us again how we shouldn't take for granted that written words tell the truth. You might want to remind your readers to not talk to strangers or look both ways before crossing the street while you're at it.

Like I said, it would have been easier for you to have just stuck with the title and move on to the next blockbuster story you no doubt will enlighten us with.



posted by : Alienation, 15 August 2008

Broken

The antivirus model that we have right now is completely broken. It's no real obstacle to malware, but sucks up massive amounts of CPU resources to falsely identify legitimate programs.
posted by : Tridus, 15 August 2008

... yes and no

Code can come together and look like a virus; that doesn't mean it's a virus. It looks at the binary code, and if any of the code looks similar to a virus, it will flag it.
posted by : Rob, 15 August 2008

False Positives

Many anti-virus and anti-spyware programs often give you false-positive readings on utilities and programs that let you hack things or dig into system information. The anti-programs are being overly strong in this area so the user is safe rather than sorry.

Be aware of this and know what and where you download from.

I use AVG Free 8 and it lists potential threats, which include totally safe things in the realm of what I've mentioned above.

Usually someone who is going to use hacks and special utilities to dig into info, etc, is going to know if the utility is safe or not.

So, this is all a non-issue. If you don't know better, don't use it.
posted by : Thor, 15 August 2008

He's right

Ultimately, Fernando is right. The closed-source software model is terminally broken: licence agreements that don't make sense, and increasing questions about trustworthiness--both illustrated in the example in this article--mean that you can no longer have confidence that the software will do what you expect it to do, and not do something you don't want.

Free/Open Source is the only solution left. Deal with it.
posted by : Lawrence D'Oliveiro, 16 August 2008