Current AVG False Positives

Messages like "You have a Virus in your software" arrive in my Inbox on a daily basis, and a lot of them come from AVG Antivirus. So I decided to check the current status of AVG false positives by scanning the utilities folder of my site.
First, I copied the utils folder of my site to a new location (I don't really want AVG touching my original site folder...), and then I let AVG Antivirus scan the folder.
After AVG finished the scan, it split the results into 2 categories: Infections and Spyware.
Most of the alerts on my utilities folder appeared under the 'Spyware' section.
I really would like to understand what was going on in the minds of the AVG guys when they decided to detect my software as Spyware.

Anyway, I used my own SysExporter utility to grab the scan result from AVG and display it as HTML. Luckily, SysExporter is not detected as an infection by AVG; otherwise, AVG wouldn't have allowed me to run it.
So here's the AVG "False Positive" list, the Spyware section:

C:\Utils\asterie.zip Potentially harmful program HackTool.DOI
C:\Utils\asterie.zip:\asterie.exe Potentially harmful program HackTool.DOI
C:\Utils\netpass.zip Potentially harmful program HackTool.FAJ
C:\Utils\netpass.zip:\netpass.exe Potentially harmful program HackTool.FAJ
C:\Utils\netpass_setup.exe Potentially harmful program HackTool.FAJ
C:\Utils\netpass_setup.exe:\netpass.exe Potentially harmful program HackTool.FAJ
C:\Utils\netpass_setup.exe:\ziz1384.tmp:\netpass.exe Potentially harmful program HackTool.FAJ
C:\Utils\pspv.zip Potentially harmful program HackTool.CBX
C:\Utils\pspv.zip:\pspv.exe Potentially harmful program HackTool.CBX
C:\Utils\sniffpass.zip Potentially harmful program HackTool.FMT
C:\Utils\sniffpass.zip:\SniffPass.exe Potentially harmful program HackTool.FMT
C:\Utils\sniffpass_setup.exe Potentially harmful program HackTool.FMT
C:\Utils\sniffpass_setup.exe:\SniffPass.exe Potentially harmful program HackTool.FMT
C:\Utils\sniffpass_setup.exe:\ziz1384.tmp:\SniffPass.exe Potentially harmful program HackTool.FMT
C:\Utils\vncpassview.zip Potentially harmful program HackTool.EEI
C:\Utils\vncpassview.zip:\VNCPassView.exe Potentially harmful program HackTool.EEI

And this one is the Infections section:

C:\Utils\lsasecretsdump.zip Trojan horse Generic10.SZR
C:\Utils\lsasecretsdump.zip:\LSASecretsDump.exe Trojan horse Generic10.SZR

And finally, here's another issue with AVG and other Antivirus software:
When you exit the Antivirus application, it no longer displays any Virus/Trojan/Spyware warnings, but the Antivirus service is still running in the background and prevents you from running any file that is detected as infected.
This means that if you try to run one of my tools that are detected as Spyware/Virus while the AVG application is not running, you'll get the following error message:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item".

Most people who get this kind of error think that there is a bug in my software, and don't know that the Antivirus is the one causing the problem.
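The symptom described above is hard to tell apart from a genuine permissions problem, because Explorer shows the same generic text in both cases. The PowerShell function below is an added example, not part of the original post or of any NirSoft tool: it tries to launch an executable without going through the shell, captures the Win32 error code behind the failure, and reports whether that code is the generic access-denied value or one of the dedicated codes Windows returns when a scanner refuses a file (ERROR_VIRUS_INFECTED, 225, and ERROR_VIRUS_DELETED, 226). It also lists the ACL entries that grant Execute, so a real permission problem can be ruled in or out. The function name, the result fields and the sample path are my own choices.

```powershell
# Added example: classify why an executable failed to start.
# Win32 error codes used here are the ones defined in winerror.h:
#   5   ERROR_ACCESS_DENIED   - generic; either the NTFS ACL or a resident scanner
#   225 ERROR_VIRUS_INFECTED  - the file was refused as infected
#   226 ERROR_VIRUS_DELETED   - the file was removed by the scanner during the open
function Test-ExecutableLaunch {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Result = 'Missing'; Win32Code = $null
            Detail = 'File does not exist (quarantined or deleted by a scanner?)'
        }
    }

    try {
        # UseShellExecute = $false goes straight to CreateProcess, so the
        # error code we get back is the one the kernel/filter driver returned.
        $psi = New-Object System.Diagnostics.ProcessStartInfo
        $psi.FileName = $Path
        $psi.UseShellExecute = $false
        $proc = [System.Diagnostics.Process]::Start($psi)
        # It started: we only wanted to know that, so stop it again.
        if ($proc -and -not $proc.HasExited) { $proc.Kill() }
        return [pscustomobject]@{
            Path = $Path; Result = 'Started'; Win32Code = 0
            Detail = 'Process started normally'
        }
    }
    catch {
        # Process.Start wraps the Win32Exception; walk down to it.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        $code = if ($inner -is [System.ComponentModel.Win32Exception]) { $inner.NativeErrorCode } else { $null }

        $detail = switch ($code) {
            5       { 'ERROR_ACCESS_DENIED: if the ACL below grants Execute, a resident scanner is the likely blocker' }
            225     { 'ERROR_VIRUS_INFECTED: a scanner explicitly refused the file as infected' }
            226     { 'ERROR_VIRUS_DELETED: a scanner removed the file while it was being opened' }
            default { "Unclassified error: $($inner.Message)" }
        }

        # Which identities are allowed (or denied) to execute this file.
        $execAcl = (Get-Acl -LiteralPath $Path).Access |
            Where-Object { $_.FileSystemRights -match 'Execute|FullControl' } |
            ForEach-Object { "$($_.IdentityReference)=$($_.AccessControlType)" }

        return [pscustomobject]@{
            Path = $Path; Result = 'Blocked'; Win32Code = $code
            Detail = $detail; ExecuteACL = ($execAcl -join '; ')
        }
    }
}

# Usage (the path is a placeholder for whichever tool refuses to start):
Test-ExecutableLaunch -Path 'C:\Utils\netpass.exe' | Format-List
```

If the result is `Blocked` with code 5 and the ACL shows an Allow entry for your account, the file system is not what is stopping you; a scanner service that is still resident, as described above, is the next thing to check.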

9 Responses to “Current AVG False Positives”

  1. domestic empire Says:

    Avast anti virus (the Home version is free) makes far fewer false positives in my view. Never troubles me over legitimate software such as yours.

    But I really came to say a big THANK YOU Nir for OperaCacheView. I wrote asking if such a utility was possible but never expected to see it so soon. Perhaps it was already in the planning?

    I've blogged about it on my Opera blog here, and I shall do likewise at the Opera community forums, if I've not already been beaten to it.

    Many thanks (";)

  2. Irreligious Says:

    I can tell you what is going on in the minds of the AVG guys when they add your software as "spyware". They're thinking some of the utilities can be used to reveal passwords or cache items, and so on... Hence they are forensic tools and should be detected.

    Other utilities such as NirCmd are detected because it can be used to kill processes. Maybe it would help to imagine the case where a parent wanted to help prevent their child from using a utility to kill security or parental-control processes.

    Most AV software I've used detects some of your software in this general manner, including the one I'm using now, Avira AntiVir Premium.

  3. r2mahara Says:

    I just tried to use NirCmd at work and got a Sophos alert that it was adware 🙁

  4. xylog Says:

    Symantec Endpoint Protection 11 detects some of your utils as threats:

    Date and Time,Risk,Action,Filename,Risk Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description
    11/19/2008 7:07:07 AM,Trojan Horse,Quarantined,LSASecretsDump.exe,File,C:\Program Files\NirSoft\,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.
    11/19/2008 6:54:50 AM,ProduKey,Access Denied,ProduKey.exe,Other,C:\Program Files\NirSoft\,Infected,C:\Program Files\NirSoft\,Quarantine,Leave alone (log only),Auto-Protect scan,
    11/19/2008 6:54:48 AM,DialupPwd,Access Denied,dialupass2.exe,Other,C:\Program Files\NirSoft\,Infected,C:\Program Files\NirSoft\,Quarantine,Leave alone (log only),Auto-Protect scan,
    11/19/2008 6:54:47 AM,Hacktool,Cleaned by deletion,rdpv.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.
    11/19/2008 6:54:46 AM,Trojan Horse,Quarantined,LSASecretsDump.exe,File,C:\Program Files\NirSoft\,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.
    11/19/2008 6:54:46 AM,Hacktool,Cleaned by deletion,HeapMemView.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.
    11/19/2008 6:54:45 AM,Hacktool,Cleaned by deletion,asterwin.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.
    11/19/2008 6:54:45 AM,W32.IRCBot.Gen,Cleaned by deletion,pspv.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.
    11/19/2008 6:54:43 AM,Hacktool.PassReminder,Access Denied,mspass.exe,Hack Tools,C:\Program Files\NirSoft\,Infected,C:\Program Files\NirSoft\,Quarantine,Leave alone (log only),Auto-Protect scan,
    11/8/2008 8:00:40 PM,Backdoor.Trojan,Log only,nwcwks.dll,File,Y:\xylog\,Log only,Y:\xylog\,Clean security risk,Quarantine,Auto-Protect scan,The file was left unchanged.
    11/7/2008 11:12:18 PM,Backdoor.Trojan,Log only,nwcwks.dll,File,Y:\xylog\,Log only,Y:\xylog\,Clean security risk,Quarantine,Auto-Protect scan,The file was left unchanged.

  5. Lassar Says:

    I know what you mean.

    Avira AntiVir says my program that downloads a webpage is malware. At least I can tell it to add an exception for it.

    Frustrating.

  6. red slider Says:

    I am in complete sympathy. Call it corporate malware aimed at maintaining their control of our machines. My false positives came from ZA (which is a product I happen to like in terms of its otherwise usefulness). But if I hadn't known/read about the reliability of your tools and reasons for being kicked I would have backed off from using them. So I appreciate your frustration and wish I had a solution. Something I might suggest is a council of independent providers maintaining a website with a list and autoscan provision of tools/sites which they regularly scan and certify for their members. Two things might be accomplished. First, users would have a reliable/independent place to go to check on ethical sites that are getting caught in this trap; 2) You could simply invite all AV/security tool makers to check this source for your site's safety and download certification and except your tools from their suspect lists. If they don't do so, you can then post them as 'unethical providers' and fight fire with fire. Wish I could come up with something better - but each of you complaining alone will likely do nothing. Like you say, you'll never have enough lawyers to tell their lawyers to take a hike. - Anyway, my appreciation for the work you do to make all our lives a little easier - Hang in, Red.

  7. Mark Says:

    Would it help if you digitally signed your executable with a signing certificate that can be verified by a trusted root authority, and if you submitted your executables to the antivirus organizations so that they can have a look and decide if they can register your executables as safe?

    I recall that we were able to do something like that for one of the companies. I think Zone Alarm. It would flag us because we did a low-level keyboard hook, which is a common way to snoop and log keypresses. But we could submit the signatures of our executable to them and they'd be cool with it.
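Mark's suggestion has two halves that a user, not only the vendor, can act on: check who signed a binary before trusting it, and keep a record of the file hashes that were submitted to or whitelisted by an AV vendor. The PowerShell below is an added example, not Mark's or NirSoft's code; it relies only on the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets and reports, for every executable and DLL under a folder, the signature status, the signer's subject, the timestamping authority and the SHA-256 hash. The function name, column names and the sample folder are my own.

```powershell
# Added example: inventory the Authenticode status of executables in a folder.
# Status values are those of System.Management.Automation.SignatureStatus:
#   Valid, NotSigned, HashMismatch, NotTrusted, NotSupportedFileFormat, UnknownError, Incompatible
function Get-ExecutableTrustReport {
    param(
        [Parameter(Mandatory)]
        [string]$Folder,
        [string[]]$Extensions = @('*.exe', '*.dll')
    )

    # -Include only filters reliably together with -Recurse.
    Get-ChildItem -LiteralPath $Folder -Include $Extensions -Recurse -File |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256

            [pscustomobject]@{
                File      = $_.FullName
                Status    = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                # A timestamp countersignature keeps the signature valid after the signing cert expires.
                Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '' }
                SHA256    = $hash.Hash
            }
        }
}

# Usage (the folder is a placeholder). Anything other than Status = Valid deserves a look:
# HashMismatch means the bytes changed after signing; NotTrusted means the chain does not
# end at a root the machine trusts; NotSigned is exactly the case Mark's suggestion addresses.
Get-ExecutableTrustReport -Folder 'C:\Utils' | Sort-Object Status, File | Format-Table -AutoSize
```

The SHA256 column doubles as the list of hashes one would hand to a vendor or compare against the publisher's published values, so a file that was quarantined and restored can be checked for tampering with the same report.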

  8. Mks Says:

    Is there any method to stop the antivirus' false alerts for our application?

    If anybody knows mail me the solution on :
    mks.mukesh11nov@gmail.com

    Thanks.

  9. Paul J. Richardson Says:

    I've tried searching all over the Nirsoft website, but I cannot find any RECOMMENDED anti-virus programs. My goal is to start with the premise that I need Nirsoft, and then build a computer around that starting point.

    AVG is out. I'll NEVER go back to Symantec or McHell. I don't trust M$, so I guess I'm going to just give Avast a shot? I've resorted to it before, but never on my main dev box.

    I wonder what you use on your main box?
