Comments on: Current AVG False Positives http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/ The official blog of nirsoft.net Sat, 04 Feb 2012 16:27:07 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Mks http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/comment-page-1/#comment-158500 Mks Mon, 10 Oct 2011 07:19:22 +0000 http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/#comment-158500 Is their any method to stop the antivirus' false alerts for our application ? If anybody knows mail me the solution on : mks.mukesh11nov@gmail.com Thanks. Is their any method to stop the antivirus' false alerts for our application ?

If anybody knows mail me the solution on :
mks.mukesh11nov@gmail.com

Thanks.

]]> By: Mark http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/comment-page-1/#comment-96004 Mark Mon, 09 May 2011 01:03:46 +0000 http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/#comment-96004 Would it help if you digitally signed your executable with a signing certificate that can be verified by a trusted root authority, and if you submitted your executables to the antivirus organizations so that they can have a look at decided if they can register your executables as safe? I recall that we were able to do something like that for one of the companies. I think Zone Alarm. It would flag us because we did a low-level keyboard hook, which is a common way to snoop and log keypresses. But we could submit the signatures of our executable to them and they'd be cool with it. Would it help if you digitally signed your executable with a signing certificate that can be verified by a trusted root authority, and if you submitted your executables to the antivirus organizations so that they can have a look at decided if they can register your executables as safe?

I recall that we were able to do something like that for one of the companies. I think Zone Alarm. It would flag us because we did a low-level keyboard hook, which is a common way to snoop and log keypresses. But we could submit the signatures of our executable to them and they'd be cool with it.

]]> By: red slider http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/comment-page-1/#comment-65040 red slider Thu, 17 Feb 2011 05:09:49 +0000 http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/#comment-65040 I am in complete sympathy. Call it corporate malware aimed at maintaining their control of our machines. My false positives came from ZA (which is a product I happen to like in terms of its otherwise usefulness). But if I hadn't known/read about the reliability of your tools and reasons for being kicked I would have backed off from using them. So I appreciate your frustration and wish I had a solution. Something I might suggest is a council of independent providers maintaining a website with a list and autoscan provision of tools/sites which they regularly scan and certify for their members. Two things might be accomplished. First, users would have a reliable/independent place to go to check on ethical sites that are getting caught in this trap; 2) You could simply invite all AV/security tool makers to check this source for your site's safety and download certification and except your tools from their suspect lists. If they don't do so, you can then post them as 'unethical providers' and fight fire with fire. Wish I could come up with something better - but each of you complaining alone will likely do nothing. Like you say, you'll never have enough lawyers to tell their lawyers to take a hike. - Anyway, my appreciation for the work you do to make all our lives a little easier - Hang in, Red. I am in complete sympathy. Call it corporate malware aimed at maintaining their control of our machines. My false positives came from ZA (which is a product I happen to like in terms of its otherwise usefulness). But if I hadn't known/read about the reliability of your tools and reasons for being kicked I would have backed off from using them. So I appreciate your frustration and wish I had a solution. Something I might suggest is a council of independent providers maintaining a website with a list and autoscan provision of tools/sites which they regularly scan and certify for their members. Two things might be accomplished. First, users would have a reliable/independent place to go to check on ethical sites that are getting caught in this trap; 2) You could simply invite all AV/security tool makers to check this source for your site's safety and download certification and except your tools from their suspect lists. If they don't do so, you can then post them as 'unethical providers' and fight fire with fire. Wish I could come up with something better - but each of you complaining alone will likely do nothing. Like you say, you'll never have enough lawyers to tell their lawyers to take a hike. - Anyway, my appreciation for the work you do to make all our lives a little easier - Hang in, Red.

]]> By: Lassar http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/comment-page-1/#comment-6529 Lassar Sun, 07 Feb 2010 17:00:07 +0000 http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/#comment-6529 I know what you mean. Avira AntiVir says my program that downloads a webpage is malware. At least I can tell it to add a exception for it. Frustrating. I know what you mean.

Avira AntiVir says my program that downloads a webpage is malware. At least I can tell it to add a exception
for it.

Frustrating.

]]> By: xylog http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/comment-page-1/#comment-15 xylog Wed, 19 Nov 2008 12:12:00 +0000 http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/#comment-15 Symantec Enpoint Protection 11 detects some of your utils as threats:<br/><br/>Date and Time,Risk,Action,Filename,Risk Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description<br/>11/19/2008 7:07:07 AM,Trojan Horse,Quarantined,LSASecretsDump.exe,File,C:\Program Files\NirSoft\,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.<br/>11/19/2008 6:54:50 AM,ProduKey,Access Denied,ProduKey.exe,Other,C:\Program Files\NirSoft\,Infected,C:\Program Files\NirSoft\,Quarantine,Leave alone (log only),Auto-Protect scan, <br/>11/19/2008 6:54:48 AM,DialupPwd,Access Denied,dialupass2.exe,Other,C:\Program Files\NirSoft\,Infected,C:\Program Files\NirSoft\,Quarantine,Leave alone (log only),Auto-Protect scan, <br/>11/19/2008 6:54:47 AM,Hacktool,Cleaned by deletion,rdpv.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.<br/>11/19/2008 6:54:46 AM,Trojan Horse,Quarantined,LSASecretsDump.exe,File,C:\Program Files\NirSoft\,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.<br/>11/19/2008 6:54:46 AM,Hacktool,Cleaned by deletion,HeapMemView.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.<br/>11/19/2008 6:54:45 AM,Hacktool,Cleaned by deletion,asterwin.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.<br/>11/19/2008 6:54:45 AM,W32.IRCBot.Gen,Cleaned by deletion,pspv.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.<br/>11/19/2008 6:54:43 AM,Hacktool.PassReminder,Access Denied,mspass.exe,Hack Tools,C:\Program Files\NirSoft\,Infected,C:\Program Files\NirSoft\,Quarantine,Leave alone (log only),Auto-Protect scan, <br/>11/8/2008 8:00:40 PM,Backdoor.Trojan,Log only,nwcwks.dll,File,Y:\xylog\,Log only,Y:\xylog\,Clean security risk,Quarantine,Auto-Protect scan,The file was left unchanged.<br/>11/7/2008 11:12:18 PM,Backdoor.Trojan,Log only,nwcwks.dll,File,Y:\xylog\,Log only,Y:\xylog\,Clean security risk,Quarantine,Auto-Protect scan,The file was left unchanged. Symantec Enpoint Protection 11 detects some of your utils as threats:

Date and Time,Risk,Action,Filename,Risk Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description
11/19/2008 7:07:07 AM,Trojan Horse,Quarantined,LSASecretsDump.exe,File,C:\Program Files\NirSoft\,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.
11/19/2008 6:54:50 AM,ProduKey,Access Denied,ProduKey.exe,Other,C:\Program Files\NirSoft\,Infected,C:\Program Files\NirSoft\,Quarantine,Leave alone (log only),Auto-Protect scan,
11/19/2008 6:54:48 AM,DialupPwd,Access Denied,dialupass2.exe,Other,C:\Program Files\NirSoft\,Infected,C:\Program Files\NirSoft\,Quarantine,Leave alone (log only),Auto-Protect scan,
11/19/2008 6:54:47 AM,Hacktool,Cleaned by deletion,rdpv.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.
11/19/2008 6:54:46 AM,Trojan Horse,Quarantined,LSASecretsDump.exe,File,C:\Program Files\NirSoft\,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.
11/19/2008 6:54:46 AM,Hacktool,Cleaned by deletion,HeapMemView.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.
11/19/2008 6:54:45 AM,Hacktool,Cleaned by deletion,asterwin.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.
11/19/2008 6:54:45 AM,W32.IRCBot.Gen,Cleaned by deletion,pspv.exe,File,C:\Program Files\NirSoft\,Deleted,Deleted,Clean security risk,Quarantine,Auto-Protect scan,The file was deleted successfully.
11/19/2008 6:54:43 AM,Hacktool.PassReminder,Access Denied,mspass.exe,Hack Tools,C:\Program Files\NirSoft\,Infected,C:\Program Files\NirSoft\,Quarantine,Leave alone (log only),Auto-Protect scan,
11/8/2008 8:00:40 PM,Backdoor.Trojan,Log only,nwcwks.dll,File,Y:\xylog\,Log only,Y:\xylog\,Clean security risk,Quarantine,Auto-Protect scan,The file was left unchanged.
11/7/2008 11:12:18 PM,Backdoor.Trojan,Log only,nwcwks.dll,File,Y:\xylog\,Log only,Y:\xylog\,Clean security risk,Quarantine,Auto-Protect scan,The file was left unchanged.

]]> By: r2mahara http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/comment-page-1/#comment-7 r2mahara Tue, 21 Oct 2008 12:00:00 +0000 http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/#comment-7 I just tried to use NirCmd at work and got a Sophos alert that it was adware :-( I just tried to use NirCmd at work and got a Sophos alert that it was adware :-(

]]> By: Irreligious http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/comment-page-1/#comment-3 Irreligious Mon, 06 Oct 2008 12:03:00 +0000 http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/#comment-3 I can tell you what is going on in the minds of the AVG guys when they add your software as "spyware". They're thinking some of the utilities can be used to reveal passwords or cache items, and so on... Hence they are forensic tools and should be detected.<br/><br/>Other utilities such as NirCmd are detected because it can be used to kill processes. Maybe it would help to imagine the case where a parent wanted to help prevent their child from using a utility to kill security or parental-control processes.<br/><br/>Most AV software I've used detects some of your software in this general manner, including the one I'm using now, Avira AntiVir Premium. I can tell you what is going on in the minds of the AVG guys when they add your software as "spyware". They're thinking some of the utilities can be used to reveal passwords or cache items, and so on... Hence they are forensic tools and should be detected.

Other utilities such as NirCmd are detected because it can be used to kill processes. Maybe it would help to imagine the case where a parent wanted to help prevent their child from using a utility to kill security or parental-control processes.

Most AV software I've used detects some of your software in this general manner, including the one I'm using now, Avira AntiVir Premium.

]]> By: domestic empire http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/comment-page-1/#comment-2 domestic empire Sat, 04 Oct 2008 20:57:00 +0000 http://blog.nirsoft.net/2008/10/04/current-avg-false-positives/#comment-2 Avast anti virus (the Home version is free), makes far fewer false positives in my view. Never troubles me over legitimate software such as yours.<br/><br/>But I really came to say a big <b>THANK YOU Nir</b> for <b>OperaCacheView</b>. I wrote asking if such a untility was possible but never expected to see it so soon. Perhaps it was already in the planning?<br/><br/>I've blogged about it on my Opera blog <a HREF="http://my.opera.com/garywalsh/blog/2008/10/04/operacacheview-v1-05-from-nir-sofer" REL="nofollow">here</a>, and I shall do like wise at the Opera community forums, if I've not already been beaten me to it.<br/><br/>Many thanks (";) Avast anti virus (the Home version is free), makes far fewer false positives in my view. Never troubles me over legitimate software such as yours.

But I really came to say a big THANK YOU Nir for OperaCacheView. I wrote asking if such a untility was possible but never expected to see it so soon. Perhaps it was already in the planning?

I've blogged about it on my Opera blog here, and I shall do like wise at the Opera community forums, if I've not already been beaten me to it.

Many thanks (";)

]]>