Antivirus companies cause a big headache to small developers.
Antivirus is essential tool that most people need to protect their Windows operating system from Viruses, Trojans, and other bad stuff.
Unfortunately, most Antivirus companies goes too far with their Virus/Trojan protection, and in many times they classify completely legit software as Virus/Trojan infection.
One good example for that is my own password recovery tools: Most people need these tools to recover their own lost password. These password tools, like many other utilities out there, can also be used by hackers for bad purposes.
The attitude of many Antivirus companies is very tough in this subject -
If it's a tool that can be used by bad guys, it's classified as Trojan or Virus, even when most users need it and use it for good purposes. Antivirus companies don't care that they block their own customers that want to recover their own passwords, and they don't care that they may cause their customer to think that I'm a Virus distributer.
I must say that some Antivirus companies are a little more gentle, and classify these tools as "Security Threat" or "Riskware" which is much better than classifying them as Virus or Trojan, but they still prevent the user from running them - by deleting them or by putting them in quarantine.
Also, many users don't know what is difference between Virus and Riskware, and when they get these "Riskware" alerts, they still think that my tools are infected with a Virus named "Riskware".
My password-recovery utilities are not the only victims of the "over protection" made by Antivirus software. Some other tools, like ProduKey, RegScanner, WebVideoCap, NirCmd, and others that don't recover any password, are still constantly targeted by Antivirus companies, without any known reason.
Other developers also have "False Positive" problems
Other small developers also constantly experience false alerts made by Antivirus software, here some examples:
- UBCD4Win - a great freeware Windows boot cd containing multiple tools that some of them are detected as malware: http://www.ubcd4win.com/faq.htm#false
- PortableApps is a great open source tool containing portable software package to run from USB flash drive, but also have some False Positive problems: http://portableapps.com/support
- AutoHotKey - Open source utility for creating mouse/keyboard macros.
Users of AutoHotKey constantly complains about false alerts from antivirus programs.
See the following links:
It's time to do something about these AutoHotkey antivirus false positives - RJL Software (Updated on 21/05) - Their programs are constantly detected as "Joke program". You can read about that here and also here. They also added a commend to this post, it's recommended to read it too.
- UPX False Positives - Kaspersky Lab Forum: User complains in Kaspersky forums about False Positives of tools compressed with UPX
What about large companies like Microsoft ?
Large companies usually don't have any false positives problems, and even if there is a single case of false alert, the antivirus company will probably fix it very soon. After all, antivirus companies know that Large companies have good lawyers and if they won't fix the problem, they may find themselves in a large lawsuit for libel.
One good example is SysInternals. In the past, their psexec.exe tool that can be used to execute code on remote machine, was detected as Virus by some Antivirus programs, but today, when SysInternals is a part of Microsoft, All Antiviruses show it's clean, as
you can see from this VirusTotal report.
Examples for emails I receive on daily basis
Here's some examples of messages regarding the virus alerts, that I get to my inbox on daily basis:
- "Your mspass.exe is infected with Virus"
"You have Trojan horse in your Mail PassView utility"
"your ProduKey is a Trojan, be ashamed !"These messages are sent by users that really think that my tools are infected. I cannot blame them for thinking that, because the Antivirus really tell them that there is an infection.
Most Antivirus programs don't explain the user that the alert is displayed only because it's a legitimated tool that might be used by hackers.
They simply tells the user that the tool is infected with Virus or trojan, even it's not really the truth. - "I try to run your program and it says that I don't have permission"
"I try to run your program, and I get the following message: 'Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item'"
"I try to run your program, and nothing happen"
"Each time that I download your program and extract the files, the .exe file disappears"These messages are sent by users who think that there is a bug or problem with my utility, without knowing that this problem is actually caused by their Antivirus.
In some circumstances, the Antivirus software runs in the background, and when it detect a threat, it simply block the .exe file, put the file in quarantine, or simply delete it, without telling the user anything.
The frustrated user think that there is a problem in the software he tries to run, without knowing that the Antivirus software, that should protect his computer, is actually the troublemaker that causes this problem. - "When I try to get into utilities section of your site, I get 'the page cannot be displayed' error"
"You have a broken link in your site - When I try to download your ProduKey tool, I get 'the page cannot be displayed' error"These messages are sent by users who think that there is a problem in my Web site, because they cannot browse into a Web page in my site or download a utility from my site. But once again, this problem is caused by Antivirus or Firewall that decided to block my Web site without explaining the user about the site blocking.
Zonealarm products, as opposed to others, redirects the user into a Web page which says that "nirsoft.net has been known to distribute spyware", which is completely untrue.
This web page also offers to report about false detection to False_Positive@checkpoint.com. I really tried to do so, but I received the following error message from their email server:
----- The following addresses had permanent fatal errors -----(reason: 550 5.1.1 ... User unknown)
As you can see, Zonealarm provides an email to report about false positives, but it's a fake email address that nobody really reads.
instead of adding new features to my utilities and updating my site.
Why don't you contact the Antivirus companies ?
Some people ask me, "Why don't you simply contact the Antivirus companies to resolve the false alerts issues ?"
So here's some important points:
- There are dozens of Antivirus companies out there, and with combination of more than 100 utilities in my site, false alerts appears and disappears all the time. Handling all these false alerts may require an employee with full-time job, even more than that.
- If you look into the Web sites of some Antivirus companies, you'll easily find a large "Buy Now" button, but you probably won't find any "Report About False Positive" link. Antivirus companies always want to make more sells, but they don't really care about false positives in their products. They usually hide the option to report about false alert very deep in their Web site, and some of them gives "False Positive" support only for users that purchased their product.
- Even when I find the method to report about a false alert, deeply in their Web site, most of the companies don't answer the requests at all or simply send an automatic message, saying that the sample that I sent is infected. In some cases, The Antivirus company fix the false alert problem in their next update, but without admitting that they had a false positive, and without sending any apology to me, as a developer.
- False Positives usually come back: Even when Antivirus company finally fix a false positive, it's just a matter of time, until the false positive returns again, with a new Virus/Trojan name.
Help me and other developers !
If you feel frustrated, like me, about all these false alerts, you can help me and other small developers to stop Antivirus programs from detecting innocent tools as Viruses/Trojans.
What can you do ?
Here's some examples:
- Add your comments to this article about False Positives problems you experience (As user or as software developer)
- Send this post to your friends, so they'll know more about false positive problems.
- If you constantly pay for licenses and updates for your Antivirus software,
don't hesitate to call your Antivirus company and require them to stop the false alerts.
You pay for your Antivirus product, and you deserved to get a reliable product that detect only real viruses. - If you have any contact with large magazine writer/journalist, you may try to offer him to make a research and/or write an article about all false alerts problems made by Antivirus.
Unfortunately, some magazines will never write an article against the Antivirus companies, because these companies also pay for advertising in these magazines.
May 19th, 2009 at 6:48 am
I constantly experienced this problem of false positives. It's really crazy...
Even the "Kaspersky removal tool" is detected as a trojan by Mcafee. Lots of programs I need to monitor computer activity, or cleen malwarse are detected as trojan and it's really difficult to use them. And of course some of the Nirsoft programs that are my favorites.
But what can we do ? For me it's a further divide between two opposites conceptions of computering.
May 19th, 2009 at 8:48 am
My scripts in AutoIt (AutoHotkey is spinoff of it) get false positives all the time.
I understand that this is terrrible issue for developers with large portfolio of utilities.
Still as user - if specific malicious code is similar in legitimate app and malware I'd prefer it detected rather than not detected.
Overall it is one of those issues that don't have clear and easy solution. Antivirus developers are unlikely to cooperate on global scale and dealing with them case by case is impossible.
I hope you will (if not already) find convenient method of dealing with false positives feedback and it is not too much of discouragement.
May 19th, 2009 at 9:29 am
I agree this is a pain, whenever I plug in my thumb drive into another computer I find Norton happily deleting files from it for me. So now I tend to disable any AV before plugging it in (a lot easier).
May 19th, 2009 at 11:16 am
I also develop a little in VB6 on the rare occasion, once trying to write an update component into some custom software I wrote for a company I used to work for.
Unfortunately no matter how I tried, I couldn't find a way to code it without having it detected as trojan/downloader by at least Symantec. Even "excluding" the file in the software didn't work _for long_ and I was never able to find a way to report the issue to Symantec. Out of curiosity I checked and the file was also "infected" by McAfee or some other program they had at the time.
Was it the code itself, or that it was hard-coded for my domain, I dunno.
Surely the manpower for an anti-virus company doesn't allow to check all software. Maybe they come up with a few things to look for, like however my update code looks to their detection engine, then blanket this as a downloader trojan for all files scanned, and EXCLUDE the big software vendor's apps that could match this criteria.
Of course I also firmly believe most of them intentionally jack up the false positives (affecting primarily small developers) so they can boast higher detection rates.
And you are right, they justify this on the technicality that the software *could* be used maliciously.
But it doesn't mean they need to be so deceitful about the detection.
Also, the absolute worst part about a false positive, is that it trains the half-way competent user or even a computer tech to always disable the anti-virus when something like your password utility is being used...
...so what if that utility was infected by a real threat? Perhaps a computer tech who is retrieving a product key or password had something infect all the .exe's on the flash drive being used, what then?
May 19th, 2009 at 11:58 am
>Of course I also firmly believe most of them intentionally jack up the false positives (affecting primarily small developers) so they can boast higher detection rates.
Nope, high percentage of false positives is sign of low quality. All popular antivirus tests check that and count into their rankings (not that those are absolute and objective).
It's not intentional, just the way things work when it is hard to tell apart malicious code from legit.
May 19th, 2009 at 12:21 pm
THANK YOU for posting this. I hope something is done about this. The "little" guys always get the shaft. We write "entertainment" software that is flagged as viruses by all of the major players. We've added FAQ topics, Discussion Forum posts and readme's to explain that our software is NOT a virus. In the end its killing our business, as users dont understand the different between Annoyware or Fun/Joke program vs. Viruses. We have contacted McAfee and Norton - but no luck. Here are some topics we've added (will provide a link back to this blog)
http://www.rjlsoftware.com/support/faq/sa.cfm?q=209&n=61
http://www.rjlsoftware.com/support/faq/sa.cfm?q=21&n=68
May 20th, 2009 at 4:23 am
The anti-virus system I use provides an email address to its registered users for reporting false positives.
I'm happy to report that *every* time I've submitted a file or URL to a download, I've received a response within eight hours that stated, "Thank you--we have investigated and determined this is a false positive, and it will be corrected in the next set of virus definitions."
May 20th, 2009 at 6:56 am
This used to drive me mad when i used to ask a client on the phone to install a remote connection application like teamviewer or aamy admin and it would get thrown straight into quarantine, which then required me to talk them through authorising it which with some clients who were not at all IT literate was a pain. Also had a few problems with F/P's with some of your tools but it would appear that Sophos (which i work with most) doesnt pick them up.
May 22nd, 2009 at 12:59 am
Well it has to be said, that if the users are so stupid that they cannot tell the difference between a legitimate program and a virus, then perhaps they shouldn't be using them.
I myself have really appreciated the software that you have put together and use it a lot. It helps me to irons out problems in networks and on hard drives.
Another issue is the general issue of the proliferation of antiviral programs. Perhaps the crappy ones need to be boycotted a little more with a good amount of blogging.
In the end, nothing beats good old fashion common sense and a bit of education.
Keep up the good work and invets in a mail filtering programme with a generic reply.
Another developer with similar issues...
June 2nd, 2009 at 8:32 pm
Avira Antivir 2009:
'SPR/Tool.KeyView' [riskware].
June 15th, 2009 at 7:07 am
"My scripts in AutoIt (AutoHotkey is spinoff of it) get false positives all the time.
I understand that this is terrrible issue for developers with large portfolio of utilities."
The same thing happens to me... I think Jon (AutoIt Developer) said that the main autoit interpreter was classified as a virus, so almost any script made with AutoIt will also be classified as one, as it includes it.
He is trying to work with the security software providers to sort out how to detect autoit programs as viruses, so hopefully...
June 15th, 2009 at 2:16 pm
hi. i'm service engineer and founder of usetools.net project about free software.
experiments and test based on real practical usage show that antivirus software applications become more and more useless, consume the great amount of pc hardware resources (sometimes users cant use their workstation beacause of single program with service purpose - "antivirus"), often damage users or system software ("false positives") and even can destroy system completly without any reason.
so lets determine what are the main features of virus-like (trash, harmful, dangerous, etc.) software:
1. consuming more or less system resources like memory and cpu for running them self without any possible users control;
2. creating a lot of startup items represented by executables in system registry run-sections or creating one or much more services;
3. allways updating, downloading something and uploading some data about local system thus sometimes consuming a lot of internet traffic;
4. show various information like annying commercial advertisments;
5. providing remote access to users workstation.
so, mentioned above is about viruses and... the first of all and largly about commercial antiviruses that use these methodes for getting more and more profit without real thinking about end-users or software developers.
besides that computers and networking service job experience shows that in most cases when real viruses presents in system antivirus programs can do nothing. no detection or no real helpful action in case of detection. thus popular commercial antiviruses are absolutly useless in most cases and even dangerous in some cases.
the most evil commercial products according to service engineering experience are: avg, nod32, avp (kaspersky), threatfire.
the most trully useful and really powerful solution is clamav scanner cause it never lies (cause that is free and open source software) and nowadays has great virus detection level.
it has now "monitor" but that is advantage cause when antivirus monitor works that mean antivirus monitor works on your pc but not you. to control system in real time security task manager can be used like anvir (freeware). for networking security real network firewall can be used like ghostwall (freeware). all that tools must be preconfigured and used all together as one security solution that virus problem can be solved without bying other super-viruses that have the single aim to get your money and thats all.
thank you nir, for your the greatest free software tools.
the are often used in our free software project cause they are extremly useful!
have a nice day!
June 16th, 2009 at 2:07 am
I work as an IT Tech Support rep at a software company. Our software uses Microsoft SQL Server as its database. Over the past year Mcafee has been a horrible problem for us. It seems they block the SQL server right out of the box. You have to buy their higher corporate version in order to not have it happen. Our clients are constantly getting an invalid database connection, because the DB is blocked. What makes it unsafe. It requires the use of two ports to communicate. Firewalls and spyware companies seem to have taken over the computers. They slow them down, and often don't catch half of what is actually spyware and viruses. It's sad, but I find it easier and safer to run without all that junk running all the time. I have found other ways to be preventative.
July 24th, 2009 at 2:40 am
Which AV companies are best/worst in this respect?
I assume that McAfee and Norton/Symantec are terrible. But what about the rest: Grisoft AVG, Avast!, AntiVir, BitDefender, Kaspersky, etc.? Are any of them reasonably responsive to false-positive reports?
I have some AV recommendations on my web site, and I'd like to add this info to it:
http://www.geeksalive.com/links.html
Thanks,
Dave Burton
Geeks Alive! Computer Rescue
Burton Systems Software
Cary, NC USA
http://www.burtonsys.com/email/
-----
Hey, Nir, do you know that your blogger comment-posting system is broken?
I tried six web browsers. Only one of them works.
In Firefox 3.0.5, Safari 3.2.3, Chrome 2.0.172.37, and IE 8 under XP Pro, after I select my TypePad ID, your page brings up a Preview and Word verification box, but there's no place to enter the verification word, and, in fact, the picture of the word is clipped off at the bottom.
In IE 8, there's the added annoyance that the scroll bar doesn't work in the preview box.
The Off-By-One browser doesn't work, either.
(Also, in some of the browsers, the Preview button does not work; it produces an error message, "Your request could not be processed. Please try again.")
I posted this using Opera 9.52, under which the mouse wheel scrolls the box to expose the place to enter the verification word and the "Post Comment" button. Opera seems to be the ONLY browser that works to post a comment here!
Dave
August 28th, 2009 at 5:04 am
This is so annoying - I try to help out reinstalling some guy's PC.. getting the keys out of the old and more or less crapped windows installation - and almost before I start produKey I'm told that this MUST be a generic virus trojan or whatever - this time it was McAffe
Could we make a petition list or somethin ? - would that help ?
Peter
August 30th, 2009 at 5:23 pm
this is really pissing me off. I have to disable the antivirus prog to regain the lost e-mail password of a friend. Had this with f-secure and trendmicro.
September 1st, 2009 at 2:48 am
Great program. So little, so easy, so fast and still so effective.
You need such program once a year or less, so put your virus defender software on
off state (disable it) and read your key. next boot its on again. and everything is fine.
September 4th, 2009 at 10:14 am
I've been using a simple a time sync prog for about 15 years (AtomicClockSync). Just a couple months ago Trend Micro started calling it a trojan or virus or something (Can't remember exactly which right now). I've also been using Trend for many years without ever seeing this before.
I reported this to Trend and their ultimate response was 'Stop using this program. It is not compatible with Trend Internet Protection'
I ended up just adding it to the exceptions list.
I can see why this is unfair to the small SW developers. It seems they should band together for some class action lawsuit that gets them more attention from the AV companies.
September 4th, 2009 at 4:17 pm
How about lobbying the anti-virus/malware testing organisations to include false positives as a negative in their testing? Perhaps some already do this, but when I looked at the latest test from Malware Research Group they seemed to rate the tested programs only according to how many true malware programs were detected (i.e. true positives).
I'm sure if some of these anti-virus programs started dropping in the ratings, or their favourable reviews became less favourable because of high rates of false positives, they'd quickly begin to work harder on remedying the problem.
After all, if an anti-virus developer wants a perfect score in one of these review tests, it would be simple to achieve: just block EVERYTHING. Makes no sense, but would get a great test score.
September 15th, 2009 at 9:32 pm
Nir! Great programs but yes, the false positive problem is an issue. I only have AV problems with your software when you use UPX for executable compression. Any chance of releasing executables that haven't been compressed?
September 18th, 2009 at 8:31 am
Our product iNet Protector is constantly detected as malware. We communicate with anti-virus vendors every month, but false alarms come back. Today this is harming our business to a very significant extent.
October 5th, 2009 at 3:00 pm
I faced the exact problem, my legit program has been classified as trojan/virus... those antivirus companies really goes too far.
October 5th, 2009 at 5:26 pm
I think I'd select two major players in the market: Symantec and McAffee, and call their P/R department instead of sending your exe and asking them to remove the false positive.
We've had a similar problem in the past and all of a sudden one of our utility executables detected as Malware by Symantec, after week of communication, the problem was fixed permanently. When you use their web site, you'll always find people that they cannot make decisions, but once you involve their legal, security or PR departments, you'll get to the right people to deal with the situation on hand.
October 5th, 2009 at 5:37 pm
Yes, I've had the same problem with Avast. They reported a part of my software, Puchisoft Dispacher, as a virus. To report the virus, you have to actually install their software (You can't just email them). So I did, and I used the software to report the virus, and they just ignored me.
I ended up having to change the code to do the exact same thing, but differently, which Avast didn't think was questionable, even though I was doing the exact same thing! Sigh... This is why I don't use Avast anymore.
October 8th, 2009 at 12:27 pm
I'm a sysadmin, I deal with users forgetting their passwords and me needing to get access "somehow" to a remote machine... Your tools, sysinternals and a few dozen other are MUST HAVE TOOLS ! (they should be packaged with windows!, it's THAT essensial!)
I did face the false alarms, I did face the deleted executables .. (we switched to Symantec's endpoint protection)
I'm faced with our proxy protection (websense)...
When are people going to understand, we are there to help... and yet we are seen as the bad guys from people who don't know, or don't have the needs we have ...
I will pray for AV companies to bann the "hacking tools" section of their products!
(if you install metasploit, I mean, you know what your're doing ... it's not like you don't know what you get into...)
AV should consider that fact...
or well.. . ... if your're unhappy use linux... but by doing so , you wont help other users in need of "respect" with their own online behavior !
Thanks for reading and thats for that bell ringer of an article!
October 9th, 2009 at 3:25 am
I use USB stick with integrated read-only switch, that prevents Nirsoft utilities from being deleted by any antivirus, when I plug it into foreign PC.
October 9th, 2009 at 5:58 am
I've been using your utilities for some 8 years, I guess (not absolutely sure), and I'd like to say THANK YOU.
I have several times sent messages to some companies that produced anti-virus and security software (like Zone Alarm) in order to explain that NirSoft products should not be blocked. The problem is that I get no response and I cannot know if they care a straw for such letters.
I think these companies are too big to be scrupulous about small developers and small clients. The smaller companies or those that are based on a different approach would be more careful. For example, I remember some time ago Spybot-S&D included Nirsoft in its black list but then the list was corrected. Unfortunately, it is difficult to imagine companies that produce effective anti-virus software (which means a global task) to "waste their time" for the benefit of a relatively small group of individuals.
I must just note with regret that even Nod32, which used to be much more fair to NirSoft, now has it blacklisted, too. If you use the highest level of protection with Nod32, then you cannot download Nirsoft programs. In some cases, they get deleted automatically.
So what should I do to correct this problem? Organize the petition or what?..
October 12th, 2009 at 11:56 am
I found an interessting Test on Antivirus and "False-Positives (FP)".
At
http://www.av-comparatives.org/comparativesreviews/main-tests
you can view the test as a PDF. The last one is from August 2009.
At page 10 you ´ll find out that McAfee, Norman and Kingsoft detected over 40 FP while Bitdefender, Avast and MS detected 4 and 5 FP only.
October 14th, 2009 at 7:40 am
Just today I tried to download NirLauncher and the zip file is intercepted by Trend Micro during download and I cannot download it. Being a technical at testing lab this quite annoying that I cannot use some tools necessary for work. Thankfully corporate security allows expections to uninstall or reconfigure Trend Micro when it's interfering with work.Overall Trend Micro is not bad but it's really slow and resource hungry. Symantec was better.
Good thing is that all AutoIt apps I create, to date, work with Trend Micro.
F-Secure also gets lot of FP's.
October 14th, 2009 at 9:47 am
I have switched Internet security software from BitDefender to G Data and though I really do prefer G Data it still has the same problem with issuing false positives. I am trying to find a contact I can get in touch with to report the problem to. NirSoft has so many great utilities it's sad to see this situation crop up again.
October 14th, 2009 at 8:12 pm
Antivirus softwares just exist to leave your system slower. the detection technique they use is "dumb" because they compare codes with a database that is constantly being updated. if you code a decent private cryptor, all "viruses" will be undetected to these boring softwares. Also notice that due to this behaviour, if your program has some piece of code in which another application known to really be a malware then it will end up being detected as well.
I dont use these softwares except for testing and vulnerabilities research. My advice is NEVER trust them. If people used a restricted user account on Windows, let the system and applications always up to date and specially, didnt open any kind of files they receive like pictures.exe (very well known social engeneering used by malware) which surely is something malicious then they wouldnt need an Antivirus since 99.9999% of the infections are the user´s fault and not a critical remote vulnerability that was exploited by a recently coded worm/virus .
October 21st, 2009 at 4:01 am
all my antivirus software and registry cleaner have been flagged by norton and main anrtivirus as virus! this is ridicolous! thanks for this article, it's 100% true!
October 22nd, 2009 at 5:39 pm
I got false alert by McAfee about iepv.exe saying Detected As "Artemis!28C110B8D0AD", Detection Type "potentially Unwanted Program". It did not clean or block the utility from running. This blog helped clarify
the AV alert could be ignored.
October 27th, 2009 at 5:17 pm
Well, i use Antivir (Avira)... and it suddenly started "spotting" SysInternals psexec.exe as a virus ... There´s a note on this from an user inside their OWN forum!
When i get a "virus warning" i usually google it first, to see if its a FP. But it´s BORING having to do this 1,2,3,100 times...
BTW, a fine way to "appear" on google and alert users like me is to post in the AV software forums.
Of course your Password recovery tool was branded as a "trojan" ... one more for the exception list.
October 28th, 2009 at 7:29 pm
Make your applications Open Source, so even if the antivirus panics, the user can still see the source code and confirm that there's nothing harmful in it.
Not providing the source code of a free (gratis) software is suspicious.
October 29th, 2009 at 9:46 am
First...thank you for all these great little programs. I really learn a lot by using them. Since they are free, I get the chance to see things and learn from them that I couldn't do if I had to purchase some of the larger and very expensive programs out there that do the same things.
I ran DNS Data View this morning and Norton Internet Security 2010 flagged it as a dangerous program, but gave me the option to allow it (which I did of course). They also provide a way to pass along through the program to all other users whether something seemed safe after using it. Of course, that is all based on opinion, but I am happy to pass mine along about NirSoft products to try and help.
Oh, and Juan....if you need to see inside the code, there are a couple of neat programs to do that too. I can only think of one right now (the others are on my other machine). I will post back later with other names. The one I am using rightnow is Resource Tuner (restuner.com). Trial version available.
Cheers!
October 31st, 2009 at 10:50 am
@Juan
AV companies doesn't need to have source code..
They use reversers & debuggers to analyse machine code & behaviors of the programs :p
Since Nirsoft "password recovery tools" doesnt connect to the internet to send something, its a bit pointless to tag them as "trojan" because ALL TROJANS (i mean trojan, not virii) are using internet , right? Yet, i also saw real UNDETECTED malware embedding your pwd tools WHICH WERE DETECTED, using them with command line to record passwords, and send files to a remote server (which then i get fucked by the ISP :p)
Crazy AV, no?
I have same problem with my Nod32 when developping my own crypter for my own programs...
Since its based on a open source crypter used sometimes by viruses, Nod constantly show FP when i compress dummy test programs (witch just does a messagebox).. So, this is obviously not the program content that warn NOD, but really the encryption itself..
Well, I have an idea... To stop Virus detection, maybe you can use a tool that mangle / destroy / add junk/ add a sort of VM to the code? This may also stop scammers and rippers like the MSNinfo ones
November 7th, 2009 at 9:16 am
Antivirus software as lost its relevance. Just run your Windows System using LUA+SRP ideology.
November 14th, 2009 at 1:10 am
The only way for this to change is for small software publishers to collectively sue 2-3 antivirus software companies (e.g., Symantec, McAfee) for libel. When my McAfee comes up and says that your software is a Trojan (like it just did) - it is a false statement and it is damaging your business. The only problem, of course, is that since you don’t charge for your software, damages may be hard to prove.
November 18th, 2009 at 9:15 pm
I agree that this is a problem. I hate it when a software program that I purchased, deletes or quarantines programs that i have installed without asking my permission. This is especially irritating if the action takes place because of a false positive.
November 19th, 2009 at 12:09 am
Nir,
I couldn't agree more. It is not getting ridiculous - it has been ridiculous for a long time now. The only way I was able to even download your utilities in the recent past was to disable NOD32 completely. Then I downloaded them and stored them all on a flash drive. Whenever I needed to use them I would first disable any AV and AS programs. Lately I am able to download the Nirsoft utilities without any interference from NOD32, however I still disable it when I run the password utilities.
Thank you for writing this article. Hopefully more people will contact their AV developers and let them know that this won't be tolerated.
Jim M