Archive for September, 2014

Command-line options removed from the official release of my password-recovery tools

Monday, September 22nd, 2014

As you may already know, the password recovery tools provided by NirSoft are constantly detected by many Antivirus programs as malware/Trojan/Virus or as a security risk.
Usually, the detection is not done by mistake. The Antivirus companies deliberately add these utilities to their database, because in addition to their legitimate use of recovering passwords, these programs can also be used for malicious purposes, like stealing passwords from another person, and thus the Antivirus companies see them as a threat to the user.

In the past, the Virus alerts problem only affected users who have Antivirus program running in the background, but today... the problem is much more complicated.
It started 2 years ago, when Google acquired VirusTotal, a known Web site that scans files with all major Antivirus engines, and displays the result from all of them in one page.
It seems that now Google uses VirusTotal technology to decide whether a file is good or bad. If a file is detected by a lot of Antivirus engines, then it's considered as Malware by the Malware detection system of Google.

Chrome and Firefox, the 2 most popular Web browsers today, already use the Malware detection system of Google for every downloaded file, so if Google system detects the downloaded file as malware, the Web browser blocks the download and displays a warning saying that the file is malicious. Recently, I constantly get messages from people like "My Web browser blocks your software, please sent it to me by email", which is quite annoying. In additional to the password-recovery tools downloaded separately, NirLauncher package is also frequently blocked by Chrome and Firefox, simply because it contains the same password-recovery tools.

But this is not the only problem... In the last week, I had 3 days that my Web site was blocked for people who search my utilities  in Google, and "This site may harm your computer" message was displayed in the search result.  The automatic systems of Google falsely detected that I have multiple malwares on my Web site, and blocked the access to my Web site  from Google search results in order to protect the users from malwares that  didn't  really exist...
All files that Google detected as malwares were simply my password recovery tools, and Google detected them as malware simply because many Antivirus programs target them.

The command-line options of my password recovery tools are the major feature that allows hackers and Trojans to use these tools for bad purposes, because it's possible to export the passwords into a file and then optionally send them to a remote location (using another software) without displaying any user interface. Removing the command-line options from these tools will cause the Antivirus companies to see them as a lower security risk than before, and hopefully some of them will remove them from their virus detection database.  If a few Antivirus companies will remove the detection of my password-recovery tools from their system, the total number of VirusTotal detection will be lower,  and the chance of getting into troubles as described above will be lower too.

I know that some of you,  who are using the command-line options of my password-recovery tools for legal purposes, will be disappointed from this change, but in our ridiculous world where combination of Antivirus companies, VirusTotal service and Google may lead to blocking many users from accessing my Web site or from downloading software provided in it, I don't have other choice.

I'm still looking for a way to provide command-line version of these tools for users who need this feature for legal purposes, but it must be done in a separated Web site ,so NirSoft web site won't be affected from them.