As you may already know, the password recovery tools provided by NirSoft are constantly detected by many Antivirus programs as malware/Trojan/Virus or as a security risk.
Usually, the detection is not a mistake. The Antivirus companies deliberately add these utilities to their databases because, in addition to their legitimate use of recovering passwords, these programs can also be used for malicious purposes, like stealing passwords from another person, and so the Antivirus companies see them as a threat to the user.

In the past, the Virus alerts problem only affected users who had an Antivirus program running in the background, but today… the problem is much more complicated.
It started 2 years ago, when Google acquired VirusTotal, a well-known Web site that scans files with all major Antivirus engines and displays the results from all of them on one page.
It seems that now Google uses VirusTotal technology to decide whether a file is good or bad. If a file is detected by a lot of Antivirus engines, then it’s considered malware by the Malware detection system of Google.

Chrome and Firefox, the 2 most popular Web browsers today, already use the Malware detection system of Google for every downloaded file, so if the Google system detects the downloaded file as malware, the Web browser blocks the download and displays a warning saying that the file is malicious. Recently, I constantly get messages from people like “My Web browser blocks your software, please send it to me by email”, which is quite annoying. In addition to the password-recovery tools downloaded separately, the NirLauncher package is also frequently blocked by Chrome and Firefox, simply because it contains the same password-recovery tools.

But this is not the only problem… In the last week, there were 3 days when my Web site was blocked for people who searched for my utilities in Google, and the “This site may harm your computer” message was displayed in the search results. The automatic systems of Google falsely detected that I have multiple malware files on my Web site, and blocked access to my Web site from Google search results in order to protect users from malware that didn’t really exist…
All files that Google detected as malware were simply my password recovery tools, and Google detected them as malware simply because many Antivirus programs target them.

The command-line options of my password recovery tools are the major feature that allows hackers and Trojans to use these tools for bad purposes, because it’s possible to export the passwords into a file and then optionally send them to a remote location (using other software) without displaying any user interface. Removing the command-line options from these tools will cause the Antivirus companies to see them as a lower security risk than before, and hopefully some of them will remove them from their virus detection databases. If a few Antivirus companies remove the detection of my password-recovery tools from their systems, the total number of VirusTotal detections will be lower, and the chance of getting into trouble as described above will be lower too.
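The risk described above, a password-recovery tool run with an export switch so that passwords land in a file with no UI ever shown, is something a defender can watch for in process-creation telemetry. The following Python is an added example written for this page, not NirSoft’s code: it scans a few constructed process events for password-recovery tool names (PasswordFox and ChromePass are mentioned on this page; the other two names and the /stext-style save switches are taken from memory of the tools’ documentation and should be treated as assumptions) and flags runs that use a silent export switch, raising the severity when the run looks automated rather than hands-on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Password-recovery tool names to watch for. PasswordFox and ChromePass are
# mentioned on the page; the other two are assumed names of sibling tools.
PASSWORD_TOOLS = {
    "passwordfox.exe",
    "chromepass.exe",
    "webbrowserpassview.exe",
    "mailpassview.exe",
}

# Save-to-file switches (/stext, /shtml, ...). Assumed from the tools'
# command-line documentation; the page itself names no switch.
EXPORT_SWITCH = re.compile(
    r"(?<!\S)/s(?:text|tab|comma|tabular|html|verhtml|xml|json)\b", re.IGNORECASE
)
# First argument after the switch: a quoted path or a bare token.
ARG = re.compile(r'"([^"]*)"|(\S+)')

# Locations writable by any user and typical for staged tooling.
STAGING_DIRS = ("\\users\\public\\", "\\temp\\", "\\appdata\\local\\temp\\")


@dataclass
class Finding:
    host: str
    user: str
    image: str                  # full path of the executable
    exe: str                    # lower-cased file name
    export_target: Optional[str]


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def analyze(line: str) -> Optional[Finding]:
    """Return a Finding when a password-recovery tool is run with an export switch."""
    ev = parse_event(line)
    image = ev.get("Image", "")
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in PASSWORD_TOOLS:
        return None
    cmd = ev.get("CommandLine", "")
    match = EXPORT_SWITCH.search(cmd)
    if match is None:
        return None  # interactive run: the UI is shown, so no silent export
    rest = cmd[match.end():].strip()
    arg = ARG.match(rest)
    target = (arg.group(1) or arg.group(2)) if arg else None
    return Finding(ev.get("Host", ""), ev.get("User", ""), image, exe, target)


def severity(finding: Finding) -> str:
    """Raise severity when the run looks automated rather than hands-on."""
    path = finding.image.lower()
    if finding.user.upper() == "SYSTEM" or any(d in path for d in STAGING_DIRS):
        return "high"
    return "medium"


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (analyze(line) for line in lines) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'Host=WS01|User=alice|Image=C:\Tools\ChromePass.exe|CommandLine="C:\Tools\ChromePass.exe"',
    r'Host=WS02|User=SYSTEM|Image=C:\Users\Public\PasswordFox.exe|CommandLine=PasswordFox.exe /stext "C:\Users\Public\out.txt"',
    r'Host=WS03|User=bob|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe /stext x.txt',
    r'Host=WS04|User=svc|Image=C:\Temp\WebBrowserPassView.exe|CommandLine=WebBrowserPassView.exe /shtml report.html',
    r'Host=WS05|User=carol|Image=C:\Tools\ChromePass.exe|CommandLine=ChromePass.exe /scomma C:\Tools\export.csv',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{severity(f)}] {f.host} {f.user} ran {f.exe} exporting to {f.export_target}")
```

The interactive run on WS01 is deliberately not flagged: with the UI shown, the user sees what is happening, which is exactly the distinction the post draws between the GUI tools and their silent command-line mode. In a real deployment the tool-name set and the staging-directory list would be tuned to the environment.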

I know that some of you, who are using the command-line options of my password-recovery tools for legal purposes, will be disappointed by this change, but in our ridiculous world, where the combination of Antivirus companies, the VirusTotal service and Google may lead to blocking many users from accessing my Web site or from downloading the software provided on it, I don’t have any other choice.

I’m still looking for a way to provide a command-line version of these tools for users who need this feature for legal purposes, but it must be done on a separate Web site, so the NirSoft Web site won’t be affected by them.

32 Comments

  1. The MAZZTer says:

    Not a perfect solution, but I can’t really think of anything better.

    It would still be trivial for malware to launch your application on a hidden desktop and manipulate the UI to do whatever they need. So it may not solve your problem, but maybe it will be too much trouble for many to bother.

    I was thinking a UI could show up on first run, but it would be extremely difficult to get it to not be suppressible by malware, and malware could easily fake the user interacting with it to dismiss it anyway.

    Perhaps you could play an audio clip of someone saying that a password cracking tool has been launched on their system, and if they did not do it intentionally they should scan for malware. Of course this, too, would be possible to block, either by modifying your app to remove the file (you could play a cat-and-mouse game with this to make it more difficult) or by simply killing the Windows Audio service (or taking the less conspicuous though more difficult steps of muting your app) while running your app.

    If the PC is connected to the internet, you could ping your own server for various reasons to track use. I won’t go into details because malware itself does this for command and control stuff so it’s likely this would get your software marked faster… probably not a good idea. Plus malware authors would just block your server on the user’s firewall before launching your tool.

    You could potentially add in special code to try and detect tampering. It might not help when a malware author has already packaged your tool up with their malware, but you could catch someone developing malware experimenting with working around any restrictions you do put in. I dunno.

    Possibly you can try to enforce some things like ensuring your window isn’t redirected to a non-standard desktop (though this may conflict with the new alternate-desktop stuff leaked for Windows 9, plus legitimate alternate-desktop tools) and ensuring the window isn’t hidden or moved off of the screen and that the window is in the front when it is being interacted with… also enforcing delays on UI actions to attempt to block computer-controlled interactions that are “too fast”. You can’t stop malware from using it, but maybe you can make it more difficult for malware to hide its use (though that’s a bit of a cat-and-mouse game; and if the malware has admin rights you’ve already lost that battle).

    My conclusion: Ultimately, as long as people insist on running NOT_MALWARE.JPG.EXE with full admin rights, there really is no way to differentiate between your apps being run by users or malware impersonating users, unfortunately.

    Side note: Even malware authors use your tools, so at least we know they’re good! 🙂

  2. phocean says:

    Why not simply release the tools inside an encrypted ZIP archive? With a long enough password, antivirus should not see anything.

  3. Dan says:

    I concur with phocean but you don’t need a long password. Any encrypted file will defeat Virustotal since none of the AV engines would be able to find the EXE’s signature. They won’t brute-force the password. You can even put the password in the archive’s filename.

  4. Laurent says:

    Damn, it sucks.

    Another solution could be to provide your tool as a DLL exposing some functions to get the information, on a development-dedicated website (GitHub, Codeplex, whatever). So people who need to use your marvelous tool from the command line (like me), usually for automation purposes (saving my passwords to KeePass when I close my computer), will be able to use your tool just with a scripting language which can call a DLL (VBScript, PowerShell, etc.).

  5. Somone says:

    Why not dumpy publish the source?

  6. Simon Zerafa says:

    Hi Nir,

    I’m not certain that removing the command line options from your amazing tools will actually solve the issue.

    Client based AV and PUP scanners will still identify the GUI tools as malware or as a PUP. This will feed back to their definitions and to VirusTotal.

    Unless you have a written undertaking from Google et al to stop detecting your tools as malware this will not fix the situation.

    Offloading the downloads to a different site (perhaps via https:// ?) separate from your main site might have benefits anyway. You could always set the robots.txt for the download site to block spiders from cataloguing them for web searches.

    The password protected .ZIP idea seems to be promising. Would prevent causal unpacking and usage of your tools with CLI options but might not prevent malware using it.

    It would prevent client based malware scanners from scanning the .ZIP file though and hopefully prevent it ending up in the VT database.

    Kind Regards

    Simon Zerafa

  7. Mobo says:

    I have several browsers on my PC for various reasons.
    I used the ‘Maxthon’ browser as both Chrome & Firefox prevented my download of the software I wanted.
    The download and installation worked fine! 🙂

  8. Frank says:

    JFTR (@Mobo), less than two weeks ago it was actually still possible to download PasswordFox e.a. with Chrome. If I recall it correctly I had to right-click on “discard” and then pick “keep” on the downloads page, resulting in another “yes, hurt me plenty” confirmation for this business.

    Instead of hurting me plenty PasswordFox refused to work for my ancient (2013) portable Firefox 10.0.12 ESR profiles, but I’d know how to extract those passwords with other tools when needed. Blocking this site is just a stupid hypocritical “security by obscurity” approach, although I’d admit that a PUP (possibly unwanted program) is a PUP no matter how it disguises itself. But the same PUP-scanners have no trouble with the far more dangerous SysInternals psexec.exe 🙁

  9. BigBrother says:

    It’s certainly not the first time that AV-snakeoil-sellers are making it difficult for private tool-coders because their scanners are so bad. And Google helping them driving private people out of the net is just adding insult to injury. “Don’t be evil”, yeah, right.

  10. meh says:

    “Removing the command-line options from these tools will cause the Antivirus companies to see them as a lower security risk than before, and hopefully some of them will remove them from their virus detection database.”

    hahaha thinking rationally while talking about av companies.

    Only a couple on the VT list matter. Not being widely used they have few resources. The big ones… well I’ll stop before I go off on a tangent.

    “If a few Antivirus companies will remove the detection of my password-recovery tools from their system, the total number of VirusTotal detection will be lower, and the chance of getting into troubles as described above will be lower too.”

    No, won’t make a difference.

    We get it though, it’s caused you problems and you’re at the end of your rope so you’ve taken this action.

    This is why we all need to use alternative SEs like Duck Duck Go and StartPage. Google simply has too much power. Today it’s this and in a year or two, what other changes will they essentially force you to make? Or today it’s you and this, tomorrow someone else and another thing. Far too dominant.

  11. war59312 says:

    Like others have said, simply encrypt the zip files. Better yet, use 7zip instead.

    Then no more problem with downloads. 🙂

  12. Sergey says:

    Just make a torrent with current versions of every tool and publish a magnet link.

  13. Vistor says:

    2 great solutions

    ZIP with password

    Torrents with magnet link

  14. PhilT says:

    How to distribute files ? Why not FTP.

  15. Tiziano Riolfo says:

    Hello Nir, I’m a massive fan of your tools and have been for years. However, they’re usually incredibly useful because you always present a simple, intuitive no-frills interface. The Google cyclops is too big to fight now; the only option is to wrong-foot it. So I agree with the others advocating the disabling of certain CLI functionality limited to the “high-risk” tools, thus reducing their frequency of incidence in common malware scenarios

    Also, an installer that acts as a decrypter / decompressor for every download should serve to gradually dissociate your site from the malware idiots and in turn from the omniscient behemoth

    I agree with the 7-zip recommendation. Using the publicly available self-extractor stub could be enough to deploy x86/x64 versions in a single package. One way or the other you should frequently repackage your downloads to mitigate undesirable associations

    It is a giant pain in the derriere, but your tools belong back in the comfortable anonymity of the IT combatants toolkit, not at the top of the overlord’s hit list

  16. Ross Smith says:

    Nir,

    Yeah, I stopped hosting my “Nirsoft Installer” (http://smithii.com/nirsoft_installer) for the same reason. Google kept flagging it as malicious content, and my pleas to them were ignored.

    Thanks for your tireless efforts in providing the best freeware out there! I use your apps DAILY!

  17. Alberto says:

    Don’t worry babe, you are the best programmer I know. If Google blocks your programs it’s because you are doing right, so they are unos hijos de la gran puta and they are trying to control everybody like microshit tried some time ago. Thanks for all

  18. Michail says:

    Google imagines itself the chief policeman and judge of the Internet and has decided to dictate how I live. To hell with it!

  19. a says:

    download software doesn’t use the malware blocklists, AFAIK.
    but most web users download with their browser, and many visitors have never used more than one browser, so are unfamiliar with download software.

    the best workaround should accommodate visitor who is completely new to the password software page.

    an idea that I didn’t see (maybe I missed reading it):
    host only the download file on sub-domain? but give download instructions (and link to cause of the workaround) at the download link on the description page.

    suggestions in these comments to use upload sites causes me to wonder why block services don’t block all pages on those upload sites. wouldn’t blocking services find the small number of hosted files that are “suspicious” or true malware?

  20. MSasanMH says:

    Thank you for protected download link!

  21. Mike says:

    I am fine with the removal of the command line tools given that, in effect, you and the popularity of your tools are UNFAIRLY SLANDERED WITHOUT DUE PROCESS. It is the only alternative available to you, other than BUYING GOOGLE, or taking them to court (Ha!) in order to, potentially, mend their way.

    Better alternative? Just throw them up on a third party site quietly, with a single link to them, or on your own if you dont think your site will be likewise branded a “fountain of filthy software”

  22. Valek271183 says:

    It is not possible to download from the link; it permanently asks for a login and password. What am I doing wrong?

  23. Alex says:

    Hi,

    first of all, thanks for the offline package for the command-line tools.

    Is there any chance you could update the package that can be found here: http://www.nirsoft.net/password_recovery_tools.html

    Thanks a lot and best regards,
    Alex

  24. Frank says:

    Late update, VirusTotal and MS cooperate to limit their false positives (my last unclear adventure was a previously nice rsvg-convert.exe suddenly blocked as evil password-stealing malware by MSE). Link to the VT blog entry (add http): blog.virustotal.com/2015/02/a-first-shot-at-false-positives.html

  25. Tony4219 says:

    I just noticed the Press Release, and recalled that some apps here have an F9 option, but do not take commandline parameters.

    I don’t know about the password angle, but the command line and “load other machine’s hive” options are needed if one needs one of your apps to do work on an offline host system, like Winbuilder and WinPE, for repair and malware removal.

    Thanks again for your highly useful programs.

  26. RnDdude says:

    Admire your wonderful tools, and need the pwd recovery items because I am something of a disorganized klutz of a laid-off avionics integration engineer at present.
    But, an idea I don’t think has surfaced yet – could you (maybe it would be too much trouble) provide a separate, smaller standardized program package, with XML perhaps to catch the data? Then the user could download and install the basic, “sanitized” tool that you have already made available; the tool that we hope the AV guys would not find objectionable and would keep your site out of trouble with Google and Virustotal.com. After installing and checking that out, then download the separate, harmless-looking program that, when we run it, would insert the password-grabbing command-line stuff and merge into the main program again. Or, it might stay separate and just run concurrently, and collect the data maybe in real time as it flows through the registers. This might be too naive for words, I am not an expert coder. I am trying to learn something while waiting to be picked up with my MSEE and P.E. and several years of 60-400 Hz power utilization experience (applying industrial lighting, UPS, motors & generators) plus 3 decades in avionics-airframe integration, all putting me in the wrong age group. Hope this is not too ridiculous a suggestion from this newbie.

  27. Linyos Torovoltos says:

    Hello,

    I like a lot your very good command tools and I like you as a super programmer.

    I often detect many government spy agents like NSA and KGB always hacking into my computer (they try to examine my pictures of my family and friends and spy on what sites I visit). I see them in my logs reports when they connect from their secret IP address. I know it is them because 127.0.0.1 shows up always in my reports. 127.0.0.1 is the official NSA/KGB/SPIES IP Address they use. My special friend confirmed it was them as he works for Microsoft as “undercover” double-agent.

    They use programs like “telnet” and “ipconfig” which are used by spies to break into other people’s computer systems to steal credit card numbers.

    Anyways, I like your tools to help me maintain my privacy and clean my pc from spies and stuff.

    Thank You!

  28. Dave Reiser says:

    Thank you for the password tools. I am a retired EE, living in a retirement community. I’m the neighborhood PC guru and find many of our senior ladies don’t write anything down. They tell me that their late husbands took care of all that. Now with your tools I can help recover their passwords.

  29. Winston Smith says:

    We already live in a totalitarian world with a Big Brother (Google). If you’re someone trying to do something different from what’s expected from you (Winston in 1984, Neo in The Matrix), the thought police will go after you. Big companies (Google, Microsoft, Apple) own the Net; they have created an infrastructure to protect their interests.
    I realized that antivirus programs are unreliable when they started to detect keygens as viruses. Every piece of software that patches a big company’s program will be flagged as a virus. The useless antivirus industry started to use broad detection rules like “the code is obfuscated”, “queries the registry”. But with that, they started to detect big companies’ software, so they solved the problem by creating a whitelist. Now the rule is “if it comes from Microsoft, it’s ok”.
    chrome.exe is detected as ransomware (not kidding: https://www.hybrid-analysis.com/sample/f43e39326de39f5b176f3c3874a77d44f2eeee63f311c959e5f0d4fe028138ad?environmentId=100)
    For me a malware is a small exe that drops a bigger package that installs automatically, reads your PC config, then runs in the background, connects to its server every start looking for updates (that will also autoinstall) and sends all your PC data with your browsing history and passwords. WAIT! That program is GoogleUpdate.exe!
    The future of antivirus industry will run under a clear premise: “Every program that doesn’t come from a big company is malware”.

  30. Tzeno says:

    Hello
    I don’t know why, but when I open ChromePass (command-line version) it doesn’t have the passwords, only emails. But with the original version it’s good.
    It probably needs an update or something like that.
    -My chrome version: 80.0.3987.122 (32-bit)
    Thanks, Tzeno

  31. John says:

    This is a fine solution.

    I remember the days when we were told to use usernames on the ‘net and never publish our real information. Now every “popular” site wants all of your real information just so you can use it.

    I remember when I could use the fastest browser that had every modern browser feature before any others—built into the browser itself—and included many more features that today require “extensions”. The only option is Chrome or a Chrome skin today. My browser is set up to have all of Google’s junk disabled but as the days go on, so do the forced restrictions and attempts to datamine every single thing you do online. You can’t even download a damned file anymore thanks to Google.

    Even Google Search is unusable due to censorship and propaganda. Search for anything without extra terms like “forum” and you just get a handful of crappy copy/paste spam sites when searches used to return useful information. I set up my own Searx instance and use a variety of search sources.

  32. tarit says:

    Can you make a Linux version of your software? Like one for RouterPassView?
