Archive for the ‘Antivirus Issues’ Category

As you may know, some of the powerful tools on the NirSoft Web site, especially the tools that recover passwords, are constantly targeted by many Antivirus programs.
In order to find out which Antivirus programs cause more trouble with the tools of NirSoft, I decided to generate a report with the number of false positive alerts of every Antivirus program. I have created a small program that downloads the Antivirus scan results of all .exe files of NirSoft from the VirusTotal Web site and then processes the collected information and generates the desired report. I have also decided to generate a score for every Antivirus program according to its false positive issues.

Before I continue with more information about this report… let me say a few words about the term “False Positive”: There are people who say that I don’t use the term “False Positive” correctly, simply because the alerts about my tools are not a mistake and the Antivirus programs have to display an alert about a program that can be used by hackers for bad purposes (like my password-recovery tools).
So here’s my opinion…. It’s somewhat legitimate that an Antivirus program will display a warning about my password-recovery tools, as long as it’s done with a full explanation about the alert, which means that the Antivirus program must explain to the user that the program is completely legitimate and it’s not bad by itself, but it can also be used by hackers to steal passwords and that’s why the warning is displayed.
Also… the alerts on password-recovery tools should not be detected on the VirusTotal Web site, unless this Web site starts to make a full separation between Viruses/Trojans/Malware and non-malicious tools, so people who check the file in VirusTotal will not think that my tool is a horrible Virus.

Unfortunately, Antivirus programs and the VirusTotal Web site don’t provide a clear explanation about the alerts they display and many people are confused, thinking that my tools are infected with a Virus/Trojan, and as long as there are users who think that my programs are infected, I consider it a “False Positive”. The right definition of “False Positive”, in my opinion, is a situation in which a user thinks a file is infected with a Trojan/Virus/Malware according to an alert displayed by Antivirus software, while the file is not infected at all.
It doesn’t really matter that the Antivirus developers only wanted to warn the user about software that can be used by hackers; if the Antivirus program doesn’t deliver the message to the end user correctly, then it’s still a false positive.

It’s important to say that some of the Antivirus programs imply that my tools are not a Virus by adding “not-a-virus” or “Hacktool” or “Riskware” strings to the alert name, but many users don’t understand the meaning of these strings and still think that the file is infected. Nevertheless, in my score calculation, Antivirus programs that do it got a higher score.

Explanation about the report

The report contains 6 columns and one line for every Antivirus software/engine, here’s the description of every column:

  • AV Name – The name of the Antivirus
  • Total Alerts – The total number of NirSoft files for which the specified Antivirus displays alerts.
  • No Virus – Number of alerts that contain the following strings, implying that NirSoft software is not a Virus/Trojan/malware: not-a-virus, tool, pup (potentially unwanted program), pua (potentially unwanted application), riskware, unwanted, passwordrevealer, not malicious, passwordviewer
  • NO PR – Number of alerts for programs that are not a password recovery tool.
  • Trojan Alerts – Number of alerts that contain the following strings, implying that NirSoft software is a Virus/Trojan (so these alerts are severe false positives): trojan, spyware, malware, adware.
  • Score – Total score calculated for this Antivirus. Read the ‘How the score is calculated’ section for more information.

 

How the score is calculated

Here’s a full explanation about how the Antivirus score is calculated:

  1. Every Antivirus engine starts with 100 points.
  2. For every alert displayed for a password-recovery tool, 1.5 points are deducted from the Antivirus score.
  3. For every alert displayed for a tool that doesn’t recover passwords, 3 points are deducted from the Antivirus score.
  4. When one of the following strings appears inside the alert name, 0.5 points are added to the Antivirus score: not-a-virus, tool, pup (potentially unwanted program), pua (potentially unwanted application), riskware, unwanted, passwordrevealer, not malicious, passwordviewer
    That’s because the Antivirus does a good thing here, implying that my tool is not a Virus/Trojan/Malware.
  5. When one of the following strings appears inside the alert name, 5 points are deducted from the Antivirus score: Trojan, spyware, malware, adware
    That’s because the Antivirus does a bad thing here, implying that my tool is a Trojan/malware, which is completely a lie. Comodo, for example, displays an ‘UnclassifiedMalware’ alert for 11 NirSoft files, which is totally misleading, because the “Malware” term is mostly used for programs that are designed to be bad, and that’s why they got a very low score.
    ViRobot and Antiy-AVL also got a low score for the same reason.

Example for score calculation

AVG displays alerts for 13 files. 12 of them are password recovery tools, so 1.5 * 12 = 18 points are deducted; 1 tool is not password recovery, so an additional 3 points are deducted.
All 13 alerts contain ‘hacktool’ and ‘passwordviewer’ strings, so 13 * 0.5 = 6.5 points are added.

100 – 1.5 * 12 – 3 * 1 + 13 * 0.5 = 85.5
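
The scoring rules above, written out as a short program that classifies alert names and scores each engine. This is an added example, not NirSoft's own report generator; the CSV column names, the `ExampleAV` engine and its alert names, the hash placeholders and the `PASSWORD_TOOLS` set are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Marker strings as listed in the post. They are matched as case-insensitive
# substrings, so "HackTool" counts through "tool" (as in the AVG example).
NO_VIRUS_MARKERS = ("not-a-virus", "tool", "pup", "pua", "riskware",
                    "unwanted", "passwordrevealer", "not malicious",
                    "passwordviewer")
TROJAN_MARKERS = ("trojan", "spyware", "malware", "adware")

# Assumption: the caller supplies which files are password-recovery tools.
# This set is constructed for the sample below.
PASSWORD_TOOLS = {"mspass.exe", "netpass.exe"}

# Constructed sample input. The column names and hash values are placeholders;
# the Comodo and ViRobot alert names are the ones quoted elsewhere on this page.
SAMPLE_CSV = """av_name,alert_name,file,sha256
Comodo,UnclassifiedMalware,mspass.exe,SHA256_PLACEHOLDER
ViRobot,Not_a_virus:PSWTool.Messen.64512.B,mspass.exe,SHA256_PLACEHOLDER
ExampleAV,HackTool.Generic,produkey.exe,SHA256_PLACEHOLDER
ExampleAV,not-a-virus:PSWTool.Generic,mspass.exe,SHA256_PLACEHOLDER
ExampleAV,Trojan.Generic,netpass.exe,SHA256_PLACEHOLDER
"""


def classify(alert_name):
    """Return (implies_not_a_virus, implies_trojan) for one alert name.

    The two checks are independent: one alert name can hit both lists and
    is then counted in both report columns.
    """
    name = alert_name.lower()
    return (any(m in name for m in NO_VIRUS_MARKERS),
            any(m in name for m in TROJAN_MARKERS))


def score(total, no_virus, no_pr, trojan):
    """Apply the five scoring rules to one engine's column counts."""
    password_alerts = total - no_pr          # alerts on password-recovery tools
    return (100.0
            - 1.5 * password_alerts          # rule 2
            - 3.0 * no_pr                    # rule 3
            + 0.5 * no_virus                 # rule 4
            - 5.0 * trojan)                  # rule 5


def build_report(csv_text, password_tools):
    """Aggregate alert rows per engine and return report rows, best score first.

    Each row is (av_name, total, no_virus, no_pr, trojan, score).
    """
    counts = defaultdict(lambda: {"total": 0, "no_virus": 0,
                                  "no_pr": 0, "trojan": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        c = counts[row["av_name"]]
        not_virus, trojan = classify(row["alert_name"])
        c["total"] += 1
        c["no_virus"] += not_virus
        c["trojan"] += trojan
        c["no_pr"] += row["file"].lower() not in password_tools
    report = [(av, c["total"], c["no_virus"], c["no_pr"], c["trojan"],
               score(c["total"], c["no_virus"], c["no_pr"], c["trojan"]))
              for av, c in counts.items()]
    report.sort(key=lambda r: (-r[5], r[0]))
    return report


if __name__ == "__main__":
    print("AV Name    Total NoVirus NoPR Trojan  Score")
    for r in build_report(SAMPLE_CSV, PASSWORD_TOOLS):
        print("%-10s %5d %7d %4d %6d %6.1f" % r)
```

Feeding `score()` the column counts from a row of the report reproduces that row's Score value.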

 

Finally… Here’s the report.

The report is based on virus scanner results downloaded from VirusTotal on October 4, 2015. The NirSoft files were taken from NirLauncher package 1.19.53. Be aware that Antivirus signatures change every day, so it’s possible that if you check the virus alerts from today you’ll get a slightly different result. You can download a csv file containing all alerts found on this day from here. This file contains the Antivirus name, the alert name, the NirSoft file that triggered the alert and the SHA-256 hash of this file, and you can optionally view this file with CSVFileView.

The good news in this report is that there are 12 Antivirus engines without any false positive and they got the best score possible (100).
The bad news – There are 2 Antivirus engines that show alerts for more than 100 files of NirSoft (!!) – Bkav and TheHacker, and they got a very low negative score…

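| AV Name | Total Alerts | No Virus | NO PR | Trojan Alerts | Score |
|---|---|---|---|---|---|
| AegisLab | 0 | 0 | 0 | 0 | 100 |
| Alibaba | 0 | 0 | 0 | 0 | 100 |
| ALYac | 0 | 0 | 0 | 0 | 100 |
| ByteHero | 0 | 0 | 0 | 0 | 100 |
| ClamAV | 0 | 0 | 0 | 0 | 100 |
| Emsisoft | 0 | 0 | 0 | 0 | 100 |
| Panda | 0 | 0 | 0 | 0 | 100 |
| Qihoo-360 | 0 | 0 | 0 | 0 | 100 |
| Tencent | 0 | 0 | 0 | 0 | 100 |
| TotalDefense | 0 | 0 | 0 | 0 | 100 |
| VBA32 | 0 | 0 | 0 | 0 | 100 |
| Zoner | 0 | 0 | 0 | 0 | 100 |
| nProtect | 1 | 0 | 0 | 0 | 98.5 |
| Microsoft | 3 | 3 | 0 | 0 | 97 |
| F-Prot | 2 | 1 | 1 | 0 | 96 |
| Avira | 5 | 1 | 0 | 0 | 93 |
| Cyren | 5 | 0 | 1 | 0 | 91 |
| Agnitum | 9 | 9 | 0 | 0 | 91 |
| AhnLab-V3 | 9 | 9 | 0 | 0 | 91 |
| CMC | 6 | 5 | 2 | 0 | 90.5 |
| Ikarus | 5 | 4 | 0 | 1 | 89.5 |
| Baidu-International | 6 | 6 | 2 | 1 | 86 |
| Kingsoft | 8 | 2 | 2 | 0 | 86 |
| AVware | 3 | 0 | 0 | 2 | 85.5 |
| AVG | 13 | 13 | 1 | 0 | 85.5 |
| Ad-Aware | 10 | 0 | 0 | 0 | 85 |
| BitDefender | 10 | 0 | 0 | 0 | 85 |
| F-Secure | 10 | 0 | 0 | 0 | 85 |
| MicroWorld-eScan | 10 | 0 | 0 | 0 | 85 |
| Jiangmin | 3 | 1 | 1 | 2 | 84.5 |
| Zillya | 10 | 9 | 0 | 1 | 84.5 |
| Avast | 14 | 14 | 1 | 0 | 84.5 |
| Malwarebytes | 11 | 11 | 4 | 0 | 83 |
| Kaspersky | 16 | 16 | 2 | 0 | 81 |
| K7AntiVirus | 17 | 16 | 2 | 0 | 79.5 |
| K7GW | 18 | 17 | 2 | 0 | 78.5 |
| Rising | 6 | 1 | 3 | 2 | 77 |
| VIPRE | 10 | 7 | 1 | 2 | 77 |
| SUPERAntiSpyware | 15 | 14 | 2 | 1 | 76.5 |
| CAT-QuickHeal | 21 | 21 | 3 | 0 | 74.5 |
| GData | 16 | 2 | 0 | 1 | 72 |
| Fortinet | 22 | 22 | 4 | 0 | 72 |
| NANO-Antivirus | 12 | 9 | 0 | 3 | 71.5 |
| DrWeb | 16 | 15 | 5 | 1 | 71 |
| Symantec | 20 | 14 | 4 | 0 | 71 |
| McAfee-GW-Edition | 24 | 21 | 4 | 0 | 68.5 |
| McAfee | 21 | 10 | 4 | 0 | 67.5 |
| Arcabit | 12 | 0 | 0 | 3 | 67 |
| TrendMicro | 24 | 0 | 3 | 0 | 59.5 |
| ESET-NOD32 | 26 | 16 | 8 | 0 | 57 |
| TrendMicro-HouseCall | 25 | 0 | 5 | 0 | 55 |
| ViRobot | 12 | 5 | 2 | 7 | 46.5 |
| Sophos | 34 | 32 | 19 | 0 | 36.5 |
| Comodo | 13 | 2 | 0 | 11 | 26.5 |
| Antiy-AVL | 27 | 19 | 7 | 13 | -6.5 |
| TheHacker | 113 | 0 | 104 | 1 | -230.5 |
| Bkav | 175 | 0 | 162 | 175 | -1280.5 |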

 

It’s possible that I’ll generate another false positives report within a few months in order to check whether the Antivirus companies improve their software or whether they are getting worse…

 

 

As you may already know, the password recovery tools provided by NirSoft are constantly detected by many Antivirus programs as malware/Trojan/Virus or as a security risk.
Usually, the detection is not done by mistake. The Antivirus companies deliberately add these utilities to their database, because in addition to their legitimate use of recovering passwords, these programs can also be used for malicious purposes, like stealing passwords from another person, and thus the Antivirus companies see them as a threat to the user.

In the past, the Virus alerts problem only affected users who have an Antivirus program running in the background, but today… the problem is much more complicated.
It started 2 years ago, when Google acquired VirusTotal, a known Web site that scans files with all major Antivirus engines, and displays the result from all of them in one page.
It seems that now Google uses VirusTotal technology to decide whether a file is good or bad. If a file is detected by a lot of Antivirus engines, then it’s considered as Malware by the Malware detection system of Google.

Chrome and Firefox, the 2 most popular Web browsers today, already use the Malware detection system of Google for every downloaded file, so if the Google system detects the downloaded file as malware, the Web browser blocks the download and displays a warning saying that the file is malicious. Recently, I constantly get messages from people like “My Web browser blocks your software, please sent it to me by email”, which is quite annoying. In addition to the password-recovery tools downloaded separately, the NirLauncher package is also frequently blocked by Chrome and Firefox, simply because it contains the same password-recovery tools.

But this is not the only problem… In the last week, I had 3 days in which my Web site was blocked for people who search for my utilities in Google, and a “This site may harm your computer” message was displayed in the search result. The automatic systems of Google falsely detected that I have multiple malwares on my Web site, and blocked the access to my Web site from Google search results in order to protect the users from malwares that didn’t really exist…
All files that Google detected as malwares were simply my password recovery tools, and Google detected them as malware simply because many Antivirus programs target them.

The command-line options of my password recovery tools are the major feature that allows hackers and Trojans to use these tools for bad purposes, because it’s possible to export the passwords into a file and then optionally send them to a remote location (using other software) without displaying any user interface. Removing the command-line options from these tools will cause the Antivirus companies to see them as a lower security risk than before, and hopefully some of them will remove them from their virus detection database. If a few Antivirus companies remove the detection of my password-recovery tools from their system, the total number of VirusTotal detections will be lower, and the chance of getting into trouble as described above will be lower too.

I know that some of you, who are using the command-line options of my password-recovery tools for legal purposes, will be disappointed by this change, but in our ridiculous world where a combination of Antivirus companies, the VirusTotal service and Google may lead to blocking many users from accessing my Web site or from downloading software provided in it, I don’t have any other choice.

I’m still looking for a way to provide a command-line version of these tools for users who need this feature for legal purposes, but it must be done on a separate Web site, so the NirSoft Web site won’t be affected by them.

A few years ago, I wrote a Blog post about false positive problems that I have in many of my tools, and I received many responses from users and developers that experience the same problem.
Today the false positive issues still exist, but it seems that people are more aware of the false positive problems, because I get fewer complaints about virus alerts in my software than I got in the past.

Some of my tools have 2 different builds – one for using on 32-bit systems and one for using on 64-bit systems.
WirelessKeyView is one of these tools that is available in 2 builds – 32-bit and 64-bit. Both 32-bit and 64-bit builds of WirelessKeyView are compiled with exactly the same code and the same compiler options, and naturally they also do exactly the same actions. The only reason for creating the 64-bit build is that WirelessKeyView injects code into a system process in order to get the wireless keys, and a 32-bit process cannot execute code in a 64-bit process.

When sending the latest 32-bit version of WirelessKeyView to VirusTotal Web site, it shows false positive alerts from 16 different Antivirus programs:

VirusTotal WirelessKeyView 32-bit

Many people think that the VirusTotal Web site can be used to find out whether software is good or bad. Google probably thinks that too, because just recently they purchased the VirusTotal Web site. But the above sample proves that it’s not correct. WirelessKeyView is completely legitimate software to get the wireless keys stored on your own system and to move your wireless keys from one computer to another. As opposed to many other “Freeware” distributors, my software doesn’t send any personal information, doesn’t install any unwanted toolbar/spyware/malware, and doesn’t make any change in the Registry, so there is no good reason to warn and scare the user who downloads my software.

If the 32-bit version of WirelessKeyView triggers 16 Virus alerts, you may expect that the 64-bit version of WirelessKeyView, which is compiled from exactly the same code, will also trigger exactly the same 16 Virus alerts.
So here’s the surprise… The number of Virus alerts of WirelessKeyView 64-bit is zero !! Yes, there is not even a single Virus alert !

VirusTotal WirelessKeyView 64-bit

So what is the explanation for the difference between the alerts of the 32-bit and 64-bit versions ?
Well… This question should be sent to the Antivirus companies… But I have a theory:
Looking at the download statistics from the last month (September 2012), the 32-bit version of WirelessKeyView (wirelesskeyview.zip) has been downloaded 313,458 times, while the 64-bit version (wirelesskeyview-x64.zip) has been downloaded only 50,799 times.
So maybe the 32-bit version of WirelessKeyView gets false alerts simply because it’s much more popular than the 64-bit version ?

When a download is more popular, there is a higher chance that somebody will use it for a bad purpose and the Antivirus company will get a report about that, for example: A person allows his good friend to access his computer, but his friend uses it to run WirelessKeyView 32-bit and get access to some wireless networks that he shouldn’t have access to. When this person discovers that his wireless keys have been stolen by his “friend”, he sends a complaint to the Antivirus company with a sample of WirelessKeyView. The next day, the people of the Antivirus company decide to set an alert for WirelessKeyView in order to prevent future wireless key stealing. But now many people who want to download WirelessKeyView 32-bit for a good purpose, like recovering their own wireless key or moving it to another computer, get a warning from their Antivirus software or from the VirusTotal Web site, without understanding the reason for getting this alert.
On the other hand… if somebody tries to use WirelessKeyView 64-bit for a bad purpose, the Antivirus won’t show any alert, simply because the 64-bit version is less popular and nobody complained that it has been used to steal wireless keys.

Just a guess…

Recently I purchased a digital signature and both 32-bit and 64-bit builds of WirelessKeyView are signed with it. Some people told me that signing the .exe files will decrease the false positive alerts. So does it really help ? Maybe a little. I checked an older version of WirelessKeyView (32-bit), and VirusTotal shows 23 alerts:
https://www.virustotal.com/file/bb9bb534858fb79cb58b4a5411edd59c1b8b3390eb11635294f606f9950c595c/analysis/1349885723/

So 16 alerts is a little better than 23 alerts, but it’s still too much.

Finally, here are 2 small articles related to false positive issues posted on other Web sites:

False Positives by some random antivirus vendor

The Funny World of Virus Scanners

As I already reported in the past, MessenPass, my password recovery tool for Messenger applications, is falsely detected as Virus/Trojan/Malware by many Antivirus programs.

Currently, according to this VirusTotal report, 18 out of 41 Antivirus programs show a virus alert for the MessenPass utility.

So I decided to make a nice test. I took the same code of MessenPass, and recompiled it with different compiler optimization options.
I also left it without UPX compression that I usually do with all my utilities.
I posted the new build of MessenPass for testing in VirusTotal Web site, and here’s the amazing result:

Only 2 out of 41 Antivirus programs trigger a virus alert for the new build of MessenPass.
Just to be clear – It’s still the same version of MessenPass (v1.26) like the original MessenPass with the 18 Antivirus alerts.
I simply compiled the same code of MessenPass with different compiler options.
Avoiding UPX compression also helped a little, because after compressing the same file with UPX, I got 5 virus alerts.

Currently, this build of MessenPass is only posted in this blog, while I left the original build in the MessenPass Web page.
It’s interesting to see whether the Antivirus companies read or scan my blog.
If they do, the number of virus alerts in this MessenPass build will increase very soon…

As I predicted in my previous post about MessenPass false positives, the number of false positive alerts in the new version of MessenPass increased to 17, according to the VirusTotal report.

The new false alerts are:

a-squared – Trojan.Generic!IK
AntiVir – SPR/PSW.Messen.DC
Antiy-AVL – PSWTool/Win32.Messen.gen
Comodo – UnclassifiedMalware
Fortinet – HackerTool/Messen
McAfee-GW-Edition – Riskware.PSW.Messen.DC
ViRobot – Not_a_virus:PSWTool.Messen.64512.B

A few days ago, I released a new version of MessenPass. According to VirusTotal Web site, so far there are only 10 Antivirus programs that detect a threat or infection inside mspass.zip:

If you wonder what is the reason that I say the word ‘Only’, that’s because the previous version of MessenPass (v1.24) has false alerts in 25 Antivirus programs:

The reason for the False Positive decrease is probably that most Antivirus programs don’t find the byte sequence that they used to detect the previous version of MessenPass.
Unfortunately, in the next days/weeks, these Antivirus companies will probably add the new MessenPass into their database, and the number of false alerts will increase back to around 25.
In the next few days, I’ll watch closely the changes in MessenPass false positives, and I’ll post an update when the number of false alerts significantly increases.

A few weeks ago, I wrote about the troubles I have from all these false virus alerts generated by Antivirus programs.
So here’s 2 more examples of serious troubles that McAfee false positives caused to other companies:

  1. McAfee false-positive glitch fells PCs worldwide When AV attacks:
    In this event, that occurred only 10 days ago, McAfee Antivirus “attacked” some system files that were falsely detected as Trojan, and caused these computers to crash with blue screen of death.
  2. Companies Struggle To Reverse McAfee’s False Positives On Yahoo Search:
    Around a year ago, Yahoo started a partnership with McAfee’s SiteAdvisor, causing some Web sites to be displayed with false red alerts on Yahoo search results.

…And finally, just a good word for McAfee SiteAdvisor: Although they have some false alert problems like those mentioned in the second article, at least they also show a good willingness to fix this kind of problem. 3 years ago, their SiteAdvisor displayed a red alert on my Web site, but after I added my remark as the author of NirSoft, they checked my Web site and decided to turn it from red to green.
As opposed to SiteAdvisor, the Antivirus of McAfee is a troublemaker like all the others, and continues to detect my utilities as “potentially unwanted program” or “Generic PUP”.

Antivirus is an essential tool that most people need to protect their Windows operating system from Viruses, Trojans, and other bad stuff.

Unfortunately, most Antivirus companies go too far with their Virus/Trojan protection, and many times they classify completely legit software as a Virus/Trojan infection.
One good example of that is my own password recovery tools: Most people need these tools to recover their own lost password. These password tools, like many other utilities out there, can also be used by hackers for bad purposes.
The attitude of many Antivirus companies is very tough in this subject – If it’s a tool that can be used by bad guys, it’s classified as Trojan or Virus, even when most users need it and use it for good purposes. Antivirus companies don’t care that they block their own customers that want to recover their own passwords, and they don’t care that they may cause their customers to think that I’m a Virus distributor.
I must say that some Antivirus companies are a little more gentle, and classify these tools as “Security Threat” or “Riskware” which is much better than classifying them as Virus or Trojan, but they still prevent the user from running them – by deleting them or by putting them in quarantine.
Also, many users don’t know what the difference between Virus and Riskware is, and when they get these “Riskware” alerts, they still think that my tools are infected with a Virus named “Riskware”.

My password-recovery utilities are not the only victims of the “over protection” made by Antivirus software. Some other tools, like ProduKey, RegScanner, WebVideoCap, NirCmd, and others that don’t recover any password, are still constantly targeted by Antivirus companies, without any known reason.

Other developers also have “False Positive” problems

Other small developers also constantly experience false alerts made by Antivirus software, here are some examples:

What about large companies like Microsoft ?

Large companies usually don’t have any false positive problems, and even if there is a single case of a false alert, the antivirus company will probably fix it very soon. After all, antivirus companies know that large companies have good lawyers and if they don’t fix the problem, they may find themselves in a large lawsuit for libel.
One good example is SysInternals. In the past, their psexec.exe tool, which can be used to execute code on a remote machine, was detected as a Virus by some Antivirus programs, but today, when SysInternals is a part of Microsoft, all Antiviruses show it’s clean, as you can see from this VirusTotal report.

Examples for emails I receive on daily basis

Here’s some examples of messages regarding the virus alerts, that I get to my inbox on daily basis:

  • “Your mspass.exe is infected with Virus”
    “You have Trojan horse in your Mail PassView utility”
    “your ProduKey is a Trojan, be ashamed !”

    These messages are sent by users that really think that my tools are infected. I cannot blame them for thinking that, because the Antivirus really tells them that there is an infection.
    Most Antivirus programs don’t explain to the user that the alert is displayed only because it’s a legitimate tool that might be used by hackers.
    They simply tell the user that the tool is infected with a Virus or trojan, even though it’s not really the truth.

  • “I try to run your program and it says that I don’t have permission”
    “I try to run your program, and I get the following message: ‘Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item'”
    “I try to run your program, and nothing happen”
    “Each time that I download your program and extract the files, the .exe file disappears”

    These messages are sent by users who think that there is a bug or problem with my utility, without knowing that this problem is actually caused by their Antivirus.
    In some circumstances, the Antivirus software runs in the background, and when it detects a threat, it simply blocks the .exe file, puts the file in quarantine, or simply deletes it, without telling the user anything.
    The frustrated user thinks that there is a problem in the software he tries to run, without knowing that the Antivirus software, that should protect his computer, is actually the troublemaker that causes this problem.

  • “When I try to get into utilities section of your site, I get ‘the page cannot be displayed’ error”
    “You have a broken link in your site – When I try to download your ProduKey tool, I get ‘the page cannot be displayed’ error”

    These messages are sent by users who think that there is a problem in my Web site, because they cannot browse into a Web page in my site or download a utility from my site. But once again, this problem is caused by an Antivirus or Firewall that decided to block my Web site without explaining the site blocking to the user.

    Zonealarm products, as opposed to others, redirect the user to a Web page which says that “nirsoft.net has been known to distribute spyware”, which is completely untrue.

    This web page also offers to report false detections to False_Positive@checkpoint.com. I really tried to do so, but I received the following error message from their email server:
    ----- The following addresses had permanent fatal errors -----

    (reason: 550 5.1.1 … User unknown)

    As you can see, Zonealarm provides an email to report about false positives, but it’s a fake email address that nobody really reads.

Needless to say – all these virus-related email messages that I receive every day are a big headache and require me to waste my time on answering/handling them, instead of adding new features to my utilities and updating my site.

Why don’t you contact the Antivirus companies ?

Some people ask me, “Why don’t you simply contact the Antivirus companies to resolve the false alerts issues ?”
So here’s some important points:

  1. There are dozens of Antivirus companies out there, and with the combination of more than 100 utilities in my site, false alerts appear and disappear all the time. Handling all these false alerts may require an employee with a full-time job, even more than that.

  2. If you look into the Web sites of some Antivirus companies, you’ll easily find a large “Buy Now” button, but you probably won’t find any “Report About False Positive” link. Antivirus companies always want to make more sales, but they don’t really care about false positives in their products. They usually hide the option to report a false alert very deep in their Web site, and some of them give “False Positive” support only for users that purchased their product.

  3. Even when I find the method to report a false alert, deep in their Web site, most of the companies don’t answer the requests at all or simply send an automatic message, saying that the sample that I sent is infected. In some cases, the Antivirus company fixes the false alert problem in their next update, but without admitting that they had a false positive, and without sending any apology to me, as a developer.
  4. False Positives usually come back: Even when an Antivirus company finally fixes a false positive, it’s just a matter of time until the false positive returns again, with a new Virus/Trojan name.


Help me and other developers !

If you feel frustrated, like me, about all these false alerts, you can help me and other small developers to stop Antivirus programs from detecting innocent tools as Viruses/Trojans.

What can you do ?
Here’s some examples:

  1. Add your comments to this article about False Positives problems you experience (As user or as software developer)
  2. Send this post to your friends, so they’ll know more about false positive problems.
  3. If you constantly pay for licenses and updates for your Antivirus software, don’t hesitate to call your Antivirus company and require them to stop the false alerts.
    You pay for your Antivirus product, and you deserve to get a reliable product that detects only real viruses.
  4. If you have any contact with large magazine writer/journalist, you may try to offer him to make a research and/or write an article about all false alerts problems made by Antivirus.
    Unfortunately, some magazines will never write an article against the Antivirus companies, because these companies also pay for advertising in these magazines.

The bottom line: if the false positives problem makes enough noise in the media, the Antivirus companies will understand that false positives may also hurt their reputation and decrease their product sales, and eventually they will give more priority to fixing the false alerts in their products.

Messages like “You have a Virus in your software” are received into my Inbox on a daily basis, and lots of them come from AVG Antivirus. So I decided to check the current status of AVG false positives, by scanning the utilities folder of my site.
First, I copied the utils folder of my site into a new place (I don’t really want AVG to touch my original site folder…), and then I allowed AVG Antivirus to scan the folder.
After AVG finished the scan, it split the scan result into 2 categories: Infections and Spyware.
Most of the alerts on my utilities folder appeared under the ‘Spyware’ section.
I really would want to understand what is going on in the minds of the AVG guys when they decided to detect my software as Spyware.

Anyway, I used my own SysExporter utility to grab the scan result from AVG and display it as HTML. Luckily, SysExporter is not detected as infection by AVG, otherwise, it wouldn’t allow me to run and use it.
So here’s the AVG “False Positive” list, the Spyware section:

C:\Utils\asterie.zip Potentially harmful program HackTool.DOI
C:\Utils\asterie.zip:\asterie.exe Potentially harmful program HackTool.DOI
C:\Utils\netpass.zip Potentially harmful program HackTool.FAJ
C:\Utils\netpass.zip:\netpass.exe Potentially harmful program HackTool.FAJ
C:\Utils\netpass_setup.exe Potentially harmful program HackTool.FAJ
C:\Utils\netpass_setup.exe:\netpass.exe Potentially harmful program HackTool.FAJ
C:\Utils\netpass_setup.exe:\ziz1384.tmp:\netpass.exe Potentially harmful program HackTool.FAJ
C:\Utils\pspv.zip Potentially harmful program HackTool.CBX
C:\Utils\pspv.zip:\pspv.exe Potentially harmful program HackTool.CBX
C:\Utils\sniffpass.zip Potentially harmful program HackTool.FMT
C:\Utils\sniffpass.zip:\SniffPass.exe Potentially harmful program HackTool.FMT
C:\Utils\sniffpass_setup.exe Potentially harmful program HackTool.FMT
C:\Utils\sniffpass_setup.exe:\SniffPass.exe Potentially harmful program HackTool.FMT
C:\Utils\sniffpass_setup.exe:\ziz1384.tmp:\SniffPass.exe Potentially harmful program HackTool.FMT
C:\Utils\vncpassview.zip Potentially harmful program HackTool.EEI
C:\Utils\vncpassview.zip:\VNCPassView.exe Potentially harmful program HackTool.EEI

And this one is the Infections section:

C:\Utils\lsasecretsdump.zip Trojan horse Generic10.SZR
C:\Utils\lsasecretsdump.zip:\LSASecretsDump.exe Trojan horse Generic10.SZR

And finally, here’s another issue with AVG and other Antivirus software:
When you exit from the Antivirus software, it won’t display any Virus/Trojan/Spyware warning, but the service of the Antivirus is still running in the background, and prohibits you from running any file that is detected as infected.
This means that if you try to run one of my tools that are detected as Spyware/Virus while the AVG application is not running, you’ll get the following error message:
“Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item”.

Most people that get this kind of error think that there is a bug in my software, and don’t know that the Antivirus is the one that causes the problem.