NirBlog

There are 2 new columns in SmartSniff utility: ‘Last Packet Time’ and ‘Data Speed’
The ‘Last Packet Time’ column displays the date/time of the last packet captured for the specified connection.
The ‘Data Speed’ column displays the calculated speed in KB/Sec. This speed is calculated by using the ‘Data Size’ value and the number of milliseconds elapsed since the first packet of this connection arrived.

Antivirus is essential tool that most people need to protect their Windows operating system from Viruses, Trojans, and other bad stuff.

Unfortunately, most Antivirus companies goes too far with their Virus/Trojan protection, and in many times they classify completely legit software as Virus/Trojan infection.
One good example for that is my own password recovery tools: Most people need these tools to recover their own lost password. These password tools, like many other utilities out there, can also be used by hackers for bad purposes.
The attitude of many Antivirus companies is very tough in this subject –
If it’s a tool that can be used by bad guys, it’s classified as Trojan or Virus, even when most users need it and use it for good purposes. Antivirus companies don’t care that they block their own customers that want to recover their own passwords, and they don’t care that they may cause their customer to think that I’m a Virus distributer.
I must say that some Antivirus companies are a little more gentle, and classify these tools as “Security Threat” or “Riskware” which is much better than classifying them as Virus or Trojan, but they still prevent the user from running them – by deleting them or by putting them in quarantine.
Also, many users don’t know what is difference between Virus and Riskware, and when they get these “Riskware” alerts, they still think that my tools are infected with a Virus named “Riskware”.

My password-recovery utilities are not the only victims of the “over protection” made by Antivirus software. Some other tools, like ProduKey, RegScanner, WebVideoCap, NirCmd, and others that don’t recover any password, are still constantly targeted by Antivirus companies, without any known reason.

Other developers also have “False Positive” problems

Other small developers also constantly experience false alerts made by Antivirus software, here some examples:

• UBCD4Win – a great freeware Windows boot cd containing multiple tools that some of them are detected as malware: http://www.ubcd4win.com/faq.htm#false
• PortableApps is a great open source tool containing portable software package to run from USB flash drive, but also have some False Positive problems: http://portableapps.com/support

• AutoHotKey – Open source utility for creating mouse/keyboard macros.
  Users of AutoHotKey constantly complains about false alerts from antivirus programs.
  See the following links:
  It’s time to do something about these AutoHotkey antivirus false positives

  An open letter for Antiviral software companies

• RJL Software (Updated on 21/05) – Their programs are constantly detected as “Joke program”. You can read about that here and also here. They also added a commend to this post, it’s recommended to read it too.

• UPX False Positives – Kaspersky Lab Forum: User complains in Kaspersky forums about False Positives of tools compressed with UPX

What about large companies like Microsoft ?

Large companies usually don’t have any false positives problems, and even if there is a single case of false alert, the antivirus company will probably fix it very soon. After all, antivirus companies know that Large companies have good lawyers and if they won’t fix the problem, they may find themselves in a large lawsuit for libel.
One good example is SysInternals. In the past, their psexec.exe tool that can be used to execute code on remote machine, was detected as Virus by some Antivirus programs, but today, when SysInternals is a part of Microsoft, All Antiviruses show it’s clean, as
you can see from this VirusTotal report.

Examples for emails I receive on daily basis

Here’s some examples of messages regarding the virus alerts, that I get to my inbox on daily basis:

• “Your mspass.exe is infected with Virus”
  “You have Trojan horse in your Mail PassView utility”
  “your ProduKey is a Trojan, be ashamed !”

  These messages are sent by users that really think that my tools are infected. I cannot blame them for thinking that, because the Antivirus really tell them that there is an infection.
  Most Antivirus programs don’t explain the user that the alert is displayed only because it’s a legitimated tool that might be used by hackers.
  They simply tells the user that the tool is infected with Virus or trojan, even it’s not really the truth.

• “I try to run your program and it says that I don’t have permission”
  “I try to run your program, and I get the following message: ‘Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item'”
  “I try to run your program, and nothing happen”
  “Each time that I download your program and extract the files, the .exe file disappears”

  These messages are sent by users who think that there is a bug or problem with my utility, without knowing that this problem is actually caused by their Antivirus.
  In some circumstances, the Antivirus software runs in the background, and when it detect a threat, it simply block the .exe file, put the file in quarantine, or simply delete it, without telling the user anything.
  The frustrated user think that there is a problem in the software he tries to run, without knowing that the Antivirus software, that should protect his computer, is actually the troublemaker that causes this problem.

• “When I try to get into utilities section of your site, I get ‘the page cannot be displayed’ error”
  “You have a broken link in your site – When I try to download your ProduKey tool, I get ‘the page cannot be displayed’ error”

  These messages are sent by users who think that there is a problem in my Web site, because they cannot browse into a Web page in my site or download a utility from my site. But once again, this problem is caused by Antivirus or Firewall that decided to block my Web site without explaining the user about the site blocking.

  Zonealarm products, as opposed to others, redirects the user into a Web page which says that “nirsoft.net has been known to distribute spyware“, which is completely untrue.

  This web page also offers to report about false detection to False_Positive@checkpoint.com. I really tried to do so, but I received the following error message from their email server:
  —– The following addresses had permanent fatal errors —–

  (reason: 550 5.1.1 … User unknown)

  As you can see, Zonealarm provides an email to report about false positives, but it’s a fake email address that nobody really reads.

Needless to say – all these virus-related email messages that I receive every day are a big headache and require me to waste my time on answering/handling them,
instead of adding new features to my utilities and updating my site.

Why don’t you contact the Antivirus companies ?

Some people ask me, “Why don’t you simply contact the Antivirus companies to resolve the false alerts issues ?”
So here’s some important points:

1. There are dozens of Antivirus companies out there, and with combination of more than 100 utilities in my site, false alerts appears and disappears all the time. Handling all these false alerts may require an employee with full-time job, even more than that.

2. If you look into the Web sites of some Antivirus companies, you’ll easily find a large “Buy Now” button, but you probably won’t find any “Report About False Positive” link. Antivirus companies always want to make more sells, but they don’t really care about false positives in their products. They usually hide the option to report about false alert very deep in their Web site, and some of them gives “False Positive” support only for users that purchased their product.

3. Even when I find the method to report about a false alert, deeply in their Web site, most of the companies don’t answer the requests at all or simply send an automatic message, saying that the sample that I sent is infected. In some cases, The Antivirus company fix the false alert problem in their next update, but without admitting that they had a false positive, and without sending any apology to me, as a developer.
4. False Positives usually come back: Even when Antivirus company finally fix a false positive, it’s just a matter of time, until the false positive returns again, with a new Virus/Trojan name.

Help me and other developers !

If you feel frustrated, like me, about all these false alerts, you can help me and other small developers to stop Antivirus programs from detecting innocent tools as Viruses/Trojans.

What can you do ?
Here’s some examples:

1. Add your comments to this article about False Positives problems you experience (As user or as software developer)
2. Send this post to your friends, so they’ll know more about false positive problems.
3. If you constantly pay for licenses and updates for your Antivirus software,
   don’t hesitate to call your Antivirus company and require them to stop the false alerts.
   You pay for your Antivirus product, and you deserved to get a reliable product that detect only real viruses.
4. If you have any contact with large magazine writer/journalist, you may try to offer him to make a research and/or write an article about all false alerts problems made by Antivirus.
   Unfortunately, some magazines will never write an article against the Antivirus companies, because these companies also pay for advertising in these magazines.

In the bottom line, if the false positives problem will make too much noise in the media, the Antivirus companies will understand that false positives may also hurt their reputation and decrease their product sells, and eventually they will give more priority to fix the false alerts in their products.

IPInfoOffline utility has a new feature that allows you to easily insert country information for
each IP address inside the output generated by tracert (traceroute) or other network related tools.

For example, if the tracert output looks like this:

Tracing route to nirsoft.net [69.73.166.124]

over a maximum of 30 hops:


1    11 ms    13 ms    14 ms  62.189.147.43
2    25 ms    29 ms    27 ms  158.43.151.205
3    36 ms    37 ms    36 ms  146.188.14.125
4    55 ms    56 ms    55 ms  146.188.2.251
5   265 ms   131 ms    97 ms  213.248.105.45
6    79 ms    82 ms    92 ms  80.91.250.18
7   160 ms   158 ms   159 ms  80.91.250.209
8   175 ms   182 ms   186 ms  80.91.253.218
9   175 ms   173 ms   176 ms  213.248.90.54
10   180 ms   190 ms   181 ms  63.247.69.178
11   186 ms   184 ms   184 ms  209.51.131.90
12   170 ms   171 ms   172 ms  69.73.166.124


Trace complete.

After injecting country names with IPInfoOffline, it’ll look like this:

Tracing route to nirsoft.net [69.73.166.124 {United States} ]

over a maximum of 30 hops:


1    11 ms    13 ms    14 ms  62.189.147.43 {United Kingdom}
2    25 ms    29 ms    27 ms  158.43.151.205 {United Kingdom}
3    36 ms    37 ms    36 ms  146.188.14.125 {European Union}
4    55 ms    56 ms    55 ms  146.188.2.251 {European Union}
5   265 ms   131 ms    97 ms  213.248.105.45 {European Union}
6    79 ms    82 ms    92 ms  80.91.250.18 {European Union}
7   160 ms   158 ms   159 ms  80.91.250.209 {European Union}
8   175 ms   182 ms   186 ms  80.91.253.218 {European Union}
9   175 ms   173 ms   176 ms  213.248.90.54 {European Union}
10   180 ms   190 ms   181 ms  63.247.69.178 {United States}
11   186 ms   184 ms   184 ms  209.51.131.90 {United States}
12   170 ms   171 ms   172 ms  69.73.166.124 {United States}


Trace complete.

In order to get a result like this one, simply run tracert.exe of Windows with the host name you wish, and send the output into a file. After that, run IPInfoOffline.exe with /AddCountry, and specify the filename that you saved the trace.

For example:

tracert -d www.nirsoft.net > c:\temp\trace1.txt
IPInfoOffline.exe /AddCountry “c:\temp\trace1.txt”

IPInfoOffline is available to download here.

OutlookStatView is a new utility that allows you to scan your Outlook mailbox, and get a general statistics about the users that you communicate via emails.

After scanning your mailbox, OutlookStatView displays the following information for each user:

• Display Name: The display name of the user.
• Email: The email address.
• Total Incoming: Total number of emails that sent by this user to your mailbox.
• Total Outgoing (To): Total number of emails that you sent to this user as ‘To’.
• Total Outgoing (CC): Total number of emails that you sent to this user as ‘CC’.
• Total Outgoing (BCC): Total number of emails that you sent to this user as ‘BCC’.
• Total Outgoing (All): Total number of emails that you sent to this user.
• Total Messages Size: Total size of messages sent by this user.
• First Message On: The date/time of the first time that you sent or received a message to this user.
• Last Message On: The date/time of the last time that you sent or received a message to this user.
• First Software Name: The software name (Outlook, Thunderbird, and so on) that this user used in his first message sent to you. Be aware that for some kind of emails (For example: GMail accounts), this field will remain empty.
• Last Software Name: The software name (Outlook, Thunderbird, and so on) that this user used in his last message sent to you. Be aware that for some kind of emails (For example: GMail accounts), this field will remain empty.

For more information about this utility, click here

• WirelessNetView: Fixed issue – When WirelessNetView detect more than one network with the same SSID, it’ll be dispalyed as a separated item.
• MyEventViewer: Added /remote command-line option to connect a remote computer.
• SiteShoter: SiteShoter now saves the image in a new method, so all Java applets and other 3-party components are now saved properly.
• IPInfoOffline: Added ‘Index’ column that displays the order of the IP addresses in your list.
• MyLastSearch: Added support for search queries of Wikipedia, Friendster, hi5, Twitter, Facebook, and MySpace.
• SearchMyFiles: Added command-line support.

Most of the utilities in NirSoft Web site allows you to create a simple HTML report containing
the data that you need.

But what can you do if you want to get the report as image file ?

SiteShoter utility can help you do that. SiteShoter is a utility that allows you to save any Web page or HTML file into image file(png/jpg/gif).
Simply type the html file path in the URL field, choose all other parameters according to your needs, and then click the start button. It also recommened to set a low timeout value, because HTML files (As opposed to Web sites) are loaded pretty fast. If everything works fine, the image of your HTML file should be created in the location you specified in the ‘Filename’ field.

SiteShoter can also create images from command-line, for example:
SiteShoter.exe /URL “c:\temp\myreport.html” /Filename “c:\temp\myreport.png”

For more information about SiteShoter, click here.

• WebVideoCap: Fixed bug – WebVideoCap crashed on some mms/RTSP streams.
• VideoCacheView: Added /copyalltemp and /copymms to command line, and fixed Windows 7/Vista bugs.
• NirCmd: Added loop command, currtime and currdate variables.
• Mail PassView: The accounts of Windows Live Mail are now also displayed if you changed the store folder location.
• WhatInStartup: Added ‘Execute Command’ and ‘File Properties’ options.
• SpecialFoldersView: Added ‘Folder Properties’ option, and ‘My Documents’ folder that I missed in the previous versions.
• DLL Export Viewer: Added support for Drag & Drop and for ‘Open With’ menu/dialog-box of Windows.
• WhoisThisDomain and WhoisCL: Updated the whois server of .ms domains.

The new version of VideoCacheView now allows you to easily save all flash videos currently opened in your Web browser, even without displaying any user interface. You can use this feature with most popular video sharing Web sites, like YouTube, iFilm, Metacafe, and so on.

Simply run VideoCacheView with /copyalltemp as command-line parameter and specify the destination folder to save the .flv files, for example:

VideoCacheView.exe /copyalltemp “c:\my video files”

You can also use /copyalltemp parameter without specifying the destination folder:

VideoCacheView.exe /copyalltemp

In this case, VideoCacheView will ask you to select the desired folder to save the flash video files:

If you download and install VideoCacheView with full installation support (VideoCacheView_setup.exe), the “Save All Opened Flash Videos” shortcut is automatically created in programs group of VideoCacheView.
Clicking this shortcut allows you to select the desired destination folder, and then all currently
opened flash videos are saved into the folder that you selected.

• CurrPorts: Added drag And drop icon in the toolbar that allows to to easily filter by the desired application. Simply drag the target icon into the window of the application, and CurrPorts will display only the opened ports of this application.
• OpenedFilesView: Added drag And drop icon in the toolbar that allows to to easily view only the opened files of the desired application simply by dragging the target icon from the OpenedFilesView toolbar into the application.
  Also Added processfilter command-line option.
• WhoisThisDomain and WhoisCL: Updated the whois servers for .is, .lt, .ma, .md, .pl, .si, and .sk domains.
• SiteShoter: Fixed bug – SiteShoter failed to create screenshots of very large Web pages when there was not enough memory in the video card. SiteShoter now uses the computer memory instead of the video card memory.
• IconsExtract: Fixed bug – The size of PNG based icons is now displayed properly. (In prevoius versions, the size was displayed as 0x0).
• SysExporter: Added ‘Remove Question Mark Characters’ – Useful for date/time and some other columns of Explorer in Windows Vista.

Windows operating system have around 40 unique locations in the file system known as the “Special Folders”.
Many people are confused about that location of the special folders, because the location of these folders is modified from one version of Windows to another.
For example: In Windows 98, the history folder was located under c:\Windows\History, In Windows 2000/XP Microsoft changed it to C:\Documents and Settings\[User Name]\Local Settings\History and now in Windows Vista, it’s located under C:\Users\[User Name]\AppData\Local\Microsoft\Windows\History.

That’s why I created the SpecialFoldersView utility. This utility shows the list of all special folders in your current Windows operating system, and allows you to easily jump to the desired folder.

For more information about this utility, click here.