Anti-Viruses False positives - hall-of-shame

Posted: Thu Aug 28, 2008 2:37 pm
by Sethioz
Also take a look at Luigi's forum's "Anti-Viruses hall of shame"


*F-Secure 7.03 build 110 - detects uTorrent 1.6.1 as a ''Trojan-Downloader.Win32.Banload.ujv''
It is not a virus. I think it is a conspiracy: a person who downloads uTorrent gets an alert, thinks it is a virus, and deletes it.

*ZoneAlarm Security Suite:

Detects as spyware:
-Cain & Abel 2.5b64 - ''Hacker Tool''
-WPE Pro - Win32.Sniffer.WpePro.a
-Nmap - Win32.Application.Tool.Nmap.M
-ArtMoney - Win32.ArtMoney


Detects as Virus:
-WPE Pro - Sniffer.Win32.WpePro.a
-NetCat - not-a-virus.RemoteAdmin.Win32.NetCat
-SAMInside - not-a-virus.PSWTool.Win32.SAMInside.j
-PWinspector - not-a-virus.PSWTool.Win32.PWinspector.b
-Cain (&abel) - not-a-virus.PSWTool.Win32.Cain.284
-AirCrack - not-a-virus.PSWTool.Win32.AirCrack.a
-NetTools - not-a-virus.NetTool.MSIL.Sniffer.a
-Ardamax - not-a-virus.Monitor.Win32.Ardamax.24
-Hormac - HackTool.Win32.Hormac
-BruteForce - HackTool.Win32.BruteForce.n
-Luigi's tools (aluigi.org) are also blacklisted - Exploit.Win32.Aluigi.gu (fw, dh, at...etc)


Ok, so what if it is a hack tool or an exploit? In what way does it actually damage your own computer or system? Yes, if you are a total idiot and run an exploit on yourself (using the loopback IP) then you can maybe crash yourself or lag your adapter, but that's all. It is not a virus and I think they have NO right to blacklist TOOLS that are not dangerous to your own computer.
Anti-Virus should only prevent programs from harming your system.
As far as I know, ALL Luigi's tools are CLEAN and are NOT a virus or spyware. The fake players bug is NOT a virus in any way and it is not even harmful in any way. It is meant to flood a specific game (or application) with fake players, but it is NOT harmful; it can be annoying, but it does not cause system errors or shutdowns etc., and it does not hack or crack anything.
I bet soon they will even blacklist the .ut extension (used by uTorrent for unfinished files), and also the word ''torrent''.


IF you download something and you get a virus notification, then DO NOT delete it immediately. First look at what it says, and if you're still not sure, then use GOOGLE and see if there are any topics about it and whether it is really a virus or just a dumb ass blacklisting.

Also look at -this topic- from Luigi's forum.

Re: False positives - hall-of-shame

Posted: Tue Sep 02, 2008 5:01 pm
by RaT
Strange, I just installed ZA suite and it doesn't detect ArtMoney as ''spyware''.

Re: Anti-Viruses False positives - hall-of-shame

Posted: Wed Oct 15, 2008 12:20 am
by Sethioz
Here's something interesting. I used Luigi's tools sendtest and recvtest. Those two tools are used to see how much time it takes to send or receive a certain amount of data from one computer to another. They can be called benchmark tools. So I got this:

Zonealarm anti-virus detects:
recvtest.exe as Exploit.Win32.Aluigi.hl
and
sendtest.exe as Exploit.Win32.Aluigi.fi

Risk level - HIGH

Everybody who reads this should understand that this is total bullshit! Those tools are not even close to malware.
I contacted ZoneAlarm. I posted the problem on their forum and provided details. There I got the answer that ZoneAlarm actually uses Kaspersky databases to recognize malware.
Then I contacted KASPERSKY Labs about this problem and provided them with details. Surprisingly I got a reply! And even more stunning was that they didn't ignore it. Here's the reply I got:

Hello, recvtest.c, sendtest.c, winerr.h No malicious code was found in these files. recvtest.exe_, sendtest.exe_ - Exploit.Win32.Aluigi.fi We are sorry, it is a false alarm. It will be fixed as soon as possible. Thank you for your help. Please quote all when answering.


It seems that there's still a lil bit of hope that they will remove such ridiculous false positives. I also mentioned WPE Pro, Cain and also some other of Luigi's tools in it, but I specifically wanted an answer about sendtest and recvtest, and well, I got it. I will update my ZoneAlarm AV database and scan those tools again after a few days to see if they actually fixed the problem.

Re: Anti-Viruses False positives - hall-of-shame

Posted: Sun Oct 26, 2008 7:13 pm
by Sethioz
ZoneAlarm security suite detects NetCat:
nc.exe as not-a-virus.RemoteAdmin.Win32.NetCat

Re: Anti-Viruses False positives - hall-of-shame

Posted: Mon Nov 03, 2008 3:34 pm
by RaT
ZoneAlarm Security Suite
Detects
Http File Server - not-a-virus:Server-FTP.Win32.SFH.d

Re: Anti-Viruses False positives - hall-of-shame

Posted: Tue Jul 07, 2009 1:54 pm
by V
My uTorrent tried to transmit a mail somewhere; I put a perma deny on it and now things should be safe.

Re: Anti-Viruses False positives - hall-of-shame

Posted: Thu Sep 03, 2009 7:19 am
by Sethioz
More shame on them, especially Kaspersky. Ironically I am using Kaspersky AV too.

So what's this about? It started about a year ago with Luigi's tools recvtest.exe and sendtest.exe.
Quote from Luigi's site:
these two toolz are useful to know how much time is passed during the sending and receiving of a specific amount of megabytes of data between two computers.
My ZoneAlarm security suite detected them as Exploit.Win32.Aluigi.fi, so I started from the beginning. Here are the e-mails I sent and received regarding this 'issue'. Those are the replies from Kaspersky, so start reading from the bottom of the mail, because new replies go on top in email.


//////////////////////////////////////////////////////////////////////////////////////////////////////////////////


RE: confirmed false positive [KLAB-7024498]‏
From: [email protected]
Sent: Tuesday, October 14, 2008 11:02:42 PM
To: [email protected]

Hello,

recvtest.c, sendtest.c, winerr.h

No malicious code was found in these files.

recvtest.exe_, sendtest.exe_ - Exploit.Win32.Aluigi.fi

We are sorry, it is a false alarm. It will be fixed as soon as possible. Thank you for your help.

Please quote all when answering.

--
Best regards, Kirill Erakhtin
Virus analyst, Kaspersky Lab.
e-mail: [email protected]
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.


> Hi. First I wanted to post this on the forum, but then I saw this topic where it said to send those to this e-mail. I DON'T use Kaspersky, but I do use ZoneAlarm. They said that ZoneAlarm security suite actually uses the Kaspersky anti-virus database. So I will turn to KASPERSKY labs now. I will include the original message too (the message I sent to ZoneAlarm).
>
> I made this to inform the ZoneAlarm team and customers that ZoneAlarm is giving a ridiculously large number of FALSE positives. It even detects benchmark tools as exploits. So let's start with something really ridiculous.
>
> Tool names and info:
>
> *Sendtest and Recvtest 0.1 (sendrecvtest)
> these 2 toolz are useful to know how much time is consumed to send and receive a specific amount of megabytes of data between 2 computers (sendtest = client, recvtest = server)
>
> download link - http://aluigi.org/mytoolz/sendrecvtest.zip
>
> So how exactly is this harmful in any way?
>
> Nearly all Luigi Auriemma's tools are detected as malware. WHY? I haven't found a single tool from Luigi that is harmful to my computer in any way. All his tools are for testing and are NOT harmful in any way. Can somebody here please explain in detail (by pointing at one of Luigi's tools) how the tool is exactly harmful?
>
> Ok, let's go on with something else.
>
>
> *WPE Pro (Winsock Packet Editor)
> It's been detected as Sniffer.Win32.WpePro.a
> How can this tool be harmful to your computer? Why are EtherPeek or CommView not detected as malware? CommView and EtherPeek are also packet editors (also sniffers) and can do even more than WPE Pro. So obviously it is a FALSE positive, because WPE Pro is not harmful to your computer in any way.
>
> *Cain & Abel
> It's been detected as "Hacker Tool". I've been using this tool for about 4 years and I assure you that it is NOT harmful to your computer. The explanation in ZoneAlarm is as follows:
> "Cain and Abel are a pair of programs that retrieve passwords from your computer. They use a variety of methods to get your passwords, and if necessary decrypt them, including sniffing your network, and employing dictionary, cryptanalysis, and brute force attacks."
> Whoever wrote this has NO idea what he was talking about. Cain does not retrieve anything remotely. It is not harmful in any way to your computer. IT CAN NOT brute force your computer passwords. Cain is used to decrypt (bruteforce, cryptanalyze etc.) the HASHES, not passwords. How can somebody even come up with something so dumb?
> Would somebody please EXPLAIN in detail how this tool is harmful to your computer?!
> Sniff the network? So it means that ALL packet editors, such as CommView, EtherPeek, Ethereal etc., are malware too? How can you possibly monitor your network if everything that does this is malware?
>
>
> Those are simply a few examples, but there's a LOT more. Here is a discussion which explains in many ways that ZoneAlarm and many, many other anti-virus and anti-spyware programs are simply ridiculous!
> http://aluigi.freeforums.org/antiviruse ... -t273.html
>
> Now if somebody is really so dumb that he/she actually uses one of those tools to decrypt his/her own password and then send it over the internet, or floods his/her own computer, then why not add a big hammer to that blacklist too (as malware), because when you hit your computer with a big hammer then it obviously is dangerous to your computer.
>
> AntiVirus and anti-spyware should eliminate only software that is really DANGEROUS to YOUR computer, not ridiculous things like those few examples. Also, why are .exe (executable) files dangerous? If I rar or zip the .exe and then send it to another person, then this other person will STILL unpack and run it. So why does it even matter if it's been sent as .exe or .rar/.zip?
>
> Operating System: Windows XP Pro
> Software Version: 7.0
> Product Name: ZoneAlarm Internet Security Suite
>
>
> ----------------------------------------------------------------------------------
>
> Hi!
> I have moved it to off topic since the OP is more questioning the classification of riskware by software companies rather than having a specific issue with the ZA software.
>
> I think you should ask the developers of antivirus software your questions.
> In this specific case KASPERSKY Labs, whose engine is used in the ZA antivirus.
> See: www.viruslist.com for a classification of malware and related descriptions (if available)
>
> As you noted, other security tools also mark those utilities as riskware or exploit or not-a-virus.
> Aluigi exploit is detected by all major antivirus companies (McAfee, Symantec, ESET, Kaspersky, etc)
>
> Those tools are not malware per se but their improper use can make them potentially dangerous (Cain&Abel, etc..)
> You can exclude those programs in the advanced options of the ZA antivirus/antispyware tab (antivirus exclusions).
>
> Cheers,
> Fax
>
> ---------------------------------------------------------------------------------
>
> What I would specifically like to know is:
> HOW exactly is THIS tool harmful in any way? As Luigi has added an explanation, this is a benchmark tool and tests the SPEED between 2 computers. So why is it detected as malware? As mentioned in the post above, there are lots of tools and programs that are for benchmarking, but are detected as malware.
>
> *Sendtest and Recvtest 0.1 (sendrecvtest)
> these 2 toolz are useful to know how much time is consumed to send and receive a specific amount of megabytes of data between 2 computers (sendtest = client, recvtest = server)
>
> download link - http://aluigi.org/mytoolz/sendrecvtest.zip
>
>
> Also back to WPE Pro. Why is WPE Pro detected as malware, but not CommView, EtherPeek, Ethereal, WiFi Hopper etc.? They all can monitor your network (sniff, as you would define it). I do not simply say this. I've done research on WPE Pro and it is NOT harmful in any way.
>

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////


The most shameful thing is that they have still not fixed it. I wonder if their 'as soon as possible' always means a year or more?
Or maybe they just sent this reply to 'satisfy' me and get me off their back and it was totally ignored. I would go for the ignoring part.
However, I sent them another e-mail; I will see if I even get a reply this time.

Re: Anti-Viruses False positives - hall-of-shame

Posted: Sun Sep 20, 2009 1:14 am
by Sambo
I've seen this behavior in AVG, Avira & ESET products as well; in fact, I think it's in everything now because they all use virus info from the same central source. It really pisses me off because A) it tries to delete all my cracks etc. and B) now I don't know if any cracks etc. I download are actually clean or not because of all these false positives!!

ATM I'm putting up with Avira (I turned off the heuristics) because it's better than AVG, and I can't find any other decent AV products around which don't give the false positives.

Re: Anti-Viruses False positives - hall-of-shame

Posted: Sun Sep 20, 2009 5:49 am
by Sethioz
Yes exactly. You don't even know if it's really a virus or not. Extremely dumb. However, about sendtest.exe and recvtest.exe, Kaspersky actually fixed it!
After 10 months they finally got their finger out of their ass and fixed it; well, I had to rub it under their nose again of course (in my previous post about the mail).

So the only way is to waste some time and just rub it under their nose until they fix it. As for cracks, Kaspersky hasn't detected any of my cracks as malware. However, they have a retarded category called "riskware"; they put all kinds of shit there, like tools meant to recover hashes. They say it can be used to crack passwords blabla. Technically cracking a hash is not the same as cracking a password. A hash can be anything. A hash can be calculated from an image file too. For example an md5 checksum is used to check if a file is corrupt or not. Lots of sites have md5 checksums included on the site, so you can calculate the md5 checksum after download and compare it to the one on the site in order to know if your file is corrupt or not.

I will poke Kaspersky again once I get bored. I'll pick another of Luigi's tools and send it to them.
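
The checksum check described in the post above, as an added example that is not part of the post and not one of Luigi's tools: a small Python verifier that parses an md5sum-style listing (constructed sample data, with a made-up stand-in for the archive contents) and reports whether a downloaded file matches. An MD5 match is good evidence that the transfer was not corrupted, as the post says; it only rules out tampering if the published digest itself came over a channel the attacker could not alter.

```python
import hashlib
import hmac
import os
import tempfile

SAMPLE_CONTENT = b"sendrecvtest sample payload\n"  # constructed stand-in, not the real archive


def file_digest(path, algo="md5", chunk_size=1 << 16):
    """Hash a file in chunks so a large download never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text):
    """Parse md5sum/sha256sum-style lines ('<hex>  <name>') into {name: hex}."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or line.lstrip().startswith("#"):
            continue  # blank, comment, or malformed line
        digest, name = parts
        expected[name.lstrip("*").strip()] = digest.lower()  # '*' marks binary mode
    return expected


def check_digest(name, actual_hex, checksum_text):
    """Return 'ok', 'mismatch' or 'unlisted' for one file's computed digest."""
    expected = parse_checksum_file(checksum_text)
    if name not in expected:
        return "unlisted"
    # compare_digest takes the same time whether the strings differ early or late.
    return "ok" if hmac.compare_digest(actual_hex.lower(), expected[name]) else "mismatch"


def verify_download(path, checksum_text, algo="md5"):
    """Hash the file at `path` and check it against the published listing."""
    return check_digest(os.path.basename(path), file_digest(path, algo), checksum_text)


def demo():
    """Write the constructed download, verify it intact, then after corrupting it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sendrecvtest.zip")
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        listing = f"{hashlib.md5(SAMPLE_CONTENT).hexdigest()}  sendrecvtest.zip\n"
        intact = verify_download(path, listing)
        with open(path, "ab") as f:  # simulate a truncated or damaged transfer
            f.write(b"\x00")
        return intact, verify_download(path, listing)
```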

Re: Anti-Viruses False positives - hall-of-shame

Posted: Sun Sep 20, 2009 6:40 am
by Sambo
Yeah, it is good that they actually did something about it! It's just bloody annoying that the false positives are in there to start with and you have to fight so hard to get a single one removed!

Re: Anti-Viruses False positives - hall-of-shame

Posted: Sun Sep 20, 2009 11:20 am
by Sethioz
Well, those idiots have added "aluigi.org" as a malicious signature. Most likely all of the bigger AV companies have done so, but the truth is that Luigi does not have a single piece of malware on his site. Those retards just do not make a difference between a real virus and a tool.
If you are such a retard that you flood yourself by using 127.0.0.1 ... well then you can basically destroy your PC with a hammer too, so they should add a big hammer to their blacklist too, and when you install AV it should show a big warning "WARNING, hammer detected in your room. plz remove it before using computer"

Re: Anti-Viruses False positives - hall-of-shame

Posted: Wed Aug 29, 2012 9:30 am
by Legu
Alright, a strange thing to mention here. I downloaded some tools like Gray Wolf / Gray Fox and so on, for .NET application modification. When downloading, Chrome immediately said that these tools contain a virus. But when I checked them online (google: online virus checker) I got 0/43. Also to mention is that these files were in .rar. I uploaded the .exe to the site to see whether it is a virus or not. So wtf is that?