View Full Version : Anti-virus vendors - what a waste of MY resources...
NewsArchive
03-18-2015, 11:04 AM
Kaspersky detected SetupBuilder as "Trojan-Dropper.Win32.Injector.llpg". Of
course, this is AGAIN a BUG in their virus definition update.
Okay, no problem you think? Well, here we go:
---
Kaspersky Lab: How to report false positives to the viruslab?
A. Put the suspected virus in a password-protected zip or rar file.
B. Compose an email message (only short description) and attach the zip
file.
C. Include the password in the body/subject of the email. If you suspect
a false positive, then include "Possible false positive" in the
subjectline.
D. Send the zip/rar file to newvirus@kaspersky.com
---
Okay, I did all this and asked them to FIX the bug. Then I received this:
---
This message has been generated by an automatic message response system. The
message contains details about verdicts that have been returned by
Anti-Virus in response to the files (if any are included in the message)
with the latest updates installed.
sb8_4714_dev.exe - Trojan-Dropper.Win32.Injector.llpg
New malicious software was found in this file. It's detection will be
included in the next update. Thank you for your help.
Best Regards, Kaspersky Lab
39A/3 Leningradskoe Shosse, Moscow, 125212, Russia
Tel./Fax: + 7 (495) 797 8700
http://www.kaspersky.com http://www.viruslist.com"
---
Anybody home?..... think McFly, think!!!
https://www.youtube.com/watch?v=Uz7238BM5UQ
This is killing me :-(
Friedrich
NewsArchive
03-18-2015, 11:04 AM
Friedrich,
> New malicious software was found in this file. It's detection will be
> included in the next update. Thank you for your help.
Sometimes you have to wonder if there is a functioning brainstem on
the other side of the equation... often, it seems, there isn't which
is truly sad.
Lee White (Lodestar Software)
NewsArchive
03-18-2015, 11:05 AM
And the best thing is, our customers received the following:
---
"Sorry, it was a false detection. It will be fixed in the next update. Thank
you for your help.
This file was detected, because this installer is injects code into process
and self delete. This is what malware do.
So all new files like this also will be detected. To fix this - change
installer.
---
They add a false-positive, fix their bug, then another specialist adds it
again and so on and so forth and and so on and so...
And did you read this!!! "To fix this - change installer". That is what
Kaspersky Lab says <g>
Friedrich
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner
NewsArchive
03-18-2015, 11:52 AM
Lee,
> Sometimes you have to wonder if there is a functioning brainstem on
> the other side of the equation... often, it seems, there isn't which
> is truly sad.
<G>
If it wasn't so sad it would be funny. SetupBuilder users and Lindersoft
contacted Kaspersky to report the false-positive. Kaspersky confirmed that
it was a bug in THEIR system and "to fix this - change installer"?! What?
Are you serious?
Kaspersky: "Sorry, it was a false detection. It will be fixed in the next
update. Thank you for your help.... To fix this - change installer."
A few minutes later, the same file:
Kaspersky: "New malicious software was found in this file. It's detection
will be included in the next update. Thank you for your help."
They are caught in a loop.
More medicine! I need more medicine! Please!
Friedrich
NewsArchive
03-18-2015, 11:53 AM
Friedrich,
> More medicine! I need more medicine! Please!
No, THEY need to up their dosage or refrain altogether!<g>
You just need a couple of Ibuprofen and vacation!!!!
Lee White
NewsArchive
03-18-2015, 11:53 AM
>> More medicine! I need more medicine! Please!
>
> No, THEY need to up their dosage or refrain altogether!<g>
>
> You just need a couple of Ibuprofen and vacation!!!!
<VBG> :-)
Friedrich
NewsArchive
03-18-2015, 11:53 AM
One minute ago:
Lindersoft: "No, this is NOT a new virus. This is a false-positive. Could
you please fix this and do NOT add it as a new virus???"
Kaspersky Lab: "Sorry, it was a false detection. It will be fixed in the
next update. Thank you for your help."
Yippee-ki-yay, I think we are safe now <g>. Where is John McClane when you
really need him?
Friedrich
NewsArchive
03-18-2015, 11:54 AM
http://media.tumblr.com/tumblr_le0zo9IfWm1qcig1w.gif
>
>Yippee-ki-yay, I think we are safe now <g>. Where is John McClane when you
>really need him?
Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.
NewsArchive
03-18-2015, 11:54 AM
> And did you read this!!! "To fix this - change installer". That is what
> Kaspersky Lab says <g>
>
>
how about "to fix this - change anti-virus vendor"
Tony Tetley
NewsArchive
03-18-2015, 11:55 AM
>
> how about "to fix this - change anti-virus vendor"
>
Good idea <g>
Friedrich
NewsArchive
03-18-2015, 11:56 AM
Can you recommend a good installer to replace this P.O.S.?<g>
Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.
NewsArchive
03-18-2015, 11:56 AM
>
> Can you recommend a good installer to replace this P.O.S.?<g>
>
<G> :-)
Friedrich
NewsArchive
03-18-2015, 11:57 AM
FWIW, I use kaspersky, and SB8 8.5.4714.0 is running with antivirus
database from March 18.
I left SB8 running overnight. Maybe I won't try closing it and
restarting<g>
Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.
NewsArchive
03-18-2015, 11:58 AM
Just tried on my XP VM, and SB fired right up. No probs.
Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.
NewsArchive
03-18-2015, 02:29 PM
And to think, I respected this group a few years ago (they cleaned out a
nasty piece of malware from my system).
--
Russ Eggen
RADFusion International, LLC
NewsArchive
03-18-2015, 02:30 PM
And on the same note, we just lost a possible sale because when a
potential client downloaded our demo.. then went to install it.. Norton
said it was a possible virus (I don't have a lot of details). So, we
went to request a whitelist on our install.
Do we have to create a bunch of VM's and install and purchase all of the
anti-viruses and test each one before we release a demo. Not worried
about purchases.
Perhaps we as software developers need to take a pro-active approach and
class action these anti-virus companies... which are costing us millions
(well not 'us' like me (I wish), but all software companies).
IS there not a central location where you can upload your software and
it will test it with all of the popular anti-viruses.
Better yet, I think I'll make my own anti-virus company.. I'll just
prevent or warn about anything that gets installed. What's that, about
15 lines of code <G>
Ray
VMT
NewsArchive
03-18-2015, 02:31 PM
https://www.virustotal.com/
>
> IS there not a central location where you can upload your software and
> it will test it with all of the popular anti-viruses.
>
--
Russ Eggen
RADFusion International, LLC
NewsArchive
03-18-2015, 02:32 PM
And in an installer I made just this morning, this site reports Jiangmin
false positive. Friedrich has documented how this company won't fix
their software, let alone acknowledge Friedrich's communication.
Every other AV program says its cool.
--
Russ Eggen
RADFusion International, LLC
NewsArchive
03-18-2015, 02:33 PM
Russ,
> Every other AV program says its cool.
But not as cool as Shawn, right?!<g>
Lee White
NewsArchive
03-18-2015, 02:33 PM
NOBODY is as cool as Shawn!
Jane Fleming
NewsArchive
03-18-2015, 02:34 PM
He's never complained about my code. That's why he's cool! :-)
--
Russ Eggen
RADFusion International, LLC
NewsArchive
03-18-2015, 02:35 PM
Thanks Russ for telling me about this VirusTotal.
I tested mine and I had 3 issues.. the first 2 were an issue with the
ammyy program which is what we use to get on our customers screens.
Eset reported it: a variant of Win32/RemoteAdmin.Ammyy.C potentially unsafe
And Agnitum said it was riskware
The 3rd was the Jiangmin issue as well.
I worry about the ammyy program but it works so well. I put a password
in it so nobody else can request access to our customers machines. So
far, not a single issue. But this may be causing our problem as we
install it with our software so we can just run it from our program.
Ray
VMT
NewsArchive
03-18-2015, 02:36 PM
Ray,
This nice thing about this testing site is you have ammunition to give
to your customer(s) and you can then tell them you have an open issue
ticket with the vendor in question (assuming you do open one <g>).
Also, you could issue advices or notices in your RSS feeds and or web
site stating there are known issues with those AV vendors (be sure to
date the notice!) and update when things change - including when the
vendor fixed their bug.
You are seen as on top of things and responsible. Gives you a nice and
unassailable reputation! Worked well for Friedrich, didn't it? <g>
--
Russ Eggen
RADFusion International, LLC
NewsArchive
03-18-2015, 02:37 PM
That's a neat site but it won't test large setups. Ours are typically
between 300-500mb.
Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.
NewsArchive
03-18-2015, 02:38 PM
Jeff - I think you could make a dummy installer, as it appears it checks
just the installer program. Reports it as a Lindersoft executable. But
I think no matter how many different ones you submit, the results will
be the same.
--
Russ Eggen
RADFusion International, LLC
NewsArchive
03-18-2015, 02:39 PM
Except for the times that they're not<g>
Thanks Russ.
> But
>I think no matter how many different ones you submit, the results will
>be the same.
Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.
NewsArchive
03-18-2015, 02:39 PM
Yeah, that's a crap shoot! :-)
--
Russ Eggen
RADFusion International, LLC
NewsArchive
03-18-2015, 02:40 PM
Hi Friedrich,
> Kaspersky detected SetupBuilder as "Trojan-Dropper.Win32.Injector.llpg". Of
> course, this is AGAIN a BUG in their virus definition update.
I wouldn't touch Kaspersky with a 10 foot pole after my experience with
them years ago.
Best regards,
--
Arnor Baldvinsson
Icetips Alta LLC
NewsArchive
03-19-2015, 07:46 AM
Russ,
> Jeff - I think you could make a dummy installer, as it appears it
> checks just the installer program. Reports it as a Lindersoft
> executable. But I think no matter how many different ones you
> submit, the results will be the same.
That is a great idea !!! I have added a new feature to the IDE. There is a
new "Compile Mode" menu item. When you toggle "Enable File 'Dummy' Mode"
then the compiler will link in 5 byte "dummy" files instead of the real
files.
The installer stub (loader), the uninstaller, the installer runtime and all
the required service files are the real ones. The compiler will only
replace the files in the archive (files to be installed) with "dummy" ones.
This can then be uploaded to VirusTotal.
Very good idea. Thank you !!!
Friedrich
NewsArchive
03-19-2015, 09:08 AM
You are welcome! Good option for the IDE too.
--
Russ Eggen
RADFusion International, LLC
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.