Tests Show Problems With AV Detections

February 7, 2010 by admin
Filed under Security News

Dateline: Moscow.

Here at a security press conference held by Kaspersky Lab, the company demonstrated how some malware detections are easily triggered by innocuous programs.

The problem arises when one vendor detects a threat. Samples are often passed on to other vendors, through multi-scanning services like VirusTotal. The fact that another vendor, particularly a respected one like Kaspersky, detects a threat is enough of a reason to take a serious look at the sample.

After suspecting such problems, Kaspersky created a test which demonstrated the phenomenon. They wrote a series of simple and innocuous programs, compiled them, created false detections for them in their engine, and then submitted the files to Virustotal. Only Kaspersky detected the files at this point.

But standard procedure with VirusTotal is that if at least one of the products detects a submitted sample, it is submitted to the others who didn’t detect it. The idea is that they can then analyze the file and create their own detection.

Instead, what they found was that other companies were creating detections for the false submissions from Kaspersky. The programs create some variables and perform simple mathematical operations on them. They don’t even touch the file system. Kaspersky provided me with the programs and the source code.

Click on these to see some of the detections:

But it turns out that the fact that Kaspersky was detecting the threats was not the only reason the others were. The real problems were the aggressive heuristics in the products and that fact that only a static scan was performed.

And there is something suspicious about a program that appears to do nothing and then exits. Other vendors I communicated with on the matter said that the behavior was not surprising and that a live on-access detection on a system with their product installed would not be the same. For instance, F-Secure said that “[o]n the end users Windows box, these alerts would show up as a prompt, asking the user whether he really trusts the program. In addition, we have massive whitelist databases in our back-ends, so such prompts would only appear from new, unknown applications.”

I suspected that the compiler used to generate the samples might itself be an issue, so I asked Kaspersky about it. They used the mingw crosscompiler, a gcc version for Linux that generates Win32 binaries. It’s possible that the same source code compiled with Microsoft Visual Studio would have generated a different reaction in the anti-malware products, not that it should make a difference. But Kaspersky then creates a “hello world” program with the same compiler and settings and uploaded it to VirusTotal; hours later, even though there were no Kaspersky detections, 2 other products called the sample “suspicious”.

This problem is not entirely new; Hispasec Sistemas Lab of Spain, the company that operates VirusTotal, wrote about it a few months ago (original Spanish, Google translation to English). As they point out, the volume of samples coming into company labs is so enormous that the vast majority has to be handled by automated analysis processes, and perhaps they are designed to be a little more paranoid than humans.

Kaspersky Lab has written an Analyst’s Diary entry on the issue as well.

By Larry Seltzer from PCMag.com

Tags: a-squared, AhnLab-V3, antivir, Antiy-AVL, Authentium, Avast, AVG, BitDefender, CAT-QuickHeal, ClamAV, Comodo, DrWeb, eSafe, eTrust-Vet, F-Prot, F-Secure, false positive, Fortinet, GData, heuristic, Ikarus, Jiangmin, K7AntiVirus, kaspersky, Malware, Mcafee, McAfee+Artemis, McAfee-GW-Edition, microsoft, NOD32, Norman, nProtect, panda, PCTools, Prevx, Rising, Sophos, Sunbelt, symantec, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster

Boost PC Performance with Comodo System Cleaner‏

January 15, 2010 by admin
Filed under Protection Tools

Leave a Comment

Comodo System-Cleaner utilizes the patent-pending technology of SafeDelete to safely recover any files deleted in error, eliminating the risk from the process of PC cleaning.

Picture a messy room. This room may be littered with trash but also contains your valued possessions. The goal is obvious: get rid of the trash without throwing away any valuables. Now imagine an ultra-powerful vacuum that will destroy anything in its path, never to be seen again. You might think twice about where to point this vacuum! Other system cleaners have the same problem as this vacuum: good stuff gets obliterated,the same as bad stuff. In an attempt to perform some much-needed system maintenance, you could wipe out files necessary to your PC’s performance! Comodo System Cleaner has made this problem obsolete. If CSC sucks in a valued possession, you can easily reach in and take it back out again. No harm done, and your computer keeps performing solidly.

Important Features of System Cleaner

Deep cleaning of your PC’s registry
After a deep registry cleaning, Windows will be able to access the information it needs from the registry more quickly, boosting both performance and stability.

Deep cleaning of your PC’s disk drive
Eliminate the clutter inevitably built up over time in your disk drive to free up space and improve performance.

Clean-up scheduling
Enter when you’d like System Cleaner to perform a deep clean so it’s convenient for you.

SafeDelete™ and Registry Protection
Use these features to backup all your files before cleaning. When cleaning is complete, you’ll be able to make sure your PC is in perfect condition before deleting for good.

Privacy cleaning
Clear out your digital trail (cookies, cache, browsing history, and more) with the privacy cleaner to keep your private information out of the hands of others.

Extensive Windows customization tool
Alter dozens of obscure and hard-to-find Windows settings easily within Comodo System Cleaner’s interface.

Download the Portable Version: