Let's just imagine. Let's just draw a scenario.
Jonny downloads a file; the file in question is "this is a safe file.exe". Jonny was told it is a safe file, he had already downloaded it before, it never went wrong, the file is safe. He happily double-clicks on it and something he never thought of just happens on the screen. A red alert pops up from an antivirus solution he had no idea was running in the background; it was installed by a friend, and Jonny does not like how it looks. The warning says "File this is a safe file.exe was blocked and quarantined. For further information click here (0)". So he never expected this behavior, but Jonny got a bit scared; he does not have much computer or software knowledge, he was just about to install his so lovely Minecraft addon. He's nervous, he clicks the further information button and it displays a threat detection with the name "MSIL:Agent-DRN [Trj]". He does not understand but freaks out, he jumps onto Google and searches for "MSIL:Agent-DRN [Trj]"; he was running Avast software but the only info he gets with that search comes from FortiGuard, which says:
"MSIL/Agent.DRN!tr.dldr is classified as a downloader trojan.
A downloader trojan is a type of malware that has the capability to download other malicious files or an updated version of itself.
The Fortinet Antivirus Analyst Team is constantly updating our descriptions. Please check the FortiGuard Encyclopedia regularly for updates."
Jonny is laughing because he believes he just infected the computer, even though the antivirus didn't quite say that, but just that a threat was blocked and quarantined. He also does not think about the description he has just read, and that it may differ from the one that comes from the antivirus solution installed on his computer. In fact, Jonny goes to the Avast support portal to look for "MSIL/Agent.DRN!tr.dldr" but no search results are found.
Advanced users will know that it was an FP case when they really knew the file itself, where it came from, and made all pre-checks before executing it. But Jonny, being an average unknowing user, might not feel so good about the antivirus alert.
Jonny was lucky his friend came to play Minecraft days later and explained that nothing wrong had happened, but that the antivirus had detected his addon due to it being new in the wild. It was then removed after the Avast team ensured the file was clean, after being submitted as an FP sample by his friend himself.
I may agree that sometimes AVs handle detection of new files poorly; take for example Avast putting MSIL/Agent.DRN!tr.dldr on someone's computer screen, yet they don't offer a direct online description for that. Instead, you will find that FortiGuard Labs openly holds that description online. It's wrong behavior, if you ask me, to put names to detections and not make sure such detection names are well documented online. That's one thing, but it has nothing to do with copycats. Antiviruses could just set their signatures and detection differently so they could make the FP ratio very low, at the cost, of course, of security.
The case of the test file is different from this story, since Jonny's friend may have submitted a file to Avast tagged as a False Positive; Avast will find it was an addon for a game and, after analyzing it in the labs and finding it to be clean, it is then excluded from detection. You can't submit this test file and tag it as a False Positive. Why would you want this file to be excluded from detection? It is not going to be used by you, the user who is submitting the file; it is not a game addon, so no more people need it either. It does nothing, but has some shady parts inside, nothing big, but it does not look like a virgin through Avast's or any other AV lab's eyes. You may submit it as an FP case, but they will reserve that decision, whether to exclude it from detection or not. In the case of the addon they won't reserve that decision after it was proved to be clean, since it is a file that has a purpose, it's clean, and it is being used by many users; they will exclude it from detection.