[Advice Request] I am very disappointed by some antivirus solutions [copycats]


Nightwalker
One of the reasons I respect Kaspersky so much. It's not just that they have excellent products across the board; well, in my opinion Kaspersky is and has been top dog for a very long time. It just used to slow your system down, but they've even sorted that out now. But I respect the amount of research they do; they don't just copy people, they innovate. And Windows Defender is going to be a force to be reckoned with in a year or 2. Just imagine all that cloud data Microsoft are getting on malicious files, because WD is built into every system; even if the user uses a third-party solution, MS are still getting a LOT of cloud data. I think it's nothing short of fantastic what MS have done with Windows Defender and integrated exploit and folder protection.

Great thread. Thanks.

Thanks @ZeroDay, I am very grateful for your post.

I was a little worried that I lacked the English skills to explain my logic properly, but you seem to understand the idea behind this thread perfectly.
 

Nightwalker
I did actually take a look at the test sample regardless of it being a test one, and it does show a deceiving GUI. It also lacks PE details, isn't digitally signed, has no icon, etc... It checks many boxes for being at least "suspicious", so I'd hope it'd get flagged by an AV product, even if it truly isn't "ransomware".

The interface for the sample will claim that your files are/will be encrypted and request payment, which of course is a non-functional feature as it's a test sample. While nothing is actually going to be encrypted (there is not even support for enumeration of files; it's not even a fake simulation, it's literally just a UI with a timer), you could in theory claim that it should be marked as "malicious software" due to its deceiving form. Obviously, the intent was not malicious, because the intent was for it to be a test sample which would do absolutely no harm, but if someone were to share it around regardless, how would an average user feel when confronted by it?

To be precise, it's an MSIL executable which has a UI that meets the criteria to appear like in-the-wild ransomware would. It has a timer, dark background, a payment button, etc. There's no functionality other than the timer, but that's not the point. It could still scare an average user and put them into distress if they really believed it.

Advanced users will know that it's a test sample and where it came from, but if someone starts trying to prank people and shares it around, an average unknowing user might not feel so good about the joke. It's anti-virus vendors' job to protect people from malicious software as much as they can, therefore it only makes sense for them to flag it, even if no encryption capabilities are present. You could argue that there's no genuine use for the sample in a real-world environment because of its interface, and that is a reason to justify blocking it. It's also worth a mention that generic detections are used to detect new malware which has not yet been seen (the actual sample; the variant may be known but the sample may be different) and there are many different forms of static heuristic analysis.

On that note, the same detection names do not equal stealing detections. Stealing detections is when a vendor blatantly flags a sample because another vendor did, but there's actually no evidence whatsoever here that any vendor which flags the sample did this, even if the detection name is similar/the same. As I've already noted, the interface of the sample looks like what you could expect from ransomware in the home user market despite the lack of actual malicious code, and this could justify a detection.

Thanks for your thoughts on this question, it is very much appreciated. Even though I don't agree with some points of your post, it is respectful and very insightful.

It doesn't have any Trojan activity or functionality, but I could accept some kind of detection because it is a misleading file that could scare average users (not a virus/Bad Joke/Fake Ransomware), but a Trojan detection? NEVER.
 

ZeroDay
I do think Avast are getting a lot more serious about their products since acquiring AVG. I just have privacy concerns with Avast and ads even when you pay for their paid products, but still, I think they are heading in the right direction. I may give GDATA a try soon; it's been years since I tried it.
 

Azure
If the detection here is actually a false positive, then I'm interested in how long it takes big vendors to actually fix it.

I would imagine less AVs should be detecting it by now.
 
Deleted member 178

On that note, the same detection names do not equal stealing detections. Stealing detections is when a vendor blatantly flags a sample because another vendor did, but there's actually no evidence whatsoever here that any vendor which flags the sample did this, even if the detection name is similar/the same.
Exactly my point. You can't throw such accusations out of nowhere without solid proof.

As I've already noted, the interface of the sample looks like what you could expect from ransomware in the home user market despite the lack of actual malicious code, and this could justify a detection.
Exactly again. A test file should always be marked as suspicious, because it is a test. Now some may do it, others don't; it depends on the vendor's own policy. Like PUPs or keygens, some are more restrictive than others.
 
Deleted member 178

It doesn't have any Trojan activity or functionality, but I could accept some kind of detection because it is a misleading file that could scare average users (not a virus/Bad Joke/Fake Ransomware), but a Trojan detection? NEVER.
Skeeyah (name used by MS) is a backdoor discovered in 2015; maybe this test file has some similar coding even if it doesn't behave like the original malware. As I said before, unless we ask the vendors we won't know why they flag it or not.
 

Arrabida Rock
Guys, today I was just doing some tests with the Windows Defender Testground website and I realized how mediocre some antivirus solutions actually are; let me explain below.

On this website there are some files to test if Windows Defender protection is working correctly. So I tried the CloudBlock file and noticed after execution that it shows a GUI similar to ransomware, but of course without any functionality. (It just tests if cloud protection of WD is working.)

I uploaded the sample to VirusTotal just for the lolz and noticed that many antivirus solutions detected it as if it was real malware.

See here:
Cloud-delivered protection - Windows Defender Testground
Antivirus scan for cb49bb09669c7a55fe1963c73aefa940f7775ec4eb17f0044e0bdd68889c69ac at 2018-02-26 21:05:36 UTC - VirusTotal 28/66

So what's the problem with this?

The problem is that many antivirus players just copy Microsoft or Kaspersky signatures (Microsoft in this case) and that's it, no real research or advanced heuristics at play. I remember that some years ago Eugene Kaspersky complained about this, and it seems that this situation still remains.

Seriously guys, don't waste your money on those copycats; just use Comodo with @cruelsister settings or buy a real antimalware solution like Kaspersky or Emsisoft.

PS: I am especially disappointed with ESET.
PS 2: Pardon me for my English, I was in a hurry and it isn't my native language.

Are you upset that several antiviruses detect a harmless file, and on top of that with the same detection name? Is that it?
Look, there is more to life out there than a computer!!!
 

Arrabida Rock
English! please! :)

Your Excellency, Mr. Moderator, do you prefer Spanish or English?

Powered by Google Translator: (Google Translate)
English:
Are you upset that several antivirus programs detect a harmless file and also have the same detection name?

Spanish (translated):
Are you upset by the fact that several antiviruses detect a harmless file, and on top of that with the same detection name?
 
Deleted member 178

If the detection here is actually a false positive, then I'm interested in how long it takes big vendors to actually fix it.
I would imagine less AVs should be detecting it by now.
Nope, 39/67 now.
It is a test file, not an FP, so it is supposed to be detected as malicious; if it wasn't detected, it means the engine doesn't do its job.
 

Azure
It is a test file, not an FP, so it is supposed to be detected as malicious; if it wasn't detected, it means the engine doesn't do its job.
From what I understand it is a test file but only for Windows Defender. Though if the vendors made an agreement to detect it like they did for EICAR, then yeah it would make sense for it to be detected.

@Nightwalker
You were going to contact them, right? Do you know if they all agreed to detect in similar fashion to EICAR?
 
darko999
Let's just imagine. Let's just draw a scenario.

Jonny downloads a file; the file in question is "this is a safe file.exe". Jonny was told it is a safe file, he had already downloaded it before, nothing ever went wrong, the file is safe. He happily double-clicks on it and something he never expected happens on the screen. A red alert pops up from an antivirus solution he had no idea was running in the background; it was installed by a friend. Jonny does not like how it looks. The warning says "File this is a safe file.exe was blocked and quarantined. For further information click here (0)." He never expected this behavior, but Jonny got a bit scared; he does not have much computer or software knowledge, he was just about to install his lovely Minecraft addon. He's nervous, he clicks the further information button and it displays a threat detection with the name "MSIL:Agent-DRN [Trj]". He does not understand but freaks out, he jumps into Google and searches for "MSIL:Agent-DRN [Trj]". He was running Avast software, but the only info he gets with that search comes from FortiGuard, which says:
"MSIL/Agent.DRN!tr.dldr is classified as a downloader trojan.
A downloader trojan is a type of malware that has the capability to download other malicious files or an updated version of itself.
The Fortinet Antivirus Analyst Team is constantly updating our descriptions. Please check the FortiGuard Encyclopedia regularly for updates."
Jonny is laughing because he believes he just infected the computer, even though the antivirus didn't say quite that, but just that a threat was blocked and quarantined. He also does not think about the description he has just read, and that it may differ from the one that comes from the antivirus solution installed on his computer. In fact, Jonny goes to the Avast support portal to look for "MSIL/Agent.DRN!tr.dldr" but no search results are found.
Advanced users will know that it was an FP case when they really knew the file itself, where it came from, and made all pre-checks before executing it. But Jonny, being an average unknowing user, might not feel so good about the antivirus alert.
Jonny was lucky his friend came to play Minecraft days later and explained that nothing wrong had happened, but that the antivirus had detected his addon due to it being new in the wild. It was then removed after the Avast team ensured the file was clean, after being submitted as an FP sample by his friend himself.

I may agree that sometimes AVs handle detection of new files poorly; take for example Avast putting MSIL/Agent.DRN!tr.dldr on someone's computer screen, yet they don't offer a direct online description for that. Instead, you will find that FortiGuard Labs openly holds that description online. It's wrong behavior if you ask me, to put names to detections and not make sure such detection names are well documented online. That's one thing, but it has nothing to do with copycats. Antivirus vendors could just set their signatures and detections differently so they could make the FP ratio very low, at the cost, of course, of security.

The case of the test file is different from this story, since Jonny's friend may have submitted a file to Avast tagged as a False Positive; Avast will find it was an addon for a game, and after analyzing it in the labs found it to be clean; it is then excluded from detection. You can't submit this test file and tag it as a False Positive. Why would you want this file to be excluded from detection? It is not going to be used by you, the user who is submitting the file; it is not a game addon, so no more people need it either. It does nothing, but has some shady parts inside, nothing big, but it does not look like a virgin through Avast's or any other AV lab's eyes. You may submit it as an FP case, but they will reserve that decision, whether to exclude it or not from detection. In the case of the addon they won't reserve that decision after it was proved to be clean, since it is a file that has a purpose, it's clean, and it is being used by many users; they will exclude it from detection.
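The thread keeps comparing vendor strings such as "MSIL:Agent-DRN [Trj]" and "MSIL/Agent.DRN!tr.dldr" and asking whether a shared name means a shared family or just a shared naming convention. The following is an added Python example (not from any poster or vendor) that reduces each detection string to its family token and groups the engines that agree; the report dict is constructed to mimic the layout of VirusTotal's v3 last_analysis_results map, using the names quoted in this thread plus placeholder vendors "VendorX" and "VendorY".

```python
import re
from collections import defaultdict

# Constructed sample shaped like VirusTotal's v3 "last_analysis_results" map
# (engine name -> {category, result}). The detection names are the ones quoted
# in this thread; "VendorX"/"VendorY" and their strings are placeholders.
# This is NOT a real scan report.
SAMPLE_RESULTS = {
    "Avast":     {"category": "malicious",  "result": "MSIL:Agent-DRN [Trj]"},
    "Fortinet":  {"category": "malicious",  "result": "MSIL/Agent.DRN!tr.dldr"},
    "Microsoft": {"category": "malicious",  "result": "Trojan:MSIL/Skeeyah"},
    "VendorX":   {"category": "malicious",  "result": "Trojan.MSIL.Skeeyah.gen"},
    "VendorY":   {"category": "undetected", "result": None},
}

# Platform/class/variant tokens that carry no family information.
GENERIC = {"trojan", "trj", "msil", "win32", "win64", "gen", "generic",
           "heur", "malware", "variant", "tr", "dldr", "downloader"}


def family_of(name):
    """Reduce a vendor detection string to a lowercase family token, or None."""
    if not name:
        return None
    n = re.sub(r"!.*$", "", name)           # drop "!tr.dldr"-style suffix
    n = re.sub(r"\[.*?\]", "", n)           # drop "[Trj]"-style tag
    n = re.split(r"[:/]", n.strip())[-1]    # keep the part after "MSIL:" / "Trojan:MSIL/"
    tokens = [t.lower() for t in re.split(r"[.\-_ ]+", n) if t]
    meaningful = [t for t in tokens if t not in GENERIC]
    return meaningful[0] if meaningful else None


def group_by_family(results):
    """Map each family token to the vendors that reported it as malicious."""
    groups = defaultdict(list)
    for engine, verdict in results.items():
        if verdict.get("category") != "malicious":
            continue
        groups[family_of(verdict.get("result")) or "unknown"].append(engine)
    return {fam: sorted(vendors) for fam, vendors in groups.items()}


def summarize(results):
    """Detection ratio plus the family grouping, for a quick triage view."""
    detected = sum(1 for v in results.values() if v.get("category") == "malicious")
    return {"detected": detected, "total": len(results),
            "families": group_by_family(results)}


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    print(f"{s['detected']}/{s['total']} engines flagged the file")
    for fam, vendors in s["families"].items():
        print(f"  {fam}: {', '.join(vendors)}")
```

Two engines landing in the same family bucket only shows they use the same family token; as the posts above note, that alone is not evidence that one copied the other.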
 
Nightwalker
Avast! was the fastest to answer:

[image: AiaE8dc.jpg]

I will try to explain more of this "copycat" thing later.
 

ZeroDay
Avast! was the fastest to answer:

[image: AiaE8dc.jpg]

I will try to explain more of this "copycat" thing later.
I reported it to Avast as soon as I saw this thread yesterday. I use Avast on a laptop, so I used 'Submit File', checked the box to say it was a false positive, and typed a short message explaining that the file was a Microsoft test file for WD and that it was completely safe.
 

JHomes
I've heard mentions of people using Rollback in lieu of an Anti-Virus. Problem there is Rollback will not tell you IF you have a virus. You still need a detection tool, even if you use Rollback to restore the machine and wipe the infection off.
 