I’m certainly not downplaying the importance of low false positives and accurate signature detections, especially for things like PUPs and software piracy tools, which a lot of AVs struggle with accurately identifying (even Windows Defender and BitDefender frequently label such tools under generic trojan or generic machine learning signatures)... But whether it’s signature detection or heuristics, it’s hard to achieve this.
For example, a lot of Windows activation bypass tools will automate disabling SFR so they can replace a DLL with a doctored one to fool Windows into activating against the wrong server. Rufus (the USB stick tool) modifies group policy settings and has code for installing bootloaders. All of these behaviors can easily be rootkit-like behaviors used by malware, and it’s really easy to accidentally write signatures that flag these binaries. I did a test by just hex-editing a few inconsequential strings in a Rufus release, and it was picked up as malware by at least a dozen engines. We just had a recent thread about Kaspersky mis-identifying a Firefox password backup tool as a password stealer.
In reality, most AVs maintain some sort of cloud or offline whitelist of popular applications and those get to simply skip signature detections and sometimes even behavior blocking. That’s where I worry a bit about the accuracy of these formal false positive tests. How sure are we that they are truly low false positive engines, instead of knowing (either via experience or partnerships with the testing firms) what binaries to whitelist or what set of default settings to use to minimize FPs in the tests?
EDIT:
Rufus 3.8 | Infected with malware? (VirusTotal, www.virustotal.com)
Look at that. F-Secure (via Avira), Avira, BitDefender, and a few others all think this is malware. All I did was UPX unpack the stock Rufus binary and repack it at a different compression level. They don’t detect the stock UPX-packed binary. There is clearly some sort of whitelisting going on, and if you run a dynamic test against behavior blockers, you’ll find that many behavior blockers will flag that repacked binary too as soon as it requests UAC elevation to write to group policies.
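A defender-side check of the repacking experiment above, added here and not the poster's own code: it parses the PE section table and reports the packer indicators a heuristic engine would see (UPX section names, section entropy) next to a file-hash allowlist lookup, run over two constructed toy PE images standing in for the stock and repacked builds (not real Rufus binaries). The point it makes visible is that the two files are indistinguishable on every structural indicator and differ only in their hash, which is exactly what a hash-keyed allowlist keys on.

```python
import hashlib, math, struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a section; packed or encrypted data sits near 8.0."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)] if n else []
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(data: bytes):
    """Minimal PE section-table parse, returns [(name, raw_offset, raw_size)]."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    out = []
    for off in range(table, table + 40 * nsec, 40):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out.append((name, raw_ptr, raw_size))
    return out

def triage(data: bytes, allowlist: set) -> dict:
    """Hash-allowlist verdict beside the packer indicators a heuristic engine sees."""
    sha = hashlib.sha256(data).hexdigest()
    secs = pe_sections(data)
    return {"sha256": sha, "allowlisted": sha in allowlist,
            "upx_sections": [n for n, _, _ in secs if n.startswith("UPX")],
            "high_entropy": [n for n, p, s in secs if shannon_entropy(data[p:p + s]) > 7.0]}

def build_sample_pe(sections) -> bytes:
    """Constructed toy PE for the demo: valid headers, no code, not a real Rufus build."""
    ptr = 64 + 24 + 40 * len(sections)  # raw data starts right after the section table
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, payload = b"", b""
    for name, body in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), ptr, len(body), ptr, 0, 0, 0, 0, 0x60000020)
        payload, ptr = payload + body, ptr + len(body)
    return dos + coff + table + payload

def packed_blob(seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for a compressed UPX1 section."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(32))

# Constructed samples: same layout and packer fingerprint, different compressed bytes.
STOCK = build_sample_pe([(b"UPX0", b""), (b"UPX1", packed_blob(b"stock")), (b".rsrc", b"\0" * 64)])
REPACKED = build_sample_pe([(b"UPX0", b""), (b"UPX1", packed_blob(b"repack")), (b".rsrc", b"\0" * 64)])
ALLOWLIST = {hashlib.sha256(STOCK).hexdigest()}  # vendor cloud allowlist keyed on file hash
```

Calling `triage(STOCK, ALLOWLIST)` and `triage(REPACKED, ALLOWLIST)` returns the same UPX section list and the same high-entropy section for both images; only the `allowlisted` field flips.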