Community

Update AV vendors with your latest signatures before releasing a build

MaxBlitzer, User (Posts: 37)

Oct 24, 2018 2:55:26 pm EDT

Support level: Starter
Contacted by user today after their viewer got removed by Windows Defender. Didn't know why it happened, and told her to download the 6.9 and of course, "a window popped up saying “viewer6.9.msi contained a virus and was deleted” so the download didn’t complete."

Since this is the second time this happened for this user in just a few months, with the loss of productivity after this happens, I'm anticipating the conversation about switching to something else. Telling people to temporarily disable their antivirus is not a solution that works more than once.

I cannot think of any software I use that has this level of problems with AV software, so it sticks out as an outlier. I understand the predicament you are in, it's especially harder as you're in an industry where AV vendors have to distinguish between malicious RATs and intentional RATs, but it is a problem that is mainly yours to make any improvement if there are false positives.

So what can be done about this situation?

First thought, was that the signatures should automatically be made available to the Virus Total AV vendors before officially releasing the final builds and have a high or 100% vendor update confirmation. At the very least, the main ones, like Defender, Kaspersky, McAfee, ESET, etc. I think people can look at a Virus Total and ignore false detections when the main ones don't flag it and only the super obscure ones do. I know you can submit false positives to each vendor, not sure if you can pre-submit to prevent false positives. I assume so.

But yeah, getting on Defender blocklist is bad. Anything and everything to prevent this proactively in the future should be done.

Conrad, Support (Posts: 2419)

Oct 24, 2018 3:30:33 pm EDT

Hello Max,

Just as I was writing this answer Microsoft informed us that they removed the detection and that one should update their definition files.

I perfectly understand what you say and agree completely. Unfortunately, there is little we can do because the antivirus software industry is in dismal state. How else can we characterize them if they cannot even distinguish a digitally signed file from an unsigned trojan-loaded one?

Just think about it - a file signed with an EV Code Signing Certificate coming from a legit developer gets detected as a trojan :) Well, of course not all a/v software is that bad though, but some are.

And there is this VirusTotal, which is another sad story. For almost three years we have been trying to convince them that not all antivirus software are created equal and that they should take a closer look at the quality of the a/v engines they use. Yet, they keep presenting their scan results alphabetically and in red type (even the relatively benign detections). So the never-responding-to-false-positive-requests Chinese antivirus by the name "AntiyAVL" (without VirusTotal you wouldn't even know that it exists) always gets at the top of the list with their bold red warning that Remote Utilities is unsafe :)

MaxBlitzer, User (Posts: 37)

Oct 24, 2018 3:56:04 pm EDT

Support level: Starter

Conrad wrote:

Hello Max,

Just as I was writing this answer Microsoft informed us that they removed the detection and that one should update their definition files.

I perfectly understand what you say and agree completely. Unfortunately, there is little we can do because the antivirus software industry is in dismal state. How else can we characterize them if they cannot even distinguish a digitally signed file from an unsigned trojan-loaded one?

Just think about it - a file signed with an EV Code Signing Certificate coming from a legit developer gets detected as a trojan :) Well, of course not all a/v software is that bad though, but some are.

And there is this VirusTotal, which is another sad story. For almost three years we have been trying to convince them that not all antivirus software are created equal and that they should take a closer look at the quality of the a/v engines they use. Yet, they keep presenting their scan results alphabetically and in red type (even the relatively benign detections). So the never-responding-to-false-positive-requests Chinese antivirus by the name "AntiyAVL" (without VirusTotal you wouldn't even know that it exists) always gets at the top of the list with their bold red warning that Remote Utilities is unsafe :)

Was the Microsoft response an automated one (I'm sure) or possibly a human? Could you ask them about what impact an EV signed certificate does on AV scans? Because I don't see that as an automatic whitelist for AV vendors, just an additional safety check that the .exe you have is from the people you expected it from before executing it (ie, from Microsoft, not Micros0ft). If it was an automatic whitelist, then the cost to mass malware infections would be very cheap. Legit developers signed certs get stolen all the time and we find out days, weeks or months later something malicious got slipped in without someone knowing. An AV vendor that trusted a file on EV alone would be swiss cheese and not something people would really want to install.

But yeah, the big 6-10 vendors that will be installed by your customer base is main priority. I know from reading bleepingcomputer forums over the years, people tend to ignore the really obscure VirusTotal AV engines, but if one or more of the main vendors detects something, there is probably something to it.

Conrad, Support (Posts: 2419)

Oct 24, 2018 4:18:40 pm EDT

Was the Microsoft response an automated one (I'm sure) or possibly a human?

This is the usual response that they send when they white list a file. But looks like a template, of course.

Because I don't see that as an automatic whitelist for AV vendors, just an additional safety check that the .exe you have is from the people you expected it from before executing it (ie, from Microsoft, not Micros0ft).

It's not only a digital signature. We are also a registered developer with Microsoft.

Legit developers signed certs get stolen all the time and we find out days, weeks or months later something malicious got slipped in without someone knowing.

A compromised signature can get black listed within minutes. And Microsoft's SmartScreen as well as antivirus software are not supposed to let the files signed with such a signature run. Sure, there are must be other detection factors as well, I agree with that. But we still think that digital signatures are a bit underestimated.

But yeah, the big 6-10 vendors that will be installed by your customer base is main priority. I know from reading bleepingcomputer forums over the years, people tend to ignore the really obscure VirusTotal AV engines, but if one or more of the main vendors detects something, there is probably something to it.



VirusTotal could add a "trust score" for the engines they use. For example, if an a/v company never cares to respond to false positive requests their trust score should be low and users must see it. Or VT could even ban an engine from the list if they generate a lot of false positves and never respond to software developers.  

By the very representation of scan results VirusTotal makes their users think that AntiyAVL, Rising and K7 are as important, precise and well-established a/v companies as Kaspersky, McAfee and Symantec. Perhaps, they just want to avoid being accused of discrimination practices but this does their visitors /users no good.

* Website time zone: America/New_York (UTC -5)

This website uses cookies to improve user experience. By using this website you agree to our Terms of Service and Privacy Policy.