Nirsoft Usbview


Robinette Ith

Aug 5, 2024, 9:07:24 AM8/5/24
to achthreadtahcberk
These messages are sent by users who think that there is a bug or problem with my utility, without knowing that this problem is actually caused by their Antivirus.

In some circumstances, the Antivirus software runs in the background, and when it detects a threat, it simply blocks the .exe file, puts the file in quarantine, or simply deletes it, without telling the user anything.

The frustrated user thinks that there is a problem in the software he tries to run, without knowing that the Antivirus software, which should protect his computer, is actually the troublemaker that causes this problem.


These messages are sent by users who think that there is a problem in my Web site, because they cannot browse to a Web page in my site or download a utility from my site. But once again, this problem is caused by Antivirus or Firewall software that decided to block my Web site without explaining the site blocking to the user.


The bottom line: if the false positives problem makes too much noise in the media, the Antivirus companies will understand that false positives may also hurt their reputation and decrease their product sales, and eventually they will give more priority to fixing the false alerts in their products.




I agree this is a pain; whenever I plug my thumb drive into another computer I find Norton happily deleting files from it for me. So now I tend to disable any AV before plugging it in (a lot easier).


Of course I also firmly believe most of them intentionally jack up the false positives (affecting primarily small developers) so they can boast higher detection rates.

And you are right, they justify this on the technicality that the software *could* be used maliciously.


I work as an IT Tech Support rep at a software company. Our software uses Microsoft SQL Server as its database. Over the past year McAfee has been a horrible problem for us. It seems they block the SQL server right out of the box. You have to buy their higher corporate version in order to not have it happen. Our clients are constantly getting an invalid database connection, because the DB is blocked. What makes it unsafe? It requires the use of two ports to communicate. Firewall and spyware companies seem to have taken over the computers. They slow them down, and often don't catch half of what is actually spyware and viruses. It's sad, but I find it easier and safer to run without all that junk running all the time. I have found other ways to be preventative.


I assume that McAfee and Norton/Symantec are terrible. But what about the rest: Grisoft AVG, Avast!, AntiVir, BitDefender, Kaspersky, etc.? Are any of them reasonably responsive to false-positive reports?


In Firefox 3.0.5, Safari 3.2.3, Chrome 2.0.172.37, and IE 8 under XP Pro, after I select my TypePad ID, your page brings up a Preview and Word verification box, but there's no place to enter the verification word, and, in fact, the picture of the word is clipped off at the bottom.


I posted this using Opera 9.52, under which the mouse wheel scrolls the box to expose the place to enter the verification word and the "Post Comment" button. Opera seems to be the ONLY browser that works to post a comment here!


Great program. So little, so easy, so fast and still so effective.

You need such a program once a year or less, so put your virus defender software in the off state (disable it) and read your key. On the next boot it's on again, and everything is fine.


How about lobbying the anti-virus/malware testing organisations to include false positives as a negative in their testing? Perhaps some already do this, but when I looked at the latest test from Malware Research Group they seemed to rate the tested programs only according to how many true malware programs were detected (i.e. true positives).


Our product iNet Protector is constantly detected as malware. We communicate with anti-virus vendors every month, but false alarms come back. Today this is harming our business to a very significant extent.


I don't use these programs except for testing and vulnerability research. My advice is NEVER trust them. If people used a restricted user account on Windows, kept the system and applications always up to date and, especially, didn't open any kind of file they receive like pictures.exe (a very well known social engineering trick used by malware), which surely is something malicious, then they wouldn't need an Antivirus, since 99.9999% of the infections are the user's fault and not a critical remote vulnerability that was exploited by a recently coded worm/virus.


I ran DNS Data View this morning and Norton Internet Security 2010 flagged it as a dangerous program, but gave me the option to allow it (which I did of course). They also provide a way to pass along through the program to all other users whether something seemed safe after using it. Of course, that is all based on opinion, but I am happy to pass mine along about NirSoft products to try and help.


I agree that this is a problem. I hate it when a software program that I purchased deletes or quarantines programs that I have installed without asking my permission. This is especially irritating if the action takes place because of a false positive.


I have just a question: is it possible for someone, a hacker, to remotely use MailPassView to steal passwords from my computer? Or is the only way to install it by having direct access to my computer?


Please excuse the delay of our response. Please let us inform you that the files attached to your previous e-mail were really infected. We would like to ask you to send us all sample files in a password-protected archive to vi...@avg.com and write the archive password into the body of your e-mail reply.


AVG is allowing me to choose to ignore the threat, but it still stops me from extracting the files. While I can disable the resident shield, something else blocks the extraction which I cannot disable.


I extracted the files on another computer to a USB key and copied them to my HD. I still got the warning message but was able to add the files to the exceptions list. However, if you're not quick about it, it will go straight to the remove/heal popup (which I just closed; extraction is prevented, but nothing happens when the files are already there).


Anyway, I thought I would mention my frustration with NIS in this situation after reading your blogs about most of the major antivirus companies finding false positives for viruses in a lot of programs. WinRAR, for example, has had at least one of their recent beta releases flagged by NIS as having a virus. In that case, it may have been a legitimate virus removal since it was the virus that got put into a LOT of programs worldwide that were using Visual Basic, if I remember correctly. As for the adware stuff, I wish every single system utility program maker was as nice as you are about letting people opt out of the crap they add.


I am glad that I found this blog! I am an independent game developer, and the installation file of my latest game has been detected as malware by many anti-virus programs! I am currently dealing with a number of unhappy customers, and I feel completely helpless to fix the situation. I am both relieved and saddened to find that I am not alone in this issue. I have linked to this blog on my site. Thank you for making us aware of the situation!


Viral behaviour is defined by the AV company in the antivirus software, but often viral behaviour is trying to read passwords from the system (as much malware tries to steal passwords), taking screenshots, reading the keyboard in unusual ways, controlling the mouse/keyboard (which can be a sign of a Remote Access Trojan, RAT) and such.


And then the antivirus software detects the function in your software that reads passwords, thinks it is some sort of evil password-stealer software, and classifies it as a generic trojan or something like that.


About Christopher's case, it can be some code in either the installation packager, which tries to modify a vital system file (to install game drivers or something like that) that the AV keeps under surveillance, or it can be code which detects keypresses in the game via hooks, which the AV thinks is a keylogger.


A good idea is to write software WELL: do not use suspicious functions/APIs/hooks. Instead, try to do it via the built-in safe functions, like DirectX and such. This will not cause antiviruses to complain, since such built-in safe functions do have safeguards which prevent malware from using the functions in a feasible way, both in AVs and in the functions themselves. For example, a function will only be allowed to run while a fullscreen app is loaded. And AV software could have exceptions so that, for example, a game is allowed to hook the keyboard via DirectX while it's running fullscreen or has focus.

When focus is removed or the game exits, it must remove the hooks.


And when you report a false positive, what AV companies have to do is either create a whitelist signature which excepts the software from detection, rewrite the detecting signature (not always easy to do), or add the hash of the false positive to an exception list.


And here comes a security problem too: an AV developer cannot whitelist too much, since then virus developers can write their virus in a way that fits a whitelist signature and skips detection.

And the AV developer cannot include too many whitelists, since the download will be huge for users, especially if the user comes home from a long holiday and has to apply an update while their last update is a month old.


Another problem with whitelisting your software is that your software might not protect itself enough, so a virus/trojan could then piggyback on your software, for example shell()ing your software and then hooking into it to read off passwords and send them to some server.


This means the AV developer has to prioritize what to put in the whitelist and what not to. Of course they choose to whitelist software from larger companies (with a larger user base) rather than from small developers/companies.
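The two exception mechanisms described in the last comments (a broad "whitelist signature" versus an exact hash on an exception list) differ in exactly how much a tampered or piggybacking build can slip through. The following is an added example, not code from the original post or from any AV vendor; the sample "executables" and the marker string are constructed in memory, and the behavioural flag is passed in as a plain boolean to stand in for the heuristic the commenter describes.

```python
"""Added example: hash-based exception list vs. whitelist-signature exception.
Shows why an exact SHA-256 exception stops covering a build as soon as it is
modified, while a pattern-based whitelist keeps excusing the modified build."""
import hashlib

# Constructed sample files (not real binaries). A real scanner hashes on-disk bytes.
ORIGINAL_TOOL = b"MZ\x90\x00" + b"LEGIT-PASSWORD-TOOL-v1" + b"\x00" * 16
# Same tool with extra bytes appended, standing in for a trojan piggybacking on it.
TAMPERED_TOOL = ORIGINAL_TOOL + b"<<injected-payload-placeholder>>"

# Exception list: exact SHA-256 of vetted builds only (the "add the hash" option).
HASH_EXCEPTIONS = {hashlib.sha256(ORIGINAL_TOOL).hexdigest()}

# Whitelist signature: a byte pattern meant to identify the vetted tool; anything
# carrying the pattern is excused (the "whitelist-signature" option).
WHITELIST_SIGNATURES = [b"LEGIT-PASSWORD-TOOL-v1"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def allowed_by_hash(data: bytes) -> bool:
    """Exact match: only byte-identical vetted builds are excused."""
    return sha256_hex(data) in HASH_EXCEPTIONS


def allowed_by_signature(data: bytes) -> bool:
    """Pattern match: any file containing the marker is excused. This is the
    gap the commenter warns about: a file written to fit the pattern is skipped."""
    return any(sig in data for sig in WHITELIST_SIGNATURES)


def classify(data: bytes, behaviour_flagged: bool, mode: str) -> str:
    """Mimic the described flow: the behavioural heuristic flags the file,
    then the chosen exception mechanism decides whether to suppress the alert."""
    if not behaviour_flagged:
        return "clean"
    allowed = allowed_by_hash(data) if mode == "hash" else allowed_by_signature(data)
    return f"allowed ({mode} exception)" if allowed else "quarantine"


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL_TOOL), ("tampered", TAMPERED_TOOL)):
        for mode in ("hash", "signature"):
            print(f"{label:9s} {mode:9s} -> {classify(sample, True, mode)}")
```

Running it shows the original build excused under both modes, while the tampered build is quarantined under the hash exception but still excused under the signature exception.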
