
Virus security



#1 pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location: Korschenbroich, Germany
  • Interests: What somebody else cannot do.
  • European Union

Posted 25 April 2009 - 06:29 PM

The reason for publishing some ideas here is a post speaking about a possible infection.

#1: If you want to be 100% protected against viruses, unplug the cable which connects your PC to remote PCs and the internet. :)

I'm sure nobody wants this. 99.999...% of PC users need these connections.

Now some theory:

There are a couple of AV program suppliers, who all do the same:
They search through files and check for patterns which are known as 'virus stamps' in their database.

Of course, if there are different suppliers, there are also different databases filled with different patterns.
And it is probable that they are more or less successful in 'hitting', because the pattern method only looks for some known strings.
Maybe one supplier does not detect a certain virus, and a different one thinks it has detected a virus, although there is none.
That depends on the patterns in the database.

The responsibility to decide is still yours!

Now we make a test and give a file for testing to 40 different suppliers.
Most of them do not detect a virus, but some of them do.

Please allow me to give an OT (off-topic) example here:

The probability that I have an accident when crossing a street is 'A'.
The probability of winning the lottery is 'B'.
And 'B' is much lower than 'A'.

I cross the street because I do not think that 'A' will occur.

For what reason should I play the lottery and think that my much less probable 'B' will occur?

(BTW: I really never played the lottery)

Now back to probabilities:

My statement:
If fewer than 33% of suppliers detect a virus, there is none (especially if they report different viruses).
If more than 66% of suppliers detect a virus, there is one.

Between them there is a grey zone where the user has to decide.

I'm waiting for comments!

Peter

EDIT: Following jaclaz's post #2:

If the VirusTotal percentage is below 33% but increases on a further trial some hours later: maybe there really is a virus!
If the VirusTotal percentage is above 66% but decreases on a further trial some hours later: maybe there is a false positive!

Edited by psc, 26 April 2009 - 03:15 PM.
Some more information


#2 was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location: Gone in the mist
  • Italy

Posted 25 April 2009 - 07:25 PM

My statement:
If fewer than 33% of suppliers detect a virus, there is none (especially if they report different viruses).
If more than 66% of suppliers detect a virus, there is one.


My counter-statement :):
someone already thought about this problem and came out with VirusTotal:
http://www.virustotal.com/sobre.html

VirusTotal is a service developed by Hispasec Sistemas, an independent IT Security laboratory, that uses several command line versions of antivirus engines, updated regularly with official signature files published by their respective developers. This is a list of the companies that participate in VirusTotal with their antivirus engines:
  • AhnLab (V3)
  • Antiy Labs (Antiy-AVL)
  • Aladdin (eSafe)
  • ALWIL (Avast! Antivirus)
  • Authentium (Command Antivirus)
  • AVG Technologies (AVG)
  • Avira (AntiVir)
  • Cat Computer Services (Quick Heal)
  • ClamAV (ClamAV)
  • Comodo (Comodo)
  • CA Inc. (Vet)
  • Doctor Web, Ltd. (DrWeb)
  • Emsi Software GmbH (a-squared)
  • Eset Software (ESET NOD32)
  • Fortinet (Fortinet)
  • FRISK Software (F-Prot)
  • F-Secure (F-Secure)
  • G DATA Software (GData)
  • Hacksoft (The Hacker)
  • Hauri (ViRobot)
  • Ikarus Software (Ikarus)
  • INCA Internet (nProtect)
  • K7 Computing (K7AntiVirus)
  • Kaspersky Lab (AVP)
  • McAfee (VirusScan)
  • Microsoft (Malware Protection)
  • Norman (Norman Antivirus)
  • Panda Security (Panda Platinum)
  • PC Tools (PCTools)
  • Prevx (Prevx1)
  • Rising Antivirus (Rising)
  • Secure Computing (SecureWeb)
  • BitDefender GmbH (BitDefender)
  • Sophos (SAV)
  • Sunbelt Software (Antivirus)
  • Symantec (Norton Antivirus)
  • VirusBlokAda (VBA32)
  • Trend Micro (TrendMicro)
  • VirusBuster (VirusBuster)

If your antivirus finds a problem with a file:
  • check the single file giving problems yourself against the VirusTotal online service (more dependable than the otherwise nice :( suggestion by psc - who would do the work? :))
  • report to your antivirus firm, telling them it is probably a false positive, and attach the negative results from the other firms
  • decide yourself whether to wait for them to verify the issue, or change antivirus, or risk your PC's health trusting the results from other makers
  • report on the board what your antivirus firm replies (possibly and hopefully a simple change to the database removing the false positive)

This is the only way to correct "wrong" behaviour of antivirus software and make their developers check the false positives (if false :)).

BE WARNED :( : Probabilities play strangely when variables or data are missing. :)

Say that maker A is faster (and right, for the sake of the reasoning) than all the other 39 suppliers.

Would that mean that the file is probably safe? :)

And if two hours later the same file comes back positive from another 13 antivirus makers? :(

You trusted the low percentage, and the virus had two full hours to do whatever it was supposed to do.....

:)

jaclaz

#3 pscEx

Posted 25 April 2009 - 07:30 PM

My counter-statement :) :
someone already thought about this problem and came out with VirusTotal:
http://www.virustotal.com/sobre.html

VirusTotal is what is behind the link I gave in the first post! :)

EXACTLY what I'm telling you:

In the actual case VirusTotal gave a 15% hit rate, with DIFFERENT viruses reported.

In my (probability-driven engineer's) opinion: THAT IS NO VIRUS.

BTW: I never saw the number of detected viruses increase several hours later (tried it some weeks ago with an 'infected' ???.zip, reported by domestic)

Peter

EDIT: I changed my first post because of the 'increasing number of detected viruses'

#4 was_jaclaz

Posted 26 April 2009 - 12:57 PM

Yep. :)

The point I was trying to make was that the initial procedure was not carried out in a "logical" way, basically:
  • saydin77's (crappy IMHO) antivirus marked SLock.exe as a virus
  • saydin77 PMed Lancelot
  • Lancelot ran the file against VirusTotal, which gave the result that a few more (also crappy IMHO) AVs thought the file to be affected by a worm
  • Lancelot asked Galapo's opinion (and though Galapo is a knowledgeable and helpful member who included the file in one of his projects, he is presumably not qualified to say whether the file is infected or not, and, not being its Author, and the .exe NOT being Open Source, cannot say whether it may contain a threat)

In other words a (smallish :)) boo-boo was raised, and probably NOONE contacted the only two people in the world who could do anything about it or properly comment on the issue:


Now, boo-boos, even little ones, are dangerous, as they can have two effects (BOTH negative):
  • unjustifiably scare people away from the projects, and somehow indirectly discredit boot-land, or the project developer, or the actual .exe Author
  • unjustifiably make people get used to "false positives" and trust blindly anything that comes from boot-land, which is just as wrong, as noone can guarantee the cleanliness of files on the board

Now, if you have an antivirus, most probably you pay for it, and you are entitled to support and to notify the maker about files that need to be further analyzed.

USE THIS RIGHT you have!

This way the antivirus will be improved, there will be no false alarms, and only a very few, important REAL alarms.

The detection was probably related to the AutoIt engine behind the app; someone must have notified the AV firms, as the results of the same procedure done today:
http://www.virustota...a9d826c7290f22b

show that eSafe (which is STILL using the definitions from 23.04.2009 :)) STILL recognizes the file as suspicious, and Prevx1 (which had nothing to say about it before) classifies it as a High Risk Worm; for ALL the others, including Norman, it's all right. :)


However, another thing that could be done (besides making a sticky with instructions similar to those in my previous post on how to handle a "positive") is to provide a page similar to the one on the UBCD4WIN site:
http://www.ubcd4win.com/faq.htm#false
but, again, due to the different nature of the various projects here, WHO will take the responsibility for the guarantee? :)

I guess that it can be done for a few "known" troublemakers, but nothing more.

The final user is the ONLY one responsible for whatever he downloads or installs on his/her PC, and your (psc) logical and appreciated suggestion, while being nice and very "common sense advice" :( , cannot be proposed as a definite "foolproof" method/approach.

jaclaz
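The rules argued over in this thread can be written down and run against a scan report: psc's two thresholds and his "different viruses" caveat from post #1, the rising-count scenario jaclaz raises in post #2 (and psc's EDIT reacting to it), and the point in post #4 that an engine still on days-old definitions should be weighed differently on a rescan. The following Python is an added example written for this page; it is not code from the thread, from boot-land or from VirusTotal, and it does not assume VirusTotal's real report format. Engine names ("engine00" ...), labels, signature dates and the 40-engine size are constructed.

```python
# Added example, not from the thread: triage a multi-engine scan report with
# the thresholds and caveats discussed above. All engine names, labels and
# signature dates are constructed; no real vendor's output is reproduced.
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

LOW, HIGH = 1 / 3, 2 / 3  # psc's thresholds from post #1


@dataclass(frozen=True)
class EngineResult:
    engine: str
    verdict: Optional[str]  # label the engine reported, None if it found nothing
    defs_date: date         # date of the signature set the engine scanned with


def detection_ratio(results):
    """Share of engines that flagged the file (the 'percentage' in the thread)."""
    if not results:
        raise ValueError("empty report")
    return sum(1 for r in results if r.verdict) / len(results)


def label_agreement(results):
    """Share of detecting engines that agree on the most common label after a
    crude normalisation (case and punctuation dropped). Returns 1.0 when at
    most one engine detects, so it only matters when engines really disagree."""
    labels = ["".join(ch for ch in r.verdict.lower() if ch.isalnum())
              for r in results if r.verdict]
    if len(labels) <= 1:
        return 1.0
    return Counter(labels).most_common(1)[0][1] / len(labels)


def classify(results, low=LOW, high=HIGH):
    """Below `low`: treat as no infection; above `high`: treat as infection;
    in between the user has to decide. Label disagreement is reported because
    post #1 treats 'different viruses' as extra evidence for a false positive."""
    ratio, agreement = detection_ratio(results), label_agreement(results)
    if ratio < low:
        zone = "probably clean"
    elif ratio > high:
        zone = "probably infected"
    else:
        zone = "grey zone"
    return {"ratio": round(ratio, 3), "agreement": round(agreement, 3),
            "labels_disagree": agreement < 0.5, "zone": zone}


def rescan_trend(earlier, later, low=LOW, high=HIGH):
    """psc's EDIT after post #2: a low ratio that rises on a later scan may be
    a real infection the signature sets are still catching up with; a high
    ratio that falls may be a false positive being withdrawn."""
    r0, r1 = detection_ratio(earlier), detection_ratio(later)
    if r0 < low and r1 > r0:
        return "rising"
    if r0 > high and r1 < r0:
        return "falling"
    return "stable"


def stale_engines(results, scan_day, max_age_days=2):
    """Engines whose signature set was older than `max_age_days` at scan time,
    the situation post #4 describes for one engine still on old definitions.
    Their verdicts, positive or negative, carry less weight on a rescan."""
    return sorted(r.engine for r in results
                  if (scan_day - r.defs_date).days > max_age_days)


SCAN_DAY = date(2009, 4, 26)


def make_report(detections, total=40, scan_day=SCAN_DAY):
    """Constructed report: `detections` maps engine -> (label, defs_date);
    every other engine reports clean with same-day definitions."""
    report = []
    for i in range(total):
        name = f"engine{i:02d}"
        if name in detections:
            label, defs = detections[name]
            report.append(EngineResult(name, label, defs))
        else:
            report.append(EngineResult(name, None, scan_day))
    return report


# 6/40 = 15 % with six different labels: the case psc describes in post #3.
FIRST_SCAN = make_report({
    "engine03": ("Worm.AutoIt.Generic", date(2009, 4, 23)),
    "engine11": ("Trojan.Dropper.Gen", date(2009, 4, 25)),
    "engine17": ("Suspicious file", SCAN_DAY),
    "engine24": ("W32/Autorun.worm", SCAN_DAY),
    "engine30": ("Heur.Packed", SCAN_DAY),
    "engine35": ("Win32.Malware-gen", SCAN_DAY),
})
# jaclaz's scenario in post #2: one early detection, then 13 more a few hours later.
EARLY_SCAN = make_report({"engine03": ("Worm.AutoIt.Generic", SCAN_DAY)})
LATER_SCAN = make_report({f"engine{i:02d}": ("Worm.AutoIt.Generic", SCAN_DAY)
                          for i in range(14)})
# A high ratio that drops once vendors pull a bad signature.
HIGH_SCAN = make_report({f"engine{i:02d}": ("Trojan.Generic", SCAN_DAY) for i in range(30)})
HIGH_SCAN_LATER = make_report({f"engine{i:02d}": ("Trojan.Generic", SCAN_DAY) for i in range(20)})

if __name__ == "__main__":
    print(classify(FIRST_SCAN), stale_engines(FIRST_SCAN, SCAN_DAY))
    print(classify(LATER_SCAN), rescan_trend(EARLY_SCAN, LATER_SCAN))
    print(rescan_trend(HIGH_SCAN, HIGH_SCAN_LATER))
```

The 15% case lands in "probably clean" with six mutually disagreeing labels, which is exactly the reading psc gives it; the same file in jaclaz's scenario moves from one detection to fourteen and into the grey zone, and `rescan_trend` flags that as "rising" rather than letting the first low ratio stand. The thresholds are parameters, because the thread itself never settles on whether 33/66 is the right split.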

#5 Lancelot

    Frequent Member

  • .script developer
  • 5013 posts
  • Location: Turkiye/Izmir
  • Interests: *Mechanical stuff and Physics,
    *LiveXP, BartPE, SherpyaXPE,
    *Basketball and Looong Walking,
    *Buying outwear for my girlf (Reason: Girls are stupid about buying bad stuff to make themselves uglier :))
    *Girls (Lyric: Girl,...., You will be a womann, Soon)
    *Answering questions for "Meaning of life",
    *Helping people,

    Kung with LiveXP, Fu with Peter :)
  • Turkey

Posted 26 April 2009 - 01:54 PM

Hi jaclaz,

Agreeing with your ideas, but just an addition:
I chose to first ask Galapo instead of contacting the author CWorks because, for this special case, I remember Galapo working on the script and on the au3 (which is in the script too) as well; I thought maybe compiling the au3 a different way could solve the issue (or maybe some other ideas from Galapo).

For most other cases I would choose to use ContactInfo to inform the author, if available :)

#6 was_jaclaz

Posted 26 April 2009 - 02:15 PM

For most other cases I would choose to use ContactInfo to inform the author, if available :)


Yep :) and, again, that isn't the "proper" procedure :), for two reasons:
  • it's a partial one :(
  • it is carried out by the "wrong" (no offence intended :( ) subject



Let's imagine (absolutely and totally fictionally, of course :() that CWorks or Galapo are actually hackers intending to steal all personal data from other people's PCs :(.

A seemingly innocuous file is made available, which is time-bombed to do the job only on odd Wednesdays when the moon is full (just to add some spice to this fictional horror story :().

You write to him/them telling them that saydin77's antivirus has found a problem with the .exe.

What do you expect the fictional malware Author(s) would reply? :) (choose one):
  • No, don't worry, it's a false positive. :)
  • Damn :), you got me, I intentionally put some malware into the program. :)

Let's assume that the given reply is #1.....:(

Are you going to take on yourself the responsibility of guaranteeing saydin77 that the file is perfectly safe (and that his current antivirus is crappy)? :(

And what would happen once the condition is met and the payload is delivered (and saydin77's private data is stolen)?

Will you repay him the fraudulent charges made on his credit card?

Or indemnify him because compromising photos made their way onto the Internet?

Come on :( , the most we can do is make the final user aware of what the risks may be and let him make his own decisions/take his chances in an informed way.

:)

jaclaz

#7 Lancelot

Posted 26 April 2009 - 02:23 PM

jaclaz

for this special case, as there is au3 code available, I asked Galapo :)
for other cases, when the source is not available, I would prefer to delete the script from the project in order not to create suspicions in a new user's mind at "first touch" :) ; better to let him google-fu around, add new scripts to his project, get false positives and blame the AV software (or blame whatever possible :) ) .....

#8 Lancelot

Posted 26 April 2009 - 02:26 PM

Ahhhh, and:

You may say that with the decision to delete all false positives the project will be unusable in future :), but for now that is not the case. If we come to a point like that, then I can close my eyes to false positives.

#9 was_jaclaz

Posted 26 April 2009 - 02:52 PM

for other cases, when the source is not available, I would prefer to delete the script from the project in order not to create suspicions in a new user's mind at "first touch" :) ; better to let him google-fu around, add new scripts to his project, get false positives and blame the AV software (or blame whatever possible :) ) .....


So you would "elect" yourself "guardian of safety"?

Deleting what you presume may cause (false) positives?

You understand that this is hiding knowledge :), and that it is depriving :) a final user of some of his freedom?

Every kind of censorship (you know, the thing I am usually accused of exercising on the Board :)) is originally motivated by the need to protect the innocents, but is this the case?

Is this need to keep the "good name" of LiveXP (or whatever project) so pressing that you feel allowed to remove even a small, tiny, rarely used tool from public availability? :(

:)

jaclaz

#10 pscEx

Posted 26 April 2009 - 03:01 PM

Ahhhh, and:

You may say that with the decision to delete all false positives the project will be unusable in future :) , but for now that is not the case. If we come to a point like that, then I can close my eyes to false positives.


Lancelot, you didn't read jaclaz's post carefully enough:

Come on :) , the most we can do is make the final user aware of what the risks may be and let him make his own decisions/take his chances in an informed way.


That means:

There is only one person deciding what I download: that is me, the USER! Not somebody else.

I, the end user, have to calculate the risk if my AV tells me something.

Therefore removing files from the server archive may only be recommended when you definitely know that there is a virus.

Peter

#11 Lancelot

Posted 26 April 2009 - 03:10 PM

I am only concerned about the new user's "first touch" (I do not "elect" myself "guardian of safety", I am only responsible for what is delivered with the project)

with all respect, I agree with you; maybe a warning on the script interface !! (not sure, then the project developer is more responsible ..... ) but for now deleting seems to me the better choice. (But my first choice is asking Galapo :) about au3 source availability)

deleting from the project does not cause trouble for "public availability" (no decision made yet); the script can (will) be in the apps section of boot-land (and the author's site is available on 911 as well)

Just trying to be a good, responsible knight :)

now girlfriend time, cu later :)

Edit: Fixed (bold)

#12 was_jaclaz

Posted 26 April 2009 - 03:36 PM

Just to clarify,
the idea of contacting an Author was NOT that of posting on half the Internet about a NON-EXISTING problem; I thought it obvious that, since the original scope is that of avoiding false alarms/the birth of myths/unjustified fears, the suggestion was (eventually) to notify him/her privately.

And the one contacting him/her should have been the same one who had the problem (because of the IMHO crappy antivirus app he chose to use) and NOT the "guardian of safety" :)

I apologize for the inconveniences to anyone involved. :)

jaclaz

#13 Lancelot

Posted 26 April 2009 - 04:35 PM

the suggestion was (eventually) to notify him/her privately.

Will do it this way next time. :) (very sorry)

To avoid being counterproductive, the post on 911 has been changed. :)

#14 was_jaclaz

Posted 26 April 2009 - 05:54 PM

Will do it this way next time. :) (very sorry)

To avoid being counterproductive, the post on 911 has been changed. :)


I guess everything is really cool :) now. :)

:)

jaclaz

#15 Galapo

    Platinum Member

  • .script developer
  • 3841 posts
  • Australia

Posted 27 April 2009 - 05:46 AM

Lancelot asked Galapo's opinion (and though Galapo is a knowledgeable and helpful member who included the file in one of his projects, he is presumably not qualified to say whether the file is infected or not, and, not being its Author, and the .exe NOT being Open Source, cannot say whether it may contain a threat)

A good guess, but not quite true.

For the LiveXP script Lancelot refers to, I actually did the compile of the EXE, so that qualifies me to offer an opinion on the infection status of the file.

Regards,
Galapo.

#16 was_jaclaz

Posted 27 April 2009 - 07:17 AM

For the LiveXP script Lancelot refers to, I actually did the compile of the EXE, so that qualifies me to offer an opinion on the infection status of the file.


Yep. :)

Sorry for the "presumably"... :)

However, my guess is that your qualified opinion is #1, correct?:
  • No, don't worry, it's a false positive. :)

:)

:)

jaclaz
