I’ve always believed in fair use. As such, I often acquire the “warez” community versions of software I legally own, because they often have abilities (such as portability) the “legitimate” versions lack. Considering I own the licenses to the relevant software, I consider this to be squarely in the fair use category.
In doing this I have often encountered worms and other malware in keygens. But after a while you get a feel for what is obviously fake, used to spread bad code, and what seems like a false positive.
Well, I found a case in point: an instance of strong evidence that the commercial AV community is abusing our trust in order to police a corporate agenda.
If one runs “Office 2010 Toolkit and EZ-Activator”, MSE instantly balks, crying “severe threat”, and I couldn’t help but add in my mind “… to our pocket book.” Which of course is itself a fallacy. Piracy no more harms the software industry’s earnings than libraries and Xerox machines destroy book sales. People who pirate do so because they are poor. Poor people aren’t buying software either way. People with money buy the software because it’s easier.
So anyway, I dug into the problem of false positives a little bit. I figured if it’s a “severe threat” then I can find a record of just exactly what it’s doing to my system, and in this case I could prove or disprove my hypothesis.
And check out what I found. First of all, here is MSE’s (Microsoft Security Essentials) report.
"Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.
Items:
file:C:\Windows\AutoKMS.exe
Get more information about this item online."
Yet when I scanned the item with ClamWin (open source AV), I got the following…
"Scan Started Mon Apr 04 13:27:38 2011
-------------------------------------------------------------------------------
----------- SCAN SUMMARY -----------
Known viruses: 938128
Engine version: 0.97
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.36 MB
Data read: 0.62 MB (ratio 2.20:1)
Time: 3.827 sec (0 m 3 s)
--------------------------------------
Completed
--------------------------------------"
So, either commercial AV software lies, or ClamWin sucks.
Here is the forum thread wherein the authors of the toolkit comment on this very issue.
http://forums.mydigitallife.info/threads/18746-Office-2010-Toolkit-and-EZ-Activator./page97
Here are a pair of relevant comments from the linked thread, but I suggest reading the whole thing.
Hey Sherlock Holmes, CODYQX4 and I wrote the code of AutoKMS.exe and it’s NOT a virus, it’s not even close to being a trojan. The Keygen.exe (which is a different file) opens a port because it’s a KMS Server emulator, yes, Office needs to connect to a port of the KMS Server to activate.
Hope it’s clear
Later on…
"Here’s what the Keygen.exe does.
(Log window showing the file’s activity.)
As you can see, the “Create File” operation is made only with read attributes, which means that the Keygen.exe is reading/using the file. There are also the TCP operations made in the activation attempt using the toolkit “Activate” function.
Here’s an xlsx file if you want to view it in Excel as a table:
Keygen.exe Activity Report
I used process monitor, added the filters:
- “Process name” –> “Keygen.exe”
- “Operation” –> “CreateFile”, “TCP-” (all of the TCP operations available to filter)"
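The Process Monitor method the forum poster describes (filter on the process name, then on CreateFile and the TCP operations, then read the “Desired Access” of each CreateFile to see whether the file is only being read) is exactly the triage a defender does when deciding whether an AV verdict is a false positive. Below is an added example, not code from the post or from the toolkit’s authors, that automates that reading over a Procmon CSV export. The column layout (“Process Name”, “Operation”, “Path”, “Result”, “Detail”) is the one Procmon’s CSV export produces; the sample rows are constructed for this example and are not the activity report attached to the thread. Port 1688 as the conventional KMS port is general knowledge, not something the page states.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the column layout of a Process Monitor CSV export.
# These rows are a stand-in for this example, not the poster's real report.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:27:38.1234567 PM","Keygen.exe","4120","CreateFile","C:\\Windows\\AutoKMS.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"1:27:38.2234567 PM","Keygen.exe","4120","CreateFile","C:\\Windows\\Temp\\kms.log","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
"1:27:39.0000000 PM","Keygen.exe","4120","TCP Connect","WORKSTATION:54012 -> 127.0.0.2:1688","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"1:27:39.1000000 PM","Keygen.exe","4120","TCP Send","WORKSTATION:54012 -> 127.0.0.2:1688","SUCCESS","Length: 256, startime: 0, endtime: 0, seqnum: 0, connid: 0"
"1:27:39.2000000 PM","explorer.exe","1880","CreateFile","C:\\Users\\me\\Desktop","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"""

# Access-right keywords in Procmon's "Desired Access" that imply the file may be modified.
WRITE_MARKERS = ("Write", "Delete", "Append", "Generic All")
KMS_PORT = "1688"  # conventional KMS activation port (assumption, not from the page)


def parse_events(text):
    """Parse a Procmon CSV export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def desired_access(detail):
    """Extract the 'Desired Access' list from a CreateFile Detail field."""
    match = re.search(r"Desired Access: (.*?), Disposition:", detail)
    return match.group(1) if match else ""


def is_write_access(detail):
    """True when the CreateFile requested any write, delete or append right."""
    return any(marker in desired_access(detail) for marker in WRITE_MARKERS)


def summarize(events, process_name):
    """Apply the poster's two filters (process name; CreateFile + TCP ops) and bucket the results."""
    summary = {"read": [], "written": [], "tcp": Counter(), "remote_endpoints": set()}
    for event in events:
        if event["Process Name"].lower() != process_name.lower():
            continue
        operation = event["Operation"]
        if operation == "CreateFile":
            bucket = "written" if is_write_access(event["Detail"]) else "read"
            summary[bucket].append(event["Path"])
        elif operation.startswith("TCP "):
            summary["tcp"][operation] += 1
            # Procmon renders the path as "local:port -> remote:port".
            summary["remote_endpoints"].add(event["Path"].split(" -> ")[-1])
    return summary


def findings(summary):
    """Turn the summary into the points a reviewer would check before trusting or rejecting the AV verdict."""
    notes = [f"writes to {path}" for path in summary["written"]]
    for endpoint in sorted(summary["remote_endpoints"]):
        _, _, port = endpoint.rpartition(":")
        if port == KMS_PORT:
            notes.append(f"TCP to {endpoint} (port {KMS_PORT} is the conventional KMS port)")
        else:
            notes.append(f"TCP to {endpoint} (not the expected KMS port; worth a closer look)")
    return notes


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_CSV), "Keygen.exe")
    print("read-only opens:", report["read"])
    print("writable opens: ", report["written"])
    print("tcp operations: ", dict(report["tcp"]))
    for note in findings(report):
        print("-", note)
```

On a real export the interesting rows are the ones that land in the “written” bucket and any remote endpoint that is not the KMS server the toolkit is supposed to be emulating; a read-only open of AutoKMS.exe plus traffic to the KMS port, which is all the constructed sample shows, is consistent with the poster’s claim and says nothing about the AV verdict being right.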
This is important because while the toolkit may be illegal (I believe it isn’t but that’s a fair use debate) it is NOT malware by definition.
It is not the AV community’s job to police the Internet for piracy. What’s next? False positives on downloaded MP3s?
Also consider that while a false positive might be in a sense harmless, a false negative would be far more dangerous.
Sony’s infamous rootkit taught us that The Company is more than happy to invade our systems and privacy to protect its profit margin. If the AV community has betrayed us on the issue of false positives, who’s to say they aren’t doing so for false negatives?
I think it’s clear that this seriously wounds trust for commercial antivirus software. When I run AV, I’m not scanning for contraband, I’m scanning for infection.
It would seem that even the commercial AV software, at least in the case of MSE, knows that false positives are common. It was trivially easy for me to “allow” this “threat” to persist on my system. Which begs the question: if they are so good, and these really are threats, then why isn’t allowing a threat more complicated?
And why is their language so ambivalent and cautious? (…programs that may compromise…) Smells like CYA to me.
If anyone has any more proof one way or the other, I would like to see it. If this activator is really dangerous then it undermines my point, not that it applies to me one way or another. But on the other hand, if there is some third-party proof that the toolkit is not dangerous, then a wider investigation is warranted!

Have some knowledge of the antivirus software you purchase!