And the reasons are:
#1 - False-positive alarms
I'm sick and tired of my software being detected as a "virus"...
- ...in spite of being signed with a trusted Verisign certificate.
- ...in spite of being .NET-based (a platform which is not very "virus-authoring-friendly", so to speak) and not even using any code-obfuscation.
- ...in spite of using the "ClickOnce" installation-technology (in other words - the code runs in a sandbox).
- etc.
Because if your software has some kind of copy-protection built in (encrypts and stores serial numbers, hides parts of the code to hinder reverse engineering, etc.) - an antivirus will most likely detect some "very dangerous" trojan.
Because if your software tracks the mouse or monitors the keyboard (like our AutoText, for instance) - an antivirus will detect malware.
Because if your software is some kind of "compiler" - i.e. it's capable of building its own EXE files - an antivirus will detect a self-replicating virus. Oh, and all the EXE files it produces will also be marked as viruses, by the way (since you're most likely using a "self-executing-unpacker-code + data" architecture, which is considered a risk factor by most antiviruses, no idea why).
Because if your software uses the "ClickOnce" technology (an auto-update framework that comes from Microsoft and is built in to Windows!) - an antivirus will detect a "trojan downloader" and block your website in some cases.
These are just a few... And these are the actual reports I deal with every week. "Help, AVG blocks your installer saying it's a Trojan!", "Help, Opera has just blocked the downloaded file!".
EVERY. FUCKING. WEEK.
#2 - Antivirus vendors not dealing with false-positive reports properly
Now, dear antivirus companies! I understand - Users come first. Their security is your utmost concern. If someone sends you a virus sample - dealing with it is your #1 priority. I understand. I'm one of your paying users after all.
But please don't forget about us, the developers. We do send samples as well - the "false-positive" samples. We deserve some response. Fine, let it be within a week. Two weeks. A month. Two months. But please react!
Instead, some of you do not even have a feedback form or a forum on your website so we can upload a false-positive... And those who do, sometimes require us to send you our code-signing certificates, home-addresses, company papers and photo-IDs... We're guilty by suspicion. Everything is a virus until the author proves the opposite.
PS. In fairness, though, some antivirus companies do have these feedback forms in place, have nice developer support, and react promptly.
#3 - Antivirus my ass!
Create a simple C++ program (test.cpp) with code like this:

#include <windows.h>
#include <string>

// Show the command line this process was started with, wrapped in "->" and "<-".
int __stdcall WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
{
    return MessageBoxA(0, (std::string("->") + GetCommandLineA() + "<-").c_str(), "Cmdline", 0);
}

Compile it with a free "express" edition of Visual Studio 2008:

cl -Os -EHs-c- -GR- -MD test.cpp /link -fixed:no user32.lib -incremental:no -out:test.exe

Now test this program with your favorite antivirus. Voila! A "TR/ATRAPS.Gen" has been detected.
Congrats! You've just written your first virus!

30 comments:
That ain't even the half of it.
The biggest problem is damage control. AV software claims to be able to 'fix' a problem - but at that point, it's already too late. The system should be considered compromised and the disk should be reformatted. No software on the machine, including the AV, can be trusted once infection has occurred.
I know, I used to work at a malware research organization and I've seen some of the nasty things that are out there in the wild. The entire AV industry is a complete scam.
Rich Jones, Gun.io
As a developer I couldn't agree more. I worked on anti-cheat software which naturally involved code obfuscation to deter reverse engineering. Every new release, every time, guaranteed to be detected by some major AV as some generic trojan.
For fun I modified the Windows XP notepad.exe. I added a few imports and some strings to unused portions of the code. The code that executes is identical. Over 50% of commercial AV software now claim it's a virus.
I tried your example. MSE does not detect it as a virus.
I have been using computers since long before Windows... I will be using computers long after Windows... When Windows 95 became the most used OS, I quit programming client-side software. Now I only make server-side applications that can be accessed by web browsers. I really feel sorry for all the people who have fallen into the trap of Windows software development. It seems I have little empathy for all the problems I see coming from Windows. I don't know how... but I can see it from a mile away and articles like this validate my decision of not developing for Windows.
I actually think this article speaks volumes. I appreciate that you are exposing a deep problem with Windows development. You even provide details to support the problem you are highlighting.
I actually view Microsoft Windows and most software for Microsoft Windows as a virus... or at least malicious software.
I use Microsoft's antivirus software and don't experience the first issue you mentioned.
About the third issue: most antivirus software deals with signatures that identify the virus with, hopefully, as few false positives as possible. Apparently there's a virus that prints its command line surrounded by those strings. This is also something real software doesn't do. So yes, if you create a program matching a signature, then of course the antivirus software will detect that virus!
The performance hit on compilation is massive with it checking every file you read and write. It's not uncommon for compilation time to be 10x when the virus scanner is on everything you read and create.
It gets even worse when you realize that Norton has had its source code stolen and reverse engineered multiple times. Similar situations for all other AV programs as well. Not only are they flagging false positives, but there's a good chance they're not even flagging actual harmful viruses. AV software is a huge load of shit. Changing user behavior is a far more effective countermeasure.
Yeah, screw that nonsense. AV doesn't like netcat, thinks it's a "hack tool".
AV does, however, prevent my snazzy password-stealing "Glue" program from working.
http://www.yellosoft.us/portables
Maybe you should rethink does the code obfuscation you've implemented cause more harm than good? Security through obscurity is often a poor solution.
@ rich
Av industry is a scam because disinfection is often impossible? What a load of bull. That's like saying the justice system is a scam because it doesn't undo crimes committed.
Any decent av products don't really focus on disinfection, but on prevention, so that the malware would never be run on the host.
You've totally missed the reason that everybody at my office hates them. Corporate policy has the anti virus scan every file on every access to be secure. This means that every single source file in our substantial Java codebase that is compiled, every single class file that is written, every single Jar file that is compiled, etc, etc. The Windows filesystem is already bad enough, and this just makes things so very much worse...
We recently changed to ESET Nod32 antivirus... While investigating some very strange issues on one of our web apps (unable to connect to webservices, with an error Microsoft suggested was due to TCP port exhaustion), I ran netstat on one of our servers.
I noticed the antivirus (ekrn.exe) had hundreds of connections open to our other services - including SQL Servers, on the SQL Server port! Scary?
I asked our IT guys if our antivirus proxies anything, and was told it did not...
I did a little Googling, and found a page on the ESET website that explained what was happening. It seems they have a CRIPPLINGLY STUPID default in their anti-virus, that goes something like:
- Proxy all traffic on all ports, for any application that might be a web browser
How does it decide what "might be a web browser"? Well, it just flags anything that connects out to Port 80, of course!
Yes, that includes applications that do update checks, and w3wp when it connected out to a web service. With w3wp showing "browser-like behaviour", it had been flagged and was now having *all traffic* proxied through our antivirus, including binary connections to SQL Server and other services.
I wouldn't trust an anti-virus vendor as far as I could kick them.
I spent a day once trying to figure out why our software no longer would accept incoming connections. It turned out that installing ESET Nod32 would cause the Win32 AcceptEx() function call to stop working.
I'm going to have to correct you on the ".net isn't a viable virus authoring system". I've seen so many ".net malware" bs things in my career, it's not even funny.
[quote]
For fun I modified the Windows XP notepad.exe. I added a few imports and some strings to unused portions of the code. The code that executes is identical. Over 50% of commercial AV software now claim it's a virus
[/quote]
That comment is really silly considering that would be almost 100% guaranteed the file had been modified by another process/application. It isn't like the checksum should differ on each install of notepad.exe. If it has changed, as with your story, 50% is pretty sad. Should have been 85%+ I would hope.
Yes absolutely!
But the thing I really hate is when "AV" software modifies the contents of network packets arbitrarily. This caused at least one very difficult-to-find bug in my career.
The problem with AV software is that you can't test against it. At least, most AV software uses techniques which are badly documented, possibly secret, and subject to change at a moment's notice.
While you can test your software against a few of the major AV vendors, they can update their code at a moment's notice without giving *anyone* prior knowledge of it. Of course that's the whole point... if they released beta versions of their updated engines, then the malware authors would be able to find out how to work-around them.
Not only does AV software reduce desktop performance, but its false positives, network meddling, and constant, unpredictable updates, make things really difficult for software devs.
Operating system vendors always offer a "Beta" or "Preview" release of their new system so you can check compatibility. AV vendors don't.
You develop for Microsoft Windows, you get exactly what you deserve.
And I'm glad that I'm a mobile developer on Android and iOS. No AV problem (yet)! :)
Yeah, that's right. Because Windows users should be taken out and shot. You, sir, are an idiot and a bigot.
What's wrong with keylogger detection?
> Yeah, that's right. Because Windows users should be taken out and shot. You, sir, are an idiot and a bigot.
Thank you... I am a cross-platform developer. I use Linux, OSX, AND Windows... I don't see why people bash any particular system like they do. They have different audiences, and they all manage to get their job done well. Windows is currently the most popular OS, so this stupid software is more likely to be on it than anything else, and usually antivirus is there to protect the lowest common denominator from viruses, since they are most likely to be using Windows.
Antiviruses also affect web developers. I had this problem before on my machine:
http://www.roslindesign.com/2010/10/12/avg-antivirus-2011-corrupting-web-pages-with-injection-of-script-avg_ls_dom-js/
I tried to read your article but the scrolling ticker on the side was too distracting.
I'm with Sublemon: Windows is the problem. I wrote (and still maintain) a client-side app, but it's written in PHP-GTK and has about as much in common with most Windows apps as a cat has in common with a Sidewinder missile.
Windows is a rat's nest of barbed wire, stomach acid, and electro-convulsive shock therapy. It has architectural problems that will not ever be fixed, and "solutions" that mask the problem in a specific sense while polluting in a general one.
I ran as fast as I could to server-side solutions based on *nix and I've never once regretted it. Linux is rock solid, fundamentally immune to viruses, and generally needs to be rebooted about as often as Windows systems need to be reformatted.
What's not to love?
I have tried your example and scanned it:
http://virusscan.jotti.org/nl/scanresult/0e091708ae7bdca4ba5d9d874aee1a7563c3e747
Only AntiVir detects the TR/ATRAPS.Gen virus.
Other than that, I totally agree with you!
And... by intercepting all disk I/O, doubling build time.
Interesting, I would like to try your code...
That's funny because real developers wouldn't even use antiviruses.
That's what you get for trying to develop on Windows. I forget that people try it sometimes, it sounds insane to me.
I've read through all of the comments and this topic has got me thinking.
If AVs are unreliable, then what can I use to protect myself from viruses and malware?
Do I have to reformat my disk to be 100% sure that the infected files are gone? Is there no software that can remove infected files? If not, then what is the point of using an AV? It just slows down my PC and tells me that everything is a threat.
try "eicar" simple "virus" test :)
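The EICAR test file mentioned in the comment above is the standard way to check that an antivirus is actually scanning without handling real malware: a published 68-byte ASCII string that every mainstream engine is expected to flag. The following Python script is an added example, not code from the original post or from any AV vendor; it builds the test file in memory, verifies it against the standard's rules (the 68-byte string first, optionally followed by permitted whitespace, at most 128 bytes in total) and its published reference digests, and can write it to a path of your choosing so you can watch whether the scanner reacts. The two-part split of the string is only there so the script's own source file is not quarantined on save.

```python
import hashlib
import tempfile
from pathlib import Path

# Published EICAR test string (68 ASCII bytes). Harmless by design, but every
# mainstream AV engine is expected to detect it. Kept in two halves so that this
# source file is not itself quarantined by an on-access scanner.
_EICAR_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
_EICAR_TAIL = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = (_EICAR_HEAD + _EICAR_TAIL).encode("ascii")

# Reference digests of the canonical 68-byte file, as published for the standard.
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# The standard allows only these trailing characters after the 68 bytes:
# space, tab, LF, CR and CTRL-Z, with the whole file no longer than 128 bytes.
_ALLOWED_TRAILER = set(b" \t\n\r\x1a")
MAX_LEN = 128


def eicar_bytes() -> bytes:
    """Return the canonical 68-byte test file content (no trailing newline)."""
    return EICAR


def digests(data: bytes) -> dict:
    """MD5 and SHA-256 of the given bytes, for comparison with published values."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_reference(data: bytes) -> bool:
    """True if data is byte-for-byte the canonical 68-byte file."""
    d = digests(data)
    return len(data) == 68 and d["md5"] == EICAR_MD5 and d["sha256"] == EICAR_SHA256


def is_valid_eicar(data: bytes) -> bool:
    """True if data is a well-formed EICAR test file under the standard's rules:
    the 68-byte string first, then only permitted whitespace, total <= 128 bytes.
    A file that fails this check is not a valid test and a scanner may ignore it."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in _ALLOWED_TRAILER for b in data[len(EICAR):])


def write_eicar(path) -> Path:
    """Write the canonical test file to `path` and return it as a Path.
    Drop the result into a folder the scanner watches to see whether it reacts."""
    p = Path(path)
    p.write_bytes(eicar_bytes())
    return p


if __name__ == "__main__":
    target = write_eicar(Path(tempfile.gettempdir()) / "eicar.com")
    data = target.read_bytes()
    print("wrote", target, len(data), "bytes")
    print("well-formed:", is_valid_eicar(data), "matches reference:", matches_reference(data))
    print(digests(data))
```

If the file is removed or quarantined moments after being written, on-access scanning is working; if it sits there untouched, the scanner is either not running, not watching that path, or excluding that file type. Note that a text editor which appends a newline keeps the file valid (CR and LF are permitted trailers), but any other edit, even a single extra byte, makes it a different file that the standard no longer covers.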