Recession Has Hit AVG
Not so long ago, I wrote here about the very good service I received from Grisoft, the makers of AVG Free, the antivirus product I was using (and have recently returned to). I had sent in a file for perusal that was from the Donation Coders website. The site features authors who do a lot of coding of single solution products, products that do one thing not available elsewhere, and deemed to be of need to more than a few persons.
I use several of these on a daily basis, and one of the products had shown up as being a Trojan program. That is, one day, after weeks of usage, it suddenly became identified as being a Trojan. Knowing this was not true, and not being allowed by the resident portion of the program to execute it (although I was able to keep it from deletion), I had to send the file in for analysis. I got a reply the very next day, saying that the file would be unflagged in the very next update of the definitions file. It was.
For the last couple of months, I have had the same problem with another file from Donation Coders, and from that same author. The problem is that this author uses a toolkit that consists of a basic runtime module that gets specific instructions grafted onto it for the given use. Apparently, rather than clearing the runtime as a whole, Grisoft has only cleared each specific instance I have sent in (can I be the only one using this stuff?).
This time, instead of a personal letter, I got a form letter. Alright, not everyone can expect a personal reply, especially since this is a free product. However, the generic form letter only goes so far. This form letter goes so far as to tell me that the problem is that the file might be contaminated, or it might be a false positive. Well, that certainly speaks volumes. This is one of those leaps of logic right up on the same pedestal as ‘You’re either pregnant or you’re not!’
This email is an auto-response message. Please do not reply.
AVG Anti-virus Research Lab has analyzed the file(s) you have sent from your AVG Virus Vault. Below you can find the results for each file. The final verdict on the file is either a correct detection or a false positive detection.
“C:\Program Files\Applets\DimScreen.exe” – detection is correct
Best regards,
AVG Technical Support
website: http://www.avg.com
Either we have a failure to communicate (differences in languages) or the site is telling me that if I want better results, I should get the paid version.
I’m currently saving nickels for that upgrade to F-Prot from Frisk.
4 Comments
Aryeh Goretsky
November 22nd, 2008
at 4:58am
Hello,
It is not unusual for antivirus software to detect toolkits or libraries used in software development if the same program code is used by malware authors. For example, a library used to do process injection might be used to add missing functionality to a program, but it could also be used to install malware or gain and maintain privileged access to a computer system (i.e., a rootkit).
So, when an antivirus company sees a particular library used over and over again in malware, it makes sense to look for that library, since its presence could indicate your system has been infected (which is, after all, what you pay for your antivirus software to do).
Antivirus vendors deal with false positive alarm issues all the time, and usually are able to fix them very quickly.
Perhaps someone from AVG will see your blog post and be able to address the issue.
Regards,
Aryeh Goretsky
the oracle
November 22nd, 2008
at 11:34am
Aryeh, thanks, I knew that, but wasn’t thinking of it that way.
The one thing I didn’t say is, if you look in that code, the author has his signature, so when someone at AVG takes a look, I would think that they might make a connection, and possibly check a little closer.
FWIW, I know they must be busy guys, but I also know how when one is involved in something, it is easy to recall details of things seen, so when the file is examined, it would be easy to see that it probably was fine, and after doing the due diligence, should be put on the whitelist immediately.
Aryeh Goretsky
November 23rd, 2008
at 11:40pm
Hello,
It seems pretty simple, doesn’t it? Unfortunately, things are usually not that easy. Here’s one scenario I just came up with, off the top of my head:
Author creates a legitimate application using code used in both legitimate and non-legit applications.
Anti-virus vendor whitelists author’s legitimate application.
Author’s legitimate application gets infected with malware using the same code.
So, what is the flow of logic for the antivirus vendor? Also, keep in mind, there’s usually an infinite number of samples to process, and a finite number of virus researchers to process them, so, how do they invest their time?
Regards,
Aryeh Goretsky
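The two mechanisms the thread circles around (the post's observation that clearing one build does not clear the shared runtime, and Aryeh's scenario of a whitelisted file later being modified) can be shown with a small simulation. This is an added example, not code from the blog or from AVG: the runtime stub, the byte signature and the hash allowlist are all constructed stand-ins for how a scanner might combine a generic pattern with a per-file exemption.

```python
import hashlib

# Constructed stand-in for the toolkit's shared runtime module. Every build
# carries it, and the (constructed) scanner signature targets a slice of it.
RUNTIME_STUB = b"TOOLKIT-RUNTIME-v1:" + b"\x90" * 16
SIGNATURE = b"TOOLKIT-RUNTIME-v1:"


def build_app(script: bytes) -> bytes:
    """Emulate the toolkit: the common runtime with app-specific instructions grafted on."""
    return RUNTIME_STUB + script


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(file_bytes: bytes, allowlist: set) -> str:
    """Per-file hash allowlist wins over the generic byte signature.

    An allowlist entry only matches the exact bytes that were submitted, so it
    neither covers other builds on the same runtime nor a modified copy of the
    cleared file.
    """
    if sha256(file_bytes) in allowlist:
        return "clean (allowlisted)"
    if SIGNATURE in file_bytes:
        return "detected: Generic.Toolkit"
    return "clean"


def demo() -> dict:
    allowlist = set()
    dimscreen = build_app(b"dim the screen")      # the applet the user submitted
    other_applet = build_app(b"show a clock")     # another applet, same runtime
    # The vendor clears the one sample it received, by hash, not the runtime.
    allowlist.add(sha256(dimscreen))
    return {
        "submitted build": scan(dimscreen, allowlist),
        "same runtime, other applet": scan(other_applet, allowlist),
        # Aryeh's scenario: the cleared file is later altered (constructed payload),
        # so its hash changes and the exemption no longer applies.
        "submitted build, later modified": scan(dimscreen + b"APPENDED-PAYLOAD", allowlist),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The second and third results are the two outcomes discussed in the thread: a sibling build is still flagged, and a modified copy loses its exemption rather than inheriting it.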