Information regarding false-positives in antivirus software

Update: There have been many updates since this was written, but the information below still applies. The only false-positive that still seems to be an issue is the Kaspersky heuristic HEUR:Trojan.Win32.Generic, which Kaspersky corrects every time I submit a false-positive report, but they only whitelist that exact version, so it's usually back again on the next update. Because of all the other things I have to do when releasing an update, I no longer submit false-positive reports for this particular detection: I'm trying to speed up the release process, and waiting for a false-positive to be corrected slows it down considerably (usually by a couple of days). Keep in mind that the HEUR: (heuristic) prefix means no known malicious code was found, only that the program shares code or characteristics with known malware. My best guess is that it is caused by the encryption functionality in CGWatcher, even though that code only uses the .NET encryption libraries. The program is unobfuscated, so it is not difficult to review the code. If it was doing something malicious I can assure you it would have been exposed by now. It is not my intent to scam or steal from or otherwise deceive anyone, and I think this software has been in use long enough and by enough people to vouch for this. You are more than welcome to send the software to Kaspersky and ask them to verify it is a false-positive, or to any other anti-virus company flagging it for that matter. Thanks for understanding this and continuing to use and support this project.


    CGWatcher 1.2.0 was the first version to trigger a false-positive. According to the VirusTotal scan I do for every new version, Symantec reported it as WS.Reputation.1 which means it didn't find any malicious code, the software had just not developed a "good reputation" so Symantec pro-actively hurts independent developers by marking their software as malicious... specifically in the beginning, the most crucial time for software to gain acceptance.

    To their credit, Symantec had an easy method for reporting false-positives and after submitting, they responded within an hour or two saying the issue had been corrected. Re-running the VirusTotal scans immediately reflected this, and CGWatcher was once again back to 0/47.

The response from Symantec:
In relation to submission [3248684].
Upon further analysis and investigation we have verified your submission and as such this detection will be removed from our products.
The updated detection will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at http://securityresponse.symantec.com/avcenter/defs.download.html
Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.
If you are a software vendor, why not take part in our whitelisting program?
To participate in this program, please complete the following form: https://submit.symantec.com/whitelist

Sincerely,
Symantec Security Response
http://securityresponse.symantec.com

    There were not many changes from 1.2.0 to 1.2.1, but apparently enough to trigger another false-positive. The most noticeable difference was code I added to compress and encrypt communication with CGRemote, as the upcoming closed beta approaches. This code only uses the .NET compression and cryptography classes, so I am not sure why it would be flagged, and it may be that other changes are causing the false-positive, though I can't think of any. The CGRemote code was the most significant change in 1.2.1.

    This time the false-positive was from Kaspersky, who flagged it as HEUR:Trojan.Win32.Generic. The HEUR: prefix indicates a heuristic detection, meaning no known malicious code was found but that there are behaviors or attributes that may be used for malicious purposes or are used by malicious software. Think of it as a tornado watch compared to a tornado warning. No tornado was found in CGWatcher, but there are conditions that could be used to create a tornado. Again, I'm not exactly sure what those conditions are that cause 1.2.1 to get flagged but not previous versions.

    So I submitted a false-positive report to Kaspersky before going to bed. When I woke up, they had responded and confirmed that it was a false-positive and would be corrected in the next update.

The response from Kaspersky:
Hello,
Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.
Also, feel free to check out our whitelisting program:
http://www.kaspersky.com/partners/whitelist
Regards, Ye Jin
Junior Virus Analyst, Kaspersky Lab.
39A/3 Leningradskoe Shosse, Moscow, 125212, Russia  Tel./Fax: + 7 (495) 797 8700  http://www.kaspersky.com http://www.viruslist.com

    Keep in mind that when submitting a false-positive report, you upload the software in question and send it with the submission. So these two incidents show CGWatcher has been specifically checked out by Symantec and Kaspersky, and has been determined to be clean of any malicious code. Otherwise they would not be correcting the issue. The one limitation is that the correction applies to the exact file that was submitted, so a later build can be flagged again until it is submitted in turn.

    Update: After a user reported Kaspersky PURE 3.0 removing CGWatcher even after the false-positive was corrected, I contacted Kaspersky again asking them to check that it was in fact corrected and that the correction would apply to future versions as well. This is the response I received:


Hello,
We were unable to reproduce the detection.
Please update your antivirus bases.
If the problem persists, please send the screenshots or logs of detection.
Regards, Ye Jin
Junior Virus Analyst, Kaspersky Lab.

   So if you find yourself in the same situation, please update your antivirus software/definition files and check if that fixes the problem.

    I will continue to update this page with any future false-positives. We've all seen how prevalent malware has become in the bitcoin/litecoin/alt-coin worlds, so I take false-positives seriously. Neither CGWatcher nor CGRemote does anything malicious, and I host their download pages on my personal blog using my real name and photo just to help show this. If your anti-malware or anti-virus software flags any of my software, please let me know so I can submit the appropriate report to the developer.

    As it had come up on reddit a few times, there are some additional things I'd like to point out for anyone questioning this software's intent:


  • The software was first released in March; I estimate over 2500 users for CGWatcher as of writing this; and CGWatcher continues to average 100+ downloads per day. If it was doing something malicious, it would have been exposed by now. If you think otherwise, you greatly underestimate redditors and those on the bitcointalk and litecoin forums.
  • You always have the option of keeping the miner's window visible. In fact, this is the default setting. If CGWatcher was, for example, switching pools without your consent, you could see this in the miner's UI. CGWatcher also notifies you any time the pool changes, along with recording it in miner.log. You can also use the miner's logging option (2>>cgminer.log) to have the miner create a log of its own to check against CGWatcher's log. (Note: If using the 2> log option, you must use a batch or command file to launch the miner because there is a problem with setting this as an argument in the .NET process class that I still have to figure out. The underlying reason is that 2>> is a redirection operator interpreted by the command shell, not by the miner; when it is passed as an argument through the .NET Process class there is no shell involved, so cgminer receives the text literally instead of having its standard error redirected.)
  • CGWatcher only connects to the Internet to a) check for updates, and b) retrieve coin profitability data from http://coinchoose.com. I use Pastebin to host the latest version info, so it should only ever connect to pastebin.com or coinchoose.com.
  • You can run CGWatcher inside a sandbox like Sandboxie. Keep in mind there may be some quirky behavior, such as "Denied attempt to load system driver 'winring0_1_2_0'" messages from Sandboxie, but they don't seem to affect CGWatcher's functionality. Also, if using a sandbox, settings may not be saved after closing because of how sandboxes work. You could save the sandbox to likely resolve this, but I haven't tested this myself. There may be other quirks as well, but it does work in Sandboxie.
  • CGWatcher is an un-obfuscated .NET application, meaning it isn't difficult for someone with moderate development experience to see what it is or isn't doing.
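The cross-check suggested in the second bullet, comparing the miner's own log against CGWatcher's miner.log, as an added example that is not part of CGWatcher or of the original page. Both log excerpts are constructed for this example: the "Switching to pool" wording follows cgminer's console output, while the CGWatcher miner.log line format, the 30-second matching window, and the pool URLs are assumptions made here. A pool switch recorded by the miner that has no matching CGWatcher notification within the window is reported as unexplained.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the miner's own stderr log (from 2>>cgminer.log).
# The wording follows cgminer's console output, but these lines are made up.
CGMINER_LOG = """\
 [2013-06-01 12:00:01] Started cgminer 3.1.1
 [2013-06-01 12:00:02] Pool 0 stratum+tcp://pool-a.example:3333 alive
 [2013-06-01 12:30:10] Switching to pool 1 stratum+tcp://pool-b.example:3333 - user requested
 [2013-06-01 13:05:44] Switching to pool 2 stratum+tcp://unknown.example:3333 - new best pool
"""

# Constructed sample of CGWatcher's miner.log. The line format is an
# assumption for this example; adjust MINER_LOG_RE to match the real file.
CGWATCHER_LOG = """\
2013-06-01 12:00:00  Miner started
2013-06-01 12:30:08  Pool changed to stratum+tcp://pool-b.example:3333 (profitability switch)
"""

CGMINER_RE = re.compile(
    r"^\s*\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] Switching to pool \d+ (?P<url>\S+)"
)
MINER_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+Pool changed to (?P<url>\S+)"
)


def parse_switches(text, pattern):
    """Return [(timestamp, pool_url), ...] for every line matching pattern."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("url")))
    return events


def unexplained_switches(cgminer_text, cgwatcher_text, window=timedelta(seconds=30)):
    """Pool switches the miner logged that CGWatcher did not announce.

    A miner switch counts as explained when CGWatcher logged a change to the
    same pool URL within `window` of the miner's timestamp (the two programs
    write their lines a few seconds apart, so exact equality is too strict).
    """
    miner_events = parse_switches(cgminer_text, CGMINER_RE)
    watcher_events = parse_switches(cgwatcher_text, MINER_LOG_RE)
    unexplained = []
    for ts, url in miner_events:
        explained = any(
            w_url == url and abs(w_ts - ts) <= window
            for w_ts, w_url in watcher_events
        )
        if not explained:
            unexplained.append((ts, url))
    return unexplained


if __name__ == "__main__":
    for ts, url in unexplained_switches(CGMINER_LOG, CGWATCHER_LOG):
        print(f"{ts}: miner switched to {url} with no matching CGWatcher entry")
```

On the constructed input the 12:30 switch to pool-b is matched by CGWatcher's entry two seconds earlier, and the 13:05 switch to unknown.example is reported. In practice, point the two regexes at the real files, and treat any reported switch as something to investigate in the miner's UI rather than as proof of tampering; a crashed or restarted CGWatcher can also leave a gap in miner.log.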

Also check the various comments posted about CGWatcher and you will see there has not been even one report of malicious or questionable behavior:

3 comments:

  1. Hello - I am using ESET NOD32 Antivirus 7 and it detects CGRemote 1.0.8 as a virus too and cleans it out!

    1. I'm not sure what code is causing the false-positive... they won't say, for obvious reasons (it would make it easier for malware creators to get around antivirus software if they knew the reason it was being flagged). Most false-positives just classify it as bad because the code is obfuscated, meaning the code is sort of scrambled to make it harder to copy. This is something a lot of malware does too, but for different reasons: to avoid detection. You're welcome to submit a CGRemote false-positive report to your antivirus software's creator. This involves sending them the files so they can look at it closely. Unfortunately, even when they do admit it's a false-positive they only whitelist that exact version... so the smallest change I make means the false-positive comes back.

  2. If it helps, NOD32 reports CGRemote as MSIL/Packed.Confuser.D

    Don't see how I file the false positive report so I guess I'm out of luck.
