Community
Update AV vendors with your latest signatures before releasing a build
Since this is the second time this happened for this user in just a few months, with the loss of productivity after this happens, I'm anticipating the conversation about switching to something else. Telling people to temporarily disable their antivirus is not a solution that works more than once.
I cannot think of any software I use that has this level of problems with AV software, so it sticks out as an outlier. I understand the predicament you are in, it's especially harder as you're in an industry where AV vendors have to distinguish between malicious RATs and intentional RATs, but it is a problem that is mainly yours to make any improvement if there are false positives.
So what can be done about this situation?
First thought, was that the signatures should automatically be made available to the Virus Total AV vendors before officially releasing the final builds and have a high or 100% vendor update confirmation. At the very least, the main ones, like Defender, Kaspersky, McAfee, ESET, etc. I think people can look at a Virus Total and ignore false detections when the main ones don't flag it and only the super obscure ones do. I know you can submit false positives to each vendor, not sure if you can pre-submit to prevent false positives. I assume so.
But yeah, getting on Defender blocklist is bad. Anything and everything to prevent this proactively in the future should be done.
Just as I was writing this answer Microsoft informed us that they removed the detection and that one should update their definition files.
I perfectly understand what you say and agree completely. Unfortunately, there is little we can do because the antivirus software industry is in dismal state. How else can we characterize them if they cannot even distinguish a digitally signed file from an unsigned trojan-loaded one?
Just think about it - a file signed with an EV Code Signing Certificate coming from a legit developer gets detected as a trojan :) Well, of course not all a/v software is that bad though, but some are.
And there is this VirusTotal, which is another sad story. For almost three years we have been trying to convince them that not all antivirus software are created equal and that they should take a closer look at the quality of the a/v engines they use. Yet, they keep presenting their scan results alphabetically and in red type (even the relatively benign detections). So the never-responding-to-false-positive-requests Chinese antivirus by the name "AntiyAVL" (without VirusTotal you wouldn't even know that it exists) always gets at the top of the list with their bold red warning that Remote Utilities is unsafe :)
Was the Microsoft response an automated one (I'm sure) or possibly a human? Could you ask them about what impact an EV signed certificate does on AV scans? Because I don't see that as an automatic whitelist for AV vendors, just an additional safety check that the .exe you have is from the people you expected it from before executing it (ie, from Microsoft, not Micros0ft). If it was an automatic whitelist, then the cost to mass malware infections would be very cheap. Legit developers signed certs get stolen all the time and we find out days, weeks or months later something malicious got slipped in without someone knowing. An AV vendor that trusted a file on EV alone would be swiss cheese and not something people would really want to install.Conrad wrote:
Hello Max,
Just as I was writing this answer Microsoft informed us that they removed the detection and that one should update their definition files.
I perfectly understand what you say and agree completely. Unfortunately, there is little we can do because the antivirus software industry is in dismal state. How else can we characterize them if they cannot even distinguish a digitally signed file from an unsigned trojan-loaded one?
Just think about it - a file signed with an EV Code Signing Certificate coming from a legit developer gets detected as a trojan :) Well, of course not all a/v software is that bad though, but some are.
And there is this VirusTotal, which is another sad story. For almost three years we have been trying to convince them that not all antivirus software are created equal and that they should take a closer look at the quality of the a/v engines they use. Yet, they keep presenting their scan results alphabetically and in red type (even the relatively benign detections). So the never-responding-to-false-positive-requests Chinese antivirus by the name "AntiyAVL" (without VirusTotal you wouldn't even know that it exists) always gets at the top of the list with their bold red warning that Remote Utilities is unsafe :)
But yeah, the big 6-10 vendors that will be installed by your customer base is main priority. I know from reading bleepingcomputer forums over the years, people tend to ignore the really obscure VirusTotal AV engines, but if one or more of the main vendors detects something, there is probably something to it.
This is the usual response that they send when they white list a file. But looks like a template, of course.Was the Microsoft response an automated one (I'm sure) or possibly a human?
It's not only a digital signature. We are also a registered developer with Microsoft.Because I don't see that as an automatic whitelist for AV vendors, just an additional safety check that the .exe you have is from the people you expected it from before executing it (ie, from Microsoft, not Micros0ft).
A compromised signature can get black listed within minutes. And Microsoft's SmartScreen as well as antivirus software are not supposed to let the files signed with such a signature run. Sure, there are must be other detection factors as well, I agree with that. But we still think that digital signatures are a bit underestimated.Legit developers signed certs get stolen all the time and we find out days, weeks or months later something malicious got slipped in without someone knowing.
But yeah, the big 6-10 vendors that will be installed by your customer base is main priority. I know from reading bleepingcomputer forums over the years, people tend to ignore the really obscure VirusTotal AV engines, but if one or more of the main vendors detects something, there is probably something to it.
VirusTotal could add a "trust score" for the engines they use. For example, if an a/v company never cares to respond to false positive requests their trust score should be low and users must see it. Or VT could even ban an engine from the list if they generate a lot of false positves and never respond to software developers.
By the very representation of scan results VirusTotal makes their users think that AntiyAVL, Rising and K7 are as important, precise and well-established a/v companies as Kaspersky, McAfee and Symantec. Perhaps, they just want to avoid being accused of discrimination practices but this does their visitors /users no good.
* Website time zone: America/New_York (UTC -5)