Community

Contacted by user today after their viewer got removed by Windows Defender. Didn't know why it happened, and told her to download the 6.9 and of course, "a window popped up saying “viewer6.9.msi contained a virus and was deleted” so the download didn’t complete."

Since this is the second time this happened for this user in just a few months, with the loss of productivity after this happens, I'm anticipating the conversation about switching to something else. Telling people to temporarily disable their antivirus is not a solution that works more than once.

I cannot think of any software I use that has this level of problems with AV software, so it sticks out as an outlier. I understand the predicament you are in, it's especially harder as you're in an industry where AV vendors have to distinguish between malicious RATs and intentional RATs, but it is a problem that is mainly yours to make any improvement if there are false positives.

So what can be done about this situation?

First thought, was that the signatures should automatically be made available to the Virus Total AV vendors before officially releasing the final builds and have a high or 100% vendor update confirmation. At the very least, the main ones, like Defender, Kaspersky, McAfee, ESET, etc. I think people can look at a Virus Total and ignore false detections when the main ones don't flag it and only the super obscure ones do. I know you can submit false positives to each vendor, not sure if you can pre-submit to prevent false positives. I assume so.

But yeah, getting on Defender blocklist is bad. Anything and everything to prevent this proactively in the future should be done.

Conrad wrote:

Hello Max,

Just as I was writing this answer Microsoft informed us that they removed the detection and that one should update their definition files.

I perfectly understand what you say and agree completely. Unfortunately, there is little we can do because the antivirus software industry is in dismal state. How else can we characterize them if they cannot even distinguish a digitally signed file from an unsigned trojan-loaded one?

Just think about it - a file signed with an EV Code Signing Certificate coming from a legit developer gets detected as a trojan :) Well, of course not all a/v software is that bad though, but some are.

And there is this VirusTotal, which is another sad story. For almost three years we have been trying to convince them that not all antivirus software are created equal and that they should take a closer look at the quality of the a/v engines they use. Yet, they keep presenting their scan results alphabetically and in red type (even the relatively benign detections). So the never-responding-to-false-positive-requests Chinese antivirus by the name "AntiyAVL" (without VirusTotal you wouldn't even know that it exists) always gets at the top of the list with their bold red warning that Remote Utilities is unsafe :)

Was the Microsoft response an automated one (I'm sure) or possibly a human? Could you ask them about what impact an EV signed certificate does on AV scans? Because I don't see that as an automatic whitelist for AV vendors, just an additional safety check that the .exe you have is from the people you expected it from before executing it (ie, from Microsoft, not Micros0ft). If it was an automatic whitelist, then the cost to mass malware infections would be very cheap. Legit developers signed certs get stolen all the time and we find out days, weeks or months later something malicious got slipped in without someone knowing. An AV vendor that trusted a file on EV alone would be swiss cheese and not something people would really want to install.

But yeah, the big 6-10 vendors that will be installed by your customer base is main priority. I know from reading bleepingcomputer forums over the years, people tend to ignore the really obscure VirusTotal AV engines, but if one or more of the main vendors detects something, there is probably something to it.