The MASM Forum

Projects => MASM32 => AV Software sh*t list => Topic started by: jj2007 on January 27, 2013, 12:20:45 PM

Title: False negatives (17)
Post by: jj2007 on January 27, 2013, 12:20:45 PM
Just for fun, I downloaded a zip file from a phishing mail. M$ Security Essentials didn't find anything, but five out of 21 AV at Jotti found five different viruses (http://virusscan.jotti.org/en/scanresult/b2b3ba7f5763bbaba7b0973a31d754368904838e). So seventeen AV scanners didn't find anything suspicious in that executable. Maybe I should run it?
 ;)
Title: Re: False negatives (17)
Post by: Magnum on January 27, 2013, 03:49:34 PM
"If you hang around a barbershop, eventually you'll get a haircut."

Title: Re: False negatives (17)
Post by: Vortex on January 27, 2013, 08:29:06 PM
Hi Jochen,

In such situations, the human is the best antivirus. Having identified the message as phishing, the simplest and most effective action is to click the delete button.
Title: Re: False negatives (17)
Post by: jj2007 on January 27, 2013, 10:51:53 PM
Hi Erol,

I fully agree. The problem is that too many people are confident that their AV can handle the virus attached to the mail (and 17 of them can't handle it, including MSE), and that the same crappy AVs cripple the good products of small software companies and hobby coders by falsely declaring them "dangerous".
Title: Re: False negatives (17)
Post by: Vortex on January 27, 2013, 11:01:57 PM
Hi Jochen,

Your explanation is perfect, thanks. As you mentioned, the keyword is confidence. We, the assembly coders here in the forum, are lucky as we know more about the internals of the OS, and this will encourage us to make decisions about the measures to take against malware. What is important is to always be as careful as possible.
Title: Re: False negatives (17)
Post by: Gunther on January 28, 2013, 02:30:40 AM
Hi Jochen,

Maybe I should run it?  ;)

Delete it and you're on the safer side.

Gunther
Title: Re: False negatives (17)
Post by: MichaelW on January 28, 2013, 03:13:47 AM
A failure to detect a problem in a scan does not equate to an inability to detect it, and kill it, when it becomes active on a protected system. If they could rely on scans to detect a problem, there would be no need for real-time protection.
Title: Re: False negatives (17)
Post by: anta40 on January 28, 2013, 03:36:04 AM
Maybe I should run it?
 ;)

Maybe it would be safer if you run it on virtualized Windows?
Title: Re: False negatives (17)
Post by: Don57 on January 28, 2013, 03:56:04 AM
I just got nailed with a trojan that went through AVG, but it only takes a couple of hours to rebuild my machine. Reinstalling everything gets rid of a lot of crap, and I have an extra 150G of disk space now. The only problem is installing MASM: my AV thinks that a lot of the examples are viruses, so it takes a little time to set up the exceptions. Still, it's not a bad thing to clean out your machine once in a while.
Title: Re: False negatives (17)
Post by: Vortex on January 28, 2013, 04:30:20 AM
Maybe it would be safer if you run it on virtualized Windows?

or running a sandbox software.
Title: Re: False negatives (17)
Post by: Greenhorn on January 28, 2013, 04:32:19 AM
Microsoft puts poor AV-Test results into perspective (http://www.heise.de/security/meldung/Microsoft-relativiert-schlechte-Ergebnisse-von-AV-Test-1786029.html)
Key lessons learned from the latest test results (http://blogs.technet.com/b/mmpc/archive/2013/01/16/lessons-learned-from-the-latest-test-results.aspx)

Many AV tests are - like benchmarks - unrealistic. It always depends on the setup of the test.

"If you hang around a barbershop, eventually you'll get a haircut."
Full ACK.

Greenhorn
Title: Re: False negatives (17)
Post by: sys64738 on December 07, 2013, 12:05:34 AM
I'm using AVIRA and I finally had my first acknowledged false positive. :)

I was writing a small program which just encrypts some data and suddenly the AV started to tell me that there is a trojan in that program. :) Maybe I should upload it to some online scanners and see what they have to say about it.
Title: Re: False negatives (17)
Post by: Gunther on December 07, 2013, 01:27:25 AM
Hi sys64738,

I'm using AVIRA and I finally had my first acknowledged false positive. :)

AVIRA tends to produce false positives.

Gunther
Title: Re: False negatives (17)
Post by: Magnum on December 07, 2013, 01:51:18 PM
I'm using AVIRA and I finally had my first acknowledged false positive. :)

I was writing a small program which just encrypts some data and suddenly the AV started to tell me that there is a trojan in that program. :) Maybe I should upload it to some online scanners and see what they have to say about it.

I have found all scanners to be next to useless.

I have uploaded both live samples and perfectly safe assembly programs.

They have greatly misidentified real anti malware.

They identify perfectly normal small assembly programs as malware.

This includes programs that are so small, that it is impossible to have any payload.

:-)

That's maybe why some Russian nuclear plants got Stuxnet many months after its very public announcement.

Andy
Title: Re: False negatives (17)
Post by: dedndave on December 07, 2013, 06:03:38 PM
AdAware does a decent job for me.
I also use MalwareBytes, but it doesn't catch some viruses.
Title: Re: False negatives (17)
Post by: hutch-- on December 08, 2013, 12:14:57 PM
People who rely on AV scanners have been fooled by the marketing hype aimed at the technically illiterate. They will catch many things that don't matter, deliver an ever increasing list of generic tests (heuristic scanners) that deliver false positives and regularly miss the newer dangerous stuff.

There is no substitute for knowing your OS/computer, knowing how to secure it, never ever running anything that you don't know, and having a disk image of your boot partition as a backup. While there are exceptions, I have the suspicion that virus writers and AV scanner vendors are respectively the demand and supply sides of selling security software, part and parcel of the same operation. I generally recommend Kaspersky, Eset and the generic Microsoft AV scanners for those who must use them, but only if they maintain the correct discipline of not running trash and properly securing their computer. A VM sandbox is also a handy toy if you must run risky things.
Title: Re: False negatives (17)
Post by: TWell on February 13, 2014, 01:53:12 AM
False Alarm Tests here (http://www.av-comparatives.org/false-alarm-tests/)
Title: Re: False negatives (17)
Post by: jj2007 on February 13, 2014, 03:21:30 AM
False Alarm Tests here (http://www.av-comparatives.org/false-alarm-tests/)

Cute - that merits a ranking (September 2013 (http://www.av-comparatives.org/wp-content/uploads/2013/09/avc_fp_201309.pdf)):

False positives   Product
      0           MSE
      1           ESET
      2           F-Secure
      3           Fortinet
      5           Kaspersky
      7           Emsisoft
      8           BitDefender
      8           BullGuard
      8           Sophos
     10           Avast
     13           AhnLab
     13           Qihoo
     14           Trend Micro
     20           Avira
     20           Kingsoft
     20           McAfee
     20           Panda
     20           Tencent
     22           G Data
     28           AVG
     28           eScan
     37           Symantec
     37           Vipre
Title: Re: False negatives (17)
Post by: Gunther on February 13, 2014, 03:45:46 AM
Avira is in the rear third of the AV scanners. What a shame.

Gunther
Title: Re: False negatives (17)
Post by: hutch-- on February 25, 2014, 11:45:49 AM
More or less fits my view on AV scanners: the classy ones like Eset and Kaspersky have a far lower false positive count, and so far the Microsoft one seems to be OK. Anything on the tail end of the list needs to be converted to free disk space.
Title: Re: False negatives (17)
Post by: Magnum on February 25, 2014, 02:59:19 PM
I don't believe the MSE ranking.

When I used it, it had all kinds of false positives.

Even on 2000 byte files that I made that did next to nothing.

Andy