Author Topic: False negatives (17)  (Read 22202 times)

jj2007

  • Member
  • *****
  • Posts: 13937
  • Assembly is fun ;-)
    • MasmBasic
False negatives (17)
« on: January 27, 2013, 12:20:45 PM »
Just for fun, I downloaded a zip file from a phishing mail. M$ Security Essentials didn't find anything, but five out of 21 AV at Jotti found five different viruses. So seventeen AV scanners didn't find anything suspicious in that executable. Maybe I should run it?
 ;)

Magnum

  • Member
  • *****
  • Posts: 2399
Re: False negatives (17)
« Reply #1 on: January 27, 2013, 03:49:34 PM »
"If you hang around a barbershop, eventually you'll get a haircut."

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

Vortex

  • Member
  • *****
  • Posts: 2788
Re: False negatives (17)
« Reply #2 on: January 27, 2013, 08:29:06 PM »
Hi Jochen,

In such situations, a human is the best antivirus. Once the message is identified as phishing, the simplest and most effective action is to click the delete button.

jj2007

  • Member
  • *****
  • Posts: 13937
  • Assembly is fun ;-)
    • MasmBasic
Re: False negatives (17)
« Reply #3 on: January 27, 2013, 10:51:53 PM »
Hi Erol,

I fully agree. The problem is that too many people are confident that their AV can handle the virus attached to the mail (and 17 of them can't handle it, including MSE), and that the same crappy AV cripple the good products of small software companies and hobby coders by falsely declaring them "dangerous".

Vortex

  • Member
  • *****
  • Posts: 2788
Re: False negatives (17)
« Reply #4 on: January 27, 2013, 11:01:57 PM »
Hi Jochen,

Your explanation is perfect, thanks. As you mentioned, the keyword is confidence. We, the assembly coders here in the forum, are lucky as we know more about the internals of the OS, and this helps us decide on the measures to take against malware. What is important is to always be as careful as possible.

Gunther

  • Member
  • *****
  • Posts: 4196
  • Forgive your enemies, but never forget their names
Re: False negatives (17)
« Reply #5 on: January 28, 2013, 02:30:40 AM »
Hi Jochen,

Maybe I should run it?  ;)

delete it and you're on the safer side.

Gunther
You have to know the facts before you can distort them.

MichaelW

  • Global Moderator
  • Member
  • *****
  • Posts: 1196
Re: False negatives (17)
« Reply #6 on: January 28, 2013, 03:13:47 AM »
A failure to detect a problem in a scan does not equate to an inability to detect it, and kill it, when it becomes active on a protected system. If they could rely on scans to detect a problem, there would be no need for real-time protection.
Well Microsoft, here’s another nice mess you’ve gotten us into.

anta40

  • Member
  • ***
  • Posts: 315
Re: False negatives (17)
« Reply #7 on: January 28, 2013, 03:36:04 AM »
Maybe I should run it?
 ;)

Maybe it would be safer if you run it on virtualized Windows?

Don57

  • Guest
Re: False negatives (17)
« Reply #8 on: January 28, 2013, 03:56:04 AM »
I just got nailed with a trojan that went through AVG, but it only takes a couple of hours to rebuild my machine. Reinstalling everything gets rid of a lot of crap, and I have an extra 150G of disk space now. The only problem is installing masm: my AV thinks that a lot of the examples are viruses, so it takes a little time to set up the exceptions. Still, it's not a bad thing to clean out your machine once in a while.

Vortex

  • Member
  • *****
  • Posts: 2788
Re: False negatives (17)
« Reply #9 on: January 28, 2013, 04:30:20 AM »
Maybe it would be safer if you run it on virtualized Windows?

or running sandbox software.

Greenhorn

  • Member
  • ***
  • Posts: 488
Re: False negatives (17)
« Reply #10 on: January 28, 2013, 04:32:19 AM »
Microsoft puts the poor AV-Test results into perspective
Key lessons learned from the latest test results

Many AV tests are - like benchmarks - unrealistic. It always depends on the setup of the test.

"If you hang around a barbershop, eventually you'll get a haircut."
Full ACK.

Greenhorn
Cold feet and a north wind give a wrinkled sack and a little prick.

sys64738

  • Regular Member
  • *
  • Posts: 32
Re: False negatives (17)
« Reply #11 on: December 07, 2013, 12:05:34 AM »
I'm using AVIRA and I finally had my first acknowledged false positive. :)

I was writing a small program which just encrypts some data and suddenly the AV started to tell me that there is a trojan in that program. :) Maybe I should upload it to some online scanners and see what they have to say about it.

Gunther

  • Member
  • *****
  • Posts: 4196
  • Forgive your enemies, but never forget their names
Re: False negatives (17)
« Reply #12 on: December 07, 2013, 01:27:25 AM »
Hi sys64738,

I'm using AVIRA and I finally had my first acknowledged false positive. :)

AVIRA tends to produce false positives.

Gunther

Magnum

  • Member
  • *****
  • Posts: 2399
Re: False negatives (17)
« Reply #13 on: December 07, 2013, 01:51:18 PM »
I'm using AVIRA and I finally had my first acknowledged false positive. :)

I was writing a small program which just encrypts some data and suddenly the AV started to tell me that there is a trojan in that program. :) Maybe I should upload it to some online scanners and see what they have to say about it.

I have found all scanners to be next to useless.

I have uploaded both live samples and perfectly safe assembly programs.

They have greatly misidentified real anti-malware.

They identify perfectly normal small assembly programs as malware.

This includes programs that are so small, that it is impossible to have any payload.

:-)

That's maybe why some Russian nuclear plants got Stuxnet many months after its very public announcement.

Andy

dedndave

  • Member
  • *****
  • Posts: 8828
  • Still using Abacus 2.0
    • DednDave
Re: False negatives (17)
« Reply #14 on: December 07, 2013, 06:03:38 PM »
AdAware does a decent job for me.
I also use MalwareBytes, but it doesn't catch some viruses.