
Thread: Deliberate false positives?

#1 SephStorm, Senior Member (Join Date: Aug 2008; Posts: 166)

    Deliberate false positives?

    I am wondering what the possibility is of anti-malware vendors, or the RIAA and similar organizations, creating deliberate false malware claims to prevent the use of unlicensed software.

    I came across a file that was reported to be an "anti-WGA" tool. So I installed it on a VM running a legally purchased copy of Windows, and did not input the required validation information. I then ran a scan of the computer using MBAM, a common and, in my experience, effective anti-malware scanner and remover. The scanner detected a Trojan, Trojan.I.Stole.Windows.

    Based on my analysis, no changes were made to the system outside of the specific changes stated by the program makers, and no trojan activity was displayed or recognized by any other AV software on the computer.

    This brings up the question: is it possible and/or likely that vendors could flag known piracy software as malicious to prevent its use? Is such an action ethical?
    "You're only smoke and mirrors..."

#2 lupin, Super Moderator (Join Date: Jan 2010; Posts: 2,943)

    Quote Originally Posted by SephStorm:
    > This brings up the question: is it possible and/or likely that vendors could flag known piracy software as malicious to prevent its use?

    Sure it's possible; each anti-malware vendor makes their own decision as to what is detected as malicious by their software. It's possible for them to detect whatever they want. Whether they actually start to detect pirated software will probably depend on their relationships with the software vendors and how their customers react to such things.

    Quote Originally Posted by SephStorm:
    > Is such an action ethical?

    Questions about ethics are always very subjective, and I'm sure the point could be argued either way. Personally, my opinion on the matter is that I don't want software I use to do anything other than what I got it for. I only want anti-malware software to detect legitimate malware, and I don't want it trying to enforce copyright or anti-piracy restrictions. If I want that functionality I will get software that is designed to do that.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

#3 SephStorm, Senior Member (Join Date: Aug 2008; Posts: 166)

    Here is an example: John the Ripper, a common tool that many of us have used. Some vendors will report it to a user as a PUP (potentially unwanted program): PWCrack-JohnTheRippr

    Some report it as a password cracker: Application.Pwcrack.Johntherippr.A
    And some as a Trojan: Trojan.Agent.IRC

#4 lupin, Super Moderator (Join Date: Jan 2010; Posts: 2,943)

    Yes, I see many such alerts on my work PC.

    A recent example (the detection actually happened last night) is win32dd detected as Hacktool.Rootkit. Win32dd is a tool used to take forensic memory images from Windows machines.

    Guess I'm not going to be able to use that tool to capture memory from Windows systems running this particular AV product any more...
