
We make free software available on our web site. A few years ago, one of the virus scanners started complaining about some of our executables. We rebuilt everything from source code, verified things were working correctly, etc. There are no viruses or any other malware in our executables.

Apparently the less sophisticated virus scanners just do a simple pattern match, and something in one of our low level libraries, when linked into most programs, matched a pattern.

This was just an annoyance for a few years, and even seemed to get better over time. Probably as changes were made to software, some executables got linked differently and no longer had whatever pattern was triggering the virus scanners. However, a few months ago things got dramatically worse. Apparently Google is using one of these virus scanners that indicates a false positive, and now throws up nasty warnings, blocks Chrome from getting to our site, etc. Even worse, I just found that our ISP (InfoQuest) apparently just took Google's warning at face value and renamed one of our files without asking us or even notifying us.

This has now become a serious problem that can no longer be ignored. How do I fix this? Talking to tech support at a virus scanner company doesn't go well. The support droids just can't seem to wrap their minds around the fact that their software is wrong. I can't fix this at our end because there is nothing actually wrong with our executables. I even sent them a test case once, but of course never heard anything back.

In case anyone wants to see, the page in question is http://www.embedinc.com/pic/dload.htm. Unfortunately, this is not always there as it gets renamed or removed occasionally. We offer a bunch of free software there that contains Win32 executables, but none of them contain any malware.

What do I do about this?

Some Linux Nerd commented:

If you unpack it it looks like it's due to a handful of utilities: embedinc/com/flines.exe waitenter.exe get_pic_info.exe hex_dump.exe sum.exe test_embusb.exe test_env.exe Not really helpful. It's being misdetected as f-secure.com/v-descs/trojan_w32_ransom.shtml by a number of AVs.

Yup, that's exactly the problem. These are all programs derived from our own source code all the way down to OS calls. They are utilities that do various handy things for us. I can assure everyone that none of them contain any malware. I've rebuilt them from source code (which is available in the "everything" release from that same page) just to be sure, but get the same thing.

It's not just one program. There is something probably in a commonly used low level library routine that looks like malware to less sophisticated scanners.

The question here is how to get Google and various malware scanners to stop warning everyone about our programs since there is actually nothing to warn people against.

Olin Lathrop
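The question mentions two things a publisher in this position wants to be able to prove quickly: that the files on the server are exactly the ones that were rebuilt from source, and that nothing has been silently renamed or altered by the hosting provider. The following is an added example (not code from the question or from Embed Inc) of a small release-manifest check: it hashes every file under a download directory with SHA-256, and on a later run reports files that went missing, were modified, or were renamed (same content under a different name, which is what a quarantine-by-rename looks like). The directory layout, file names and file contents in `demo()` are constructed for the example and are not the real site's files.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (as a forward-slash relative path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_manifest(root, expected):
    """Compare the tree under root with an earlier manifest.

    Returns a dict with four keys:
      missing    - paths in the manifest that no longer exist and whose content is gone
      modified   - paths that exist but whose hash changed
      renamed    - {old_path: new_path} for manifest entries whose exact content now
                   sits under a different name (e.g. a host renaming a flagged file)
      unexpected - paths on disk that were never published
    """
    current = build_manifest(root)
    missing = [p for p in expected if p not in current]
    modified = [p for p in expected if p in current and current[p] != expected[p]]
    unexpected = [p for p in current if p not in expected]

    # Index current files by hash so a rename can be told apart from a deletion.
    by_hash = {h: p for p, h in current.items()}
    renamed = {p: by_hash[expected[p]] for p in missing if expected[p] in by_hash}
    missing = [p for p in missing if p not in renamed]
    unexpected = [p for p in unexpected if p not in renamed.values()]
    return {"missing": missing, "modified": modified,
            "renamed": renamed, "unexpected": unexpected}


def demo():
    """Build a constructed download tree, publish a manifest, then simulate the host
    renaming one executable and altering the download page, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files; names mirror the kind of layout the question describes.
        files = {
            "pic/flines.exe": b"MZ constructed sample executable 1",
            "pic/sum.exe": b"MZ constructed sample executable 2",
            "pic/dload.htm": b"<html>constructed download page</html>",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        published = build_manifest(root)  # this is what you would store with the release

        # Simulate what the question reports: one file renamed without notice ...
        os.rename(os.path.join(root, "pic/sum.exe"),
                  os.path.join(root, "pic/sum.exe.quarantined"))
        # ... and, for illustration, the page itself changed under us.
        with open(os.path.join(root, "pic/dload.htm"), "ab") as f:
            f.write(b"<!-- constructed change -->")

        return verify_manifest(root, published)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you would run `build_manifest` once on the freshly rebuilt release, keep the resulting dictionary with the source (or sign it), and run `verify_manifest` periodically against the live directory; a `renamed` or `modified` entry is the signal that something outside your build process touched the files, and the stored hashes are also what you hand to a scanner vendor or a site-review form so the discussion is about specific, verifiable bytes rather than a file name.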
  • False positives aside, why on earth is your ISP in the position to rename the files on **your** webserver? That is horrible. – EEAA Apr 27 '16 at 21:30
  • `Even worse, I just found that our ISP (InfoQuest) apparently just took Google's warning at face value and renamed one of our files without asking us or even notifying us.` First things first... get a new ISP. After that, well, getting an AV company to do something about false positives is not going to be an easy task. Once upon a time, I worked for such a company, and they lost a Fortune 10 company as an account over their engine's false positive rate... so... I don't like your odds, but wish you the best of luck. – HopelessN00b Apr 27 '16 at 21:32
  • If you unpack it it looks like it's due to a handful of utilities: embedinc/com/flines.exe waitenter.exe get_pic_info.exe hex_dump.exe sum.exe test_embusb.exe test_env.exe Not really helpful. It's being misdetected as https://www.f-secure.com/v-descs/trojan_w32_ransom.shtml by a number of AVs. – Some Linux Nerd Apr 27 '16 at 22:14
  • If you really really need to partially figure it out, some book on malware suggested doing a binary search by overwriting a section of an "infected" exe and seeing what section triggers AV. It could honestly just be that those utilities wound up in that fairly lame ransomware's installer. – Some Linux Nerd Apr 27 '16 at 22:15
  • @SomeLinuxNerd That strikes me as pretty helpful actually. That handful of utilities being flagged as ransomware tells us that the false positive won't be fixed, and which specific binaries need to be replaced to stop the AV from triggering. In fact, it's an answer and you should post it as such. – HopelessN00b Apr 28 '16 at 01:53
  • @EEAA: Yes, I'm seriously considering that. However, that's not going to change Google telling everyone to stay away from our site. – Olin Lathrop Apr 28 '16 at 11:29
  • @SomeLinuxNerd: Yes, that's the problem, and I've added your comment to the question. However, the overall question remains as to how to get Google to stop warning about our site. Trying to jiggle our code to not trigger a particular scanner on that day isn't really a solution. Somehow there must be a way to deal with false positives head on. Maybe someday Google will do this to a large company that has the resources to sue them for defamation or something. In the meantime I'm still stuck because people believe Google and can't imagine they ever get something like this wrong. – Olin Lathrop Apr 28 '16 at 11:43
  • I totally know what you mean, but I think it's being flagged by too many antiviruses to appeal to a single entity for delisting. Also I've never been able to contact a human at Google about problems like that :(. You should check Jotti's antivirus scan - https://virusscan.jotti.org/. I bet your toolkit accidentally got submitted to some sort of antivirus aggregator like VirusTotal or the like. It's a tricky problem! Maybe a different installer could hide it from Google? You could try a demo of a different installer and then submit it to Jotti's AV scan to see if it still gets flagged. – Some Linux Nerd Apr 28 '16 at 18:15
