Nmap Development mailing list archives

Re: False positives on antivirus


From: Fyodor <fyodor () insecure org>
Date: Fri, 29 Jan 2010 15:11:16 -0800

On Fri, Jan 29, 2010 at 06:23:17PM +0000, Brandon Enright wrote:

> It's nice to see that Panda fixed their signature but I think we're
> going to run into a time when detection is deliberate, not accidental.

If any AV company intentionally flags Nmap as a virus or adware or
malicious software, then they are at war with the Nmap project and we
should do everything we can to fight them.

The Avira situation is different, as that was an accidental signature
problem.  And the Panda one was almost deserved, since we were
intentionally obfuscating.  Plus, Panda was very responsive.  Props to
them!

Nmap is more than 12 years old and has millions of users.  So it's not
like the companies don't know about it.  Yet here are the results for
nmap-5.00-setup.exe:

http://www.virustotal.com/analisis/f280a42f359e28f0698e7013c6cf7911d3972d884cfffae0ef6d0c9196070650-1264443940

Result: 41 out of 41 consider it clean.

McAfee's VirusScan flagged Nmap for a while.  They would tell me that
it's no big deal being listed as a "potentially unwanted program" and
that any software could potentially be unwanted.  But their own
documentation said "Potentially Unwanted Program (PUP) protection
quickly detects and removes spyware, adware, and other malware that
gathers and transmits your private data without your permission".
Obviously Nmap does nothing of the sort!

McAfee doesn't flag Nmap any more.

> We may win this battle at first but eventually we're likely to lose
> it.

We have succeeded for 12 years and I think we can continue to succeed
as long as we're vigilant.  If one of the 41 products on VirusTotal
starts flagging us, we should address it immediately.  If one company
succeeds at slandering Nmap, it gives the green light to others that
they can get away with it.

Note that there is a big difference between flagging Nmap as
malicious/adware/virus and just noting that it is a security tool.  If
an AV has an optional feature to detect security/networking tools, and
they detect Nmap as well as all the other popular open source and
commercial security tools, and the message makes it clear that the
tools themselves have legitimate and useful functions, that's not such
a big deal.

> I think we should be prepared for AV products to legitimately flag
> Nmap as potentially unwanted.

Any software could be "potentially unwanted", but the reality I've
seen is that AV companies label malware and spyware as PUPs because
they're afraid of lawsuits from the malware vendors if they actually
label the malware/spyware for what it is.  I won't accept Nmap being
in any category with software which intentionally harms its own users,
or flagged in a way that confuses users into thinking it might.

Fortunately, we haven't had that problem in years (other than
accidental false positives like the recent ones).

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/