Nmap Development mailing list archives
Re: False positives on antivirus
From: Fyodor <fyodor () insecure org>
Date: Fri, 29 Jan 2010 15:11:16 -0800
On Fri, Jan 29, 2010 at 06:23:17PM +0000, Brandon Enright wrote:
> It's nice to see that Panda fixed their signature but I think we're going to run into a time when detection is deliberate, not accidental.

If any AV company intentionally flags Nmap as a virus or adware or malicious software, then they are at war with the Nmap project and we should do everything we can to fight them. The Avira situation is different, as that was an accidental signature problem. And the Panda one was almost deserved, since we were intentionally obfuscating. Plus, Panda was very responsive. Props to them!

Nmap is more than 12 years old and has millions of users. So it's not like the companies don't know about it. Yet here are the results for nmap-5.00-setup.exe:

http://www.virustotal.com/analisis/f280a42f359e28f0698e7013c6cf7911d3972d884cfffae0ef6d0c9196070650-1264443940

Result: 41 out of 41 consider it clean.

McAfee's VirusScan flagged Nmap for a while. They would tell me that it's no big deal being listed as a "potentially unwanted program" and that any software could potentially be unwanted. But their own documentation said "Potentially Unwanted Program (PUP) protection quickly detects and removes spyware, adware, and other malware that gathers and transmits your private data without your permission". Obviously Nmap does nothing of the sort! McAfee doesn't flag Nmap any more.

> We may win this battle at first but eventually we're likely to lose it.

We have succeeded for 12 years and I think we can continue to succeed as long as we're vigilant. If one of the 41 products on VirusTotal starts flagging us, we should address it immediately. If one company succeeds at slandering Nmap, it gives the green light to others that they can get away with it.

Note that there is a big difference between flagging Nmap as malicious/adware/virus and just noting that it is a security tool. If an AV has an optional feature to detect security/networking tools, and they detect Nmap as well as all the other popular open source and commercial security tools, and the message makes it clear that the tools themselves have legitimate and useful functions, that's not such a big deal.

> I think we should be prepared for AV products to legitimately flag Nmap as potentially unwanted.

Any software could be "potentially unwanted", but the reality I've seen is that AV companies label malware and spyware as PUPs because they're afraid of lawsuits from the malware vendors if they actually label the malware/spyware for what it is. I won't accept Nmap being in any category with software which intentionally harms its own users, or flagged in a way that confuses users into thinking it might. Fortunately, we haven't had that problem in years (other than accidental false positives like the recent ones).

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/