
I develop software for high-speed and automated trading in securities and derivatives on the Russian stock market, mainly for individual traders. The project is a little over six months old and the product is distributed free of charge. Until recently everything went as usual: expanding functionality, catching bugs, adding new ones, catching them, expanding, adding, in short, the normal life cycle of a project, until I ran into an unexpected problem whose resolution struck me as remarkable enough to deserve this write-up.
It all started when, after the next program update, I received complaints from users: it turned out that the new version of the program was being flagged by the NOD32 antivirus as a "probably unknown NewHeur_PE virus". The antivirus behaves very aggressively toward the program: it blocks the download of the archive and deletes the exe file from the user's hard disk, straight out of the archive. The other antiviruses respond to the program adequately. Fine. I swear to users that the program contains no virus, recommend checking it with other antiviruses or adding it to NOD32's exclusions, and in the meantime try to resolve the situation with ESET. After about a month of phone support and e-mail correspondence, I get the long-awaited reply from ESET:
Hello.
The problem is solved in virus signature database version 4613. If
there are any further problems, please let us know.
But my joy was short-lived. After the release of the next version (about a month had passed since negotiations with ESET began, and I had substantially expanded the functionality and fixed another batch of bugs), new complaints poured in from users: the problem had started to manifest itself again. Once more I swear to users that the program contains no virus, recommend checking it with other antiviruses or adding it to NOD32's exclusions, and in the meantime try to resolve the situation, which leads to the following interesting correspondence with ESET staff:
>>>
Response to appeal number 159 914
Hello.
Add this application to the antivirus exclusions.
<<<
>>>
Your appeal is registered under number 160 768
Hello.
You misunderstand me. I am the developer of the application, and I want your antivirus's users not to have the application blocked, not to be prevented from downloading it from the site, not to have it deleted from the archive, and not to suffer any other inconvenience because of it.
I also notify you that, in the interests of quality, your answers to my letters will be made available to the program's users and published on the program's website.
Respectfully,
<<<
>>>
ESET. Response to appeal number 160 768
Hello.
Advise users to add this file to the antivirus exclusions.
Since you create new versions every 10 days, adding their "white" signatures to the virus database is not a solution.
<<<
>>>
Your appeal is registered under number 160 792
Hello.
Are you sure that, when the antivirus prevents users from working with another, non-infected application, it is a good solution for antivirus technical support to recommend that users add this application to the exclusions?
Do you not think that the function of an antivirus is to interfere with the malicious activity of programs, and not to interfere with work with other programs?
The other antiviruses can distinguish infected programs from non-infected ones, including every version of this program, which means there is a way; it is a question of competence.
Respectfully,
<<<
>>>
ESET. Response to appeal number 160 792
Hello.
Your file is detected by heuristics, which automatically detect malicious functions in files.
If the file is detected by the antivirus, it means it carries malicious functions. Whether these functions are necessary for the program to work is another question.
In this case the user himself must decide whether he trusts this program or not.
<<<
>>>
Your appeal is registered under number 160 822
Hello.
Your antivirus does not allow the user to make a choice and does not inform him that he must make one. It blocks the download, deletes the exe file from the archive and tells the user "Virus: Unknown Virus". And how will my explanations to users look after that: that a tech-support specialist said this message does not mean the program is a virus? That it is not the antivirus proper that objects, but only an automatic heuristic analyzer?
Once again I remind you that other antiviruses do not have this problem, which means the problem is in NOD.
If you refuse to look for a further solution, then I will give out the appeal number and recommend that NOD users and users of my program who doubt the program's "cleanliness" call and write to you personally and ask for confirmation of whether the program really contains no virus.
In that case please introduce yourself, so that users ask you personally and do not disturb other employees.
Respectfully,
<<<
>>>
ESET. Response to appeal number 160 822
Hello.
You were not told that your program does not contain a virus.
Read the previous letter.
Regarding the possibility of choice: when the antivirus finds a malicious program, the user receives a notification with a choice of actions, among which there is a "do nothing" option, after which he can add the file to the exclusions.
"Once again I remind you that other antiviruses do not have this problem, which means that the problem is in NOD." This phrase carries no meaning.
My name is @@@ @@@@@@. I would like to warn you that disseminating a person's personal data without his consent is a criminal offence. Accordingly, I do not permit you to use my name on your site or on any other resource.
If your user calls about this problem, he will receive exactly the same answer as in the previous letter: that this program is malicious and he can install it by adding it to the exclusions at his own risk.
<<<
>>>
Your appeal is registered under number 161 013
ESR> Hello.
ESR> You were not told that your program does not contain a virus.
Is that so? Your statement is, to put it mildly, surprising.
The previous version of the program was even included in the antivirus database updates, and the antivirus found nothing malicious in the program; in the previous letter you commented on the problem as follows:
"Since you create new versions every 10 days, adding their "white" signatures to the virus database is not a solution."
And now suddenly there is a reason for the program to be harmful? Why such an unexpected turn?
ESR> Read the previous letter.
ESR> Regarding the possibility of choice: when the antivirus finds
ESR> a malicious program, the user receives a notification with
ESR> a choice of actions, among which there is a "do nothing" option,
ESR> after which he can add the file to the exclusions.
You know, I am not a NOD user, but judging by user feedback, they watch with surprise as the antivirus deletes the exe file from an archive they have just downloaded.
ESR> "Once again I remind you that other antiviruses do not have
ESR> this problem, which means the problem is in NOD." This phrase
ESR> carries no meaning.
How can it not? We check the program with other antiviruses: nothing suspicious, as it should be.
ESR> My name is @@@ @@@@. I would like to warn you that
ESR> disseminating a person's personal data without his consent
ESR> is a criminal offence. Accordingly, I do not permit you
ESR> to use my name on your site or on any other resource.
Do not worry, I am not going to publish your name without your permission. All of the correspondence will be published, except for your name.
I think a public discussion is a chance for you to publicly demonstrate your competence and solve the problem promptly. Both you and I have an interest in that.
ESR> If your user calls about this problem, he
ESR> will receive exactly the same answer as in the previous letter:
ESR> that this program is malicious and he can install it
ESR> by adding it to the exclusions at his own risk.
Since you know criminal law so well, you probably also know that slander is a criminal offence too, and I want to warn you against such actions. This information would be knowingly false, and the proof of that is your previous letters, the company's own action of adding the program to the signature database, and the results of checks by other antivirus programs. Besides, you would have to specify exactly what malicious actions the program performs, and since there are none, you cannot do that.
Although you do not want your name in a public discussion, when responding to a client by phone or in correspondence, you (or another employee) will have to introduce yourself at the client's request and bear responsibility for your words.
<<<
No answer.
I swear to users that the program contains no virus, recommend checking it with other antiviruses or adding it to NOD32's exclusions, and using the program at their own risk.
What surprises me most in this story are two things:
First, until I ran into this I had not realized that an antivirus company is a special kind of power that has come from nowhere, through which interested parties can damage the reputation of any software product, and the more popular the company, the more power it has.
Second, it is surprising how this power can be wielded by an ordinary technical-support employee of the company, at whose change of mood a program for which the issue was previously resolved positively becomes unequivocally malicious.
PS While I was writing this article, I had the following dialogue with a [presumed] ESET employee on the program's website:
abibos
Well, really. Throughout the whole opus one can see an unwillingness to understand the other side, or a lack of knowledge.
Let's try to figure it out:
Heuristics: a set of methods for finding a solution to a problem that reduce the amount of searching.
You can read more here - ru.wikipedia.org/wiki/%D0%AD%D0%B2%D1%80%D0%B8%D1%81%D1%82 %D0BB% D1%87%D0%B5% D1% 81% D0% BA% D0% B8% D0% B9_% D0% B0% D0% BD% D0% B0% D0% BB% D0% B8% D0% B7
Simply put, heuristics are a search engine for suspicious actions and conditions that the antivirus considers malicious. That is why false positives, or more precisely detections of malicious actions in "useful" programs, are very frequent.
That is, to solve the problem of your program being detected, you need either to rework the heuristic mechanism in the antivirus (which, you will agree, few people want to do) or to add a special signature to the virus database, an "internal" exclusion, which is what was done at the beginning.
Then you released a new version and the problem recurred, because the signature that had been added no longer matched your program.
Adding signatures every time a new version of your program is released increases the size of the virus databases (which is critical for antivirus programs) and is unnecessary work both for you and for the antivirus developers. That is why you were told that the file needs to be added to the antivirus exclusions.
If I were you, I would start digging into the code of my program: find what triggers the antivirus detection and fix it. It could be any antivirus-related functions, or even the use of certain packers.
I ran into this myself once, so I know what I'm talking about :)
abibos
I tried to interact with ESET on this issue constructively, and would have calmly gone on to edit the code if I had received any recommendation of that kind from the technical support staff. But nobody at ESET suggested anything of the sort to me. Instead I got a one-time addition of one version of the program to the database, then a refusal to continue that practice and a refusal to look for other solutions, and then, after my objections that recommending users add the program to the exclusions is not a solution either, offended kings proclaiming the program malicious.
I.e. in this situation, without any support from the antivirus vendor, what do I have to do in order to "dig into my code"? Buy and install NOD, remove my own antivirus and conduct a series of experiments disabling features one by one to find which of them triggers the NOD heuristic analyzer? Never mind that this situation greatly upsets me. Maybe someday I'll do it. But at this stage I have many plans that I intend to devote priority to, on the functionality of my product, and this tilting at windmills is at the very tail of them and a big question mark. I think that at this stage I can live without NOD32.
I understand perfectly what the essence and cause of the heuristic analyzer's false positives are. The point is that the antivirus reacts to a heuristic verdict as aggressively as to a real virus. And I understand why: it is trying to protect the user from a possible virus that the antivirus does not yet know. But it does so at the expense of the user's experience with non-malicious programs that the antivirus suspects. It is a fine line, but in my opinion it is the developers of the antiviruses, not of the software, who should walk that fine line in the first place. With the approach "few people want to rework the heuristic mechanism in an antivirus" I radically disagree. There are many antiviruses, and each of them has a heuristic analyzer. The quality criterion of heuristic analysis is the maximum correct detection of malicious objects with the minimum number of false positives (otherwise, why have heuristics at all; let's just suspect every object and completely block the user's work). And if the heuristics of every antivirus except NOD32 react to the object adequately (and QuikOrdersDOM is not an isolated case in this respect; NOD has a long history of this), then the approach "few people want to rework the heuristic mechanism in an antivirus" leads to NOD's defeat in any competitive comparison with other antivirus software.
abibos
Maybe you are right, but on the other hand it is you who need all this, not technical support; solving such problems is not their job.
Those are tasks for the antivirus developers; look for ways to interact with them (for example, the official forum).
Regarding "And if the heuristics of every antivirus except NOD32 react to the object adequately (and QuikOrdersDOM is not an isolated case in this respect; this is a frequent story for NOD)": I do not agree with you. I "move" a little in this field and I know that official tests by independent laboratories recognize this antivirus as having the minimum number of heuristic false positives.
It is just that you and your program were "unlucky" :)
abibos
> Maybe you are right, but on the other hand it is you who need all this, not technical support; solving such problems is not their job.
> Those are tasks for the antivirus developers; look for ways to interact with them (for example, the official forum).
How much I need it, I have determined in my priorities. I have already interacted with the staff and understood the official position.
> Regarding "And if the heuristics of every antivirus except NOD32 react to the object adequately (and QuikOrdersDOM is not an isolated case in this respect; NOD has a long history of this)": I do not agree with you. I "move" a little in this field and I know that official tests by independent laboratories recognize this antivirus as having the minimum number of heuristic false positives.
> It is just that you and your program were "unlucky" :)
Are you an ESET NOD employee? Then nobody will hear anything else from you, nor expect to.
On the Internet you can find many stories about ESET false positives.
And then it sounds just as ridiculous as advertising, next to a car wrecked in a crash caused by its designers' mistakes, that the car has excellent safety characteristics and it was just this particular car that was unlucky.
abibos
No, I am not an employee of this company.
As I said above, I ran into this problem myself and figured out the position of technical support; it was about the same, I just understood everything faster :)
Then I turned to the official forum where the antivirus developers answer, www.wilderssecurity.com, where they helped me fix the "flaws" in my program.
I sometimes use your software, and I use this antivirus; when problems arose I just added the file to the exclusions and that was it.
I wrote all this here only because I do not like it when people are accused out of a failure to understand their position or out of an unwillingness to do something oneself.
With that, I take my leave.
abibos
> No, I am not an employee of this company.
Then perhaps it is a coincidence that the external IP address you are writing from has the domain name eset-mail.esetnod32.ru.
I do not understand why put on a show in a blog now and give recommendations about workarounds, when the issue could have been resolved in direct correspondence. I have not received a reply to my last letter.
======
Well, isn't it a circus? What on earth is going on at ESET? I would like to think that a solid company's employees ought to be adequate, but life shows that, unfortunately, this is not always the case :(