Perhaps someone will be interested to know how my story with NOD32 ended.
Let me remind you that after the discussion of the technical and other aspects of dealing with NOD32, a comment appeared, [allegedly] from Pavel Potasuev, IT Director at the Russian representative office of ESET:
Good afternoon, Habr people. I am the very representative of the management to whom you appeal in the comments. I already studied this post yesterday, when it was published in the sandbox. :)
First: Essentially, I can say that the technical support service did everything they could. If your application performs any suspicious actions at startup, then NOD32 honestly informs the user about this. I think that this is one of those functions because of which people buy antiviruses (to be notified about what shady activities occur on the computer). Whether to remove such alerts from our product or not is not for us to decide. If NOD32 were developed "like everyone else" and followed advice "from the side", then we would never see a breakthrough in heuristic analysis technologies.
Second: You, as a developer, must understand the priorities perfectly well (nothing personal). It's one thing to make changes to heuristics for MS or Adobe products, and another thing for your (no less respected) product (honestly!). It would be unpleasant if 60,000,000 users worldwide got a decrease in the security level on their computers because of heuristic fixes for your product.
Compote: In fact, this problem could have been fixed at the very beginning (and tech support did just that). When the false positive happened the second time, you should have been given special technical recommendations for your program so that this would not happen the next time. But there are no specialists of that level on the technical support staff. The service itself deals with the entire list of issues described on our company's website in the "technical support" section. Up to 36,000 requests are honestly served per month. These are mainly questions from home users and the SMB sector. We made a mistake somewhere in escalating your question. We will conduct an investigation and take corrective action.
Dessert: in the spring we plan to launch a new division in the company, which will also be responsible for false positives.
PS: no one from ESET participates in anonymous debates on obscure websites.
All will be! Amen.
Pavel Potasuev, IT Director, ESET Russian Representative Office.
However, my question was:
I am interested in the "special technical recommendations for your program so that this does not happen again the next time." Will they follow?
There was no answer, but thanks to the virustotal.com service (many thanks to AndrewTishkin for the hint) it became possible to experiment with disabling various functions of the program and studying NOD's reaction without installing it. As for what exactly triggers the NOD reaction, there were many disputes and assumptions in the comments to the previous article: the packer, EurekaLog, direct reading of other processes' memory and other things were suspected... After a few short experiments, the answer was found. What do you think turned out to be the thing because of which "60,000,000 users worldwide, due to the correction of heuristics for your product, would get a decrease in the level of security on their computers"?
It is the registry entry written by the "Add to autorun" button in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
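As an added illustration (not from the original post and not ESET's code), here is a defender-side check that does at the telemetry level what the heuristic does on the host: flag registry writes to the Run/RunOnce autorun keys, rank the machine-wide HKLM key above per-user keys, and note whether the writing executable is registering itself, which is exactly what the "Add to autorun" button did. The event format is a simplified, constructed Sysmon Event ID 13 (registry value set) shape and the sample lines are made up.

```python
import re

# Autorun (persistence) keys whose modification an AV heuristic or an EDR
# rule typically treats as suspicious. The HKLM Run key is the one the
# post identifies as the trigger of the NOD32 alert.
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry) in a simplified Sysmon
# Event ID 13 shape: "Image|TargetObject|Details".
SAMPLE_EVENTS = [
    r"C:\Program Files\MyApp\myapp.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp|C:\Program Files\MyApp\myapp.exe",
    r"C:\Windows\System32\svchost.exe|HKLM\SYSTEM\CurrentControlSet\Services\Foo\Start|DWORD (0x00000002)",
    r"C:\Users\bob\AppData\Local\Temp\setup.exe|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater|C:\Users\bob\AppData\Local\Temp\setup.exe",
]


def parse_event(line):
    """Split one 'Image|TargetObject|Details' line into a dict."""
    image, target, details = line.split("|", 2)
    return {"image": image, "target": target, "details": details}


def classify_autorun_write(event):
    """Return a finding for a write to a Run/RunOnce key, else None.

    HKLM writes affect every user on the machine (and need admin rights),
    so they are labelled 'machine'; HKCU/HKU writes are labelled 'user'.
    """
    m = AUTORUN_KEY_RE.search(event["target"])
    if not m:
        return None
    hive = event["target"].split("\\", 1)[0].upper()
    scope = "machine" if hive == "HKLM" else "user"
    # The executable registering *itself* for autorun: the behaviour the
    # post's "Add to autorun" button produced.
    self_registration = event["image"].lower() in event["details"].lower()
    return {
        "key": m.group(1),
        "scope": scope,
        "self_registration": self_registration,
        "image": event["image"],
        "value_name": event["target"].rsplit("\\", 1)[-1],
    }


def scan(lines):
    """Run the classifier over event lines and collect the findings."""
    return [f for f in (classify_autorun_write(parse_event(l)) for l in lines) if f]
```

A real deployment would add an allow-list of known installers so that legitimate self-registration (like the program in the post) is ranked low rather than alerted on.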