Antivirus Vendors Headed for Court

SkiifGeek writes "A showdown between Rising Tech, a Chinese Antivirus vendor, and Kaspersky Lab in a Chinese court could have implications for software vendors that misidentify system files and files from their competitors as being malicious."

It Could Be Rising Tech Really Is Malicious

[NeverVotedBush]

China and Russia both are big time into state-sponsored computer/network infiltration. In a country like China, it wouldn't be surprising at all that the government would co-opt companies - especially anti-virus companies - to make them help the Chinese government open back doors, exfiltrate data, etc.

The very last piece of software I would ever install on my own computers would be a Chinese or Russian anti-virus package. Sure, it may finger other viruses, but it might also allow free access to the "right" people.

I know this sounds somewhat like tinfoil hat territory, but the SANS organization is frequently publishing articles about state-sponsored hacking/attacks. Why give them an easy pass? A perfect easy pass to use your system in electronic warfare against any country - especially the USA? It is at least something to be aware of and to consider.

Rising Star antivirus? Who's star is rising? China's? And by what means?

Re:It Could Be Rising Tech Really Is Malicious

[El_Muerte_TDS]

And on the other side of the pond you've got companies that are for sale. For all you know Symantec allows certain backdoor software distributed by the MPAA/RIAA.

How much can you trust companies like that?

might as well be selling rocks ..

[rs232]

For all the good the AV industry does, they might as well be selling rocks.

Kaspersky aren't the only ones

I work as a virus analyst for one of the major antivirus vendors. False positives, which we simply refer to as FP's, are a nasty fact of life, especially as detection becomes more based upon bahavioural analysis; and when software developers name their new application explorer.exe with a default Windows icon....

We had a customer send in a Window Portable Executable file which was flagged as containing a virus released in the early 90's (though the exact name escapes me). Very strange. What was stranger was that when analysed, it contained a plethora of code sequences of worms, trojans and viruses, completely ad verbatim. We then realised we were in fact looking at one of the main dll's of the Rising Sun engine! A false positive fix was not issued, as we reasoned that if a buffer overflow/wrongful jump occured, this malicious code could actually execute. Ie, a user could actually be infected by the cowboy AV scanning method.

Anyway, to this story I laugh and simple say to Rising Sun: learn to code an engine before bringing in lawyers. Oh, and flat file unoptimised code matching is hilariously primitive.

PS, unfortunately, there is no conspiracy this time: just badly thought out design and implementation.

Happened to me too

[Spacejock]

I have a website with a bunch of my own freeware apps available. On two separate occasions I've had a number of emails from users of major AV software asking me what the hell I was playing at trying to install trojans on their PCs. In both cases it was false positives, one from NAV and the other from the company mentioned in this article (which is what prompted me to post). Each time they eventually got around to correcting their definitions, but sure as anything it'll happen again. And in the meantime, how many dozens or hundreds of people assumed I was one of them there nasty spammer trojan virus people trying to infect their PC?

Why should the onus be on ME to check THEY haven't stuffed up? You can't install and run all the different brands of AV software on one PC, unless you install a bunch of virtual machines with one AV prog on each, and then you'd have to update the definitions daily.

False positives trick users. MS is adversarial.

[Futurepower(R)]

Apparently ALL anti-virus software gives false positives. Most of the users have little technical knowledge, and the software makers want to give the impression their software is more useful than it really is. I've seen numerous false positives on systems I use. One "virus" was a text file, with a .TXT extension, and nothing in it but documentation!

But why is anti-virus software so important? Apparently only because Microsoft profits more when its software is full of bugs and malware, and Microsoft is very adversarial toward its customers.

The true cost of a Microsoft operating system is perhaps 10 times its retail cost, because of the heavy maintenance expenses.

Microsoft's anti-customer behavior: Here are some paragraphs I wrote to someone having problems with temp files taking gigabytes of drive space.

On one computer I checked, temp files were stored in 49 different places, and that includes only temp file folders made by the Windows operating system and not temp file folders made by application software.

Why doesn't Microsoft provide a utility to find all the temporary file folders and delete the files when starting or shutting down the computer? Apparently because the company is heavily engaged in adversarial behavior. Most people don't know that temporary files are a problem, and they certainly don't know where to find them; that was a challenge even for me. The temp files sometimes take so much space that there is not enough free space, and the file system begins running much slower.

The file defragmentation program won't run when there is limited free space. A fragmented file system is much slower. And most people don't even know that the defragmentation program exists, or why they should run it. So, their computers become imperceptibly slower and slower until they buy a new computer.

That's apparently why Microsoft software has so much malware, also. At present, there are 30 known vulnerabilities in Windows XP alone that haven't been fixed. There are 7 known vulnerabilities in the latest version of Microsoft Internet Explorer browser the the company has not fixed.

Some people say Microsoft software is targeted more often because there are so many copies in use. However, it is well known how to write secure software. Apparently Microsoft managers don't let their programmers finish their work.

Many people who don't know how to keep Microsoft products running buy new computers. Every time someone buys a new PC, they buy a new copy of the Microsoft operating system, even if they already owned a copy. So Microsoft makes more money if the company has defective products.

Microsoft gives each new version of Windows a new name, and many people think the new version is a new product. Somehow it has been arranged that people pay the full amount for new versions, instead of an upgrade price.

The New York Times article Corrupted PC's Find New Home also makes that point.

Note that the Apple operating system, OS X, and the Open BSD operating system have very few vulnerabilities. (The Open BSD web site says 2 in 10 years.) So it is possible to make a secure operating system. The volunteers that make the Open BSD system do security reviews of software to make sure vulnerabilities are not released to customers.

We use Microsoft operating systems because of historical reasons, and because it is expensive to change. In actuality, the business very seldom uses software that runs only under Microsoft Windows, and that is only in specific departments, where it would be easy to provide a second computer.

Re:Why only Kaspersky?

[harlows_monkeys]

What are the other antivirus vendors doing (or not doing) that is avoiding this problem?

At the AV vendor I've worked for, when they get a report from another AV vendor of a false positive on that other vendor's product, they would investigate and get an update out within 24 hours to fix it.

Unfortunately, some vendors are not this fast. I've seen Spybot take years to fix false positives that have been brought to their attention.

Most are somewhere between these two. Generally, it goes like this. Company A notices that company B's product has a false positive on A's files. A contacts B about this, using B's public contact information, which generally is meant for the general public. So, A's complaint might end up in the support system, and might get kicked around there for a while as the support people try to figure out what to do with it. Eventually, it reaches some manager who has got a bunch of stuff on his plate, directly from his superiors, so he doesn't give this high priority.

A notices it is taking a long time, so looks for a better way to contact B. If A and B are reasonably big and in the same country or region, it will probably turn out someone high in A's management knows someone high in B's management, or knows someone who knows someone high in B's management who can introduce them, and then there is a high level request from A to B. That has a decent chance of getting results.

If no such contact can be found, or it fails to get action, then A calls the lawyers, and they write a letter to B's lawyers. That should get some attention at B, and whatever manager the first request got stuck at gets prompted to do something.

If nothing happens then, it is lawsuit time. When a lawsuit is actually filed, THAT gets the attention of B, all the way up to the top, and then things happen. (And the people who failed to act earlier get in a lot of trouble...companies do not like it when they get sued, even if the actual purpose of the suit is just to get someone's attention to fix a problem).

I suspect that a good percentage of lawsuits filed in the software industry (in general, not just AV) are to get the attention of upper management in the defendant to get some simple problem resolved that has fallen through the cracks.

A lesson here for anyone starting a company is to hire some top management people who are well-connected. If your Director of Engineering or CTO or Chief Scientist or whatever, in a situation like this, can say, "Hey...B's CTO went to my school and we were in the same fraternity...I can get his number, call, give the secret Alpha Delta Smegma pass phrase, and I'm sure he'll get the problem taken care of", that's great. The tech industry, just like the other industry groups, has its old boy's network, and you want to have someone who is connected to that.

Re:Why only Kaspersky?

[thegnu]

I've seen Spybot take years to fix false positives that have been brought to their attention.
By "Spybot," do you mean "Patrick Kolla?" I know now he's got help, but how many years ago did these "years" occur?

Plus, it's still part of THE best passive/manual protection you can get:

1. Spybot w. Hosts list & immunize
2. Spywareblaster
3. IESPYADS
4. Firefox
5. WRT54G
6. Merijn's BugOff

I know a router probably isn't really passive, but to the PC it is. Oh, and besides the router, this is all free. My 2 cents.