Перейти к содержимому


Фото
- - - - -

Reporting a false positive and getting a real, detailed reply from Dr Web

false positives

  • Please log in to reply
7 ответов в этой теме

#1 danarm

danarm

    Newbie

  • Posters
  • 5 Сообщений:

Отправлено 02 Апрель 2019 - 13:49

Hello.

 

During the past year Dr Web has been detecting all our software as malware. These are, in my opinion as a software engineer, false positives. I have worked on these software programs and I can confidently and sincerely vouch that they don't contain any malware functions.

 

We have reported the false positives to Dr Web many times, and asked for an explanation on why our software is considered malware. Dr Web has always responded with the canned phrase: "Your request has been analyzed. This is not a false positive"

 

Files detected as false positive:

 

Advanced Uninstaller PRO installation kit: http://download.advanceduninstaller.com/soft/uninstaller/Advanced_Uninstaller12.exe

DriverMax installation kit: https://www.drivermax.com/soft/dmx/drivermax.exe

Orange Defender installation kit: http://www.orange-defender.com/soft/orange-defender/orangedefender_setup.exe

 

The oldest program above (Advanced Uninstaller PRO) has been first released in 2002. It has been available for 17 years, spanning 10 major versions and countless updates, and has managed the transition from Windows 95, Windows 98, XP, Vista, Windows 7, Windows 8 and now Windows 10, and works on 32-bit and 64-bit editions of Windows. Does anybody think that any company would make such an effort to develop and update programs only to later add malware to them?

 

DriverMax has also been available for a very long time. We have been the first to offer peer to peer driver updates, and massive development time and effort has went into it.

 

All the programs above are detected by Dr Web under the FALSE label "Program.Unwanted.2892"

 

I wonder what is the exact (technical) reason why our programs, which have been appreciated and purchased by tens of thousands of users, have been published by magazines such as PC World, CHIP, PC Welt and others, is considered "unwanted"? Perhaps Dr Web doesn't want competition in the form of high quality PC utilities?

 

Below is a partial list of EXE files from our company which trigger FALSE POSITIVES by Dr Web antivirus - and for which Dr Web refuses to explain WHY they are considered malware.

 
 Directory of C:\Program Files (x86)\Innovative Solutions\Advanced Uninstaller PRO
 
29-Mar-19  02:06 PM            13,912 adv_lib.exe
29-Mar-19  02:06 PM         1,637,464 checker.exe
29-Mar-19  02:06 PM         1,020,504 explorer.exe
29-Mar-19  02:06 PM         6,885,464 healthcheck.exe
29-Mar-19  02:06 PM         1,665,624 innoupd.exe
29-Mar-19  02:06 PM         1,017,432 LoaderRunOnce.exe
29-Mar-19  02:06 PM           427,096 mon_run.exe
29-Mar-19  02:06 PM         3,884,120 Monitor.exe
29-Mar-19  02:06 PM           478,296 stop_aup.exe
 
 Directory of C:\Program Files (x86)\Innovative Solutions\DriverMax
 
01-Apr-19  08:29 AM         7,735,896 drivermax.exe
01-Apr-19  08:30 AM         1,078,360 innostp.exe
01-Apr-19  08:29 AM         1,665,624 innoupd.exe
01-Apr-19  08:30 AM            14,424 rbk32.exe
01-Apr-19  08:30 AM            14,424 rbk64.exe
01-Apr-19  08:29 AM           415,832 stop_dmx.exe
 
 Directory of C:\Program Files (x86)\Innovative Solutions\Orange Defender Antivirus
 
20-Mar-19  09:57 AM         1,665,624 innoupd.exe
20-Mar-19  09:57 AM         7,831,128 orangedefender.exe
20-Mar-19  09:57 AM         1,174,104 servpc.exe
20-Mar-19  09:57 AM           917,592 stop_all.exe
20-Mar-19  09:57 AM         1,539,672 updAvTask.exe

 

 



#2 RomaNNN

RomaNNN

    Ковальски

  • Posters
  • 6 001 Сообщений:

Отправлено 02 Апрель 2019 - 14:39

"Program.Unwanted.2892" is not malware detect, but soft which Dr.Web not recommends to install and protects clients. Usually it is the case when the soft is installed silently with another soft or does nothing useful (bloatware). It is conscious detect.


Если есть два способа, простой и сложный, то выбирай сложный, так как он проще простого способа, который тоже сложный, но ещё и кривой.

#3 danarm

danarm

    Newbie

  • Posters
  • 5 Сообщений:

Отправлено 02 Апрель 2019 - 16:21

Hello. You say that "Program.Unwanted.2892" means that a program:
 
- "is installed silently with another soft"
     AND
- "does nothing useful"
 
Some of our .EXE files that Dr Web detects as "Program.Unwanted.2892" are described bellow. It means that each one of the EXE files bellow must meet the criteria you mentioned.
 
Can somebody from Dr Web explain to me, in detail, exactly HOW each of the EXE files bellow satisfy the 2 (rather vague) criteria you mentioned above?
 
I would like to mention that all the files I'm mentioning here are digitally signed by our company, and have done this since well before the release of Windows Vista release in 2007. We are NOT hiding because we have nothing to hide. We are a honest, legit company and stand beside our products.
 
- the Advanced Uninstaller PRO installation kit, which you can download from the link in the first post of this topic
- the DriverMax installation kit, which you can download from the link in the first post of this topic
- drivermax.exe (the main executable of DriverMax)
- uninstaller.exe (the main executable of Advanced Uninstaller PRO)
- stop_dmx.exe (a program which we call from the DriverMax installation kit, to make sure that DriverMax is stopped before installing)
- innoupd.exe (the DriverMax updater)
- stop_aup.exe (a program which we call from the Advanced Uninstaller PRO installation kit, to make sure that Advanced Uninstaller PRO is stopped before installing)
- monitor.exe (the installation monitor of Advanced Uninstaller PRO, which can monitor the installation of other programs in order to fully remove them)
- mon_run.exe (a program which is an integral part of Advanced Uninstaller PRO, which is needed to run the Installation Monitor part of Advanced Uninstaller PRO, a perfectly legit program)
- healthcheck.exe (the Daily Health Check part of Advanced Uninstaller PRO, which detects browser malware and announces the user whenever a new browser plugin or toolbar appeared)
 
The files above are NOT useless or "bloated". I have just described what they are used for, and therefore, are not useless.
 
Also, I have personally worked on this software and I can tell you that they don't "install silently with another soft".
 
Of course there is the issue of the autoupdater. But if an autoupdater is considered malware, then the Dr Web antivirus (which I'm sure contains an autoupdater) should detect itself as malware. Why doesn't the Dr Web antivirus detect its own autoupdater as "Program.Unwanted.2892", since it fulfills your own criteria for malware?


#4 danarm

danarm

    Newbie

  • Posters
  • 5 Сообщений:

Отправлено 02 Апрель 2019 - 16:26

I think it is an interesting question, but I will stop here for now, so I will end with a request:
 
Please re-examine and whitelist our software!
 
These are blatant, obvious false positives by Dr Web, and this has gone on for far too long!


#5 danarm

danarm

    Newbie

  • Posters
  • 5 Сообщений:

Отправлено 02 Апрель 2019 - 17:50

Full list of files belonging to our programs - perfectly legit software - which Dr Web falsely detects as Program.Unwanted.2892.
 
The interesting thing is that sqlite3.dll and memmgrset.dll, which our programs install, are third-party tools. Perfectly harmless third party tools - not malware!
 
The first is a well-known database engine and the second is a memory manager (all programs written in high level programming languages such as C, C++, C#, Java, Go, Delphi, Kotlin, Scala, etc contain a memory manager - for some programs it is compiled in the .EXE, for some it is a part of the virtual machine (such as the JVM), and for some it can be an external DLL).
 
adv_lib.exe
checker.exe
drivermax.exe
explorer.exe
exporter10.exe
healthcheck.exe
innostp.exe
innoupd.exe
innoupd.exe
LoaderRunOnce.exe
memmgrset.dll
mon_run.exe
Monitor.exe
rbk32.exe
rbk64.exe
servpc.exe
sqlite3.dll
stop_all.exe
stop_aup.exe
stop_dmx.exe
sync.dll
uninstaller.exe
updAvTask.exe
 
The functions of most of these files are explained above. They are NOT malware.
 
Dr Web, please reexamine and whitelist our programs. There is no malware in them.
 
I have submitted some of the files to https://products.drweb.com/home/?lng=en and will keep submitting until the problem is solved.
 
I have also noticed that our site https://www.drivermax.comis considered by Dr Web a "Non-recommended website".
 
Please tell us exactly why our web site is not recommended. I want to know the reason.
 
I would also like to know the exact reason, with concrete details, of why each of the files above is detected, so I can prove to you that each of the files above is harmless.
 
Thank you.


#6 sergeyko

sergeyko

    Guru

  • Dr.Web Staff
  • 3 925 Сообщений:

Отправлено 02 Апрель 2019 - 19:18

You promised to stop there... 

They are NOT malware.

And Dr.Web does not detect them as MALWARE. 

 

and will keep submitting until the problem is solved.

Ok, but don't do it here, on the forum, please, as it is neither technical support, nor a place where official requests are to be posted and answered. 

 

In general you've already got an answer - Doctor Web considered your software and found it a program.unwanted, this detect is optional and the users who want to can either turn it off or ignore. 


Sergey Komarov
R&D www.drweb.com

#7 danarm

danarm

    Newbie

  • Posters
  • 5 Сообщений:

Отправлено 03 Апрель 2019 - 10:14

Dear Sergey,

 

Thank you for writing back.

 

Please understand that this situation, of Dr Web detecting our programs as Unwanted, is very bad for us. The programs are not "Unwanted", as I have written above. I have to choice but to keep writing - perhaps not on this forum but in other venues.

 

I have submitted many of our files which are flagged by Dr Web to your web page at https://products.drweb.com/home/?lng=en- and I got, for each file, the stereotypical reply " Your request has been analyzed. This is not a false positive."  - the same reply for all the files I submitted during the past months.

 

I can understand that you want me to keep submitting there, but since the problem isn't getting solved, you are practically forcing me to use other venues and persisting until a human actually looks over our programs, and either whitelists us, or explains to us with technical details what we did wrong, so we can fix the problem and apply again.

 

It's been months since this problem isn't resolved - the first time I submitted our programs to you for reanalysis is sometime in October 2018. I will submit our EXE files again, later today.

 

We are more than willing to cooperate with the fine Dr Web technical team in order to get this fixed - just explain to us (in detail) what we did wrong, and we will remove the problem as fast as it is technically possible. But for that we need a clear description of the problem, and not a vague reply such as "This is not a false positive".

 

How would you feel if somebody wrongly accused you of something, in public, and then, when asked what it is that you did exactly, they answered "No, you did X, and I will not give you any details, and I will keep stating in public that you did X"

 

There is also the issue of Dr Web detecting our DriverMax web site, https://www.drivermax.com, as bad. This is another issue I can't understand. Point to us what is wrong about our site (but with details, please - no vague, unverifiable and unfixable explanation) and we will be more than happy to fix all the problems quickly.

 

I hope you understand that me writing to you in this forum is because we were unable to fix this problem through the standard ways you offer.

 

I wish you and your colleagues a nice day!



#8 Dmitry_rus

Dmitry_rus

    Guru

  • Helpers
  • 3 621 Сообщений:

Отправлено 04 Апрель 2019 - 11:13

Hi!

The programs are not "Unwanted", as I have written above
Obviously I can't get into the Stuff's brains :) but I (personally) think that all critical software (updates/drivers/system utilities/low-level tools/etc.) should be downloaded only from official sites of their developers. If some program (even digitally signed) tries to download and install something unknown from unknown locations... Hmmm... It's time to run Advanced Uninstaller PRO! :)

Thanks for reading & understanding. Have a nice day!





Also tagged with one or more of these keywords: false positives

Читают тему: 1

0 пользователей, 1 гостей, 0 скрытых