Antiviruses hall of shame

aluigi · **Posted:** 13 Apr 2008 12:03

if someone has found problems to use or download my stuff due to an antivirus, please report here the name of the AV and the detailed problem.

For the moment I'm aware that Kaspersky is so stupid to block all the advisories from my website (it should show a small image at their place) which is one of the most ridiculous things I have heard in my life since they are just plain text files! 8-)

This is the objective proof that who maintains Kaspersky has choosen the wrong job or is just an idiot at all.

Although it's obvious I want to stress the fact that all my stuff is free and open source (from the informations to the programs, anything) so in case of problems anyone can ever recompile the source code with his hands using Mingw or another C compiler:
http://aluigi.org/about.htm#compile

The following are the ONLY trusted sources from which is possible to download my stuff:
http://aluigi.org
http://backup.aluigi.org -> http://aluigi.altervista.org
http://mirror.aluigi.org -> http://luigi.eliott-ness.com

Sethioz · **Posted:** 13 Apr 2008 16:44

dont have details, but tcpfp is detected by zonealarm antivirus system. (prolly by anything else too, like kasp. nod ..etc)
theres others too, i will post them once i get details on others.

-Anti-Virus programs should detect ONLY stuff that is dangerous to YOUR computer NOT to others. If its exploit, flooder (whtever) then its NOT dangerous to your pc, but still detected by AVs. its STUPID.
WPE pro is not urs, but also gets fucked up by nod32, kaspersky and zonealarm (havent used other AVs). ..and its only sniffer.

Sethioz · **Posted:** 11 May 2008 08:42

sof2boom detected by zonealarm anti-virus:
-Exploit.Win32.Aluigi.fw

aluigi · **Posted:** 12 May 2008 12:15

probably means that these idiots have added as signature my name, right? (since win32.aluigi.fw is too much generic for being relative only to sof2boom)
if this is the case this is an excellent new entry in the hall of shame

Sethioz · **Posted:** 12 May 2008 15:10

i had lots of stuff in ''ignore always''
3 of them was ''Exploit.Win32.Aluigi.**''

evan1715 · **Posted:** 15 May 2008 21:46

aluigi wrote:

probably means that these idiots have added as signature my name

lol.

aluigi · **Posted:** 29 May 2008 14:32

Other 2 entries for the "hall of shame" but this time I'm not referring directly to antivirus.

There is a website which says to have a list of hosts which (in his opinion) have "malware" stuff, the following is the link:

http://www.malware.com.br

Already in 2005 this brasilian website listed my aluigi.altervista.org site in its blacklist because the antivirus he used classified mtaboom.zip (a proof-of-concept for a vulnerability in a multiplayer mod for GTA) as W32/MTAboom.A-exploit, note the "exploit" category since will return later.

I contacted him immediately when I saw this error and received his apologies which are the following:

Quote:

Hello Mr Auriema, thank you for contacting me. There are 10 URL from
host http://aluigi.altervista.org/ and in fact just one of then:

http://aluigi.altervista.org/poc/mtaboom.zip

has being set in the list as malware. All the other were correctly
detected as non-malware stuff. This zip file was recognized as a
W32/MTAboom.A-exploit, not a malware in fact but the automated system
had no way to figure this out. The block hapenned to the /poc directory,
not the whole site.

I apologize for the inconvenience and want to let you know that this is
the first time I have a false positive included in the list and I'm
working to make the system less likely to make such mistakes.

Tks for reporting this to the Malware Block List. Your address has being
removed.

Best regards

In the first half of 2007 I received 3 mails from his automatic system about other 3 proof-of-concepts: genecysbof, panza and raydiumx all "correctly" (I know that it's not correct but I'm talking about the usual AV classification) classified as "exploit" but seems he didn't learn from his previous errors.

So my website returned newly on the blacklist but I had no time to lost for the errors of someone else and so I decided to recontact the author of that website later... very later since a lot of time passed from that moment and I thought he checked the entries on his blacklist, but I was wrong.
From April 2008 I have sent 3 mails to this person with 10 days of delay between each one and only at the third one he finally replied saying:

Quote:

Hello Mr Auriemma, I got your 3 messages and simply had not time yet to
go over then and prepare a reasonable answer. I apologize for that and
assure you'll get an answer no later then this weekend.

Today is 29 May 2008... do you think I have received a reply from this person?
So there is not time to reply to me but there is many time to difame and damage me.

The funny thing (which I said in my third mail too) is just that he added to the blacklist also aluigi.org which is only a redirect... aluigi.org DOES NOT hosts files and he has listed it too!!!
That's really ridiculous.

So I'm sorry for this Andre Correa but if he makes the same errors multiple times is just his problem, I don't want to be the subject of his personal errors so if he is not able to manage a blacklist website is probably better if he gives up without insulting (being in a blacklist is an insult for me) the others.

And another note, I reply EVER to anyone and is a shame that someone must send 3 mails for receiving a "non-reply" as reply since he has never answered to me.
Conclusion: big shame to http://www.malware.com.br, this website does NOT check the hosts on its blacklist and so must be NOT used since contains false positives which are NEVER corrected!

---

Edit 31 May 2008: the misunderstanding with the owner of http://hostsfile.mine.nu has been clarified, so now it's all solved.

Sethioz · **Posted:** 29 May 2008 15:32

my opinion is that this kind of ppl just don't want to admit that they DON'T WANT to take your site off of the blacklist. They simply throw ALL kind of exploits, scripts, hacks, cheats..blabla into one big list and makes no difference between them.
just like they have no clue that terms ''hack'' ''cheat'' ''exploit'' ''virus'' ''malware'' .. etc are NOT the same. they just put all of that into one big list and r happy with it, because their software, site ..etc detects most of stuff and ofcourse normal computer users are too dumb to notice that.
they come and whine here (tht your stuff is virus), before even checking WHAT did the site/software said about it.

I even dont understand why such tools are reported as virus, trojan, malware..or whtever they come up with if all it does is damages something else not your own computer. isnt Antivirus meant to protect YOUR computer not others computers/servers. ..sometimes it really pisses me off when my zonealarm's AV starts to whine about simple scripts and exploits..so annoying.

about those sites btw...they seem so messed up sites to me. full of crap and hard to even find something. I wouldn't even bother to contact them..they NEVER do anything. only roll their eyes and thts all.

ok ill add another thing into list:
netcat is being reconized as:
not-a-virus:RemoteAdmin.Win32.NetCat (its a name it gives) and risk level is medium given to it.

darkmoon · **Joined:** 04 Jun 2008 12:57 **Posts:** 6

peerchat_irc.exe contains Backdoor/Agent 84992 courtesy Antivirus/Avira

xD

aluigi · **Posted:** 04 Jun 2008 15:47

update about malware.com.br: the author has manually removed my website from the blacklist and is working on a more accurate handling of false positives.

instead about http://hostsfile.mine.nu I and the author of that website have worked (respectively coder and ideas/suggestions/tester) on a new tool for checking tons of hostnames (in the order of 100000 in half hour) to know if they still exist and with the possibility to check also other type of DNS queries or secondary queries (for example if doesn't exist the A record but exists the NS one and so on).
The tool will be released in these days.

aluigi · **Posted:** 11 Jun 2008 10:54

I retire the last update about malware.com.br, in fact after the initial removing now aluigi.org/poc (yes the redirect that doesn't contain files) is still in the blacklist ah ah ah 8-)

do NOT use the malware.com.br blacklist since it has demonstrated to be UNRELIABLE!

The following is the latest mail I have received from Andre Correa the 03 Jun 2008:

Quote:

Hello Mr Auriemma, regarding your complain on the inclusion of URLs
pointing to your web site in the Malware Block List, our understandings
of this matter are as follows:

- - We contacted our Anti-Virus partners and some security SPAM and
found an understanding that providing Exploits and HackTools in their
binary form is dangerous and can be object of black listing;

- - There is also a deep concern on not blocking access to web sites of
security researchers, security companies and security communities
containing educational materials;

- - Reviewing your files we found those Exploits are not directly usable
in Phishing Scams. Thses Scams are the main target of our project,
therefore your software may not be included in our block lists;

- - Taking this into account we decided to _temporarily remove_ from the
block lists 8 URLs pointing to your domains;

- - This temporary removal will be in place for the following 8 URLs:

MBL# 27066
http://aluigi.altervista.org/poc/uvncbof.zip
Exploit.Win32.Agent.x

MBL# 31419
http://aluigi.org/poc/raydiumx.zip
Exploit.Win32.Agent.ae

MBL# 31423
http://aluigi.org/poc/genecysbof.zip
Exploit.Win32.Agent.ae

MBL# 32636
http://aluigi.org/poc/panza.zip
Exploit.Win32.NetPanzer.a

MBL# 70198
http://aluigi.org/poc/skulltaghof.zip
Exploit.Win32.Aluigi.bu

MBL# 70199
http://aluigi.org/poc/soldatdos.zip
Exploit.Win32.Aluigi.bw

MBL# 84835
http://aluigi.org/poc/quicktimebof.zip
HackTool.Win32.QuickTime.a

MBL# 85492
http://aluigi.org/poc/yasslick.zip
Exploit.Win32.Agent.aq

- - This removal will last until we restructure our system in the
following manner:

- We`ll provide our users with a basic Malware list, that will include,
but not limited to: Trojans, Worms, Viruses, Backdoors and Downloaders;

- There will be an additional Badware list available, including but not
limited to: Adwares, HackTools, Exploits, Flooders, GenPacks, Hoaxes and
SpamTools;

- Users will be able to choose using just the basic Malware list or
also downloading the Badware list;

- There is no expected date to conclude this development;

We also want to make clear that:

- - We do believe that the Anti-Virus softwares we are using are the
cutting-edge technology in Malware and Badware detection and will
continue using then or any others that may be of interest to the project;

- - The usage of an automated system lasts. We believe our system is
accurate to our goals and treat every received complain very seriously;

- - The number of false positives reported during the three years of
existence of this project is really low. All false positives are removed
from our lists after proper investigation;

- - We have almost 3 million hits per month, demonstrating that the
Internet community finds our project useful, stable and trustworthy. We
strive to continuing providing the best lists we can;

- - All our users abide to our Terms and Conditions of Use
(http://www.malware.com.br/terms.html). Please review these Terms and
Conditions for more information:

Feel free to contact us in case of any doubts or new complains.

Best regards.

Wow what shame

aluigi · **Posted:** 11 Jun 2008 11:32

Update about Kaspersky

After more tests (thanx a lot to my friend s4tan and is patience eh eh eh) I have more details about the filtering problem about I discussed at the beginning of this thread and which now I have seen that is NOT related to my stuff or my website but to ANYTHING.

In short this ehmmm "antivirus" filters any URL containing the "adv" word in it and which points to a file so all the following links will display a small 1x1 image instead of error pages or the real files if they exist:

Quote:

http://www.kaspersky.com/web/adv/file.txt
http://www.kaspersky.com/madv123/file.txt
http://www.kaspersky.com/advortex/file.txt
http://www.kaspersky.com/file-adv.txt

while the URLs like the following work:

Quote:

http://www.altavista.com/web/adv

but if you use the following one it will no longer work:

Quote:

http://www.altavista.com/web/adv/file.txt

Now I'm sending a mail to Kaspersky showing this silly bug in their product and I will keep you update about news.

In the meantime is possible to find the websites that have the "adv" word in the URL using inurl:adv in Google, as already said the problem doesn't seem to affect the URLs without a filename (like the above /adv/ example of altavista)

Sethioz · **Posted:** 12 Jun 2008 08:02

nice, but one thing you kind a left out. does it count only specific word ''adv'' OR any word containing it or any word tht begins with adv* ?
for example if

Code:

http://test.tes/adv/image.jpg

doesnt work. then would this work ?:

Code:

ttp://test.tes/advanced/image.jpg

aluigi · **Posted:** 12 Jun 2008 09:37

unfortunately I haven't made deeper tests since I don't hat that AV, so I broke the balls to a friend of mine 8-)

Sethioz · **Posted:** 12 Jun 2008 11:51

next time you should post it :)
i have np installing it into virtual pc and make the tests.

wtf_gamer · **Joined:** 09 Jun 2008 18:15 **Posts:** 3

antivir/ avira dectects many apps including, tcpfp, ventboom, bfccown. listed as TR/Expl.Aluigi.C, a trojan.

Sethioz · **Posted:** 13 Jun 2008 23:42

tcpfp got fucked by zonealarm too.

aluigi · **Posted:** 14 Jun 2008 10:30

probably I should be happy to have an entire category with my name 8-)

Sethioz · **Posted:** 14 Jun 2008 13:40

how about you simply change Aluigi ?
if your site's url is there then its enought i'd say. or just use Luigi or A.Luigi or Luigi.A. i doubt they check it again and even if they do it takes ages.

cause some of your tools gets detected as aluigi.xxx (something at end..like ws or fs..blabla)

ofcourse if they did add your name as signature. then you can use different name combination in each tool. like ''a.luigi'', ''a-luigi'', ''a,luigi'', ''a_luigi'' etc. so they would have to add each tool seperatly if they really wanna put bad light on your tools.

aluigi · **Posted:** 14 Jun 2008 14:07

naaa, they need to change, not me

Sethioz · **Posted:** 15 Jun 2008 11:15

i doubt they even understand tht they did something wrong. prolly if they idiot enought to count ur tools as malware, they never change anything.
changing ur name in programs would make their life lil bit harder :)

Sethioz · **Posted:** 20 Jun 2008 00:00

here's a pic of my AV..stuff it detected.

Sethioz · **Posted:** 24 Jun 2008 18:45

nfshp2fp - Exploit.Win32.Aluigi.at
reconized by zonealarm AV

aluigi · **Posted:** 24 Jun 2008 19:57

well I think this is the same for any tool in the Proof-of-Concept and the Fake Players section.
What I don't understand is if there is a zip containing one of these executables indexed by the AV database (like nfshp2fp.exe) and 10 text files (like the source code), can you see and handle these files?
A real AV should block only the executable and not the entire zip since it's senseless.

Sethioz · **Posted:** 26 Jun 2008 15:43

no it didnt block zip or rar. it blocked exe when i unpacked it and this is the msg it showed me.
i just throw them all into ''always ignore''.

aluigi · **Posted:** 27 Jun 2008 09:07

this is a very good thing, so people can compile the source code if the exe is blocked (hoping that the resulted exe is not recognized by the signature)

Sethioz · **Posted:** 28 Aug 2008 14:43

ok this is getting retarded already.
F-Secure 7.03 build 110 - detects uTorrent version 1.6.1 as a trojan. here's details:
''Trojan-Downloader.Win32.Banload.ujv''

evan1715 · **Posted:** 28 Aug 2008 20:43

utorrent uses too much of the internet >_<... u cant even surf the web while its open...
i hated it lol...
2mb of lameness

Sethioz · **Posted:** 28 Aug 2008 22:15

...fix your computer dude. seriously. uTorrent is BEST there is. works GREAT. only disabled my DNS, but i just put openDNS servers there and now it works just GREAT. you need to set it up with YOUR computer. max connection ..etc.
sry for out of topic.

aluigi · **Posted:** 28 Aug 2008 23:06

evan you need to configure the number of connections to use and the max download/upload bandwidth (it's a p2p program, sucking resources is its job), otherwise the p2p programs will never work on your PC

Sethioz seems that false positive with utorrent is enough (in)famous, I have searched for utorrent Banload and there are tons of results

Luigi Auriemma

Antiviruses hall of shame