In the past software I wrote ended up in detection of anti-malware programs, more traditionally known under the term antivirus (AV) programs 1. As you may or may not know I work for an AV vendor and as such I sit on both sides of the table when it comes to false positives. These wrong detections have been a problem for me and software I wrote before I joined my previous employer (vendor of an anti-spyware) and my current employer.
At the VB 2013 conference in Berlin this year, which my superiors allowed me to attend, Mark Kennedy of Symantec and Igor Muttik of McAfee presented a project called CMX or CMX-IEEE, for Clean file Meta-data eXchange. Although I see a few minor flaws and there are things they left to wish for 2, the overall idea sounds quite good. You can find their Blackhat papers from this year here.
Hey, hello! Yes, that was me. The guy who asked after your VB presentation how you are going to vet the vendors allowed to submit clean files. The answer was the precursor to another rather disappointing answer later. For starters only big vendors such as Microsoft, Google and so on would be allowed to submit files at all. Alright, not too bad if that’s just at the beginning and smaller vendors will be allowed in later.
However, when I asked Mark after the session outside he made clear that there was no intention to consider FLOSS projects or the likes. Which is very disappointing indeed. Not only are we in the anti-malware industry really bad at spreading the word about files that turned out to be false positives and are then taken out of detection by a single vendor. Unlike with detections themselves that spread like wildfire. If you have a program and it’s deemed malicious it takes a tremendous effort to get it unlisted. Most of the time I don’t even bother contacting the smaller vendors. So while it is easy to end up in the detection of lots and lots of vendors without any wrongdoing, it takes a lot of work and time to get unlisted. If you volunteer your time already to work on and maintain a project, this really drains all motivation and enthusiasm you have – and quickly. Having a mechanism that more or less ensures that you have done everything humanly possible that your FLOSS program doesn’t end up in detection would be just brilliant.
In the past I’ve had similar experiences with website reputation providers that put me on a blacklist based on some false positive detections on VirusTotal. The nastiest part is that the other side generally can automate most if not all of this procedure, but getting it fixed takes manual intervention and time and concentration on part of the “victim” of the false positive. If you have a technically incompetent bigmouth on the other end, this becomes a really tiring process.
Also, the recent kerfuffle with WinDirStat has taught me that AV vendors at large aren’t always swift in adding detections of real threats. I took the time to look up the contacts and then contact dozens of AV companies and only a few of them replied. Only two or three responded in a manual fashion.
So in conclusion: small vendors and freeware, shareware and FLOSS authors will have no mechanism for preventing their software from being taken into detection and the only ones that benefit are the big guys in the “business”. Sad …
// Oliver
PS: This is my personal opinion and not that of my employer. Just to make sure that people who can’t distinguish my private domain from the ones my employer has 😉