I had a strange support call from a customer last week. It went something like this:
Customer: Your software isn’t working. It crashes whenever I try to run it.
Me: Has anything changed on your machine? New security policies, antivirus, new software installed, anything like that?
I ask the customer for a screenshot of the .NET error message and only manage to get a generic “This application has stopped responding” error. Somewhat confused, but determined to reproduce and fix the issue, I remotely dial into the customer’s machine and see the problem. The customer attempts to launch our software, there’s a short delay, then a generic Windows non-responsive application message, and then nothing. To compound matters, our software could not write out to the Windows event log nor to its debug log file location.
It wasn’t long, however, before another customer logged a support ticket for exactly the same issue, and something was common between them: they both used McAfee antivirus.
It turns out that McAfee had decided, in one of its latest heuristic updates, that one of our supporting applications (the one which performs some of our security and licensing) was in fact a Trojan, and was surreptitiously preventing the user from opening one of the files necessary for the smooth running of our software.
The component in question was a home-rolled licensing component that was protected by Themida – a packing technology from Oreans Technologies that helps to protect applications from being cracked. It was this packed part of the component that was throwing a false positive on the McAfee-protected systems.
Since we didn’t have control over McAfee (or any other antivirus vendor) I implemented a quick hotfix to bypass using this component altogether.
Whilst antivirus is incredibly important in this day and age, I think the way in which these antivirus companies work calls into question their business practices, in how they stop their customers from using other legitimate businesses’ software on their machines.
Understandably, there is a constant stream of new strains of viruses and trojans, and in order to be proactive these antivirus providers write their software to match some general patterns and then loosely identify “new threats”. Unfortunately the protection mechanism that we used to use was identified as such a threat, and the knock-on effect of this was that our customers couldn’t use our software. Thanks, McAfee.
Since our software, and most legitimate commercial software, is fully code-signed, I would like to propose that the various antivirus vendors get together and agree that in future, if software is found to be suspicious, they would send out an alert email to the listed support contact of the software (this info is in the code-signed executable), so that we can then advise our customers and have an open dialogue with the antivirus companies. At least that way we can work together, as vendors and antivirus companies, to serve our common customer.
Now is as good a time as any to give a shout out to VirusTotal, the online service that lets you quickly analyse suspect files by uploading them to their website; in turn they check the file against all of the various antivirus engines. Here’s a report of the file in question:
Wishing you a happy virus-free new year 🙂
- VirusTotal (an online virus checker)
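The proposal above rests on the publisher contact details being readable from the signed executable. As an added example (not code from the original post or from any product mentioned in it), this PowerShell function pulls those details out of a binary’s Authenticode signature and only marks them as trustworthy when the signature chains to a trusted root; the file path is a placeholder.

```powershell
# Added example, not code from the original post. Assumes a Windows host with
# PowerShell 5.1 or later; the path at the bottom is a placeholder, not a real file.

function Get-SignerContact {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $emailType = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName
    $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    $result = [ordered]@{
        Path        = $Path
        Status      = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Publisher   = $null
        Email       = $null
        Issuer      = $null
        Timestamped = $false
        Trusted     = $false
    }

    # No certificate at all: the file is unsigned or its signature block is damaged.
    if ($null -ne $cert) {
        # GetNameInfo reads the E= RDN / SAN e-mail name directly, so escaped commas
        # in an organisation name do not break the lookup the way a DN split would.
        $result.Publisher   = $cert.GetNameInfo($nameType,  $false)
        $result.Email       = $cert.GetNameInfo($emailType, $false)
        $result.Issuer      = $cert.GetNameInfo($nameType,  $true)
        $result.Timestamped = ($null -ne $sig.TimeStamperCertificate)
        # Only a signature that chains to a trusted root says anything about who
        # published the file: a self-signed certificate can carry any E= address.
        $result.Trusted     = ($sig.Status -eq 'Valid')
    }

    [pscustomobject]$result
}

# Usage: placeholder path standing in for the binary the antivirus engine flagged.
Get-SignerContact -Path 'C:\Program Files\ExampleVendor\licensing.exe' | Format-List
```

A vendor-notification scheme like the one proposed would act on the Email field only when Trusted is true, since an untrusted or missing signature gives no reliable contact.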
McAfee… pfft! I’m surprised it doesn’t flag itself up as a virus; it’s about as malevolent as one!
There’s actually a blog article about this exact issue on the McAfee website:
The McAfee recommendation is, in a nutshell – “Don’t protect your work using a packer, because malware authors do it”.
Gee, thanks, McAfee!
Sorry to hear about this, not that it’s not incredibly common.
Like the suggestion for them to read the signed exe as that can be easily automated in the anti-virus software. Chance of it happening – snowballs and hell spring to mind.
The thing with the anti-virus companies, I’m sure, is they have a sign over their desks that reads “Yes, as a matter of fact, I do own your computer!” 🙁
Take a look sometime at how some of them behave on multi-processor machines. Symantec for example, splices into several if available.