Wednesday, April 16, 2014

Anti-virus issues and open letter to Anti-virus

Anti-viruses have a bright side and a dark side.

Well, anti-viruses are like babysitters: they prevent dangerous things from happening to your computer. In a certain light, that's a good thing, but when you grow up (in this case, know how to use computers safely and want to use security tools), that babysitter becomes more of an annoyance.

What I mean is that most security tools are flagged by anti-viruses, and Aircrack-ng isn't an exception. Sometimes they just flag it as 'hacktool' or 'not-a-virus', but a few of them use weird-looking names, and googling those doesn't even tell you what they mean.

I had to deal with a lot of stuff because of that:

  • Emails from people telling me their anti-virus detected Aircrack-ng as a virus, and I had to tell them it's perfectly safe and their anti-virus is wrong
  • Yahoo, which has or had a safe-page system using McAfee. It was saying the Aircrack-ng website wasn't safe despite all the messages saying it's perfectly safe
  • VIPRE anti-virus, which was removing links to Aircrack-ng.org because they thought it wasn't safe
  • And a few other things I don't even remember. Here is one I just found in the forum

It hadn't been a problem until now, because my hosting provider uses a service from C-Sirt.org that scans files online to make sure there's no virus. In most cases they are right, but there is always an exception. The problem is that they think their system is perfect, as you can see when they talk about false positives:


At first, I was surprised and took their incident seriously. I started by checking the MD5 and SHA1 of the file (which hadn't changed), then submitted the files to virustotal.com. That's where I saw why they think Aircrack-ng is a virus. As you can see, some of them give a name that will make you freak out (and using Google to find out what it means gives you NOTHING), but most of them either don't detect it at all or clearly identify it as Aircrack-ng.
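The first check described above, verifying that a flagged download still matches the project's published MD5 and SHA1, as an added example (not the Aircrack-ng project's own code). The archive contents and the "published" digests are constructed for the demo.

```python
# Added example: verify a downloaded archive against the checksums the project
# published. A mismatch means the file is not the one that was released, whatever
# a scanner says about it. All sample data below is constructed for the demo.
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read 64 KiB at a time so large archives are not loaded whole


def file_digests(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hex digest} for the file at `path`, streaming it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_checksums(path, published):
    """Compare the file against published digests, tolerating case and whitespace.

    Returns {algorithm: bool}; False for any algorithm means the archive was
    modified or replaced and should not be trusted.
    """
    actual = file_digests(path, tuple(published))
    return {
        name: actual[name] == expected.strip().lower()
        for name, expected in published.items()
    }


def demo():
    """Write a constructed 'archive', then check it against good and tampered digests."""
    payload = b"aircrack-ng demo archive bytes\n" * 1000  # constructed content
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
    try:
        good = {"md5": hashlib.md5(payload).hexdigest().upper() + "\n",
                "sha1": hashlib.sha1(payload).hexdigest()}
        tampered = dict(good, sha1="0" * 40)  # simulates a replaced file
        return verify_checksums(tmp.name, good), verify_checksums(tmp.name, tampered)
    finally:
        os.unlink(tmp.name)
```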

I emailed the guy behind C-Sirt.org. Unfortunately, his English is more than approximate, and if I understand correctly what he tells me, I should simply contact all the anti-virus vendors and ask them to remove Aircrack-ng from their definitions so that his algorithm won't flag it as a virus anymore.
Well, I would be more than happy to do so, but my experience with first-line customer service hasn't been successful, so I doubt it will work out.

Back to my provider. Even though I've been a customer for more than 6 years, they blindly trust C-Sirt.org and wrongfully shut down one of my servers where they thought the file was (and I'm still having issues getting it back up), and threatened to shut down my hosting when I told them where the file actually is, all because of a mistake in C-Sirt's scanning (due to anti-virus definitions). I tried to convince them, without any success, and I'll gladly show you the emails if you guys want (as well as the single email I got from C-Sirt.org).


So, anti-virus vendors, please be smarter nannies. I'm OK with you flagging viruses, but flagging security tools doesn't make sense and hurts us. Please remove Aircrack-ng and other security tools from your definitions.
In the meantime, I'll just repack the file and add a password so you won't be able to scan it and it won't be wrongfully flagged.
And if you're not planning to take it off your definitions, I've got a request to add another well-known security tool that uses Aircrack-ng: Core Impact. They even submitted a new attack for Aircrack-ng, which gives you a good reason (and proof that it's not a virus) to take it off your definitions.