Why Your Bot Is Showing Up As A Virus (And What To Do About It)

Over the years, we’ve changed our mind about antivirus software.

Everyone used to need it. Back when the internet was filled with trojan horses, logic bombs, viruses, and malware, virus scanners used to be necessary. Back when you downloaded software willy-nilly and Google didn’t pre-label sites as potentially dangerous, it seemed like within no time at all you could pick up a virus, just by browsing the web.

But since then the need for virus protection has changed. In the Wall Street Journal, Symantec’s own Senior VP for Information Security has said anti-virus software “is dead.” Virus scanning software has become nearly obsolete in the business world, and companies like Symantec, who invented commercial antivirus with the ubiquitous Norton antivirus protection suite, now defend against cyber threats via automated threat forensics (checking network traffic to detect threats early on, for example). Journalists are writing headlines like “Antivirus Is Ailing” and “The Antivirus Era Is Over.” In the last decade, security experts have switched their focus from detecting software on your PC via antivirus products to stopping viruses before they ever get to your computer, and minimizing lost data once the viruses do get there. (In fact, Symantec only has about a 70% success detection rate – so it’s no surprise these companies are moving away from endpoint protection.)

When your AV software tries to remove Skype because it’s “dangerous”.

Many don’t realize how anti-virus scanning works. For example, are more scanners better than one? Virus Total, a virus scanning aggregator, now lists over 50 virus scanners, and many often use this product to test files across many different scanners, but Virus Total specifically recommends AGAINST this: “In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups….Very often antivirus solutions and URL scanners will produce false positives, i.e. detect as malicious innocuous files and URLs. These erroneous detections may severely hinder the business activity/popularity of third party products (e.g. refrain access to a given site, dissuade users from downloading and installing a given application, etc.).”

Virus scanners, even according to the makers of them, often find out about actual problems too late, and often what they detect is a false positive. Some even detect chat clients because they’re productivity killers, and torrent clients because they might be used to download viruses accidentally.

Virus scanners, frankly, are often crap.

So if you ever notice that something you’ve compiled in UBot Studio is being detected as malware or as containing a virus, first, relax, and remember that this is almost certainly a false positive report, and it’s being sent from a dinosaur in a dying industry. Then, follow these steps to fix the problem.

Click the “Angel” icon to vote for a file as harmless on Virus Total

1. If the scanner is on your computer, be sure to add the file to the virus scanners exceptions list. This will let you continue using the file.
2. Don’t upload your file to VirusTotal. Search for it there using its md5 hash to determine if it’s been uploaded already. This is quicker, and industry experts have told us that uploading your file is one reason that some products are falsely detected. (According to Virus Total, they help “antivirus labs by forwarding them the malware they fail to detect.”) The md5 hash is just a string that helps verify a file quickly. To check the hash, use the command line in Windows or OSX.) If your file is on Virus Total, make sure to vote that it is “Harmless” in the top right.
3. Read your virus scanner results carefully. Make sure to check any “Additional Information” sections. Take note of any specifically important and ambiguous wording, such as: “While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat.” (Actual language from Virus Total.)
4. Let the company or companies reporting it as malicious know that it’s a false positive. There are several ways to do this, but the best is to submit a false positive report. This site has a list of where to submit false positives for each company. A short message is all you need to give them in most false positive reports, along the lines of “Dear company, the executable I’ve attached was compiled using UBot Studio. Your virus scanner reported it as containing {virus x}. It does not contain this and this was a false positive. Please refrain from reporting this UBot Studio compiled executable as containing x.”
5. No, really, tell the virus scanning company that it’s a false positive. Tweet to them. Email them. Post on their forum. Get your friends together and anyone else having this problem, and explain that you compiled the software yourself in UBot Studio, and it is definitely a false positive. If you do this as soon as you notice the issue, you are more likely to get a speedier resolution. Make no mistake – these AntiVirus companies are wrongly accusing you of a crime, and in doing so they may be harming your business unjustly. It is crucial that you do whatever you can to make these companies aware that you won’t be bullied.
6. Let us know at http://tracker.ubotstudio.com. Be sure to link us to the Virus Total report and let us know the following:
   • Were you including the installer in your compilation?
   • What plugins were included?
   • What virus scanners are detecting your product as a false positive?
   • Include the script, if possible.
7. Send anyone who might be using your compiled executable an email letting them know what’s going on. Here’s a quick message you can use or modify:

I just got word that the software I made is being detected as a virus by X antivirus program. First of all, let me assure you that it does not contain any malicious script and is entirely safe to run.

Second, I’ve contacted X, the company listing it falsely, and you can follow the progress of this false positive submission here: [Link to your sales page or blog or forum post explaining where the ticket or email is and how they can get more info.]

As you know, virus scanners work by analyzing software for specific actions and potential threats. My software checks with a server when it’s loaded to see if it has to download any additional support files, and this is probably why it’s being detected as malicious. This is known as a “generic downloader” signature and is a common problem for producing false positives. [Here include any ambiguous wording that could help explain that the virus scanner isn’t sure that it’s actually a virus, and maybe even send this link to show that even Info Security professionals have this same problem.]

Sometimes virus scanners help, but often times, they tell you there’s something dangerous on your computer when there really isn’t. In this case, you are totally safe to run the file and I’m working on getting this issue corrected. If you have any questions please let me know. To run the file, simply add it to the ‘exceptions list’ in your AV scanner. Contact me if you need help doing this.

Yours,

Concerned Software Creator

Over the years, we’ve worked to make UBot Studio friendlier to AV software, by changing how compiling works and how the calls-to-home work. We’ve done everything we can to keep AV companies out of our business, and out of your business. As a software creator, it is now up to you to take that flag, carry it with pride, and, if necessary, beat a few AV company executives over the head with it.

Jason