UBot Underground

Symantec AV is flagging and deleting ubot .exe file



Some of our users reported that Symantec AV is flagging and deleting the file. This is not new with ubot, I know, as Kaspersky and some other AVs do the same, but I never heard about Symantec. I was aware of the post below, but with the new ubot build this should not have happened.

 

http://ubotstudio.com/forum/index.php?/topic/3629-virus-alert-not-good/page__p__13104__hl__kaspersky__fromsearch__1#entry13104

 

 

Info says:

 

A Possible threat : Developers who use this should get it white listed – see:

Updated: May 13, 2010 8:18:54 AM

Type : Other

Risk Impact : High

Systems Affected: Windows XP, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

 

 

 

White-listing

Software developers who want to accelerate the reputation building process for their new software applications should submit new applications to the Symantec white-listing program. Details of that program can be found here.

 

Disputes

If you believe that a program has been incorrectly classified by the Symantec reputation-based security system, then you may submit a dispute using this Web form.

 

Thanks


Symantec (Norton) is already known as flagging uBot bots as a virus/trojan/malware, but the uBot Devs promised this will be solved in uBot v4 as it should not use Spoon (formerly known as Xenocode) anymore.

 

That's what the uBot staff says...


Why doesn't Seth take this up with the AVs? I don't think Ubot needs to feel intimidated taking this up with the AVs. If not addressed, this issue will surely hurt our sales and brand in future.

 

It's simply not possible to reach out to all our buying customers and say "trust us, the AVs are incorrect, they are big, they don't listen to us... etc. etc."

 

This matter needs to be hammered out with priority.

 

Thanks


It all comes down to money. The AVs want more! Period.

 

I don't use any of those companies because they themselves lack focus, no standards, and they push their own agendas.


What I have sent to my customers:

 

"The development software that I use is cutting edge. So much so, that companies like Symantec, Trend Micro, McAfee, Vipre as well as others flag these bots as problems. Make no mistake, those products are okay if you have nothing, but I do not use them because they do not adhere to industry standards and their primary focus is making money. If you run each of those products on the same computer they will all report different results, hence no standards.

 

So if you use those products then you should work with their tech support to put proper rules in place to avoid conflicts.

 

Thanks!"

 

For me, I put it in the user's lap. I am not going to chase AV conflicts for them. That is my policy and it seems to work okay.

I don't agree with your "customer unfriendly" policy though. Sorry to be curt, but the reply will make me sound crazy to the customers. You ask them to do away with their well known AVs and trust you?

 

Since you and I know the ubot issue, our customers are not expected to know what is going on in the background. They don't care really. If I were the customer buying a bot and realized after purchase that my renowned and trustworthy AV is flagging it, I'd first stop the program and raise a PayPal dispute with the seller or blog somewhere about this issue.

 

Better that uBot finds out the core issue of being flagged and works towards that instead of being defensive.

@howtomakeawebsite,

 

It's not being unfriendly, it's the fact. My business is creating bots, not trying to maneuver my way around pious AV companies. My customers know this before they ever contract with me.

 

I come from a Security/Auditing background so my comments have quite a bit of fact.

 

I will say that the customers I have shared that policy with are not your average customers.


Well, it is good to know the backgrounds of fellow botters.

 

Maybe you are missing something on the after-sales and customer satisfaction side. At the end of the day "your business is creating bots," agreed, but your business doesn't get results unless someone buys from you, right?

 

They buy your bots for some purpose. If they can't use them because of virus alerts, any explanation really falls flat.

 

I think it is good to get some opinion of uBot officials in this regard.

 

I echo the post of Daniel Tan as below: You can find the old thread here http://ubotstudio.com/forum/index.php?/topic/3629-virus-alert-not-good/page__p__13104__hl__kaspersky__fromsearch__1#entry13104

 

IN BUSINESS BEING BEST IS MANDATORY, NO EXCUSE, NO EXPLANATION...

 

Hi uBot team,

 

Yes, I agree. Kaspersky is crashing in. Please get this passed or there is really a lot of problem. Don't ever hope users who paid for uBot software will ever accept it is a false positive. They want a working version, error free, and definitely are not here to listen to explanations.

 

In business, being BEST is MANDATORY. No excuse, no explanation.

 

Daniel


I am just the Mod here so my comments are my own. No I am not missing anything in terms of customer service.

 

My customers (like I said) are not your average customers so they come by way of word of mouth.


@botbuddy

 

Thank you for your own comments and perception. I am unsure how many bots you have sold and how much business you created by "word of mouth." I don't deny it works, but it limits the potential... that is where I have the problem. Why do I compromise when I know I have the ability to do better? Perfection matters. Anyway, thanks for your own views....

 

As I said.... we expect to get an official update from uBot admins.

I am also in the security industry, have been for 15 years. While I agree false positives are a fact of life, they are usually fairly rare for most users. People who use security tools and automation tools will see many more false positives.

 

To an end user, this is a big deal for a few reasons. First, most of them don't know enough about how to use their AntiVirus product to actually white list an application via the software. They also don't really understand the concept of a false positive and think if their AV is flagging a file, it is bad. By the same token, they don't even understand the reverse when files are not flagged they think their system is virus free.

 

Many vendors will correct their signatures to remove any issues with their antivirus software. Kaspersky is very good about this; this is the AV I use and sell to my customers, and sending an email to newvirus@kaspersky.com will often get a response back saying it is safe and their definitions have been updated to reflect that.

 

If at all possible, remove all things in your product that cause these false positives; it just makes life easier for everyone.

 

As for UbotBuddy's policy, I think it would work with a few people, but many people won't buy it. Your trust is already in question when they buy their first product from you, this is a very tough sell and puts you off on the wrong foot right from the start.

 

As for industry standard? There is no real industry standard, and each company has their own research team and finds and decides on malware totally differently. They all will react similarly to high visibility threats, but day to day their databases are extremely different. AV is a necessary evil and isn't going anywhere soon.

I completely echo your view, "Bob the builder". The main issue is how to convince the customers that this is a "false positive".... When you are in e-commerce you need to be trustworthy; this is the no. 1 criterion for doing on-line business. Why would they trust me and not trust their AV?

Yeah I mean we're doing what we can. It's a priority to us because it hurts our credibility. The thing is, the AV companies don't publish which activities will get your software flagged. If it were simple as just making a list of what not to do and then not doing those things, then this wouldn't be an issue in the first place. As it is, all we can do right now is go back and forth with the individual companies trying to fix it the best we can, and believe me, we are doing that.

Thank you Seth for your kind reply. Yes, credibility is the factor for sure. Until such time as we hear back something from you, do we need to apply individually here? Symantec White-list Form

This is good to hear you take it seriously, I am not compiling bots right now but it would be problematic for people buying bots.

 

I am curious if Ubot 4 is flagging false positives as well. Is this just with Ubot 3 because of XenoCode, or Ubot 4 as well?

I won't likely be compiling bots for sale prior to Ubot 4 going final.


In the network world there are programs that do a much better job at scanning for viruses and they do a much better job than the name brands. Like F-Prot and F-Secure (I used those two together a few years ago for a consulting company I worked for). So I cannot vouch for them now.

 

For some reason the industry has inflated these companies to a God-like level so they do not believe they belong to any standard nor do they want to be dictated to by a standards committee. But in reality, they hurt everyone and until users realize that, they will continue raking in dollars based upon fear that they themselves elevate through bogus scanning.

 

Maybe it's a myth, but sometimes I think AV companies are responsible for the new viruses that pop up in companies. After all, they are the ones that benefit from them.

 

I remember several years ago, I had a Symantec product and it flagged MASM.exe as a virus. That exe was Microsoft's Assembler compiler. What a joke they are.

F-Secure and F-Prot are nowhere near as good as they used to be. Malware has gotten much more aggressive and more financially motivated, rather than just pop-up windows saying "I pwn joo!". Most of the malware these days thrives on being hidden and not showing any signs of itself.

 

Microsoft products have been flagged as viruses numerous times, still today; lsass has had numerous false positives from multiple vendors. It isn't really a joke: creating signatures to detect viruses but not flag 10 billion unknown other applications is a tricky business. Especially nowadays, where a good AV is measured by its ability to detect malware prior to a signature being available (zero day threats). Back in those days, zero day threats were not an issue; almost everything was signature based and no heuristics. AV is moving towards fewer (and hopefully eventually no) signatures and more heuristics. Good heuristics is what makes a good AV great, but it is also what causes false positives.

 

I really doubt AV companies make viruses, maybe some do, but the simple fact is they don't have to. There are over 200 new viruses a day found in the wild and that's just the known ones.

 

The problem is security and automation tools make calls that look similar to the ones made by hackers. If you are using these tools, you know enough to identify a false positive and react accordingly, but with bots you compile for clients it isn't as easy. If they didn't monitor and alert when these tools used system calls that were not found in mainstream applications, we would be dependent 100% on signature based protection (meaning the AV needs to know the specific file and exe files to detect it), and it would be amazingly easy to bypass AV products. You could throw something together and infect every Fortune 500 company in the world. Of course the industry doesn't accept this risk, so there are heuristics.

 

Not sure what programs you are referring to in the network world, but anything less than real time (i.e. on demand) is unacceptable. If you're referring to gateway systems like IPS and HIPS, this is not practical for home users, which make up a large percentage of the user base.
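The posts above explain why a compiled automation bot trips heuristics (it imports the same hooking and input-injection APIs malware does), why a vendor whitelist entry fixes that, and why the whitelist fix is per-file. The following toy scanner, added here as an illustration and not code from uBot, Symantec, Kaspersky or any poster in this thread, models those three layers: an exact byte signature, a heuristic score over imported API names, and a SHA-256 allow-list. The "executables", the signature marker, the API weights and the threshold are all constructed for the example; it also shows that rebuilding the bot (even a one-byte change) produces a new hash that the old allow-list entry no longer covers, which is the situation the later "submit every new bot.exe" question describes.

```python
"""Toy three-layer AV verdict model (constructed example, not vendor code)."""
import hashlib
from typing import Dict, Iterable, Set

# Constructed signature: an exact byte marker for a known-bad sample family.
SIGNATURES: Dict[bytes, str] = {b"EVIL_PAYLOAD_MARKER": "Trojan.Constructed"}

# Constructed heuristic weights. These Win32 API names are common in malware
# but automation tools (input replay, window hooking, downloads) need them too,
# which is exactly why such tools collect false positives.
SUSPICIOUS_IMPORTS: Dict[str, int] = {
    "SetWindowsHookEx": 3,    # keyboard / mouse hooks
    "WriteProcessMemory": 4,  # writes into another process
    "CreateRemoteThread": 4,  # code injection primitive
    "URLDownloadToFile": 2,   # pulls content from the network
    "SendInput": 2,           # synthetic keystrokes / clicks (bots)
}
HEURISTIC_THRESHOLD = 5       # constructed cut-off for a "suspicious" verdict


def sha256_hex(data: bytes) -> str:
    """Hash used as the allow-list key; any rebuild yields a new value."""
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, imports: Iterable[str], allow_list: Set[str]) -> Dict[str, str]:
    """Return a verdict plus the reason, so a false positive is explainable."""
    digest = sha256_hex(data)
    # Layer 1: exact signature. An allow-list entry never overrides this,
    # otherwise a whitelisted hash could launder a known-bad file.
    for marker, family in SIGNATURES.items():
        if marker in data:
            return {"verdict": "malicious", "reason": f"signature:{family}", "sha256": digest}
    # Layer 2: vendor allow-list (what a whitelisting submission produces).
    if digest in allow_list:
        return {"verdict": "clean", "reason": "allow-listed hash", "sha256": digest}
    # Layer 3: heuristics over imported API names.
    score = sum(SUSPICIOUS_IMPORTS.get(name, 0) for name in imports)
    verdict = "suspicious" if score >= HEURISTIC_THRESHOLD else "clean"
    return {"verdict": verdict, "reason": f"heuristic score {score}", "sha256": digest}


# Constructed "executables" and their import tables.
BOT_EXE = b"MZ\x90\x00 constructed compiled automation bot"
BOT_IMPORTS = ["SendInput", "SetWindowsHookEx", "URLDownloadToFile"]  # score 7
NOTEPAD_EXE = b"MZ\x90\x00 constructed text editor"
NOTEPAD_IMPORTS = ["CreateFileW", "WriteFile"]                        # score 0
MALWARE_EXE = b"MZ\x90\x00 constructed dropper EVIL_PAYLOAD_MARKER"


def walkthrough() -> Dict[str, str]:
    """Run the scenarios from the thread and return each verdict by name."""
    vendor_allow_list: Set[str] = set()
    results = {
        "bot_before_whitelist": scan(BOT_EXE, BOT_IMPORTS, vendor_allow_list)["verdict"],
        "editor": scan(NOTEPAD_EXE, NOTEPAD_IMPORTS, vendor_allow_list)["verdict"],
    }
    # The developer submits the bot; the vendor adds its hash to the allow-list.
    vendor_allow_list.add(sha256_hex(BOT_EXE))
    results["bot_after_whitelist"] = scan(BOT_EXE, BOT_IMPORTS, vendor_allow_list)["verdict"]
    # A rebuilt bot differs by a single byte: the old entry no longer applies.
    rebuilt = BOT_EXE + b"\x01"
    results["rebuilt_bot"] = scan(rebuilt, BOT_IMPORTS, vendor_allow_list)["verdict"]
    # Whitelisting a hash cannot override an exact signature hit.
    vendor_allow_list.add(sha256_hex(MALWARE_EXE))
    results["signature_hit"] = scan(MALWARE_EXE, [], vendor_allow_list)["verdict"]
    return results


if __name__ == "__main__":
    for name, verdict in walkthrough().items():
        print(f"{name:>22}: {verdict}")
```

The ordering in `scan` is the design point: allow-list entries are checked before heuristics but after signatures, so a whitelist submission clears the heuristic false positive without becoming a bypass for files the vendor has actually identified as bad. Because the allow-list key is the file hash, every recompiled bot is a new submission, which is the cost the posts above are describing.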

Oh, I agree with what you said. It was several years ago and it is a shame about F-Secure and F-Prot; they were killers in their day. Shame they fell.

 

Yes, the tools you mentioned in the business world are VERY superior to home products.

 

Yeah, I remember those days when my development tools were being flagged. LOL, I even had MS Access flagged once. That was a hoot.
  • 1 year later...

I manually submitted one of my bots to Symantec and had it whitelisted within 2 weeks, however, their process was easy to find and straightforward.

 

Does anybody know of a service that automatically submits a new bot.exe to multiple AV companies for whitelisting consideration?

 
