Open Source and information security mailing list archives
 
Date: Sat Dec 10 21:54:14 2005
From: fyodor at insecure.org (Fyodor)
Subject: Re: McAfee VirusScan vs Metasploit Framework v2.x

On Fri, Dec 09, 2005 at 01:17:30PM -0600, H D Moore wrote:
> 
> Looks like some overzealous idiot at McAfee added "Trojan" signatures for 
> 202 files in the latest version of the Metasploit Framework.

Hi HD.  I know the feeling! Their "VirusScan" has been improperly
labeling Nmap for years.  When naive users have their download blocked
or a virus alert show up, they regularly send me complaints accusing
me of trying to infect their system or distributing spyware.  Of
course Nmap is free, open source, and contains no spyware, phone-home
code, or advertisements of any sort.  It is not bundled with anything
else, and doesn't even offer an executable installer.  So it is hard
to imagine someone installing it by accident. I asked McAfee why they
would possibly flag Nmap in their virus scanner.

McAfee responded that they never called it a
virus/trojan/adware/spyware/etc. Instead, they describe it using the
weasel-words "potentially unwanted application".  In mail to software
authors like me, they act like this is a benign and rather
meaningless designation that few people would enable.  After all,
anything can be "potentially unwanted".  But what they tell their
users is a whole different story!

You can see the VirusScan checkbox for enabling "PUP protection" on
page 22 of their User Guide[1].  It says:

  "Potentially Unwanted Program (PUP) protection quickly detects and
  removes spyware, adware, and other malware that gathers and
  transmits your private data without your permission"

The screen then notes that enabling this "protection" is
"recommended".  How does Nmap possibly fit that description?  A few
months ago we added a clear warning to the Nmap download page, urging
users to steer clear of McAfee's so-called virus scanner.  That has at
least reduced the number of flames I get from people after bogus
McAfee alerts.

Competitors such as Trend Micro and Norton seem to focus on actual
malware.  But while McAfee wastes their time pestering legitimate free
software authors, they kowtow to the rich companies that make millions
infecting PCs with malicious spyware.  The scummy spyware company
Claria/Gator even issued a press release this year [2] praising McAfee
VirusScan.  That isn't a good sign for an anti-malware product!  The
release was titled "McAfee finds Claria's GAIN ad-supported software
does not present a malicious threat to consumers".  According to the
release, McAfee had made a mistake and "inadvertently labeled Gator
software" as #2 in their "top 10 threats in 2004" alert.

I certainly support and wish you luck in your campaign to educate
McAfee/Avert in the difference between malicious spyware that covertly
infects millions of PCs, and legitimate security tools that users
desire and manually install.  Unfortunately, my 2 years of discussions
with McAfee have been fruitless.  They just don't seem to care about
accuracy in their product.  So instead, I try to spread the word about
how useless and inferior VirusScan is.  It often seems that the only
people who like that product are the Spyware companies themselves!

Cheers,
Fyodor

[1] http://download.mcafee.com/products/manuals/en-us/VSH_UserGuide_2006.pdf
[2] http://www.claria.com/companyinfo/press/releases/pr050425.html
