Antivirus reports IMatch V. 5.4.12 as having a virus

Started by dkorman, June 18, 2015, 04:42:46 AM


dkorman

Norton Security Suite 21.7.0.11 analyzes the download file and reports virus WS.Reputation.1, then deletes the download file.  Is this a Norton "fluke?"

Mario

I test IMatch with 4 different virus checkers before uploading it.
c't (renowned German computer magazine) checks the IMatch trial version with over 40 virus checker engines. They pull the file directly from the photools.com server.

On the photools.com CustomerWeb server runs yet another virus checker engine.

Each download is signed with my digital certificate. This allows you to verify that the file has been downloaded correctly and not been tampered with. Right-click the file in Windows Explorer and check the certificate.

As a secondary security mechanism I specify a SHA1 checksum you can verify after the download to ensure that the file is valid.


The 5.4.12 is available for two weeks now and has been downloaded and installed hundreds of times. This means that the file has been checked with probably all common virus checkers in addition to the five used by me. No reports.

I've just downloaded the 5.4.12 and tested it with two virus checkers. The file is reported as clean.

Sounds like another Symantec false positive. Interestingly, when there is one of the (rare) reports about a virus in IMatch, it's usually Norton or another Symantec product.

sinus

"Avira Anti Virus" says also "no virus, the file is clean".  :)
Best wishes from Switzerland! :-)
Markus

Ferdinand

When there's a file that I'm uncertain about, I upload it to https://www.virustotal.com, which checks it with 54 different anti-virus programs. This can be a bit of an eye-opener about false positives.

Yes Mario, I know it's now owned by Google, but it seems to me that this is a useful service. You have expressed concern in the past about them getting access to your code if the program was uploaded, but I think it's going to be hard to prevent them getting it somehow, such as some worried user from uploading it.

Mario

The trial version of IMatch is checked via VirusTotal because I host it on c't as well.

Uploading the licensed version of IMatch violates the IMatch license agreement you have agreed upon during installation and is thus illegal. It not only gives access to the uploaded licensed version to Google and other companies, but also allows VirusTotal to share the file via its community. This means that by uploading a licensed version of IMatch to VirusTotal (or other 'online' virus checker services) you make your licensed copy available to an unknown number of persons. This is clearly in violation of the EULA you have agreed to and also vastly improves the distribution of pirated copies of IMatch.


There are a vast number of online virus checker web sites out there which do nothing, except waiting for unsuspecting users to upload copies of licensed software. Then the companies or individuals behind these shady anti-virus test sites distribute the licensed copy of the software (often associated with your personal license number and thus detectable and traceable) to piracy networks all over the world.

VirusTotal is not one of the shady sites, but by uploading a file you give permission (and take legal responsibility) to everything they do with the uploaded file - including distributing licensed versions of IMatch or other software you upload to unspecified communities and individuals.

Carefully read the terms of service and the privacy statement before you use VirusTotal or any other service. For example, in their terms of service, VirusTotal states:

Quote
When you upload or otherwise submit content, you give VirusTotal (and those we work with) a worldwide, royalty free, irrevocable and transferable licence to use, edit, host, store, reproduce, modify, create derivative works, communicate, publish, publicly perform, publicly display and distribute such content.

Which in case of licensed software, e.g. IMatch, you are clearly not. And I don't want Google (or the companies they work with) to distribute, modify, publish or otherwise use licensed copies of IMatch.

hro

I also use Norton Security Suite and never had a problem with any IMatch version.

Ferdinand

I stand corrected. As a rare user of that service, I hadn't thought through the implications. It's a useful service for some things, but not this.

jch2103

Quote from: dkorman on June 18, 2015, 04:42:46 AM
Norton Security Suite 21.7.0.11 analyzes the download file and reports virus WS.Reputation.1, then deletes the download file.  Is this a Norton "fluke?"

I had the same situation, but told Norton to install anyway. One of those strange false positives, which usually occur because a version is very new/not yet often downloaded. The odd thing about this one is that I had just successfully downloaded and installed the newest IMatch on my laptop w/o any issues from Norton, but then had an issue with my desktop. I suppose it's better to have an occasional false positive you can ignore than a false negative that infects your computer...
John

Mario

If your virus checker reports a virus, it's always better to stay on the safe side.
Use a second virus checker to check the file - but don't violate license agreements by uploading a licensed copy of whatever to sites like VirusTotal which take ownership of the file.

Contact the vendor of your anti-virus software and upload the file so they can check the file and update their signatures accordingly. This is usually done automatically and new signatures are issued within a couple of hours. Then re-test the program or file in question before you install it.

It is possible that some evil force hacks the photoolsweb.com server and uploads an imatch.exe install file with an embedded virus. Very unlikely, but theoretically possible. That's the reason why I use a digital certificate to sign the installer and also each .exe and .dll file shipped with IMatch. The digital certificate guarantees that the file has not been tampered with after I have signed it. And your browser and Windows test this certificate and allow you to view it easily.

Unfortunately, there is a recent trend in browsers (IE mostly) to rate a download as 'suspicious' when it has not been downloaded 'often'. What? How does this make sense? If IMatch is downloaded 1000 times, that's a lot. If a free software like Picasa is downloaded 1000 times, it's nothing. I wonder how IE decides what 'often' means for a specific download...
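The two checks Mario describes in this thread (the digital signature on the installer and on each shipped .exe and .dll, and the published SHA1 checksum) can be scripted instead of done through the Explorer right-click. This is an added example, not part of the original posts and not photools.com code; the file path, signer name and SHA1 value are placeholders to fill in from the vendor's download page.

```powershell
# Added example. Placeholders below are assumptions, not values from the thread.
param(
    [string]$Installer      = '.\installer.exe',           # hypothetical path to the download
    [string]$PublishedSha1  = '<SHA1-FROM-DOWNLOAD-PAGE>',  # placeholder
    [string]$ExpectedSigner = '<EXPECTED-SIGNER-NAME>',     # placeholder
    [string]$InstallDir     = ''                            # optional: installed program folder
)

function Test-FileSignature {
    param([string]$Path, [string]$Signer)
    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Subject = $subject
        Ok      = ($sig.Status -eq 'Valid') -and $subject.Contains($Signer)
    }
}

$failed = @()

# 1. Signature on the installer: HashMismatch means the file changed after signing.
$result = Test-FileSignature -Path $Installer -Signer $ExpectedSigner
$result | Format-List
if (-not $result.Ok) { $failed += $result.Path }

# 2. SHA1 of the download against the published value (case and spaces ignored).
$actual   = (Get-FileHash -LiteralPath $Installer -Algorithm SHA1).Hash
$expected = ($PublishedSha1 -replace '\s', '')
if ($actual -ine $expected) {
    Write-Warning "SHA1 mismatch: got $actual"
    $failed += "$Installer (checksum)"
}

# 3. Optionally check every .exe and .dll in the install folder.
if ($InstallDir) {
    Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object { Test-FileSignature -Path $_.FullName -Signer $ExpectedSigner } |
        Where-Object { -not $_.Ok } |
        ForEach-Object { Write-Warning "$($_.Status): $($_.Path)"; $failed += $_.Path }
}

if ($failed.Count) { Write-Error "Verification failed for $($failed.Count) item(s)"; exit 1 }
Write-Output 'Signature and checksum verified.'
```

A checksum read from the same server as the download only shows the file arrived intact; the signer check is what ties the file to the publisher's signing key.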

jch2103

Quote from: Mario on June 18, 2015, 06:58:21 PM
Unfortunately, there is a recent trend in browsers (IE mostly) to rate a download as 'suspicious' when it has not been downloaded 'often'. What? How does this make sense? If IMatch is downloaded 1000 times, that's a lot. If a free software like Picasa is downloaded 1000 times, it's nothing. I wonder how IE decides what 'often' means for a specific download...

It's worse than that - if you happen to be one of the very first to download a new version (even a 'popular' program), it will always have a limited 'reputation'. The early bird gets the ...problem...

I downloaded IMatch again (identical file to prior download); this time Norton reported that IMatch was 'exonerated' and didn't block installation.
John

Mario