Re: WallWatcher - Spyware?

From: B. R. 'BeAr' Ederson (br.ederson_at_expires-2004-09-30.arcornews.de)
Date: 09/29/04 

Date: Wed, 29 Sep 2004 08:22:33 +0200

On 28 Sep 2004 14:35:22 -0700, Dan Tseng - WallWatcher author wrote:

>> [Identify regions which an AV regards suspicious]
[Snip]
> Well BeAr, once you planted the seed, it grew into an irresistable
> urge to try a variation of your suggestion.

Hm. I start to feel a bit guilty. ;-)

> So, I proceeded to remove a few sections (functions) at a time from
> WallWatcher, and checked each result with AVP. It continued to
> complain. By the time I was finished, ALL of the code had been
> removed; ALL of the external support modules had been removed; and ALL
> of the objects in the WallWatcher window had been removed. In fact,
> there was nothing left at all, except whatever Microsoft's compiler
> simply couldn't bear to drop from an empty program. AVP still said it
> was Spyware.

That's the worst case of false positives I ever heard of!

> The person who first reported this to me has been in communication
> with the company that makes AVP, and he forwarded this escapade to
> them. Finally, they actually took a look at WallWatcher, and wrote
> back to him that he was right: they could not find anything suspicious
> in the program, and would update their virus definitions in the near
> future.

The least they should do. I always thought the AV companies should
maintain a list of last current false positives to check against.
(Found nothing on their site regarding wallwatcher or false positives.)
They could include file date, size, and an MD5 dump or sth. similar
to ensure there will be no exploit of these publications by some
kind of free-rider.

It does not only clear the reputation of falsely detected programs,
but can be used as a reference when upgrading to a new AV version.
If an earlier suspicious program isn't detected any more, and it
does not show up on the list, it is probably a throwback in the
detection rate. (Hence an error of the new engine or the definition
files.)
 
> Since I'm retired and derive no income from WallWatcher, these False
> Positive incidents have mostly been amusing to me. But, if I was
> still earning my living by selling software, these "incidents" would
> have been upsetting, to say the least, and likely very costly. Unlike
> a bad review in a printed magazine, which a few people may see once
> and then forget, everything on the Web remains available for years,
> and can cause continuing damage long after the truth comes out.

That's really true enough! A very frustrating situation.

Hope you're out of these embarrassments now (and forever)!
BeAr 

-- 
===========================================================================
= What do you mean with: "Perfection is always an illusion"?              =
===============================================================--(Oops!)===