Readit News
efitz · 2 years ago
I used to work on an anti malware team. There were two controversial issues that related to that work that I want to bring up here.

First, what is malware? It’s actually very hard to define in such a way that makes everyone happy. The line gets really blurry on the border of nuisance vs malicious, and on security tools, which might do things in the name of privacy that malicious software might do to hide its tracks.

The other issue is false positives. We tried really hard to avoid false positives; we ran tests with known good binaries to see if they were inappropriately detected, etc. We feared false positives more than false negatives.

I am sure that the MS antimalware team is having a bad day and not acting in bad faith.

stronglikedan · 2 years ago
I don't believe they're acting in bad faith either, and certainly nothing is being removed from the system as the clickbait title implies. The user has the option to stop it from being removed, and the team recommends "adding Tor to Microsoft’s protection software exclusion list and restoring “tor.exe” from quarantine if Defender affected Tor’s operation". Seems perfectly reasonable to me.
GuB-42 · 2 years ago
I find it especially funny when anti-malware tools flag things like 4k intros or even smaller demoscene production.

The people doing that are shaving bytes, fitting music and 3D graphics in self-contained executables smaller than many HN posts. Having enough space for malware after that would be insane.

The reason these are often flagged as malware is that they are typically using runtime compression and a variety of tricks to save space; these techniques are unusual in legitimate programs and common in malware. Malware scanners could add support for the likes of crinkler and kkrunchy, but these are probably too niche to care.
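An added illustration of the comment above (not part of the thread, and not any vendor's detection logic): byte entropy is one widely used signal for packed content, and a compressed payload scores near the 8 bits/byte maximum regardless of what it unpacks to. The 7.2 threshold, the 1 KiB window and the sample data are assumptions constructed for this example.

```python
import hashlib
import math
import zlib
from collections import Counter

WINDOW = 1024      # bytes per window; large enough for a stable estimate
THRESHOLD = 7.2    # bits/byte; assumed cut-off chosen for this example


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_fraction(data: bytes, window: int = WINDOW) -> float:
    """Fraction of full, non-overlapping windows whose entropy exceeds THRESHOLD."""
    windows = [data[i:i + window] for i in range(0, len(data) - window + 1, window)]
    if not windows:
        return 0.0
    return sum(shannon_entropy(w) > THRESHOLD for w in windows) / len(windows)


def looks_packed(data: bytes) -> bool:
    """Heuristic verdict: most of the file is statistically close to noise."""
    return high_entropy_fraction(data) > 0.5


def constructed_plain(size: int = 64 * 1024) -> bytes:
    """Constructed stand-in for ordinary code: tokens chosen by hashing a counter."""
    vocab = [b"mov", b"push", b"call", b"eax", b"ebx", b"ret", b"0x10", b"jmp"]
    out, counter = bytearray(), 0
    while len(out) < size:
        for b in hashlib.sha256(counter.to_bytes(4, "big")).digest():
            out += vocab[b % len(vocab)] + b" "
        counter += 1
    return bytes(out[:size])


PLAIN = constructed_plain()
# Constructed "packed" file: a small plain stub followed by the compressed payload.
PACKED = PLAIN[:WINDOW] + zlib.compress(PLAIN, 9)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("packed", PACKED)):
        print(name, len(blob), round(shannon_entropy(blob), 2),
              high_entropy_fraction(blob), looks_packed(blob))
```

The same harmless content is flagged once it is compressed, which is why a triage step that recognises known packers or unpacks before scanning cuts this class of false positive.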

Terr_ · 2 years ago
While it is true those executables may be small files, that doesn't mean they can't be part of a larger malware suite, one where the vast bulk of innocent-looking code is elsewhere, and the specially-packed executable contains the damning secret sauce.
kadoban · 2 years ago
How many bytes does it take to run "download X and exec it"? I wouldn't think many?
no_time · 2 years ago
>Having enough space for malware after that would be insane.

win32 shellcode for downloading the real malware could very easily fit even in a 4k intro.

https://www.exploit-db.com/exploits/13515

jj999 · 2 years ago
Can there be legal liability with anti malware? For example, could flagging some software as malware expose you to being sued for libel?
horsawlarway · 2 years ago
This is getting down voted and I'm not sure why. Google has flagged some of my personal domains as "deceptive login" (why: I could not fucking tell you... they give no info, and my logs show absolutely nothing going on. My best guess is I used chrome auto fill in them while testing letsencrypt staging certs after switching cert providers)

But... they are very clearly publishing info claiming my site is malicious, and it's not. It seems like a super clear case of libel, which I won't pursue because it's personal sites and I'm not losing revenue or anything, but it seems open and shut.

It's not even exempt due to general section 230 clauses. It's not user content. It's just them.

efitz · 2 years ago
Yes [1]. In this case, the issue was that the AM software itself contained security bugs, but depriving you of use of your computer would probably be actionable. IANAL and have no idea if you could win that.

The software does have disclaimer of warranties and limits on liability to the purchase price as part of the terms of use [2]

[1] https://www.prnewswire.com/news-releases/consumers-file-clas...

[2] https://www.microsoft.com/en-us/legal/terms-of-use [note: I am not 100% certain that this is the TOU specifically applicable to MS AM but most TOU look similar]

quags · 2 years ago
This would be similar to spam and blocklists. I know people have tried to sue blocklists (MAPS and Spamhaus) but from memory they were not successful in the end. That included blocking email, sometimes with larger blocks with IP ranges not directly involved but in a similar range. Malware being flagged on an anti virus would be similar but in those cases the user has an option to exclude the block. Google and Firefox block domains for phishing regularly as well.
userbinator · 2 years ago
> It’s actually very hard to define in such a way that makes everyone happy.

There's an easy definition: does it give value to the user, or act against the user's interests? The former isn't, the latter is.

Of course, by that definition, Windows itself would be considered malware.

I suspect the other comment here referencing libel is why "potentially unwanted" is another category that they often use.

zulban · 2 years ago
By your definition, any software with a bad bug is malware.

Next time you propose a definition, try to break it as an adversary as a test.

efitz · 2 years ago
That's way too subjective.

Here's Microsoft's definition: https://learn.microsoft.com/en-us/microsoft-365/security/int...

tmpX7dMeXU · 2 years ago
This comment is very much an extension of the “I could build this in a weekend” mindset.
hparadiz · 2 years ago
Bad faith? Windows defender flags KMS Tools as a malware trojan.
KennyBlanken · 2 years ago
"Staggering incompetence" is indistinguishable from "bad faith." Someone didn't do the most basic of QA:

> Microsoft Defender is detecting the latest version of Tor Browser as malware because it is using a new heuristic detection method that is designed to identify Trojans that use Tor to hide their activity. However, the heuristic method is too broad and also flags the Tor Browser itself as malware.

The lack of consideration for the impact is what makes it bad faith; they clearly didn't care to properly test it, or did and didn't care that they were also flagging the browser itself. I'm sure quite a few people think the Tor browser doesn't have a legitimate use.

efitz · 2 years ago
How are they supposed to discover every new binary for every application as soon as it is released, correctly classify them as known good, and add them to the QA testing, in a time frame that you would not classify as “incompetence”?

If it’s so easy that only incompetence or malice could explain it, why don’t you go work for them and fix it? I’m sure that people who have spent decades in the field would appreciate your wisdom.

jahsome · 2 years ago
Do you personally write utterly perfect code with absolutely no defects or unexpected/unintended consequences on the first try, every single time?
hulitu · 2 years ago
> I am sure that the MS antimalware team is having a bad day and not acting in bad faith.

It is not the first time they do this.

lost_tourist · 2 years ago
I certainly hope this is a false positive rather than Microsoft considering it malware, since it obviously is not unless you live in some place like North Korea and have the NK secret police's perspective.
flotzam · 2 years ago
flagged, past tense:

https://forum.torproject.org/t/torbrowser-12-5-6-no-longer-f...

"With the latest signature database (1.397.1910.0), tor.exe is no longer considered a trojan by Windows Defender."

neilv · 2 years ago
Just because the car eventually rolled off the pedestrian, doesn't mean there's no news story.

Reportedly, mass removal of Tor Browser happened, and damage is done: a lot of privacy/security stuff disabled, couldn't be used, some won't be reinstalled, there's extra vulnerability at reinstallation time, etc.

And the demonstration that Microsoft can easily do this is of interest to people who don't want that kind of thing to happen, as well as to people who would like that capability.

Also, this is Microsoft actively removing a competing Web browser (after long ago being put on notice about sneakiness around competing browsers specifically).

Dwedit · 2 years ago
Mass removal, but someone aware that it happened can still go in and fetch the EXEs back out of quarantine.

Which would be a good feature request for Defender, make it automatically do that in the event of a legitimate EXE whose detection status changes after it has been quarantined.

insanitybit · 2 years ago
This isn't surprising, frankly. AVs have a history of accidentally removing other software. That a browser that does really sketchy things (ie: things malware does) was flagged is not news, it's just an unfortunate bug.

I see no malice here.

smoldesu · 2 years ago
> And the demonstration that Microsoft can easily do this

Pretty much every platform with hash-based antivirus can do this. It's bad, but so is the fact that Tor on iPhone can't use the same browser engine and privacy patches as Android/Desktop does. The average user is far-removed from caring about their OS vendor's power, apparently.

henriquez · 2 years ago
I love outrage as much as the next edgelord but a) you can turn off Windows Defender if you don’t like it, b) false positives are a fact of any antivirus program, and c) Microsoft corrected it faster than you could even post. You are failing to make it seem like Microsoft acted in bad faith here. Comparing this to running cars over people is hyperbolic.

diath · 2 years ago
I hate Windows Defender, every time I roll out an update for our relatively small video game, it often ends up being flagged and removed from our players' computers, we then have to submit the file to Microsoft to get it unflagged. What's funny is that the instructions say to upload an entire package with all the files necessary to run the application, but in my experience I can file for a false positive, upload just the .exe, and get someone to unflag it the next day, it's tiresome.
remram · 2 years ago
And then you have to deal with all the other antivirus vendors... it's so tiresome.

See also this helpful list (getting out of date unfortunately): https://github.com/hankhank10/false-positive-malware-reporti...

no_time · 2 years ago
Or you drop ~800$/yr on an EV codesigning cert to switch your binaries from "malware unless proven otherwise" to "harmless until proven otherwise". It's basically a protection racket.
psyclobe · 2 years ago
Cost of doing business in this hell hole of a platform
supriyo-biswas · 2 years ago
I'm more worried about the fact that the antivirus industry hasn't gone the way of the dodo due to EDR systems, which emit warnings based on behavioral analysis instead of moving stuff to quarantine just because it happened to see a pattern of bytes in the binary.
Joker_vD · 2 years ago
I once got my own program falsely detected as virus while developing it. It was such a bizarre experience: you press "Run" in the Visual Studio, it apparently builds successfully but then it can't run because the executable does not exist. Huh?

Anyhow, it turned out that apparently my hand-coded base64-decoder was sufficiently similar to a base64-decoder used in some trojan out there (which was apparently built with the same version of MSVC): removing/sufficiently rewriting my decode_base64 function made the detection go away reliably. So yeah, I believe now that those virus signatures are quite arbitrary in nature.

klabb3 · 2 years ago
> just because it happened to see a pattern of bytes in the binary

It’s bizarre. I built an app and it was flagged by numerous AVs, and many of them had a “submit false positive” thing which eventually removed them. There’s no way that involved manual review so I assume bad actors can do the same.

Apparently these misclassifications are extremely common, and affect certain devs more than others. For instance, I had a Go binary which was flagged for a certain Trojan/worm and it was apparently common with other Go projects on GitHub.

NegativeK · 2 years ago
Without any knowledge of what they're really doing: automated sandbox analysis is a common tool. They could also be doing reputation analysis of the submitter.
SirMaster · 2 years ago
I hate it.

My little hobby projects that I write end up getting flagged by all these ML AV systems and I don't seem to have any recourse against it as a developer.

It causes issues and general confusion by my albeit small community of users.

c7DJTLrn · 2 years ago
Such systems are even more useless than hash/pattern matching scanners. I've had CrowdStrike on my machines before and it would've had no qualms with me exposing root-level access over an RPC interface.
helloooooooo · 2 years ago
Now do sketchy things on that interface and see how long it takes for your SOC to reach out to you.
insanitybit · 2 years ago
It would have no qualms but it would send the information to your security team and they might.
asmor · 2 years ago
That'd be great if hardware vendors didn't use dirty hacks to control their devices. One of my laptop's fan control software still requires an open source kernel driver that someone else once used to set up a bootkit in EFI, so now I have to run with vulnerable driver blocklist off forever.
pid-1 · 2 years ago
I'm yet to try an ML-based security solution (antivirus, cloud security scanner, etc...) that isn't a false positive machine gun.
breakwaterlabs · 2 years ago
That's pure marketing fluff, just like the difference between antivirus and EDR.

Heuristic detection has been a thing for literally decades, and cloud-based antivirus which uses aggregate detection has been around for almost as long. It's notable that NIST does not seem to distinguish between these and just lumps them under endpoint protection.

ok123456 · 2 years ago
Windows Defender classifies some of our in-house tools as viruses, because we built it into a single-file exe using Nuitka.
heavyset_go · 2 years ago
Not saying this is the case here, but in the hands of dictatorial regimes, systems like Microsoft Defender, Play Protect, Gatekeeper, etc, can be used to expose and silence critics, dissidents, and persecuted groups.

A corporate-enforced inscrutable system that uses cryptography and OCSP to potentially remotely approve and deny what users run on their machines would be coveted by leaders who want to crack down on their constituents.

distract8901 · 2 years ago
Had a lovely experience with this a few months ago. I built a little WPF GUI as an internal tool for my company. Literally all it does is read some data from an XML file and squirt some bytes out of a serial port. I zip up a build and send it over to the production team and windows refuses to open it. It absolutely insists it's a Trojan or something. Fortunately there's an option to ignore Defender and keep doing our jobs.

I submitted the build to Microsoft for verification and it reports totally clean. Gee, thanks.

We also get Defender warnings for anything that isn't signed. We also get Defender warnings for things that are signed. Apparently we have to pay an extra couple hundred dollars a month for the "real" signing certificate. The one we already pay for apparently isn't secure enough to disable Defender warnings?

Sounds like an absolute racket to me

LinuxBender · 2 years ago
There are some sandbox detections on VT as well FWIW. [1] Some companies pay to ingest data from VT. MS probably had to override the findings in Defender.

[1] - https://www.virustotal.com/gui/file/88c33af6f1963eb94683be1f...

justsomehnguy · 2 years ago
Yesterday I helped in an 'investigation' why a remote WinSvr2012R2 VM with a public IPv4 no longer allows logging in.

To no one's surprise it was hacked, but what was quite amusing is what the hacker wannabe installed... RDPGuard to protect 'his' machine from other hacker wannabees.

Also years ago mIRC was a popular component of the Windows 'rootkits' because it has control and communications built-in.

Yes, Tor is used by malware to securely communicate so it's no wonder it can trigger AV. Refer to [0] for details.

[0] https://news.ycombinator.com/item?id=37740584