Malware question (false positive?)

Started by tbm72, Yesterday at 08:07:17 PM


tbm72

Hi Alexey,

I used AZSlow a long time ago on my old PC and have just upgraded to a new machine. I was about to install it again but just thought I'd check. VirusTotal is currently marking the 0_5r12b427.exe file as malicious with 38/71 vendors flagging the file as malicious/malware.

I'm certainly not accusing you of anything Alexey as I know false positives are very common and I've also spoken with you before and I know you're a helpful and good person! But I just wanted to see what you think, especially given that even recently the popular CPUID app was hijacked on their website and the installer was infected with malware.

I know it costs money to get the installer signed and I'm sure it's all good but wanted to ask your thoughts as I'm a bit nervous about installing software on my expensive new PC!

Thank you!

azslow3

Hi,

What I think I have written many times... Till someone (I have no hope for the US, but in that respect the EU can be better) finally forbids such behavior, there will be no changes.
Note that signing does not help 100%, it just reduces "the severity".
Upgrading the NSIS installer normally reduces the number of false positives (I am using a pretty old version).

But no one can win this game till someone finally manages to win in a court. And that is not possible till laws are changed.

Just imagine, I declare (based on some AI decision) that you are... let's say a bad boy. And I spread that rumor. Such a declaration can damage your reputation, require some investment to mitigate, etc. And there are laws which allow you to fight against me. Logical.

If you look precisely in VirusTotal, you can notice all these "detections" are AI heuristics, which declare my programs as "malicious". The irony: it is NOT possible to do ANYTHING with these declarations at the moment, except ask them (all 38 separately!), giving my name/tel/address/etc. (and signing that they can use it!), and they will in days/weeks remove the false positive. Without any "please excuse us...", some even without any reply (even though giving my e-mail to them is mandatory).

Ridiculous, isn't it?  :o

tbm72

Thanks Alexey,

I know it must be frustrating for you, especially given that you provide AZSlow as free software to the public!

I've no doubt it will be safe and am hoping to install it again, but without wanting to be disrespectful, is there any way for users to be confident that the software is safe to install? For example, more reliable malware detection services than VirusTotal? Or do we just have to decide for ourselves whether we feel it's safe or not to install (and I do trust you!)?

Thank you, and again I'm in no way suggesting there's anything unsafe about AZSlow; it just looks daunting to someone who doesn't program software to see so many warnings on VirusTotal!

Many thanks :)

azslow3

Quote from: tbm72 on Yesterday at 10:21:13 PM
> I've no doubt it will be safe and am hoping to install it again but without wanting to be disrespectful, is there any way for users to be confident that the software is safe to install?

No. The only way a user can be confident a piece of software has no "side effects" is to use exclusively open source software, combined, compiled and packed by someone they trust. Major Linux distributions are a relatively safe way; there are many people who track that the software they are providing is produced from (public and so known) source code. And so any single report that the binary was "manipulated" would spread and ruin the corresponding company. So far I can't remember a single case.

When you are using Apple/Windows/Google, you in fact have "malware". Sometimes people find parts of it and companies are forced to make them "optional" (require confirmation from the user that they are happy with it).
But since the source code is not known, it is impossible to find everything ;)

The last time I was looking into my home router, I found several "management daemons" in the "branded" firmware.

Even though "built-in" side effects are not known as something harmful, no one really knows what they can do...

Quote from: tbm72
> For example, more reliable malware detection services than Virus Total?

Microsoft's default "Defender" is relatively conservative with "false positives". I personally don't install others. At work we use a more "advanced" solution, with more false positives. But there we have people who have time to analyze what is real and what is not, send reports, white-list, etc.

----

Note it can happen that someone hacks my site and uploads malware. What is really uploaded by me is cross-compiled under Linux; the probability of infection at that stage is very small.
Certificates theoretically can help, but in practice:
- do you check the content of the certificate every time you install something?
- or do you think hackers don't know how to use valid certificates?
You can google for cases when certificates were not helping...

BTW, when using VirusTotal, look at the names of the "found" problems. Everything with "Gen"/"Heu"/"AI" or without a distinguishable name at all is 99.9% a false positive. Real known malware and viruses have distinguishable names you can google easily. Not yet known malware will not be reported (not all malware developers are idiots; I mean they check with VirusTotal that what they are going to inject is not reported... lol).

tbm72

Thanks for the honest answer Alexey. I know we shouldn't take things like ChatGPT as 100% accurate, but it said:

*****************************************************************************

"If 37 out of 71 engines on VirusTotal are flagging a file, that's quite a high number. While VirusTotal does generate false positives—especially for utilities from small independent developers—37 detections is enough that I'd want to investigate further before running it.

Look at which vendors are flagging it

The details matter:

If only obscure engines are flagging it as "Generic", "Suspicious", "AI.Malware", etc., while major vendors like:

Microsoft
Bitdefender
ESET
Kaspersky
Malwarebytes

are clean, it may well be a false positive.

If several major vendors detect it, I'd be much more cautious."

*****************************************************************************

I have used older versions of AZ before and I know you only have good intentions, but this version flags up a lot more reports like:

Google: Detected
Avast: Win32:Malware-gen
Microsoft: Trojan:Win32/Suschil!rfn

I know I'm just being overly cautious and no disrespect is intended!
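A small triage script, added here as an example and not code from this thread or from AZSlow: it applies azslow3's rule about "Gen"/"Heu"/"AI" labels together with the quoted advice about major vendors to a constructed VirusTotal-style listing (the engines EngineA/EngineB and their labels are invented; the other three labels are the ones quoted in this thread).

```python
"""Triage of a VirusTotal-style verdict listing, following the thread's rules
of thumb: generic/heuristic labels are weak evidence, and what the "major"
vendors say matters more than the raw detection count."""
import re
from typing import Dict, Optional

# Vendors the quoted ChatGPT advice calls "major" (taken from the thread).
MAJOR_VENDORS = {"Microsoft", "Bitdefender", "ESET", "Kaspersky", "Malwarebytes"}
# Label fragments marking a heuristic/generic verdict ("Gen"/"Heu"/"AI" per
# azslow3, plus the words the quoted advice lists).
HEURISTIC = re.compile(r"gen|heu|\bai\b|generic|suspicious", re.IGNORECASE)
# Verdicts that carry no distinguishable family name at all.
NAMELESS = {"", "detected", "malicious", "suspicious"}


def classify(label: str) -> str:
    """Return 'generic' for heuristic/AI/nameless verdicts, else 'named'."""
    label = label.strip()
    if label.lower() in NAMELESS or HEURISTIC.search(label):
        return "generic"
    return "named"


def triage(results: Dict[str, Optional[str]]) -> dict:
    """results maps vendor -> detection label; None means the engine was clean."""
    flagged = {v: l for v, l in results.items() if l}
    named = {v: l for v, l in flagged.items() if classify(l) == "named"}
    generic = {v: l for v, l in flagged.items() if classify(l) == "generic"}
    major_flagged = sorted(MAJOR_VENDORS & set(flagged))
    if not flagged:
        verdict = "clean"
    elif not named and not major_flagged:
        # Only generic labels from non-major engines: the pattern the thread
        # describes for an unsigned NSIS installer.
        verdict = "likely-false-positive"
    else:
        # A named family, or any major vendor flagging, means: look closer first.
        verdict = "investigate"
    return {"engines": len(results), "flagged": len(flagged), "named": named,
            "generic": generic, "major_flagged": major_flagged, "verdict": verdict}


# Constructed sample: the three labels quoted in the thread plus invented
# engines EngineA/EngineB (the real scan had 71 engines, not nine).
SAMPLE = {
    "Google": "Detected", "Avast": "Win32:Malware-gen",
    "Microsoft": "Trojan:Win32/Suschil!rfn",
    "Bitdefender": None, "ESET": None, "Kaspersky": None, "Malwarebytes": None,
    "EngineA": "Generic.Trojan.Heur.1", "EngineB": "AI.Malware",
}
```

Calling triage(SAMPLE) yields "investigate" because Microsoft (a major vendor) reports a named label; with the Microsoft entry set to None the same listing drops to "likely-false-positive".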

tbm72

Sorry to keep coming back to this but I downloaded the installer from your site and scanned it with Windows default Microsoft Defender.

Windows won't let me run it saying it found this threat and marked it as severe:

Trojan:Win32/Suschil!rfn

Do you know why it shows that alert? (this isn't VirusTotal but Windows Defender)

azslow3

Ok... I have re-compiled and re-uploaded. At least on my VM, Defender lets it run.

BTW: Trojan:Win32/Suschil!rfn is an MS heuristic (as easily seen in Google).

And yes, the situation is getting worse every year. I guess certificate sales are not so good, so they raise the "severity" of unsigned executables.

In fact, as you can see in the VirusTotal details, they check DEEPLY what the file is doing. And they have NOT found anything unusual (that is an installer, which unpacks temporary files, installs at the final place, registers the DLL, registers the uninstaller).
So, they do a complete check, find nothing suspicious, but still declare the file as malware just because it is not signed :)

Defender has a list of "stamps" for known malware. But they don't check what these stamps really are... as soon as the stamp is in common code (NSIS installer, GCC compiler, etc.), any package based on the same code is declared "malware".

That is what I was writing at the beginning: "a man in black hoses has committed a crime -> all people in black hoses are criminals" is not an allowed declaration, "malware software was compiled by GCC v 5.xxx -> all software compiled by GCC v 5.xxx is malware" IS allowed. It is over my head why that is still allowed; the problem has been known for more than a decade.

tbm72

Thanks so much Alexey for your quick response and for fixing the Defender issue. I've just installed it with no problems now! I know that there's nothing harmful in your software and it's just Windows being over-protective, but I just wanted to be 100% safe on my new PC!

I sent a small donation just to say thanks for your help (wish I could give you more). I really appreciate the help you give the community and thank you for providing AZ Controller!