Your Shiny New Product and Reputation-Based Security

A few days ago a participant of our non-commercial licensing program wrote in:

Some people have also told me that the installer has been caught by their antivirus product, as it’s new and hasn’t been seen by many of their customers so far.

“No, not again,” thought I.

Back in 2010, we went through a spike in false-positive virus detections reported by end users of Java applications optimized and packaged with Excelsior JET. Sometimes our product itself was categorized as malware.

One of the main reasons was our use of LZMA for compression. Not only does the LZMA algorithm deliver very good compression ratios, but the LZMA SDK is also in the public domain and is hence used in several setup authoring tools. Unfortunately, for the same reasons LZMA is also popular among malware authors, so the inclusion of its implementation in virus signature databases was inevitable.

Since then, we have been reporting such incidents to antimalware vendors and participating in their whitelist programs. That does not always help, especially if end users do not update their virus definitions, but the situation has improved substantially.

However, it turned out that the problem has another facet: reputation-based security.

As usual, I suggested that the author upload his installer to VirusTotal to see which scanners would raise an alert. Here is what he had to report:

I’ve just uploaded the file and it’s actually passed all 39 packages! On further investigation the reports I’ve been getting appear to be mainly related to Norton and its reputation-based assessment. Being a new app that it hasn’t seen before, it understandably has some concerns. I’ve signed up to Tucows (as recommended on your site) so I can purchase a signing certificate and I’m also submitting my website for evaluation by Norton. So hopefully these two will give enough credibility to not get caught in the future.
I can imagine a lot of small developers could be caught by the reputation-based checks now.

If you are in the same boat (your domain is fresh, your Web site is new, and so on), you had better take preventive measures before your first product hits v1.0. Specifically, sign your executables and installers, and register with the major antimalware vendors that track website and file reputation before someone reports yours as a threat.
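A release gate for the signing advice above, added here as an example and not part of the original post or of Excelsior JET: it uses PowerShell's Get-AuthenticodeSignature to block a build whose installers or executables are unsigned, invalidly signed, or not timestamped. The release directory path and the artifact types are assumptions.

```powershell
# Added example (not from the original post): refuse to ship any artifact that is
# unsigned, carries a broken signature, or lacks a trusted timestamp.
param(
    [string]$ReleaseDir = ".\release"   # assumed location of the build output
)

# Assumed artifact types; adjust to what your installer toolchain actually emits.
$artifacts = Get-ChildItem -Path $ReleaseDir -Recurse -Include *.exe, *.msi, *.dll
$problems = @()

foreach ($file in $artifacts) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, UnknownError, etc. all block the release
        $problems += "{0}: {1} ({2})" -f $file.Name, $sig.Status, $sig.StatusMessage
        continue
    }

    # A signature without a timestamp stops verifying once the code-signing
    # certificate expires, so a timestamp is required as well.
    if (-not $sig.TimeStamperCertificate) {
        $problems += "{0}: signed but not timestamped" -f $file.Name
        continue
    }

    # Show who signed it so a test or wrong certificate is noticed before release.
    "{0}: OK, signed by {1}, certificate expires {2:yyyy-MM-dd}" -f `
        $file.Name, $sig.SignerCertificate.Subject, $sig.SignerCertificate.NotAfter
}

if ($problems.Count -gt 0) {
    Write-Error ("Release blocked:`n" + ($problems -join "`n"))
    exit 1
}
"All {0} artifacts are signed and timestamped." -f $artifacts.Count
```

Run it as the last step of the build so an unsigned installer never reaches the download page in the first place.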
