Carlos' concerns about false positives of AntiVirus software in his recent thread ... make me write some sentences about the VirusTotal links of CONVERTCP.
- I wrote the code and hence I already know that the program isn't malicious. Users that don't trust me can read the source code and compile it on their own. But there are plenty of people who neither understand the code nor are able to compile it. They have no other chance than using the uploaded binaries. However, the only result of the VirusTotal scans in this case is to see if some engines report a false positive for a harmless program.
- I discovered some possibilities how to avoid false positives. Adding extended file properties is one, having plain-text sequences in the binary file is another, also changing variable types to those with a higher width works every now and then *). I could have signed the tool using a bought certificate. But firstly I'm not willing to spend money for a certificate and secondly I don't understand the sense in terms of AV perception. Even malware could have been signed that way.
- In the end VirusTotal is more of a service to test the AV engines. And in case of CONVERTCP it's a service to test the engines against false positives. Don't rely on VirusTotal if you don't trust me.
The reason why I do the tests on VirusTotal is because I want to get an idea of how many times the users will be bothered by their antivirus software. If it'll be too many times then I'll try to write the source code in a slightly different way and try again.
So you are wondering why I always post the links? Um ... because I want to wrap you up in a warm and fluffy blanket? Haha, no that's not the reason. As I said - I didn't use code signing. The actual purpose of code signing would have been to confirm that I'm the author and that the tool wasn't changed when you downloaded it. The links point to the analysis sites where I uploaded the binaries. That means if you upload the tool to VirusTotal and you get redirected to the same site then you know you got the unchanged tool where I'm the author. Thus, it's just to make it easy for you to validate your downloads.
It might be worth holding on a second at that point. The techniques I was talking about don't change the behavior of the program in any way. They don't make a malicious program harmless and they don't make a harmless program malicious. They just make a nervous AV calm down in that case. If I can use these techniques to avoid false positives what about developers of malware? Wouldn't they be able to prevent their malicious programs from being detected to a certain extent? If you think about that how much do you still trust AV software? By far the best Antivirus is that between chair and keyboard! No 3rd party AV will ever help if you thoughtlessly click on any available link or email attachment, if you download programs from suspicious sites, if you always choose the "default" installation or you click on "Next" without reading what it means ...
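The download check described above can also be done locally without re-uploading, because a VirusTotal file-report link carries the file's SHA-256 in its URL. The following is an added example, not part of the original post or of CONVERTCP; the function names are hypothetical and the sample file is constructed.

```python
import hashlib
import hmac
import os
import re
from urllib.parse import urlparse

# A SHA-256 digest is 64 hex characters; VirusTotal report links contain it
# as one URL segment (e.g. /gui/file/<sha256>/detection).
SHA256_SEGMENT = re.compile(r"[0-9a-fA-F]{64}")

def sha256_from_vt_link(link):
    """Extract the SHA-256 embedded in a VirusTotal file-report link."""
    parsed = urlparse(link)
    host = (parsed.hostname or "").lower()
    if host != "virustotal.com" and not host.endswith(".virustotal.com"):
        raise ValueError("not a VirusTotal link: %r" % link)
    # Some older links keep the route in the fragment (#/file/<sha256>/...).
    segments = parsed.path.split("/") + parsed.fragment.split("/")
    hashes = {s.lower() for s in segments if SHA256_SEGMENT.fullmatch(s)}
    if len(hashes) != 1:
        raise ValueError("expected exactly one SHA-256 in link: %r" % link)
    return hashes.pop()

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def matches_published_scan(path, link):
    """True if the local file is byte-identical to the one behind the link."""
    return hmac.compare_digest(sha256_of_file(path), sha256_from_vt_link(link))

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a throwaway file and a link built from its own hash.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample bytes, not the real binary")
    link = "https://www.virustotal.com/gui/file/%s/detection" % sha256_of_file(tmp.name)
    print("unchanged:", matches_published_scan(tmp.name, link))
    with open(tmp.name, "ab") as fh:
        fh.write(b"\x00")  # simulate a modified download
    print("after tampering:", matches_published_scan(tmp.name, link))
    os.unlink(tmp.name)
```

A match only shows that the download is the same file the link refers to; the link itself still has to come from a place where the author actually posted it.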