BitDefender did something quite worrying the other day

mikeymikec

Lifer
May 19, 2011
I was installing a wireless adapter on a customer's computer the other day, and I went here to download the driver:

https://www.netgear.com/support/product/A6210 - Software Version 1.0.0.36 (Supports Win10)

I downloaded the current version of the software (1.0.0.36), unzipped the file, and ran the standalone driver install program. It installed the driver and the adapter started to work.

Then BitDefender deleted/quarantined the standalone driver installer and threw up a warning saying it was infected with a virus.

In case anyone misses the point: A program that the anti-malware scanner considered as dodgy was allowed to run (!), installed a driver (!!), was allowed to close normally, and then the anti-malware scanner tried to do its thing.

I strongly suspect that it's a false positive, but false positive or not, that's worrying behaviour from an anti-virus program that's supposedly scanning every file that gets read or written to the file system.
 

Mike64

Platinum Member
Apr 22, 2011
that's worrying behaviour from an anti-virus program that's supposedly scanning every file that gets read or written to the file system.
That would be true if the program worked only by scanning for malware code/signatures, but then it would also be useless against any number of possible exploits. Its "Active Virus Control" functionality (apparently) constantly scans for "malware-like behavior" and kicks up when that activity rises above some (presumed) tolerable threshold, however that "threshold" might be defined. But on the micro-level, there really is no clear "malware behavior" - it's not a "fault", it's an action performed by software you don't want performing that action in that context. (Kinda like the common definition of a "weed", as basically any plant you didn't plant yourself and don't want growing where it happened to sprout...;))

If it is in fact a false positive, which I agree seems very likely, it just means BD was a little hypersensitive in this specific instance. Or maybe "appropriately sensitive". That's really subjective and depends on one's tolerance for potential malware trouble versus the annoyance and inconvenience of false positives...
 

Billb2

Diamond Member
Mar 25, 2005
The driver may have been a trojan. When it threw the virus, BitDefender acted.
 

mikeymikec

Lifer
May 19, 2011
The driver may have been a trojan. When it threw the virus, BitDefender acted.

By deleting the original installer... nope. That makes no sense (as it would accomplish nothing). Disabling the driver, sure, but that didn't happen.

@Mike64

It didn't say "suspicious behaviour detected", it ID'd the malware.
 

DaveSimmons

Elite Member
Aug 12, 2001
By deleting the original installer... nope. That makes no sense (as it would accomplish nothing). Disabling the driver, sure, but that didn't happen.

@Mike64

It didn't say "suspicious behaviour detected", it ID'd the malware.

It displayed some kind of ID, but that ID might just name the set of rules for identifying the suspicious behavior. What is the exact ID, and what's the link to a description of the possible malware?

This may still be a false positive, especially for network software. It connects to the LAN and web, that triggers some over-aggressive rule, bitdefender acts.

A college student contacted us at work a few months ago. He was scanning online installs for a class project and the online malware scanner he used detected "malware" in a 7-year-old patch for one of our applications that he found online. It was not infected: the zip and contents exactly matched the version I pulled from our archive (comparing hashes), and up-to-date Windows Defender scanned it as clean. The online scanner's ID was one of the heuristics-based ones, i.e. it was just guessing. And guessing wrong.
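The check Dave describes (a downloaded zip compared hash-for-hash against an archived known-good copy) as an added example, not code from anyone in this thread. It hashes every entry inside both archives without extracting them, then hashes the whole files too, since identical members can still sit in a zip whose metadata differs. The two paths are placeholders; the "reference" copy is assumed to be one you trust, e.g. the copy you archived when the package was first published.

```powershell
# Added example, not from the thread. Compares two copies of a zip archive
# entry by entry using SHA-256, plus the whole-file hash of each archive.
# Paths below are placeholders; the reference copy is assumed known-good.
Add-Type -AssemblyName System.IO.Compression.FileSystem   # needed on Windows PowerShell 5.1

function Get-ZipEntryHashes {
    param([Parameter(Mandatory)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $hashes = @{}
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName.EndsWith('/')) { continue }   # directory entry, nothing to hash
            $stream = $entry.Open()                            # decompressed, non-seekable stream
            try {
                $hashes[$entry.FullName] = ($sha.ComputeHash($stream) |
                    ForEach-Object { $_.ToString('x2') }) -join ''
            } finally { $stream.Dispose() }
        }
        return $hashes
    } finally {
        $zip.Dispose()
        $sha.Dispose()
    }
}

function Compare-ZipByHash {
    param(
        [Parameter(Mandatory)][string]$Reference,   # archived copy you trust
        [Parameter(Mandatory)][string]$Candidate    # freshly downloaded copy
    )
    $ref  = Get-ZipEntryHashes -Path $Reference
    $cand = Get-ZipEntryHashes -Path $Candidate

    # One row per entry name seen in either archive.
    foreach ($name in (@($ref.Keys) + @($cand.Keys) | Sort-Object -Unique)) {
        $status = if (-not $cand.ContainsKey($name))  { 'Missing' }    # in reference only
                  elseif (-not $ref.ContainsKey($name)) { 'Extra' }    # in download only
                  elseif ($ref[$name] -ne $cand[$name]) { 'Modified' } # same name, different bytes
                  else                                  { 'Match' }
        [pscustomobject]@{ Entry = $name; Status = $status; Reference = $ref[$name]; Candidate = $cand[$name] }
    }

    # Whole-file row: entries can all match while the container itself differs.
    $refWhole  = (Get-FileHash -LiteralPath $Reference -Algorithm SHA256).Hash.ToLower()
    $candWhole = (Get-FileHash -LiteralPath $Candidate -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        Entry     = '<whole file>'
        Status    = if ($refWhole -eq $candWhole) { 'Match' } else { 'Modified' }
        Reference = $refWhole
        Candidate = $candWhole
    }
}

# Usage (placeholder paths):
$report = Compare-ZipByHash -Reference 'C:\archive\driver-package.zip' `
                            -Candidate "$env:USERPROFILE\Downloads\driver-package.zip"
$report | Format-Table -AutoSize
if ($report.Status -ne 'Match') { Write-Warning 'Download differs from the archived copy; do not run it.' }
```

If every entry reports Match but the whole-file row reports Modified, the payload is the same and only the container (timestamps, ordering, compression level) changed, which is still worth knowing but is not the tampering case this thread is about.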
 

Mike64

Platinum Member
Apr 22, 2011
It didn't say "suspicious behaviour detected", it ID'd the malware.
Do you in fact know that BD kicks up a differently phrased "alert" when its "Active Virus Control" functionality is triggered, versus finding code/signature-based evidence of malware? Every time I've had to deal with an AV program's false positive (as confirmed either by the AV manufacturer or the relevant program's publisher), the AV program has simply announced - with great apparent assurance - that "ABC" executable file is the source of "XYZ 'malware' " when in fact it was no such thing at all.

And if it's not in fact "malware" then your basic premise itself - that because it was identified "as malware", there must be code-based evidence that it is malware rather than that it seemed to "behave like malware" - is flawed. Everything else aside, good old "Occam's Razor" strongly suggests that it's an overreactive heuristics analysis rather than that some bad actor went to the trouble to, and succeeded in, planting some really sneaky zero-day exploit into the installer for a driver for a consumer-oriented USB wifi adapter on Netgear's own website and/or that Bitdefender is so badly flawed that it missed obvious malware until the very last moment...
 

DaveSimmons

Elite Member
Aug 12, 2001
AV programs have also deleted stock, unmodified Windows system files multiple times in the past, after being "sure" they were malware.
 

mikeymikec

Lifer
May 19, 2011
Do you in fact know that BD kicks up a differently phrased "alert" when its "Active Virus Control" functionality is triggered, versus finding code/signature-based evidence of malware? Every time I've had to deal with an AV program's false positive (as confirmed either by the AV manufacturer or the relevant program's publisher), the AV program has simply announced - with great apparent assurance - that "ABC" executable file is the source of "XYZ 'malware' " when in fact it was no such thing at all.

Yes, that's the nature of a false positive you've described. So?

It displayed some kind of ID, but that ID might just name the set of rules for identifying the suspicious behavior. What is the exact ID, and what's the link to a description to the possible malware?

I didn't take it down, sorry. The computer was an Atom-type Pentium and had already taken about half an hour longer than one of my builds normally would to install a wifi driver, and I was starting to get impatient :)
 

Mike64

Platinum Member
Apr 22, 2011
Yes, that's the nature of a false positive you've described. So?
So... the message you saw doesn't necessarily mean it found actual code that's the same as or similar to XYZ malware's code. If its heuristics engine saw some amount of "behavior" its reference data suggests correlates to XYZ, it would give the same message.
 

Ketchup

Elite Member
Sep 1, 2002
I see people saying malware (a general term) but mikeymikec said virus, much more specific, and a little less likely to be wrong (a little).

As to why it wasn't detected at first, it's probably because it was in the compressed file. Most malware detectors don't look inside compressed files, by default, unless you are doing a scan (for the sake of speed). And even then most don't look inside for a full scan unless you tell it to.

Did the driver, by chance, give you a warning about not being digitally signed when you installed it? I remember Netgear drivers doing that a lot, but that was years ago.
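Ketchup's two points (the scanner not looking inside the zip, and driver packages that warn about signing) both come down to one check you can do yourself before running anything: extract the package and look at the Authenticode status of every executable, DLL, driver and catalog in it. This is an added example, not code from the thread or from Netgear; the package path is a placeholder, and the file extensions it inspects are my choice.

```powershell
# Added example, not from the thread. Extracts a driver package to a temp
# folder and reports the Authenticode signature status and SHA-256 of each
# signable file. Package path is a placeholder.
function Test-DriverPackageSignatures {
    param([Parameter(Mandatory)][string]$Package)

    $work = Join-Path ([System.IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
    Expand-Archive -LiteralPath $Package -DestinationPath $work -Force

    # Extensions chosen here: installer/exe, libraries, kernel drivers, catalogs, MSI.
    # A .sys or .inf may show NotSigned while still being covered by the package's
    # .cat file, so judge the .cat and the installer .exe first.
    Get-ChildItem -Path $work -Recurse -File -Include *.exe, *.dll, *.sys, *.cat, *.msi |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName.Substring($work.Length + 1)
                Status = $sig.Status                      # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            }
        }
}

# Usage (placeholder path):
$files = Test-DriverPackageSignatures -Package "$env:USERPROFILE\Downloads\driver-package.zip"
$files | Format-Table -AutoSize

# Refuse to run an installer whose signature is missing, broken or untrusted.
$badInstallers = $files | Where-Object { $_.File -like '*.exe' -and $_.Status -ne 'Valid' }
if ($badInstallers) {
    Write-Warning ("Installer(s) without a valid signature: " + ($badInstallers.File -join ', '))
}
```

HashMismatch is the interesting status: it means the file carries a signature block but the bytes no longer match it, which is exactly what a tampered installer looks like. NotSigned on the .exe tells you nothing either way about malware, only that the vendor gave you no way to tell.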