UltraVNC vs. Microsoft Forefront

[maser]

Hi all...

I run UltraVNC on two of my digital sign kiosks so I can control them with Apple Remote Desktop.

We moved our Windows Anti-Virus product that we licensed from McAfee VirusScan to Microsoft Forefront. At some time in the recent past, Forefront is now complaining that the UltraVNC installer (1.0.9.6.1 -- but also 1.0.9.5) -- are "potentially unwanted programs".

Is there some way that the devs can contact Microsoft about this to get the UltraVNC programs put on a white list?

[B]

Actually, you're their customer, so feel free to report the false positives at http://www.microsoft.com/security/porta ... dorFP.aspx

Rudi properly signs his executables so I'm not sure what other Microsoft-sucking actions would be required to avoid their incorrect reporting.

(As a side note, if you're the only one updating these kiosks, why do you need antivirus?)

[maser]

I'll report the false positives. I think this has been a recent change in Forefront as when we installed it a while back, it didn't complain about 1.0.9.5 that I had installed (but it complains about the 1.0.9.5 installer I have...)

As to why do I need it? That's probably a good question, but it's just something we put on all the Windows machines as a practice.

[maser]

Just FYI...

This is the reply I got when I filed the false positive:

Thank you for your recent inquiry regarding a potential false positive. Please note that this mailbox is actively monitored, but due to the volume of inquiries we cannot send individual replies when the issue has not been raised by the software vendor affected.



I don't know if that means that because I'm not the software vendor, it's not looked at more rapidly. Or if it just means I will never get another reply from Microsoft about this...

[B]

Sounds like the typical "screw you, just wait" response typical of Microsoft and many other big companies.

But they do make it sound as if there might be a faster response if the UltraVNC team (which as far as I know is really just Rudi) contacted them.

Thanks for following up. Good luck.

[maser]

As of today (8-25), Forefront still complains about the 1.0.9.6.1 installer.

Maybe it might get more action if you contacted them about it?

[B]

Rudi, if you're listening, please consider maser's request.

Honestly, though, their classification isn't inaccurate. Like ANY remote control program, UltraVNC is "potentially unwanted" if the user isn't expecting that functionality.

For kicks I just ran the file through the multi-engine scanners at Jotti and VirusTotal, and here's what they report:

[Ikarus]
2011-08-15 not-a-virus:RemoteAdmin.Win32.WinVNC
[Kaspersky Anti-Virus]
2011-08-15 not-a-virus:RemoteAdmin.Win32.WinVNC.kq
[Dr.Web]
2011-08-15 Program.RemoteAdmin.418
[Emsisoft Anti-Malware]
2011-08-15 Riskware.RemoteAdmin.Win32.WinVNC!IK


Emsisoft 5.1.0.10 2011.08.25 Riskware.RemoteAdmin.Win32.WinVNC!IK
Ikarus T3.1.1.107.0 2011.08.25 not-a-virus:RemoteAdmin.Win32.WinVNC
Kaspersky 9.0.0.837 2011.08.25 not-a-virus:RemoteAdmin.Win32.WinVNC.kq
Microsoft 1.7604 2011.08.25 RemoteAccess:Win32/UltraVNC

MOST of the engines do NOT flag the file at all, but I can still see the point in flagging it as a remote control vehicle. It's a judgment call.

But I guess traditionally they HAVE all whitelisted it?

Come to think of it, I first found the original AT&T VNC when I was looking for a free remote control program that wasn't picked up as a virus like BackOrifice was.

So yeah, I think Rudi et al. should report the unwelcome false positive / bad classification.

[maser]

by any chance -- is there any way to find out if "Rudi, et. al", reported this issue?

I don't (personally) have Microsoft Premiere Support to open a ticket (somebody probably does around here, but it's next to impossible to find out who actually has that ability) and I'd rather not be charged anything to call them to file a request to have them reconsider a false positive report.

[B]

Sure, you could PM him right here. I can't promise he'll respond though. User is Rudi De Vos.

[supercoe]

Or you could just change your practice and not install crappy AV software.

[B]

I wonder if MS Security Essentials is doing this too.

[supercoe]

I didn't notice this on the new UltraVNC_1.0.9.6.1_Setup.exe but I did get this the other day.

Category: Remote Control Software

Description: This program has potentially unwanted behavior.

Recommended action: Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:\Users\ThaChunk\Desktop\ChunkVNC Dev\UltraVNC_1.0.9.4_update.exe

Get more information about this item online.

[B]

Gotta love these guys. I was just start buying into the conventional wisdom about how Security Essentials is finally a good antimalware product from Microsoft, and that it's lighter weight, etc. And yet personally I've seen it weird out (refuse to update, among other things) on several different machines.

The truth is there is no such thing as a good antimalware product. (And these kind of sorta-false-positives are just unavoidable.) I would say VNC developers should just live with the "potentially unwanted" label, but.... the other AVs aren't complaining!

[supercoe]

Don't kick it out the door yet, MSE is the best AV that I've seen and I thoroughly hate AV software. The only reason I have it on this machine at all is because I use it as a tool to scan customer hard drives.
Like I said it didn't detect the new executable and by default it enrolls you into Microsoft SpyNet so they can see what default actions (in my case allow) people take.

[maser]

You aren't seeing this with the 1.0.9.6.1_setup.exe?

I just tried it again -- with the 9/19 definitions for Forefront -- and it's still flagging the installer as a "medium" alert.

And Forefront is just the enterprise version of MSE -- it's otherwise identical (or at least it should be...)

[supercoe]

maser,

It's possible I may have allowed the setup files before but both UltraVNC_1.0.9.6.1_Setup.exe and UltraVNC_1.0.9.6.1_x64_Setup.exe downloads are not being detected for me now with Security Essentials.

[B]

Unfortunately, independently CONFIRMED at VirusTotal. An IDIOT user there even tagged UltraVNC as "malware" !! I posted a rebuttal.

File name:
UltraVNC_1.0.9.6.1_Setup.exe
Submission date:
2011-09-19 17:01:40 (UTC)
Current status:
queued queued analysing finished
Result:
3/ 44 (6.8%)

VT Community

malware
Safety score: 0.0%
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.09.19.00 2011.09.19 -
AntiVir 7.11.14.233 2011.09.19 -
Antiy-AVL 2.0.3.7 2011.09.19 -
Avast 4.8.1351.0 2011.09.18 -
Avast5 5.0.677.0 2011.09.18 -
AVG 10.0.0.1190 2011.09.19 -
BitDefender 7.2 2011.09.19 -
ByteHero 1.0.0.1 2011.09.13 -
CAT-QuickHeal 11.00 2011.09.19 -
ClamAV 0.97.0.0 2011.09.19 -
Commtouch 5.3.2.6 2011.09.19 -
Comodo 10170 2011.09.19 -
DrWeb 5.0.2.03300 2011.09.19 -
Emsisoft 5.1.0.11 2011.09.19 -
eSafe 7.0.17.0 2011.09.19 -
eTrust-Vet 36.1.8568 2011.09.19 -
F-Prot 4.6.2.117 2011.09.19 -
F-Secure 9.0.16440.0 2011.09.19 -
Fortinet 4.3.370.0 2011.09.19 -
GData 22 2011.09.19 -
Ikarus T3.1.1.107.0 2011.09.19 -
Jiangmin 13.0.900 2011.09.19 -
K7AntiVirus 9.113.5160 2011.09.19 -
Kaspersky 9.0.0.837 2011.09.19 not-a-virus:RemoteAdmin.Win32.WinVNC.kq
McAfee 5.400.0.1158 2011.09.19 -
McAfee-GW-Edition 2010.1D 2011.09.19 -
Microsoft 1.7604 2011.09.19 RemoteAccess:Win32/UltraVNC
NOD32 6476 2011.09.19 -
Norman 6.07.11 2011.09.19 -
nProtect 2011-09-19.01 2011.09.19 -
Panda 10.0.3.5 2011.09.19 -
PCTools 8.0.0.5 2011.09.19 -
Prevx 3.0 2011.09.19 -
Rising 23.76.00.03 2011.09.19 -
Sophos 4.69.0 2011.09.19 -
SUPERAntiSpyware 4.40.0.1006 2011.09.19 -
Symantec 20111.2.0.82 2011.09.19 -
TheHacker 6.7.0.1.300 2011.09.19 -
TrendMicro 9.500.0.1008 2011.09.19 -
TrendMicro-HouseCall 9.500.0.1008 2011.09.19 -
VBA32 3.12.16.4 2011.09.19 -
VIPRE 10523 2011.09.19 -
ViRobot 2011.9.19.4676 2011.09.19 RemoteApp.WinVNC.2291768
VirusBuster 14.0.221.0 2011.09.19 -
Additional information
Show all
MD5 : cd2b75598f37ca33c4bb3a4abd5b2270
SHA1 : 58957a07ccfa37c839ab2c238b53149551b53a7c
SHA256: e27852df7cc05c97f55d901bdf69e45ea1aebffd18a3cace41d88c0f5ff96c3b
ssdeep: 49152:OjM5lvcI19oeDjxakm244yRjTXkHtFNJ1xZsJPcBM:NZ19oAjXf4/RjTctvxKJPc+
File size : 2291768 bytes
First seen: 2011-06-06 18:38:37
Last seen : 2011-09-19 17:01:40
TrID:
Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE structure information


VT Community

1

User:
Xylitol
Reputation:
13214 credits
Comment date:
2011-08-30 09:45:52 (UTC)
Tags: Malware, winvnc, ultravnc, remoteapp

Was this comment helpful? Yes (0) | No (0) | Report abuse Reported as abuseful

He or she has tagged UltraVNC as "malware", which is untrue and ridiculous. As accurately reported by your virus engines, it is a remote control tool with a LONG and reputable development history. It's open source and based on the original AT&T / Bell Labs VNC project.

It is completely irresponsible on "Xylitol's" part to label it "malware". This comment should not stand.

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 1 VT Community user(s) with a total of 13214 reputation credit(s) say(s) this sample is malware.

[supercoe]

Solution:
Don't use the installer, use the bins until Forefront can come to its senses about this software. The server executable is not detected as a threat.
Fill out the false report form. http://www.microsoft.com/security/porta ... pform.aspx


Even funnier, Antiy-AVL and VIPRE will detect an unmodified winvnc.exe as VNC software (nothing bad) but won't detect my modified winvnc.exe that I use in ChunkVNC.
Kaspersky always seems to detect it as "not-a-virus:RemoteAdmin.Win32.WinVNC.kq"

[B]

So Antiy-AVL and VIPRE (whoever they are) can't even detect a "reshacked" version of a remote control app that they otherwise consider worth flagging? That's pretty bad, if to be expected -- the antivirus software industry has ALWAYS has sucked.

Yeah, Kaspersky is about the best there is. Out of everything, I have had the most luck with their freebie disinfector when trying to help out badly infected people. (This happened twice on systems already "protected" by Microsoft's mediocre AV.)

[OSEOS]

I have had many problems with AV software, not just with uVNC but many other well known and very safe programs too.
Mcafee is the worst for false reports, they even have codes for unknown definitions. I get these for my php scripts just purely because it does not understand what they are.
I found that nod32 is one the easiest to deal with as it has a very simple exclusion section so you can just ignore the files you know are safe. I use this with Malwarebytes and Mamutu and they would definitely let me know if something was really going to be a problem to my security.
Half of the AV companies on Virustotal I have never heard of, are they really any good and should they be listened to? The unknown companies always seen to spit out warnings about everything that behaves even a little bit suspicious.

[aegrotatio]

I wonder if MS Security Essentials is doing this too.

Yes, MS Security Essentials is reporting the same thing. I have never used MS Forefront but I know for a fact that MS Security Essentials is directly derived from Forefront. Whether they use the same definitions files or not I cannot say.