Nirsoft publishes antivirus list of shame

Martin Brinkmann
Oct 19, 2015

If you are using tools from Nirsoft, and you should if you are running a flavor of Windows on a machine, then you may have run into issues before when an antivirus solution notified you that the program you were about to run was malicious in nature.

Nirsoft has been fighting with false positives for a long time, and I can only imagine how many support requests Nir Sofer gets about that.

What makes this even worse for him is that companies may blacklist his website or pages on it because of these false positives.

Google's SafeBrowsing service for instance blocked Nirsoft tools from being downloaded in 2014, and since it is being used by Chrome, Firefox and other browsers, it was certainly devastating at that time for Nirsoft.

Nir Sofer tried to make changes to some of the programs but the result, as of today, is still the same. He then decided to create a report about the issue by scanning all of his programs on Virustotal and ranking antivirus engines based on false positives.

Virustotal scans files that you upload to the service against 56 different antivirus engines. The ranking calculation is simple: each antivirus engine starts with a score of 100 points, and points are deducted for every alert. The size of the deduction depends on the kind of alert: a generic or heuristic warning costs fewer points than an alert that claims the file contains specific malicious code.
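To make the scoring scheme concrete, here is an added example (not Nir Sofer's own script, and not code from the article) that applies the described rules to a constructed set of scan reports. The article gives only the structure of the calculation, so the penalty weights, the heuristic that decides whether a verdict is "generic", the engine names and the verdict strings are all assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

START_SCORE = 100.0

# Assumed penalty weights: the article says a generic alert costs fewer points
# than one naming specific malicious code, but gives no numbers; these are mine.
PENALTY = {"generic": 0.5, "specific": 1.5}

# Assumed heuristic: verdict tokens that mark a generic/heuristic detection
# rather than a named malware family.
GENERIC_MARKERS = frozenset({
    "generic", "gen", "heur", "heuristic", "suspicious", "riskware",
    "risktool", "hacktool", "pua", "pup", "unsafe", "malicious",
})


def classify_alert(verdict: str) -> str:
    """Return 'generic' or 'specific' for an engine's verdict string."""
    tokens = re.split(r"[^a-z0-9]+", verdict.lower())
    return "generic" if any(t in GENERIC_MARKERS for t in tokens) else "specific"


# Constructed sample: one scan report per file, verdict per engine (None = clean).
SAMPLE_SCANS: Dict[str, Dict[str, Optional[str]]] = {
    "tool_a.exe": {"EngineA": None, "EngineB": "Gen:Variant.Application.Tool",
                   "EngineC": "Trojan.Win32.Agent.abc", "EngineD": "HackTool.PassView"},
    "tool_b.exe": {"EngineA": None, "EngineB": None,
                   "EngineC": "Trojan.PSW.Win32.Stealer", "EngineD": "Trojan.PSW.Win32.Stealer"},
    "tool_c.exe": {"EngineA": None, "EngineB": "Suspicious.Cloud.7",
                   "EngineC": None, "EngineD": "PUA.Tool"},
    "tool_d.exe": {"EngineA": None, "EngineB": None,
                   "EngineC": "Trojan.Spy.Win32.Zbot", "EngineD": "Trojan.Spy.Win32.Zbot"},
}


def rank_engines(scans: Dict[str, Dict[str, Optional[str]]],
                 penalty: Dict[str, float] = PENALTY,
                 start: float = START_SCORE) -> List[Tuple[str, float, int]]:
    """Score every engine (start minus penalties) and return (engine, score, alerts)
    sorted best first. There is no floor, so a noisy engine can go negative."""
    totals: Dict[str, List[float]] = {}
    for results in scans.values():
        for engine, verdict in results.items():
            entry = totals.setdefault(engine, [start, 0])
            if verdict is None:
                continue  # clean verdict: no deduction
            entry[0] -= penalty[classify_alert(verdict)]
            entry[1] += 1
    ranking = [(engine, score, int(alerts)) for engine, (score, alerts) in totals.items()]
    return sorted(ranking, key=lambda row: (-row[1], row[0]))


def perfect_engines(scans: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Engines that raised no alert at all, i.e. kept the full starting score."""
    return [engine for engine, _, alerts in rank_engines(scans) if alerts == 0]


if __name__ == "__main__":
    for engine, score, alerts in rank_engines(SAMPLE_SCANS):
        print(f"{engine:<10} score={score:>7.1f} alerts={alerts}")
    print("perfect:", perfect_engines(SAMPLE_SCANS))
```

Because the deduction is never floored at zero, an engine that fires on nearly every file of a large catalog can end well below zero, which is how negative totals such as the ones reported in the article come about.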

The results

Only 12 of the 56 antivirus solutions did not report a single false positive while the remaining 44 antivirus engines did report at least one.

The engines with a perfect score are: AegisLab, Alibaba, ALYac, ByteHero, ClamAW, Emsisoft, Panda, Qihoo-360, Tencent, Total Defense, VBA32, Zoner.

Many popular antivirus solutions did not rank well. TrendMicro got a score of 67 and 24 alerts, Nod32 a score of 57 and 26 alerts, Symantec a score of 71 and 20 alerts, and Malwarebytes a score of 83 and 11 alerts.

Three antivirus engines ended the test with negative scores: Antiy-AVL with -6.5 points, TheHacker with -230.5 points and Bkav with -1280.5 points.

You can check the full listing over on the Nirsoft blog for additional details.

Conclusion

False positives are a big issue for Nirsoft, likely for other software developers as well, and for users on the Internet.

The ranking does not reflect how effective an antivirus engine is as a whole and one at least has to wonder whether the good placement of certain antivirus engines is due to them being really good at avoiding false positives or other factors.

Nirsoft could use the findings in several ways. First, by shaming companies that report false positives even though it is clear that Nirsoft programs are not malicious in nature. Second, by informing security companies about the results in the hope that they will do something about it.

Considering that these companies had years to fine tune their engines, it seems unlikely that this is going to happen though.

Now You: What's your experience with false positives?


Comments

  1. Yamee said on June 28, 2016 at 2:49 pm
    Reply
  2. gentlemanplease said on May 12, 2016 at 9:40 pm
    Reply

    I’m pretty uninformed regarding pc, MS and AV. I thought Kapersky was the ultimate since its creator was ex-KGB. I simply adore Theremin and The Thing! I BOUGHT Symantec and thought it was the cat’s meow until Symantec pop-upped a message that said something like: ‘We could not stop the trojan from invading your pc.” Then Symantec listed erroneous information about what the trojan was and how to get rid of it. I was very disappointed. I reformatted my pc and never installed another AV. My latest infection came from Gunbroker.com and the trojan used all pc memory and slowed my pc down to a crawl. When I rebooted I received pop-ups from obscure magazines and fashion pics just as the pc shut down. I used a camera to video tape the process. Using this site I noticed a huge memory fill and a MS pop-up stating that I lost ghacks’ site. My pc froze. Gunbroker.com supposedly had a trojan that would replicate itself when boxed in or deleted.

  3. Jacob Lageveen said on December 15, 2015 at 5:57 am
    Reply

    And customers pay big money to use some of these virus scanners. And the best software is still free software like hitman pro.

  4. PJ in FL said on October 27, 2015 at 6:18 pm
    Reply

    There are some utilities from Nirsoft that could be misused by a malicious person (password viewers, etc.), but the tools themselves are harmless.

    That said, the “security uber alles” mindset is the rule of the day.

    Alas, it seems my company has now also blocked Nirsoft.net, a recent development but not surprising…..

  5. chesscanoe said on October 20, 2015 at 7:44 pm
    Reply

    Windows Defender under Windows 10 caught a q-dir problem that looks valid to me.
    {I replaced user info with xxxxx.}
    __________________________________________
    Category: Trojan

    Description: This program is dangerous and executes commands from an attacker.

    Recommended action: Remove this software immediately.

    Items:
    file:C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{314D9BA4-7AFC-407D-8F39-79B1192135E4}-Q-Dir_Installer_x64 (3).zip
    file:C:\Users\xxxxx\Downloads\Q-Dir_Installer_x64 (3).zip

  6. Decent60 said on October 20, 2015 at 12:39 am
    Reply

    Bkav had a mighty score of -1280.5 xD

    TBH, in a way, false-positives are great because they are seeing the program has characteristics that a virus could have.
    However, after this many years, major companies should have reviewed the software, found it to be fine and added it to a white list by now….

  7. webfork said on October 19, 2015 at 10:15 pm
    Reply

    Stories like this make me wonder if antivirus companies are unintentionally pushing the idea of an app store on Windows so that programs have a vetting process and can’t get viruses. This idea is of course littered with problems, among them a false sense of security as you hear about programs that squeeze through the analysis and cause problems for users.

    Regardless, Nirsoft has been doing some excellent work for free for many years and constantly adding to a useful catalog of tools. Although he could easily include adware/bundleware and undoubtedly make some cash, it remains free. Not only that, but the list of programs he’s giving away continues to grow over time. He’s doing a public service, as are many freeware developers. Thanks for highlighting this.

    In the mean time, users can combat this phenomenon by checking programs on VirusTotal to see if the threat is real or the result of a lazy/underfunded antivirus program.

  8. Roman Podolyan said on October 19, 2015 at 7:43 pm
    Reply

    False positives and problems with overriding them were the first main reason why I stopped using any proactive antivirus where it was not enforced by the company I’m working with, since 2009. It was not only about Nirsoft, other tools also, sometimes compiled myself with less-known tools.
    I use ClamWin sometimes and Virustotal where I have suspicions, but no proactive monitoring.
    The other reason was performance: with my habits I had more slowdowns with antiviruses than any good results.

    1. Abdul Hamid Malik said on October 19, 2015 at 9:35 pm
      Reply

      The same problem with very old Apps (from the everything-free era, before the birth of the virus), standalone; they are now blocked and cleared only after long discussion (AV programs have no such option of telling about false positives).

  9. Robert said on October 19, 2015 at 7:31 pm
    Reply

    My antivirus (Vipre) disinfects Nirsoft and also GPG4win. GPG4win has a hash that can be verified so ya I suspect false positives in both cases. I have to shut off my antivirus to use both of these handy programs.

  10. A different Martin said on October 19, 2015 at 6:26 pm
    Reply

    I use NirSoft tools from time to time. I keep them up to date (and often launch them) via WSCC (Windows Security Control Center). Avast used to flag certain NirSoft tools (and a couple of Sysinternals tools) every time I updated them, and I used to report them to Avast as false positives every time they got flagged. Avast has finally quit bugging me, but I don’t know if it’s because Avast listened to me or because I finally succeeded in excluding all of the locations the tools end up getting saved or copied to (the system-drive folder they get downloaded to, the clone-drive folder they get automatically synced to, the clone-drive folder old versions get backed up to, and the system-drive folder my backups get automatically synced to). I strongly suspect it’s the exclusions. I also periodically run on-demand scans with Malwarebytes Anti-Malware, and I had to set up exclusions on that, as well. The exclusion process is such a hassle — in Avast, I’m pretty sure there are separate lists for real-time detection and on-demand detection — that on other people’s systems, I don’t even bother with exclusions until I actually need one of the flagged tools. I just let Avast flag and zap the false-positive tools.

    (By the way, I uninstalled Avast’s “Web Shield” component quite some time ago, because I expect they’re going to market the resulting tracking data just like AVG has announced it’s going to do … that is, if Avast isn’t doing it already without telling anyone.)

  11. Leandro said on October 19, 2015 at 6:24 pm
    Reply

    Although I don’t use antivirus at all, this article is very interesting.
    I only install Kaspersky right before when I’m about to format C: and reinstall Windows (~ every 6 months).
    I haven’t seen a virus/trojan in almost a decade.
    Antivirus is a waste of resources if you ask me.
    Now for regular layman users it is something to consider.

  12. privacy rights said on October 19, 2015 at 4:10 pm
    Reply

    I’d rather have a false positive than a false negative.

  13. Steve said on October 19, 2015 at 3:39 pm
    Reply

    I got tired of the false positives and uninstalled my AV program. I use Windows Defender and an AntiMalware program that allows me to identify a program as a none threat permanently.

  14. Yuliya said on October 19, 2015 at 3:12 pm
    Reply

    “What’s your experience with false positives?”

    None, as of lately. I haven’t used any antivirus program for like three years, and the switch was for this very reason. However, I’m very cautious with what I install (read: I only download software from the official page and read what actually gets installed) and I also use a hosts file and filter in ABP which should block malware-related stuff. I never had any problem of any sort, be it having access restricted because of the said filters or any virus-related issue.

    However, I do not recommend this to anyone. Whenever I get asked by a friend about what av I use, I tell them either MSE or Avira, as I know they’re asking me what I use so they can do the same.

  15. Joker said on October 19, 2015 at 2:43 pm
    Reply

    Breaking: Antivirus-Programs considered snake-oil, news at 11.

  16. KnowCaller said on October 19, 2015 at 12:21 pm
    Reply

    Hahaha i am happy with kaspersky :D

  17. Dave said on October 19, 2015 at 10:38 am
    Reply

    I have Kaspersky and it claims the Nirsoft tools are threats but not viruses. It has a way to make exceptions, but it’s a rubbish way. I complained to them twice, and I got lengthy responses (not copy-pasted) but they failed to understand the problem. I concluded that the program is for computer newbies, not for people who know what they’re doing.

    That said, the engine is good. It’s just their front-end and additional mandatory tools that are poor.

    1. beachboui said on October 19, 2015 at 4:22 pm
      Reply

      “I complained to them twice, and I got lengthy responses (not copy-pasted) but they failed to understand the problem.”

      Then, you failed in your attempt to communicate the issue effectively. But, at least you tried. Points for that. ;-)

  18. anon said on October 19, 2015 at 10:36 am
    Reply

    Relying on antimalware is a mistake in the first place. I just use Windows Defender because I already have other measures in place and proactively try to avoid shady stuff.

  19. coco said on October 19, 2015 at 10:13 am
    Reply

    A very bad antivirus will discover nothing….and in this case will pass the test with success…
    I’d rather have some false positives among the true virus situations instead of having nothing ever…and getting infected…

    1. Martin Brinkmann said on October 19, 2015 at 10:23 am
      Reply

      The purpose of the test was not to convince users to switch to one of the engines that scored perfectly, but to raise awareness. No single test should stand on its own when it comes to selecting your antivirus solution, and this is no different from that.

  20. fakeuser said on October 19, 2015 at 9:46 am
    Reply

    This is nonsense… probably those antivirus solutions, the ones that score 100 points, do not detect the most basic pieces of malware on the web. Let me give a basic example:

    1. Create a piece of software that does nothing.
    2. Register that software as Antivirus

    Now you have 100 points on the Nirsoft scoreboard because… you are doing anything!!!

    I know that being detected as malware is a really bad thing for Nirsoft and other security tools but I learned how to deal with that… I prefer this situation over another where my nirsoft collection is safe but no malware is detected.

    1. Nebulus said on October 19, 2015 at 11:27 am
      Reply

      This is a false positive test, not a test of how well an AV detects a real threat. Of course that any program that does not have a detection function would score 100% on any FP tests :)

  21. Peter said on October 19, 2015 at 9:28 am
    Reply

    Wish he’d open source his programs, it would certainly resolve this issue.

    1. Nebulus said on October 19, 2015 at 11:25 am
      Reply

      Open sourcing the tools wouldn’t solve anything; he would still have to distribute some binaries, because not everyone can or want to compile a set of sources, and the binaries will still be flagged by the AV.

      1. Abdul Hamid Malik said on October 19, 2015 at 9:26 pm
        Reply

        Are nirsoft and sysinternals not collaborating; and sysinternals was taken-over or (else) by Microsoft?
        I have been an old fan of them both for a long time and have not had any problem from my AVs.
