Re: McAfee VirusScan vs Metasploit Framework v2.x

[Fyodor <fyodor () insecure org>]

On Fri, Dec 09, 2005 at 01:17:30PM -0600, H D Moore wrote:
> Looks like some overzealous idiot at McAfee added "Trojan" signatures for 
> 202 files in the latest version of the Metasploit Framework.

Hi HD.  I know the feeling! Their "VirusScan" have been improperly
labeling Nmap for years.  When naive users have their download blocked
or a virus alert show up, they regularly send me complaints accusing
me of trying to infect their system or distributing spyware.  Of
course Nmap is free, open source, and contains no spyware, phone-home
code, or advertisements of any sort.  It is not bundled with anything
else, and doesn't even offer an executable installer.  So it is hard
to imagine someone installing it by accident. I asked McAfee why they
would possibly flag Nmap in their virus scanner.

McAfee responded that they never called it a
virus/trojan/adware/spyware/etc. Instead, they describe it using the
weasel-words "potentially unwanted application".  In mail to software
authors like me, they act like this is a benign and rather
meaningless designation that few people would enable.  After all,
anything can be "potentially unwanted".  But what they tell their
users is a whole different story!

You can see the VirusScan checkbox for enabling "PUP protection" on
page 22 of their User Guide[1].  It says:

  "Potentially Unwanted Program (PUP) protection quickly detects and
  removes spyware, adware, and other malware that gathers and
  transmits your private data without your permission"

The screen then notes that enabling this "protection" is
"recommended".  How does Nmap possibly fit that description?  A few
months ago we added a clear warning to the Nmap download page, urging
users to steer clear of McAfee's so-called virus scanner.  That has at
least reduced the number of flames I get from people after bogus
McAfee alerts.

Competitors such as Trend Micro and Norton seem to focus on actual
malware.  But while McAfee wastes their time pestering legitimate free
software authors, they kowtow to the rich companies that make millions
infecting PCs with malicious spyware.  The scummy spyware company
Claria/Gator even issued a press release this year [2] praising McAfee
VirusScan.  That isn't a good sign for an anti-malware product!  The
release was titled "McAfee finds Claria's GAIN ad-supported software
does not present a malicious threat to consumers".  According to the
release, McAfee had made a mistake and "inadvertently labeled Gator
software" as #2 in their "top 10 threats in 2004" alert.

I certainly support and wish you luck in your campaign to educate
McAfee/Avert in the difference between malicious spyware that covertly
infects millions of PCs, and legitimate security tools that users
desire and manually install.  Unfortunately, my 2 years of discussions
with McAfee have been fruitless.  They just don't seem to care about
accuracy in their product.  So instead, I try to spread the word about
how useless and inferior VirusScan is.  It often seems that the only
people who like that product are the Spyware companies themselves!

Cheers,
Fyodor

[1] http://download.mcafee.com/products/manuals/en-us/VSH_UserGuide_2006.pdf
[2] http://www.claria.com/companyinfo/press/releases/pr050425.html


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev