Google's Anti-Malware Detection Gives False Positives
Slicker
Volunteer moderator, Project administrator, Project developer, Project tester, Project scientist
Joined: 11 Jun 09
Posts: 2525
Credit: 740,580,099
RAC: 1
Message 21585 - Posted: 22 Oct 2015, 14:22:30 UTC

For the last several months, Google has identified the Collatz apps as "having an unknown virus". I have asked Google for specifics since their scan states that Collatz has "Undetermined malware" and all virus scans I have done show no issues.

Because other sites rely on their security tools, I have not been able to update the expired SSL certificate. Since the BOINC client will not fall back to HTTP if there is an issue with the SSL certificate (e.g. it is expired), I had to remove the certificate. That means that logins are no longer encrypted. Thanks, Google, you've accomplished the exact opposite of what you intended and all attempts to get you to rectify the situation have fallen on deaf ears.

Proof?
The applications that Google complains about are exactly the same as the ones created several years ago (before the suspected trojan even existed).

I can compile the application on a clean machine (fresh install of everything from DVDs direct from Microsoft) and the applications match the supposedly infected ones byte for byte.

The issue is that in order to scan the files quickly, Google uses a "thumbprint" of each virus and if the application happens to have any code that matches the small snippet in the thumbprint, Google deems it to be infected. Google __should__ check for the real virus instead of a thumbprint when it finds an initial match. That would avoid false positives. Instead, they assume they are correct and ban the site. Hmmmm... I thought we were supposed to be innocent until proven guilty, not just suspected of being guilty. But, I guess that's what happens when you become the 800 lb. gorilla.
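Slicker's point about snippet-only matching, shown as an added example that is not code from the thread or from the Collatz project: a toy scanner that flags on a short byte "thumbprint", a two-stage version that confirms any hit against full-file hashes before acting, and the byte-for-byte comparison used to check a rebuild. All byte strings, signature names and hashes below are constructed for the demo.

```python
import hashlib

# Constructed samples: a clean build and a hypothetical malicious file that
# happen to share a short byte sequence (a common x86 function prologue).
SHARED_PROLOGUE = b"\x55\x8b\xec\x83\xec\x10"
CLEAN_BUILD = b"MZ\x90\x00collatz-app-v6.0 " + SHARED_PROLOGUE + b" result loop"
SUSPECT_FILE = b"MZ\x90\x00dropper " + SHARED_PROLOGUE + b" payload"

# Stage-1 "thumbprint" signatures: short snippets chosen for scan speed.
SNIPPETS = {"Undetermined malware": SHARED_PROLOGUE}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stage-2 ground truth: full-file hashes of samples confirmed malicious
# (constructed here from SUSPECT_FILE only).
CONFIRMED_MALICIOUS = {sha256(SUSPECT_FILE)}


def snippet_only_verdict(data: bytes) -> list:
    """Stage 1 only: report every signature whose snippet occurs in the file.
    Any file containing the prologue is flagged, which is the false-positive path."""
    return [name for name, sig in SNIPPETS.items() if sig in data]


def two_stage_verdict(data: bytes) -> str:
    """Stage 1 prefilters by snippet; stage 2 confirms against full-file hashes.
    A snippet hit that is not confirmed is reported, not treated as infected."""
    hits = snippet_only_verdict(data)
    if not hits:
        return "clean"
    if sha256(data) in CONFIRMED_MALICIOUS:
        return "malicious"
    return "snippet hit, not confirmed"


def same_bytes(build_a: bytes, build_b: bytes) -> bool:
    """Reproducibility check: two builds match byte for byte iff hashes match."""
    return sha256(build_a) == sha256(build_b)


if __name__ == "__main__":
    for label, blob in (("clean build", CLEAN_BUILD), ("suspect", SUSPECT_FILE)):
        print(label, snippet_only_verdict(blob), two_stage_verdict(blob))
    print("rebuild identical:", same_bytes(CLEAN_BUILD, bytes(CLEAN_BUILD)))
```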

Katherine
Joined: 7 Mar 11
Posts: 1
Credit: 13,062,826
RAC: 6,059
Message 21588 - Posted: 22 Oct 2015, 19:07:57 UTC

Ok, that explains why my Norton Security suite wouldn't allow me to proceed to the website, I went anyway and it doesn't argue with me about it now. I thought it might be something like this.

NullCoding*
Joined: 6 Oct 10
Posts: 12
Credit: 52,880,684
RAC: 0
Message 21589 - Posted: 22 Oct 2015, 20:00:17 UTC

I assume you are registered with Google Webmaster Tools (for site analytics and the like)? If so, you ought to file a request for review through the Webmaster Tools dashboard. Even if it's just Google blacklisting the site, you can also try filing a review request at StopBadware, especially if Google seems to be giving you the "cold shoulder," as it were.

Effectively removing encryption seems drastic and potentially (as you mention) counter-productive and downright dangerous. I don't think that's the best approach at all, so somebody's really messed up - and I sincerely doubt it's you.

I assume you've checked and quadruple-checked the certificates and all. I know some BOINC projects have used self-signed certificates for various reasons, but you don't, if I recall. I also assume SSL (and everything else crucial to system security) is up-to-date on your server.

When I was trying to figure out why IMAP suddenly broke on my server, I realised it was due to various SSL and SSL-related packages being out-of-date (and the fact I was not using a current distro apparently was a red flag as well). That said, Google hates my site because I have a Java applet on one page. Oh well.

Clearly, Google has changed its heuristics ever-so-slightly. My guess is that it's got to do with requiring a certain low level of access, specifically hardware-related. Why needing access to GPUs would suddenly be a red flag now is beyond me. I've never known a rootkit to hijack a GPU, but perhaps Google knows something I don't.

Plenty of white hats would be happy to help you clear your site's name, and the avenues are available. Why Google isn't replying to you remains to be seen, I guess, but it's sadly not terribly uncharacteristic. The bigger the gorilla gets, the harder a time it has turning its head about to see and hear what's going on.
____________
I'm Jaska
It's a tarp!

Sir Thomas W. Kilburn
Joined: 10 Oct 15
Posts: 3
Credit: 15,574,569
RAC: 0
Message 21590 - Posted: 22 Oct 2015, 21:31:06 UTC - in response to Message 21585.

I use Mozilla Firefox and McAfee software. No problems so far. Try using them.

Rymorea
Joined: 14 Oct 14
Posts: 100
Credit: 200,411,819
RAC: 4
Message 21591 - Posted: 22 Oct 2015, 22:19:40 UTC

I set antivirus to exclude the boinc and boincdata directories. So no false virus and no check of every DL wu. Less hdd and cpu use :)
____________
Seti@home Classic account User ID 955 member since 8 Sep 1999 classic CPU time 539,770 hours

Dr. A
Joined: 23 Sep 10
Posts: 1
Credit: 75,969,778
RAC: 19,685
Message 21592 - Posted: 23 Oct 2015, 7:58:11 UTC

Maybe there is a relation with http://www.google.com/patents/US20130108038

BORG315
Joined: 18 Nov 14
Posts: 1
Credit: 4,254,545
RAC: 0
Message 21594 - Posted: 23 Oct 2015, 12:13:15 UTC - in response to Message 21585.

How about using a different antivirus?
I have been using ESET with no issues.

o.g.richter@gmx.net
Joined: 26 Mar 13
Posts: 1
Credit: 1,333,221,389
RAC: 1,322,404
Message 21596 - Posted: 23 Oct 2015, 14:33:40 UTC - in response to Message 21585.

So, is there a work-around so that one can start computing Collatz workunits again? I haven't been able to for several weeks now even though it is my highest-priority project ...

Dune Finkleberry
Joined: 18 Mar 10
Posts: 370
Credit: 140,385,033
RAC: 656,561
Message 21597 - Posted: 23 Oct 2015, 15:04:20 UTC - in response to Message 21594.

> How about using a different antivirus?
> I have been using ESET with no issues.

As am I. I love ESET Smart Security, and have been using it for years.

But using a different security software is unrealistic. Most of us don't have that kind of money sitting around.

Dune Finkleberry
Joined: 18 Mar 10
Posts: 370
Credit: 140,385,033
RAC: 656,561
Message 21598 - Posted: 23 Oct 2015, 15:07:30 UTC - in response to Message 21596.

> So, is there a work-around so that one can start computing Collatz workunits again? I haven't been able to for several weeks now even though it is my highest-priority project ...

As "Rymorea" said... I set antivirus to exclude the boinc and boincdata directories. So no false virus and no check of every DL wu. Less hdd and cpu use :)

daveandton
Joined: 20 Aug 09
Posts: 1
Credit: 376,360,491
RAC: 0
Message 21599 - Posted: 24 Oct 2015, 9:02:21 UTC

I've used Linux for many years now (Ubuntu) and thankfully don't have any of these stupid Microsoft problems.
Dave

Helix Von Smelix
Joined: 2 Aug 10
Posts: 43
Credit: 10,193,908,278
RAC: 1,520,741
Message 21603 - Posted: 24 Oct 2015, 20:36:25 UTC - in response to Message 21599.

Typical reply from a "Linux" user. Brings nothing to the table, and comment not relevant at all. Guess what, it is nothing to do with Microsoft!

Michael
Joined: 31 Oct 10
Posts: 10
Credit: 65,246,034
RAC: 99,627
Message 21604 - Posted: 24 Oct 2015, 23:59:11 UTC

Try using Avast Free for personal use. Never had a problem.

woohoo
Joined: 2 Oct 15
Posts: 8
Credit: 1,739,300,411
RAC: 1,616,364
Message 21605 - Posted: 25 Oct 2015, 1:23:47 UTC

Wait, so Microsoft isn't the cause of every problem? I want to blame them for my laziness.

I was not aware that Google had an anti-malware package. I'm fine with Windows Defender.

robertmiles
Joined: 8 Oct 09
Posts: 45
Credit: 15,071,562
RAC: 46,008
Message 21608 - Posted: 26 Oct 2015, 3:22:49 UTC - in response to Message 21594.
Last modified: 26 Oct 2015, 3:50:52 UTC

> How about using a different antivirus?
> I have been using ESET with no issues.

Should work if Google can be persuaded to use the different antivirus.

Unlikely to make much difference if only Collatz Conjecture uses the different antivirus.

robertmiles
Joined: 8 Oct 09
Posts: 45
Credit: 15,071,562
RAC: 46,008
Message 21609 - Posted: 26 Oct 2015, 3:50:30 UTC
Last modified: 26 Oct 2015, 3:56:24 UTC

An idea on how the project can stop the false positives without very much effort:

Many BOINC projects have each workunit run from a script rather than starting the application program directly. If the project does this or can be changed to do this, just add a first step to allow sending the same information, but not the thumbprint of bytes that Google marks as a possible virus.

Write a server program to quickly change the pattern of bytes. For example, make it invert every other bit. Write a corresponding program for every type of client supported to reverse this change. Make this corresponding program the first item in the script that runs on the client.

First, apply these changes to the application programs, so that only the changed versions of the application programs can be downloaded from the server. The changed version of the application program needs a new version number, even if it has no other changes, to ensure that every user will get the new version.

Modify the workunits to run the script that starts with running the corresponding programs.

If this doesn't stop the false positives, then some other file used by most workunits should get the same type of changes. Repeat as often as needed to stop the false positives.

With these changes, getting Google to tell you if you've stopped the false positives would help you determine how soon you can stop applying more of these changes, but really isn't required if you keep trying longer.

robertmiles
Joined: 8 Oct 09
Posts: 45
Credit: 15,071,562
RAC: 46,008
Message 21612 - Posted: 26 Oct 2015, 23:36:32 UTC - in response to Message 21597.
Last modified: 26 Oct 2015, 23:37:51 UTC

> > How about using a different antivirus?
> > I have been using ESET with no issues.
>
> As am I. I love ESET Smart Security, and have been using it for years.
>
> But using a different security software is unrealistic. Most of us don't have that kind of money sitting around.

Only if you insist on using paid antivirus programs. Some are free, such as the Microsoft Security Essentials I use under Windows Vista, and the Microsoft Windows Defender I use under Windows 10.

However, Google appears to change their anti-malware detection more than users need to change theirs, since only Google is finding the suspected virus.

Note - having more than one antivirus program installed on your computer at the same time often causes problems when one of them decides that the files the other uses to identify a particular virus are enough like that virus to treat the file as infected.

Slicker
Volunteer moderator, Project administrator, Project developer, Project tester, Project scientist
Joined: 11 Jun 09
Posts: 2525
Credit: 740,580,099
RAC: 1
Message 21616 - Posted: 27 Oct 2015, 13:17:05 UTC

The anti-virus used on the Collatz server isn't the problem. It's the version running on the Google servers that is the problem and that I can't control. Google obviously can't be bothered to check the correct way for a virus so they continue to use the thumbprint. So, if your application happens to have 20 or 30 characters that match some known virus, it is assumed you must have the virus. That's the issue here. I have now removed all 6.xx and earlier apps from the server even though they weren't affected and the Collatz server has now been cleared. Now I just have to get the SSL cert updated and everything will be back to normal until the next time the 800 lb. gorilla named Google decides to block the site again.

David A. Dutton [TopGun]
Joined: 16 Oct 11
Posts: 16
Credit: 109,325,124
RAC: 0
Message 21685 - Posted: 9 Nov 2015, 21:18:26 UTC - in response to Message 21585.

Screw Google.. get a cert from Verisign... unless Google owns them now too.... :/
____________
Box 1:
* Intel i7-2600K OCed to 5GHz, H20
* Win 10 X64 - 16GB DDR3 RAM @ 1666Mhz
* 2, NV Titan Z cards in Quad SLI mode
* C:1.5TB,D:7TB,F:24TB

Box 2: GTX 680 X2 SLI
Box 3: GTX 580X2 SLI
Box 4: GTX 780TIx2 SLI
Box 5: Older Laptop 8800Mx2 SLI

numbermaniac
Joined: 26 Jul 14
Posts: 30
Credit: 6,014,522
RAC: 15,884
Message 21936 - Posted: 12 Jan 2016, 3:01:43 UTC - in response to Message 21588.

> Ok, that explains why my Norton Security suite wouldn't allow me to proceed to the website, I went anyway and it doesn't argue with me about it now. I thought it might be something like this.

Norton still tells me that this website has malware. I have to click the "continue to site anyway" link on each visit.

Copyright © 2018 Jon Sonntag; All rights reserved.