Issues with antimalware false-positives #376
kirb
announced in
Announcements
Replies: 0 comments
Unfortunately I have to post again about Legacy Update being incorrectly blocked by ISPs.
On the 11th of June, we received a phishing report from a contributor to abuse.ch, a crowdsourced database of websites that are hosting malware. You may know that sometimes websites get hacked and end up being part of a malware campaign. Malware actors leech on the good reputation of genuine websites, because it buys them some time before they get caught and need to move somewhere else.
The alert we received claimed that the download for version 1.0 of Legacy Update is a phishing program. First - Legacy Update has not been compromised. This isn’t the first time I’ve been in a privileged position on users’ devices - I also run Chariz, a store that hosts “tweaks” for jailbroken iPhones, and I was releasing tweaks myself all the way back to 2011 (yeah, I’m old). Trust is an important feature of what we’re doing here, and I take the security of my work very seriously.
Since platforms like abuse.ch want to stop the spread of malware as quickly as possible, their reports also get sent to the “abuse” email of the web host, and to other antimalware databases. Our host (or rather, proxy/CDN) is Cloudflare, who automatically added a phishing warning page when attempting to download LegacyUpdate-1.0.exe.
We were in contact with the abuse.ch contributor within a few hours, who confirmed the flag was in error and removed it. (I don’t blame them for anything - they’re doing important work, but there’s a never-ending list of threats to sift through, and mistakes are inevitable.) We also contacted other antimalware vendors that added a block due to this, and most removed it within 48 hours.
Despite our best efforts trying to reach out to have these false-positive flags removed, and those of some of our users who contacted their ISPs (thank you), Cloudflare is continuing to block this file, and other antimalware/firewalls are blocking the entire content.legacyupdate.net domain. This has been preventing people from downloading Legacy Update, or downloading updates through it. While you might not use a firewall yourself, your ISP may provide one on their end to protect you on their network. Your school or job probably also runs one.
If you get this when checking for updates through Legacy Update, you’ll see error 8024402F, with an error page titled “Windows Update may be blocked by your firewall or proxy server.”
Part of this is on Cloudflare - I requested a review indicating the flag is in error, but two months later, they still haven’t responded. I also contacted their Trust & Safety team by email on the day this happened. I opened another ticket today, hoping they might escalate and resolve this as soon as possible.
I’m also working on contacting the 7 vendors who are currently flagging the domain. It’s usually the same few suspects… I’ve had to contact some such as CyRadar and alphaMountain.ai multiple times over the years. They usually don’t even bother to send a reply.
It hurts to do this when our whole mission is preservation of data, but in desperation of trying to move this along, today I deleted the LegacyUpdate-1.0.exe file from our server. It’s still available from the GitHub releases, or from Wayback Machine. (Not that I recommend using it - 1.0 was very early and primitive.)
But why this file in particular? After releasing the first version of Legacy Update in 2022, I got a good reminder of how heavily antimalware relies on complete wild guesses. Sure, it’s better to be safe than sorry, but sometimes they use very incorrect speculation that casts a very wide net.
To set the scene, here’s the VirusTotal results page for 1.0. The issue seems to be that it uses IExpress and Advpack .inf files for installation. These are old features of Windows that can create a “self-extracting” .exe - IExpress extracts files to a temporary folder, and then Advpack runs a set of commands to complete the installation. There’s nothing inherent to either that implies it’s malicious, but perhaps they often get used by malware to install evil files on the victim’s computer. Microsoft used IExpress/Advpack to deliver almost every update released for Windows 98 through Windows XP, and it still gets used for some updates since Windows Vista (hopefully they’ve retired it these days).
Partly because of the false-positives, and partly because I wanted to create a more useful setup program anyway, Legacy Update 1.1 switches away from IExpress/Advpack to NSIS, a well-recognized installation system used by tons of apps you’ve heard of, like VLC, Notepad++, and TeamViewer. It worked - the detections basically went away.
That said, it didn’t fix everything. The latest version, 1.11, does have a few weird detections. This increasingly seems to be because antimalware platforms are adding AI heuristics systems, which in my experience, hallucinate threats where there are none. Anything can look like a threat if you’re a computer that looks at program behavior without having the full context, built on technology that can veer in the wrong direction if the input data is incorrect or not specific enough.
I’m doing my best to squash these false detections by filing reports with vendors, but that’s the limit of what I can do. I don’t expect this problem to ever truly go away. We’re currently planning a future project that will host many thousands of official and unofficial updates from our domain, and this isn’t inspiring confidence that we can pull that off. Switching away from Cloudflare also won’t help - that creates new problems, and they’re only one of the problematic parties here anyway.
Sorry this post is a downer. This is frustrating. Just wanted to post an update because this has been increasingly reported by our users.