show all comments

General

Guilty until proved innocent? Flagging unrecognized downloads as malicious

February 27, 2012 19:07:43 +0200 (EET)

Google Chrome's "this file appears malicious" warnings are false and unfounded in too many cases. Similar problems exist with IE, and some anti-virus software. Their tests include two factors that have nothing to do with whether the code is malicious: packed executable, and low number of previous downloads.

Packing an executable is good practice: they take up less space and bandwidth, and are faster to start up from hard disk. Like including some form of software protection or obfuscation, packing may make it harder to recognize or analyse the program, but that does NOT mean it appears malicious.

Software downloads follow the law of the long tail: things like Flash and Adobe Reader installers are frequently encountered, but there is a massive amount of software not commonly used, but which may be very useful to some. Recognizing something as a common download tells you its non-malicious, but not recognizing something does NOT mean it appears malicious.

Both packing and infrequent downloads simply mean that you can't say much about that software. In that case, the principle must be 'innocent until proven guilty'.

If you see someone on the street with a black mask and knife in his hand, he appears malicious; if you see a friend you recognize, he doesn't appear malicious; but if you see someone you don't recognise, and who is mostly obscured by a crowd, you can't go around shouting to everybody that he's malicious.