
My high risk blog reader

I posted yesterday about the report from PC Tools saying that Vista is more prone to malware than Windows 2000.

The company kindly sent me its press release on the subject and is promising more information. According to the release, the figures are based on a tool called ThreatFire, available in free and commercial editions, which by default reports threats discovered back to PC Tools for analysis and statistics. ThreatFire is a behavioural tool; that is, it does not rely on signatures of known malware, but detects suspicious behaviour.

I thought I should try this tool on my own machine. I probably count as a high-risk user, since I frequently browse the web and download and run software, sometimes unsigned software. Would ThreatFire find any malware?

It did not take long:

The application is my own custom blog reader, a simple .NET app which calls the common feed list API and renders blog posts in the WebBrowser control.

Looks like a false positive to me. Still, I poked around in the dialog. The risk level is supposedly high. The Technical Details link does not tell you any more about what the app did that was suspicious, but identifies the files I can choose to quarantine. The link that says “Learn more about this threat” does a Google search on the file name.

By the way, doing a random web search on what is potentially malware strikes me as poor practice. Here’s what online help says:

Click the Learn more about this threat link to launch a quick web search on the threat. In most cases the result of this search provides a clear indication of how to proceed.

Ever tried searching for the name of an executable or process? The bad guys and the scammers know we do this, and you will be offered all manner of “security” products, some of which are likely spyware or malware themselves. A foolish thing to encourage. Further, how will a random web search provide “a clear indication of how to proceed”? It’s the wild web, no more, no less.

My blog reader is not very famous, so in this case Google found nothing. I’m puzzled that ThreatFire doesn’t tell you more about the supposedly malicious activity, like what data was sent and where, so that the user would have more chance of judging whether this is really a dangerous app.

I guess the “threat” is now in the PC Tools database, and my machine marked as Vista with malware. I’ll be interested to see what else it finds.
