PhotoDemon and VirusTotal.com

April 6, 2015


Security | Tanner (PD developer)

Every now and again, someone will email me about the results they receive after passing PhotoDemon through an online scanner like VirusTotal.com. For those who don’t know, VirusTotal allows users to submit a file, and VirusTotal will pass that file through dozens of virus scanners, and return the results of each.

Often, these users are nervous about PhotoDemon because 1 or 2 of VirusTotal’s ~50 scanners think the project is some kind of malware. This happens frequently enough that I thought a permanent article on the subject might be helpful.

While there are benefits to VirusTotal’s approach, it is not without its problems. VirusTotal’s current scanner selection includes a number of low-quality virus scanners from very small companies. These low-quality scanners are prone to false positives, which is probably why you have never heard of most of the scanners on VirusTotal’s list. In fact, VirusTotal explains this potential right there on the About page of their website:

Very often antivirus solutions and URL scanners will produce false positives, i.e. detect as malicious innocuous files and URLs. These erroneous detections may severely hinder the business activity/popularity of third party products (e.g. refrain access to a given site, dissuade users from downloading and installing a given application, etc.).

VirusTotal simply acts as an information aggregator and cannot and will not be held responsible for these false positives. VirusTotal will not whitelist any files or URLs and will not remove any detections resulting from the normal operation of the products it makes use of. False positives should be dealt with by the developer/company that offers the product generating the erroneous detection. Links to the sites of the developers/companies of all products/tools used in VirusTotal can be found in the credits and collaboration acknowledgements section.

Big companies like Microsoft or Apple or Adobe have whole teams of people who communicate with virus scanner companies, to make sure the scanners don’t raise false positives on their products. I am an individual developer who provides PhotoDemon for free. I work on it in my spare time, and every second spent dealing with low-quality virus scanners is a second spent not improving the program. I find this immensely frustrating.

To further demonstrate how poor some of these virus scanners are, here is a link to a totally blank project, made using the same programming language as PhotoDemon:

100% Blank Project (3 kB)

This program contains zero custom source code. (I have included the source code files so you can see for yourself – open them up in a program like Notepad to view them.) All this blank project does is display an empty window, using the default project template.

If I run this totally empty project through VirusTotal this morning, here is what I get:

Avira and DrWeb are typically the worst offenders for false-positives. Trend Micro is a close 3rd, although it actually gets this blank project right.

Two false-positives for a totally blank project. Pretty silly, right?

Despite my endless frustration with these low quality virus scanners, I still do my best to contact companies that incorrectly mark PhotoDemon as malware. Here is how these email exchanges usually go. This is the actual text of a recent exchange with a virus scanner company, with the company and support individual’s names removed, for privacy reasons:

Dear Tanner,

Your request has been analyzed. It was a false alarm. The error was fixed.

Thank you for the cooperation.


Yours sincerely,
[Employee name]
[Company name]

Category: FALSE ALARM LINK
-------------------- Request --------------------

User sent us a suspicious file.
User ip: [IP removed]
User agent: [User agent removed]
User comment: Hello. I am the developer of an open-source editor called “PhotoDemon”. Your scanner falsely identifies the PhotoDemon download as a BACKDOOR.Trojan virus. I know this is not the case as I am the software developer, and I have validated the checksum of the file available online, and a freshly compiled copy of the source code.

Thank you for taking a look at this false positive.
http://photodemon.org/downloads/PhotoDemon_6.4.zip
User language: en
Original file name: SYSTEM:nofile
File size: 10
File time: 2015-02-28 17:47:46
File mime type: text/plain
MD5: 2da3830a9987dab01efea739e1232d22
SHA1: b14942eb1cfc0fa193fad2e6ef5f186ff1198219


= [website link], send-suspic-file.pl v2

-------------------------------------------------

The problem with many of these companies is that even when they are notified of the false-positive, all they do is add that file signature to their whitelist. As soon as I release a new version of PhotoDemon – or if I change the current version in any way, like fixing a typo or removing a bug – the file signature changes, and I have to go through this whole rigamarole again. If sophisticated companies ever produce a false-positive, they will actually sit down and re-code the faulty heuristics that led to the false-positive, which is great, because I only have to contact them once. But low-quality scanners simply amass an ever-larger whitelist of false-positives. This solution is stupid, and it explains why the problem is never permanently fixed.

To that end, I am greatly appreciative of anyone who can contact these companies for me, and mention the likelihood of a false-positive. That frees me up to actually work on making PhotoDemon better, instead of fighting with low-quality virus scanners.

The take home message? VirusTotal is most relevant if many scanners find an issue with a download. If only a small number detect a problem, it generally indicates a problem with those scanners. Because PhotoDemon is a lesser-known program, some scanners will simply flag it just for being uncommon.
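The two points above (a hash-based whitelist stops covering a release the moment a single byte changes, and a handful of detections out of ~50 engines is usually the engines’ problem) can be shown concretely. This is an added example, not PhotoDemon code; the archive bytes, engine names and the cutoff of three detections are all constructed assumptions:

```python
import hashlib

# Constructed stand-in bytes for a release archive; not the real PhotoDemon_6.4.zip.
RELEASE_6_4 = b"PhotoDemon release archive, version 6.4 (constructed sample bytes)"
# The same archive after a tiny change, e.g. a typo fix or a new version number.
RELEASE_6_5 = RELEASE_6_4.replace(b"6.4", b"6.5")

def file_digests(data: bytes) -> dict:
    """MD5 and SHA-1 of a file, the two hashes the vendor ticket above records."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def matches_published_hash(data: bytes, published_sha1: str) -> bool:
    """The developer's own check: does the download match the published checksum?"""
    return hashlib.sha1(data).hexdigest() == published_sha1.strip().lower()

def whitelist_covers(whitelist: set, data: bytes) -> bool:
    """A per-file whitelist only covers the exact bytes that were submitted."""
    return hashlib.sha1(data).hexdigest() in whitelist

def triage(results: dict, few: int = 3) -> str:
    """Post's rule of thumb: a few detections out of ~50 engines is probably the
    engines' problem; many detections are worth investigating. 'few' is an assumed cutoff."""
    flagged = sorted(e for e, hit in results.items() if hit)
    total = len(results)
    if not flagged:
        return "clean"
    if len(flagged) <= few:
        return f"likely false positive: {len(flagged)}/{total} engines ({', '.join(flagged)})"
    return f"investigate: {len(flagged)}/{total} engines flagged"

def constructed_scan(flagging: list, total: int = 50) -> dict:
    """Build a VirusTotal-style per-engine verdict map with constructed engine names."""
    engines = [f"engine{i:02d}" for i in range(total)]
    return {e: (e in flagging) for e in engines}

if __name__ == "__main__":
    published = file_digests(RELEASE_6_4)["sha1"]
    print("download matches published SHA-1:", matches_published_hash(RELEASE_6_4, published))
    vendor_whitelist = {published}  # what a vendor adds after a false-positive ticket
    print("whitelist covers 6.4:", whitelist_covers(vendor_whitelist, RELEASE_6_4))
    print("whitelist covers 6.5:", whitelist_covers(vendor_whitelist, RELEASE_6_5))  # False: new ticket needed
    print(triage(constructed_scan(["engine07", "engine31"])))
    print(triage(constructed_scan([f"engine{i:02d}" for i in range(20)])))
```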

As an additional precaution, remember that PhotoDemon is 100% portable. It does not need to be installed. It does not touch your PC registry or install any files on your PC, aside from its own PhotoDemon folder, of course. (You can compare before and after registry snapshots with software like RegShot if you are curious.) PhotoDemon does not require admin rights to run, and in fact – like all software – I strongly recommend using it on non-administrator accounts. This provides a system-level failsafe against any dangerous behavior.

Additionally, if you’d like to inspect PhotoDemon’s source code yourself, all of the program’s source code is available online. There is literally nothing to hide in an open-source project. Here is the source code link:

https://github.com/tannerhelland/PhotoDemon

Finally, if you remain concerned about safety, you are always welcome to download the file from a 3rd-party site that performs its own analysis and offers its own security guarantee. These 3rd-party copies may not be as up-to-date as the latest copy on photodemon.org, but perhaps they will help you feel more comfortable. For example, here is a link to Softpedia’s PhotoDemon download, which they certify as 100% free of spyware, adware, and viruses:

http://www.softpedia.com/get/Multimedia/Graphic/Graphic-Editors/PhotoDemon.shtml

Of course, with anything security-related, I should always add a caveat. PhotoDemon is distributed under a BSD license. This popular open-source license means you can use the program however you like, even in a corporate environment, but it is strictly “use at your own risk.” Like most open-source developers, I do my very best to keep the program bug-free, but I am just one guy. I rely on users to let me know about problems, including issues with malware, so if a time ever comes when many VirusTotal scanners report malware with PhotoDemon (or any other open-source project), that would be a great time to let me know about the problem.

But if the same old low-quality scanners show a problem on VirusTotal, there is not much I can do besides send out yet another round of emails to those companies. Some companies do not even have websites that allow developers to submit false-positives, so I have to use their default customer service accounts, and I’m fairly certain they just ignore my emails. (Or if they do fix the problem, they do so silently, without ever getting back to me.) As I mentioned earlier, I also greatly appreciate any kind PhotoDemon users who can contact these companies, to save me the headache!

I hope this information is helpful. If you have any additional questions about virus scanners, feel free to contact me directly. You can also leave any questions in the comment section below.

3 Comments
  • Bhaka Apr 07, 2015

    yeah….I believe you sir…..I just downloaded and ran your software and sure I love it….sadly I can’t find a stamp/clone tool and some tools like that in this app
    I love your polygonal lasso tool, very nice…..

    btw sorry for my bad English coz I’m from Indonesia

    • Tanner (PD developer) Apr 07, 2015

      Hi Bhaka. Thanks for the kind words. Stamp/clone tool and other paint tools are coming in the next release. Sorry that it has taken me so long to add them!

  • Bhaka Apr 07, 2015

    well for a while …. if I want to improve my photo, I just copy the source and paste it into a new layer and drag it to the target that I want to fix and play with a little gaussian blur and opacity to make it look ok ….. well it’s tricky….:(
    but I’ll be waiting for the next release……if it’s done….I think I want to say goodbye to Ps….
    wait…wait…wait….patient…patient……patient…..lol

    good luck sir
