RepuComp

False positive?


Hello,

I work for Koyote and I have noticed that when I'm trying to download http://www.koyotesoft.com/ a detection by Malwarebytes - PUP.Optional.Koyote.A is showing up.

Actually, you are the only one that marks it: https://www.virustotal.com/en/file/22598cb7498df2ca840240e4ba5b02f7d28fddc5e7431954c6be4d292f848898/analysis/

Why is that? Can you please remove it?

I would also like to know how we can prevent those detections in the future (if there are some actions to take).

Thanks!


Hi,

We detect it as PUP, which means Potentially Unwanted Program.

This is because most users end up installing add-ons/additional software they didn't want in the first place. This is mainly because the opt-out mechanism is being used here.

Most average users don't read install screens and blindly click the accept & install buttons, and then they wonder how these additional toolbars and other programs got installed.

These are the screenshots from this install:

post-102-0-13782100-1393238502_thumb.png

Clicking cancel here aborts the installation.

Then, when you do proceed (accept & install), it shows this:

post-102-0-86522200-1393238537_thumb.png

Again, clicking cancel here aborts the installation. Ask.com is prechecked by default, so it is basically forced upon the user to install, since the user needs to opt out here. We all know that most users just leave everything set by default (checked in this case) and proceed with the install.

Then, a 3rd screen shows the following:

post-102-0-24382300-1393238614_thumb.png

Again, same as before, prechecked by default.

Why not use the opt-in mechanism instead of the opt-out? And only enable the "accept & install" button when the selection has been made by the user? That way, there can't be any confusion whether the user actually wanted this or not.

If your answer here is: "If we use an opt-in mechanism instead, then users won't install the additional software/addons anymore" - then this clearly shows that it isn't really user choice after all, hence why we detect as PUP, since users end up installing software they didn't want in the first place anyway.

What matters for bundled installers is informed consent. Tell me what it is, ask me whether I want it (opt-in), and then enable me to proceed. That way, there can't be any confusion.

Edited to add: see the attachment below for an installer that does it the correct way:

post-102-0-25938000-1393239364_thumb.png

Opt-in mechanism + Next button (to proceed with the install) is greyed out by default until the user has made a decision. This way, there can't be any confusion, so if the user actually checked the additional software bundle, we can safely assume (s)he did want it.


Hi,

I'm sorry for the late answer and thank you for your informative answer :)

What you are saying here got me a bit confused. I have seen and encountered dozens of installers every day that are truly DECEIVING. I am looking at our installer and I'm 100% sure it is totally clear for the user what he is going to install.

Every single dialog explains to him what the additional offers include, and he can uncheck them in a second. Does the fact that the user doesn't read (very clear disclosures, with logos, so it will be clear that it is a different software now) mean that my product (that the user clicked download for) is unwanted? Maybe the offers are unwanted, and also, they are not unwanted because we are introducing and showing the user every single thing through the installation process.

Why did we use the opt-out mechanism? It is very simple. You sound like a professional person who has dealt with these things for a long time. As you may know, 2-3 years ago all the installers were opt-out until Google came and said: listen, it's not fair for users to install things they didn't want to install, so stop it, because a lot of REAL unwanted software has been installed. But a tiny group of trusted companies had a contract with Google saying: "you can stay opt-out, because we trust you"; we are one of these companies. As a matter of fact, the Google toolbar that runs with Amazon is sometimes also opt-out. Do you detect the Google/Amazon toolbar as unwanted? I'm sure not.

So I am confused, because I truly believe that we are doing our best for our users, introducing everything so clearly (my job is also to make sure our installers are compliant with Google and Ask requirements (very strict ones)).

I would love to hear from you again and see if we can sort things out. This is a really important matter for us.

Thank you very much, Mieke, for your concern and helpful answers.

BR'S

Adi

Hence the name Potentially unwanted program.

 

2 key parts to the naming scheme:  Potentially, meaning it has the capacity of being categorized as an unwanted program by some (not all) users, and unwanted, meaning some users may not want it installed.

 

Going through the same screenshots that miekiemoes posted, I can tell you right now I NEVER want ANYTHING from ask.com installed on any machine I control.  Neither do I need torch browser for any reason at all - I obtain all of my multimedia legitimately and already have all the apps I need for obtaining them, including a browser, a torrent program, and access to several social media sites for sharing.  Finally, I don't use registry cleaners at all b/c they are a waste of time, and I can clean my own registry if I really ever need to manually.

 

HTH


Hi Adi,

 

We do not typically detect what it installs, we rather detect the install wrappers - based upon how it is presented to the user. An opt-out mechanism has proven a million times already that people end up with software they don't want - simply because the user doesn't opt-out anything, most don't read the install screens and proceed with the "Accept&Install" buttons after all.

This has been a huge request by our customers - people want to select what they install rather than it being subtly forced (opt-out) to install.

 

If an opt-in mechanism is used instead, there cannot be any confusion - then the user can decide whether he wants to opt-in the additional bundles after reading what they are. So it cannot end up as unwanted - they actually opt-in for it.


Ooooh, nice wording - I'm going to have to quote you on that lol


Hi,

Thanks again for your answers.

As I said, we work with the Google and Ask compliance department, and we work with an opt-out mechanism as a part of their requirements.

Just to clarify - we are detected as Potentially Unwanted because of the opt-out method?

Adi.


When we detect something as PUP, Main Checkmarks are:

1) Prechecked offers in install screen
2) Prechecked offers in install screen with no way to opt out
3) Prechecked offers where the wording makes it sound like the offers are recommended to install
4) Install screens, with the offer displayed where it's unclear for the user what action to take. For example, a skip/proceed/cancel or decline button. Users believe that using the skip/cancel button or decline button will just abort the entire installation of the "end software" (as what has been reported many times)
5) Prechecked offers, or install screens, where user opt out or chooses not to install the offers, but the offers get installed anyway (user selection is ignored)
6) Nature of the offers - If the offers are known as PUP already or frequently reported by users as unwanted
7) Nature of the offers - If the offers force the user in a way into purchasing the Software
8) Nature of the offers - If they have been often referred to as malware/virus by the user, where users are stating it clearly that they don't want it
9) Is this software submitted to us as Unwanted
10) How are other Vendors detecting it? Are they detecting it? If so, then this means that it has been reported to them as unwanted as well


We need at least 4 checkmarks before we classify something as PUP. In your case, 1, 4, 6, 8, 9, 10 apply.


1 - You are right, we are prechecked.

4 - I disagree, we are not deceiving, but OK.

6, 8, 9 - These seem to be the same - the user submitted/reported as unwanted or a virus. Let's consider all three as one thing.

10 - No other vendors except you and Dr.Web. At least 49 vendors consider us as clean - https://www.virustotal.com/en/file/22598cb7498df2ca840240e4ba5b02f7d28fddc5e7431954c6be4d292f848898/analysis/

Now we are down to 3 that apply.


I use MWB all the time. Excellent.

 

I have also noticed this alert and looked it up.

 

I would like to thank RepuComp for pointing out that Koyote are safe. I have added these to my exclusions list.

 

Incidentally, he isn't kidding about bundled software being sneaked in. Even Anti-Virus companies are trying this on now.
