DriverRestore

False Positive: Driver Restore and Driver Whiz flagged as PUP.Optional.383Media


Hello MB Team,

I am writing to you because we have found, through VirusTotal.com, that our software products Driver Whiz (Driverwhiz.com) and Driver Restore (Driverrestore.com) have been labeled as "PUP.Optional.383Media". We are unaware of why this would happen and believe it to be a false positive. Can you please let me know what is needed to get this checked out? We work very hard to make sure our software products are safe and compliant, and if we find there are some potential issues/risks we will gladly get to fixing them. However, at this point we have no information to prove that something is wrong and it seems that we are just being mislabeled.
 

Thanks,
Stephen Genest
Director of Marketing
383 Media, Inc.

DriverRestore.zip

Driverwhiz.zip


Dear Stephen and welcome to the Malwarebytes forum.

Upon further review, we have concluded that these detections are in fact legitimate and we will not be removing detections for this software at this time. Please refer to the following list of criteria that was used to reach this conclusion. Note that as the programs are nearly identical clones to one another, I may refer to them interchangeably.

1) Terms and conditions of use include receipt of advertisement and marketing.

TCad1.png

2)  Terms and conditions of use include requiring agreement to comply with the incredibly ridiculous request to not use your software in "biological, or nuclear weapons."

TCalarmist1.png

 

3) Upon canceling a scan in DriverWhiz immediately after beginning the scan, the program itself reports no out of date drivers, and yet, remarkably, clicking "Register Now" sends me to a page that explicitly states that I do in fact have a driver out of date. The website somehow knows more than the program does and is incredibly misleading. See screenshot for details:

 

fakealert.png

 

4) Clicking "CLICK HERE FOR LIVE TECH SUPPORT!" does nothing to help the user:

faketechsupport.png

5) Your privacy policy completely throws users under the bus and leaves them less secure:

privacypolicybs.png

6) Your software is often found bundled on the InstallCore and other bundler platforms:

installcore.png

7) Your software is advertised in misleading ways, often with buttons seemingly looking to trick the user into downloading your software instead of their software of interest:

seedyad.png

8) Our PUP detection is consistent with that of other vendors as you can see at VirusTotal.com.

 

Finally, please also refer to our official PUP criteria here... https://www.malwarebytes.org/pup/ ...of which the following criteria apply to your software:

 

 

Quote

Driver Optimizer, Updater, etc.

Similar in scope to the registry cleaners, driver optimizers promise to update the drivers needed for the PC’s peripherals to properly function, such as the sound card, chipset, and USB devices. Many of these are installed as part of “bundlers” or “wrappers” and the end user is left with a program that performs a scan at startup and presents a report in an alarmist fashion, stating that a driver needs to be updated. More recent versions of Windows, such as Windows 7 and up now update drivers through the windows update process, and while newer drivers may be available for your devices they may not yield any noticeable performance improvement. These types of programs ask for payment prior to performing a driver update that is ultimately unnecessary.

Self-explanatory.

Quote

Has a critical mass of users referred to your program as malicious?

Has a critical mass of users referred to your program as malicious, as evidenced by numerous complaints, general dissatisfaction, and removal guides

Many removal guides have been published online (see one example here: https://malwaretips.com/blogs/landing-driverrestore-com-virus/ ) in addition to many users complaining about not having deliberately installed your software and having had great difficulty in removing your software. See some examples of many over the past few years here:

http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/is-driver-restore-a-safe-program-i-cannot-remove/10dfcd18-986d-4c12-8cff-8abf9c4960f0

http://www.2-spyware.com/remove-driver-restore.html

https://community.mcafee.com/thread/72415?start=0&tstart=0

Here you can find a consolidated list of angry users and their experiences: http://driver-whiz.pissedconsumer.com/

 

To summarize, these detections are indeed valid. We will also detect clones rebranded under a different name to evade detection.

Best regards,

Edited by screen317
Edit for clarification

Hi Malwarebytes Team,
 
Driver Restore has gone through a transition and we are now working on making sure our application is user friendly.

We would like to go through each point noted by screen317. Before we do that, we would like to thank screen317 for taking the time to review our application. We also decided to respond in the long form, apologies for the wordy response.
 
Responses:
1) We have reviewed our terms and conditions and removed the highlighted section. Thanks for bringing this to our attention. In 2014, we bundled the Yahoo Search Toolbar with our software. It was a great idea in 2014, but not as great of an idea today. We don't bundle anything with our software anymore and there is no need for that paragraph.
 
2) We understand that no one will use our application for biological or nuclear weapons, but it's there because our lawyers wanted it there. Our application is sold in multiple languages, and around the world. Since we are US based, we have to comply with the laws where we don't export our software to countries on US no trade list. Along with that, we have to specifically say that you can't use our application to make weapons. We have worked with Norton in the past, they have similar paragraphs in their terms and conditions. In fact, you will find this in Apple's terms and conditions too. We hope it's ok.
 
3) This is a split brain issue. Our scanner interacts with our server. If a scan is cancelled on the user side, and server has already received the data to analyze the scan, it records what the scan resulted in. Even though a user never saw the scan results, those were in fact generated for the user. When the user clicked on the register link to go to the website, scan information is pulled from the server. So you are right, website knew more than application. We know it can be confusing, but if scan was finished, you will not see this out of sync issue. It's just a corner case, split brain issue, not meant to be misleading at all.
 
4) There are a couple of reasons you might have seen a blank screen. We don't have a tech support number or live tech support in every region. However, if you are in most English speaking countries (since this is an English build you tested), you should have received something. Our application does a live query in our server to see which number should be given, depending on the country/region. This is being driven by an image server, which is based on openx/revive ad server. Since you seem like a security expert, you might have had ads blocked. Since the number is coming from an image from an adserver, it is most likely getting blocked. However, we are very quick to support. We respond to most of our users within hours. We use Zendesk, and we are about 98% as good as anyone else in the market, according to Zendesk. We are very responsive.
 
5) Targeted Advertisement:
Our eCommerce platform does wonderful things, just like any other eCommerce platform. It reminds users of cart abandonment. We also do retargeting ads with companies like Google and Bing. We do not sell our user data, we don't send any PII data to any third parties. We are very protective of our customer. These terms are only there to optimize our sales efforts and make sure if someone wants to buy our software, we can reach out to them. As you probably know, Google does use almost anything you use from these to track the user around the internet. We use Google Analytics as our analytics package, much like majority of internet websites these days. Our lawyer had us put that in for those reasons also. Again, we are not trying to be malicious. Just alerting our users. We don't buy user data from anyone, we don't sell user data to anyone, it's just good old user tracking for analytics.
 
6) DriverRestore has done "probably needs based" advertisement with partners who would prompt the user to install Driver Restore. We approve the screens and make sure they are not misleading. We only work with partners who are reputable, and working with groups like Clean Software Alliance. We do checks on these partners to make sure they are not misleading the users. We have been around for many years, and we know there are many partners in the space who will do anything to get an install. We don't work with that type of partners. We have been running DriverRestore for many years. We have seen the good, bad and ugly partners for sure, but we only work with reputable companies, some of which are publicly traded and follow industry practices.
 
7) We are not sure which partner is doing that, but that is not an approved creative from our side. We would like to know which partner it is. After all these months, we are probably not advertising with that partner anymore.
 
8) You guys were the pioneers I would say in PUP detection. We actually think most of the industry follows you guys. We have been working with some of the other AV companies, at least the ones that respond and you can see on VirusTotal that biggest ones have whitelisted us. There are still some heuristics based guys who might have us listed, but we are engaging with them and pleading our case. We are a small software company. DriverRestore is important to us and we are working with everyone to make sure our software abides by the industry standards.
 
We have looked at your updated PUP policy, and here is our response to each point:

Here are some of the criteria we use:

  • obtrusive, misleading, or deceptive advertising, branding, or search practices
    • RESPONSE: We do not use such advertising or branding. We are very clear in telling our customers that we will update their drivers and also let them know that they will have to pay before they download.
  • excessive or deceptive distribution, affiliate or opt-out bundling practices
    • 80% of our advertisement is done on search engines. We only work with top tier affiliate providers which are part of Clean Software Alliance, and App Esteem.
  • aggressive or deceptive behavior especially surrounding purchasing or licensing
    • We are very clear to tell our customers about what they are buying, and offer a no questions asked 60 days policy. We extend this policy as far as the payment method allows us to do refunds. 
  • unwarranted, unnecessary, excessive, illegitimate, or deceptive modifications of system settings or configuration (including browser settings and toolbars)
    • We do not do any such changes. We install cleanly, and uninstall cleanly.
  • difficulty uninstalling or removing the software
    • We provide a clean uninstaller, which does not even require a user to restart. We are committed to creating quality software and believe that a clean uninstaller is an essential part of it.
  • predominantly negative feedback or ratings from the user community
    • We have looked at our feedback on MalwareBytes forums and noticed that the only feedback from your community is about it being a false positive. We also looked elsewhere. Other than spammy SEO websites, we have only seen a handful of complaints. We are addressing those complaints actively and reaching out to the customers. We have lacked in reaching out to the customers in the past and we strive to improve on this.
  • diminishes user experience
    • We are never in user's way and user has multiple ways in the settings screen to decide how they want the software to interact with them. We provide a clean and easy to use UI.
  • other practices generally accepted as riskware, scareware, adware, greyware, or otherwise commonly unwanted software by the user community
    • While we are aware that there are many applications in our space which are not "trustworthy", we believe we stand out of the crowd. We have been around for over 7 years. We were one of the first, and our product has been user driven. We don't hide and always use our code signing certificates when distributing the software. 
We do see some removal guides. Those are the spam search engine optimizers (SEO). They are in business of getting free clicks from users, and then promoting a product themselves. There are many of these even doing it from Malwarebytes and other good companies. In the past, we never responded to these, but we understand our online reputation is important. We have started responding to any user issues online and have seen some positive reviews show up.
 
We also noticed that you said there are many clones. We only have one clone. DriverWhiz. DriverWhiz is only promoted on Google. It has never been bundled, or has bundled anything with it. We don't have any other clones.
 
In conclusion guys, we want to help our users. We do so by providing free information about which drivers are out of date. If they want to use the automated update process, we have to charge them because we are using our servers for bandwidth, and there are other parties involved which need to be paid. We have no malicious intent. If you feel there still are some concerns which we need to address, or believe our software warrants changes, please let us know. We will be happy to.
 
Best,
DriverRestore/DriverWhiz Support

This topic is now closed to further replies.
