Why Small Developer Tools Get Flagged as Malware and How to Safely Use Their Software

Recently, a reader of our newsletter called me to task for recommending software that Malwarebytes tagged as suspicious or a PUP. Rightly so, I think. I should have given a warning. We have written about PUPs and False Postives detections sometime ago, but this is an excellent time to discuss how tools from small developers often face an uphill battle regarding being recognized as safe.

Understanding why false positives happen from the perspectives of both the author and the antivirus company can help you make better, more informed decisions.

This is especially true for utilities from companies like NirSoft, Nirsoft Launcher is what I mentioned. Nir Sofer has been creating free utilities since 2001 and has published many excellent tools, almost all of which I use. Despite his long track record, antivirus programs often flag his software as malware or viruses. So much so that he and others have started locking their software behind password-protected zipped folders to help avoid initial detection, which doesn't make for a good user experience.

Let's look at the reasons behind these mislabeling issues, why these tools are generally safe to use, and uncover some lesser-known facts about small developers and false positives.


Top Reasons For Flagging

Software Heuristics
Antivirus programs rely heavily on heuristics to detect potentially harmful software. Heuristics are sets of rules or patterns used to identify malicious behavior. Tools from NirSoft, for example, often interact with system internals in ways similar to how malware operates. These utilities might access low-level system information, modify system settings, or extract passwords—actions that, while legitimate in the context of system diagnostics or recovery, resemble malicious behavior to heuristic-based detection systems.

Heuristics are designed to catch novel threats, but the practice has drawbacks. For instance, while testing a well-known antivirus program a few years ago, it used heuristics and detected my ntuser.dat as a virus trying to access my system. (Yeah, you read that right.) For those unfamiliar with it, ntuser.dat is part of the system registry -- Windows doesn't work without a registry. Fortunately, I have backups, but the incident highlighted the fine line that antivirus programs walk between protecting users and disrupting legitimate operations - in this case, fatally.


I am still a bit pissed about that, but here is one of the funnier false positives from a couple of years ago.



Lack of Code Signing
Code signing is where developers digitally sign their software with a purchased certificate verifying its integrity and origin. The price of a code signing certificate can range from $100 to over $500 per year. This cost can be prohibitive for small developers, freeware, and open-source guys. Small developers often must complete this step due to the cost and complexity involved. Antivirus programs are more likely to flag the software as suspicious without a digital signature. This lack of code signing doesn't mean the software is unsafe; rather, it has yet to undergo a verification process from a 3rd party.

Potential for Misuse
Many powerful tools can be misused, and NirSoft utilities are no exception. For example, his password recovery tools are invaluable for someone who has lost access to their accounts but can also be used maliciously to extract passwords from a compromised system. Antivirus companies tend to err on the side of caution, flagging these tools to prevent potential misuse by malicious actors. However, these tools are handy and safe for knowledgeable users.

Further, the dual-use nature of software tools is a common issue in cybersecurity. Tools like key recovery or network scanners can be essential for administrators. Attackers can also use them to find vulnerabilities and steal your software. This causes a tough choice of how to label these types of software for the antivirus company. Sometimes, it is right on their end to assume the user knows nothing and to err on the side of a warning/blocking.

Aggressive Behavior Patterns
Antivirus programs are designed to detect aggressive behaviors often associated with malware. This includes things like keylogging, network sniffing, and memory scraping. Tools from small developers that perform deep system-level tasks may exhibit these behaviors, even if they're intended for legitimate purposes. Some advanced tools, like those used for system monitoring or penetration testing (e.g., Wireshark), often get flagged because they can be used for legitimate and malicious purposes. Therefore, it is doubtful that you will ever be able to download a product like this without some warning.

Reputation and Trust
Software from well-known companies often benefits from an established reputation and is generally allowed out of the box. Small authors have different levels of recognition, making their software more likely to be flagged and often viewed as suspicious by default. When releasing a new version, News and Software Updater or MajorGeeks Windows Tweaks, we are permanently flagged as a virus and must write each company to get cleared before releasing it to the public. It's an arduous process. But this is why you often get some browser warning when downloading some sweet open source that we list that is hot off the presses.

More Reasons Why Small Author Tools Get Flagged by Antivirus

Infrequent Use: Antivirus programs also rely on community data to determine the safety of a program. If software is rarely used, it might be flagged simply because it needs more users to establish a trustworthy reputation.

Rapid Development Cycles: Small developers often release updates more frequently than larger companies. Each new version needs to be re-evaluated by antivirus software, which will have a unique hash (digital fingerprint). This constant stream of updates changes the hash and can lead to temporary flags as the antivirus software catches up with the latest version.

False Positives from Similarity: Antivirus programs use pattern matching to identify malware. A legitimate tool with code or behavior closely resembling known malware can be flagged as a false positive. Small developers, who might use common libraries or code snippets found in open-source libraries, can inadvertently trigger these false positives if a legitimate virus actually used that same library.

Why You Should Consider Tools from Small Authors

Niche: Small and hobbyist authors fill an important role in the software market and have niche software that you typically can not find anywhere else.

Price: Generally, software from small authors is either free, open source or very cost-conscious, especially for the quality.

Transparency: Many small developers are highly transparent about what their tools do and how they work. NirSoft, for example, provides detailed descriptions and documentation for each utility, explaining its purpose and functionality.

Community Trust: Tools from small authors often have a dedicated user base and receive positive reviews from tech communities. These endorsements can be a good indicator of the software's reliability and safety.

Updates and Support: Active development and regular updates are signs of a committed developer. Small developers frequently update their tools to fix bugs, add features, and ensure compatibility with the latest operating systems. Most times your request actually goes TO the developer and not some support queue.

How to Safely Use Tools from Small Developers

Download from Official or Trusted Sources: Always download tools from the developer's official website or a trusted source like MajorGeeks. Not to toot our own horn, but we have decades of education and experience in the area, which gives us unique insight into many of the tricks that suspect authors try to pull. We also set higher standards for what we publish.

Verify Checksums: Remember that "hash" number we talked about earlier? The hash function applies a series of mathematical operations to each chunk of data, designed to ensure that even a small change in the input data results in a significantly different hash value - making each file unique. Some developers provide the checksums (MD5, SHA-1, etc.) for their downloads. Verifying these numbers with a tool like Chk Hash Tool https://www.majorgeeks.com/files/details/chk.html can ensure that the software hasn't been altered.

Read Documentation: Familiarize yourself with the tool's documentation to understand its functionality any potential risks associated with its use. Decide if you genuinely want to keep it on your machine or want it for a single use.

Get Informed: Keep up with community discussions and reviews about the tools you're using. Other users' experiences can provide valuable insights and tips for safe usage. So, reading the comments of other users on the download page, or asking in the forums can offer great insight.

Know your software: Not all antivirus software is created equal. Each product balances protection and usability. Defender, for example, is tuned more for usability. On the other hand, apps like Sophos, Malwarebytes, and Eset are tuned for higher user protection and are, hence, prone to more false positives. So get used to double-checking if u are in that camp. Further, know what your software is reporting; if it uses a term like "generic" or "GEN.xx,x,". It is typically a heuristic hit. "Riskware" or "PUP" -- is typically a warning.

Double check with VirusTotal: Virus Total allows you to upload any file for scanning by multiple antivirus engines, which gives you a better look into what you are dealing with from broader perspective. It s also a great tool to show how common false positives actually are. However, keep in mind that if you download a legit hacking tool and it is detected as a hacking tool -- you have a hacking tool, not a virus.

Use Antivirus Whitelist: When your antivirus program flags a legitimate tool, and you are certain you want the software, consider adding it to the whitelist after verifying its safety. Whitelisting is offered by all antivirus apps and prevent future false positives without turning off your antivirus protection. Each software is different. Check the documentation, but usually, it's just a few clicks.

Conclusion
Nothing is perfect in this world, which also applies to antiviral products. Sometimes, we still need human intervention to keep the machines in line. We have no issue with an antivirus product tagging a risky product as risky or erring on the side of caution. Taking preventive measures by antivirus programs to prevent misuse by malicious actors is a very reasonable position. Still, it does not mean the software is harmful if used responsibly and for legitimate purposes. You do not blame the paintbrush for the painting, right?

Our beef is tagging a known-good product as "malware" just because some knucklehead theoretically could use it for a bad reason. Doing so unjustly damages the author's reputation, unreasonably scares a user, and eventually trains people to ignore legitimate threats. Antivirus companies need to improve their reporting in this regard. If you want to read more on the topic chgeck out Talkin’ SMAC: Alert Labeling and Why It Matters at Radid7

Feel free to add your thoughts or experiences with these tools in the comments section below!

comments powered by Disqus