Antivirus Suites Block DSEO

It has come to our attention that several Antivirus suites have listed our Driver Signature Enforcement Overrider (DSEO) as a dangerous file. We originally created DSEO to solve the serious driver signature enforcement problem that appeared after Microsoft removed the permanent command line switch that disables driver signature enforcement in Windows Vista SP1 and Windows 7. Sadly, the only way around this is to press F8 upon startup and choose "Disable Driver Signature Enforcement", which is temporary and unacceptable. Microsoft has left users without an option to disable the feature permanently.
Driver signature enforcement is indeed a good idea, but it is performed badly. It requires all drivers and system files to be digitally signed with a certificate or they won't run. The problem with signing your files is the fact that the certificate costs thousands of dollars. Of course, that money is not a concern for corporations such as Adobe, but for the majority of developers, which are freeware/open source developers that make no profit, this is simply unforgivable.
Windows is, no doubt, the leading operating system for the personal computer. One of the reasons for its success is the unlimited amount of software available for Windows. These days, you can do anything on your PC, all thanks to software developers. This is one of the reasons why Microsoft is so economically successful.
Most of the software available today is created by millions of non-commercial developers. Most of them are individuals that barely make any money from their software. Instead of getting support from Microsoft for promoting their operating system, now they have to pay for certificates, which they can't afford, to make their software compatible with Windows Vista SP1 and Windows 7. That's why we released DSEO.
One way to make the driver signature enforcement feature into a successful and useful one is to give the consumer the option to disable or enable it. However, a better alternative is to provide free certificates to non-commercial software developers, who deserve special consideration for promoting Windows and boosting its sales. We believe that the second option would be the correct course of action, thereby allowing freeware developers, who can't afford certificates, to receive certificates free of charge.
Instead of aiding developers, Microsoft has hindered them! Taking advantage of their authority and power, Microsoft and several Antivirus suite developers have listed DSEO as a virus in their Antivirus suites. Their Antivirus suites are being used as a tool to remove software that Microsoft deems contrary to its outlook, instead of protecting the customer from dangerous files. The consumer is misled. Here is a list of Antivirus suites that are being used to mislead the public:
• Avira AntiVir
• Emsi A-squared
• IKARUS Virus Utilities
• McAfee Antivirus
• Microsoft Security Essentials
• Panda Antivirus
• Prevx
We highly recommend avoiding the Antivirus suites listed above. There are many alternatives that do not operate in this manner. In addition, we will introduce a new version of DSEO in the near future to make it harder for these corrupt Antivirus suite developers to blacklist. Antivirus software should protect its users from dangerous files; it shouldn't mislead its users by removing ideologically-incorrect files.
Last edited by Regeneration; September 10th, 2009 at 01:46 AM.
28 Comments

Have you contacted the companies and asked them to remove it?

Yes, I will update if I hear anything.

Avira doesn't give a false positive here....

AntiVir (79112) reports DSEO as SPR/Tool.Driverunsign.

There is no conspiracy theory involved. SPR means "Security Privacy Risk". Others classify this under Riskware. Not sure what others detect, but I'm pretty sure they have a specific name. Meaning they aren't false positives.
Corrupt antivirus companies. Roflmao. You guys are running a computer-related website and you're shouting nonsense like this. Your tool opens a possible infection vector and is as such classified under riskware. It's not malware, but in combination with something else, it can be malicious. In your case, allowing unsigned drivers to install. Rootkit galore, anyone? I'm not sure why you're all so shocked. mIRC has been classified under riskware by many security companies for as long as I can tell.
The same goes for FireDaemon, a service manager, or different kinds of tools that are designed to terminate running processes or in any way deeply manipulate Windows functionality. So, if you think "evil" security companies target only your product, you're completely wrong.
You have to either add the file to exclusions or disable Riskware/SPR checking.
That has been common practice for years.

I really doubt there is a conspiracy going on, but it does reveal the whole problem with how these antivirus programs operate today. They should be protecting the system itself, not deleting the programs that might be causing the issue if ever used improperly. It's just lame, that's all that it is.
However, this can only cause problems for DSEO's and NGOHQ's reputation.

Then why do you think it's named "RISKWARE"? Because it CAN pose a possible security hole. Some antiviruses have riskware disabled by default, some have it enabled by default (especially corporate versions are very aggressive regarding this) and for others you just have to manually exclude these files. Riskware is a pretty well established term, and when something is flagged as riskware, most people don't panic. Antivirus warnings also have descriptions for stuff like that, or at least they provide a link for more info on their webpage. I wouldn't really worry much if it's detected as riskware. Face it, this tool is riskware whether you like it or not.

Most people? From the people I know, when ANYTHING pops up from the AV, they just remove it to be on the safe side. They don't care about risks nor do they care about false positives; they just remove it, many times without even being aware of what they are removing. But I guess your people aren't the same as my people.
And this stupid riskware label, it's risky because someone could abuse it? Well fuck me all over, then IE is the largest piece of shit riskware software I ever saw. Is it labeled as such?
Also, try reading for a change: where did I refuse to accept DSEO as anything?

Well, you can fuck them all over if you want, that will not change anything.
DSEO is riskware by all definitions. And you can't throw IE into that definition.
By that you have clearly shown me that you have no clue about this topic.
DSEO disables ALL digital signature enforcement so ANYTHING can be installed at the lowest level.
Meaning any ring0 malware will be able to install on the system without even notifying the user, because the system doesn't care anymore whether the low level driver is signed or not.
Does IE do that? Sure it doesn't. If it's exploited in any way, that's not MS's problem, apart from being obliged to fix the security bug, because that's just not its primary function. However, the only and primary function of DSEO is disabling signature enforcement. I think I've made my example perfectly clear.

RejZoR, you definitely don't know what you are talking about. It's been known for decades that Antiviruses are helping anti-piracy too.
I have never seen malware that uses a low level driver; those are hard to write. Besides, hackers could use a stolen credit card to buy a certificate, or alter the boot code to disable driver signature enforcement like ReadyDriver.
Yes, there should be an option to disable driver signature enforcement.

Quote:
Originally Posted by RejZoR: DSEO disables ALL digital signature enforcement so ANYTHING can be installed at the lowest level.

DSEO doesn't disable driver signature enforcement. It puts your system in TESTSIGNING mode and helps you to sign your own files by generating a test certificate. We picked that approach for security reasons.

"low level driver is signed or not"
Well, this is the most interesting part for me. What's the ratio between benevolent and malware drivers out there? Like 1000000000:1 or something like that? And we are back on my previous issue: I don't have an issue with DSEO being riskware, it obviously is. But someone HAS TO ABUSE it, just like with IE. If MS can waive any responsibility in the case of IE, why shouldn't Eran here be free to do the same?
Besides, you are telling me that someone who creates malware at RING0 level will aim only at those computers that had DSEO running at some point in time? You make me laugh, but not in a good way. If I package a malware driver in some installer, I'll make sure to disable the driver policy so that driver can get installed.
Once again, I understand the riskware label, but I also understand that people are PC illiterate and they don't differentiate one AV pop up from the other.
EDIT:
Doesn't this do practically the same? Is bcdedit riskware?
Code:
    bcdedit /set testsigning on
Last edited by mkey; September 9th, 2009 at 12:35 PM..
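The two replies above describe the same procedure from opposite sides: put the machine into TESTSIGNING mode with bcdedit, generate a test certificate, and sign your own driver with it. The script below is an added example written for this page, not DSEO's code and not something any poster provided; it walks through that procedure with stock Windows tooling (bcdedit) plus the makecert, certmgr and signtool utilities that ship with the WDK. The WDK bin folder, the driver path and the certificate name are assumed placeholder values. It is also an illustration of the caveat raised in the thread: once test signing is on, the kernel will load a driver signed with any certificate, so the Root/TrustedPublisher installation only removes the PnP prompt and gives no real assurance about who signed the file.

```powershell
# Added example for this page (not DSEO's code): the manual test-signing
# workflow that DSEO automates. Assumptions (hypothetical values):
#   - $WdkBin holds makecert.exe, certmgr.exe and signtool.exe from the WDK
#   - $DriverPath is an unsigned kernel driver you built yourself
# Run from an elevated PowerShell prompt on a TEST machine, never production.
param(
    [string]$WdkBin     = 'C:\WinDDK\7600.16385.1\bin\x86',   # hypothetical
    [string]$DriverPath = 'C:\Drivers\example.sys',           # hypothetical
    [string]$CertName   = 'NGOHQ Test Cert',                  # hypothetical
    [string]$CertStore  = 'PrivateCertStore'
)

function Get-TestSigningState {
    # bcdedit lists "testsigning  Yes" on the current boot entry when enabled.
    $lines = & bcdedit.exe /enum '{current}'
    return [bool]($lines -match '^\s*testsigning\s+Yes')
}

function Enable-TestSigning {
    # Persistent across reboots, unlike the F8 "Disable Driver Signature
    # Enforcement" choice. Takes effect at next boot and puts a "Test Mode"
    # watermark on the desktop so the weakened policy is visible.
    & bcdedit.exe /set testsigning on | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
}

function New-TestCertificate {
    param([string]$Name, [string]$Store, [string]$CerFile)
    # -r: self-signed   -pe: exportable private key   -ss: store for the key pair
    & "$WdkBin\makecert.exe" -r -pe -ss $Store -n "CN=$Name" $CerFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }
    # Putting the public cert in Root and TrustedPublisher only silences the
    # PnP "unknown publisher" prompt. In test mode the kernel loads a driver
    # signed by ANY certificate, which is the open hole discussed in the thread.
    foreach ($target in 'root', 'trustedpublisher') {
        & "$WdkBin\certmgr.exe" /add $CerFile /s /r localMachine $target | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certmgr failed adding the cert to $target" }
    }
}

function Sign-Driver {
    param([string]$Path, [string]$Name, [string]$Store)
    # Embedded Authenticode signature. No timestamp, so it works offline; the
    # signature is then only valid while the certificate itself is valid.
    & "$WdkBin\signtool.exe" sign /v /s $Store /n $Name $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
}

function Test-DriverSignature {
    param([string]$Path)
    # /pa checks under the default Authenticode policy, which needs the test
    # root installed above. Exit code 0 means the signature verified.
    & "$WdkBin\signtool.exe" verify /v /pa $Path | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# --- procedure ---
if (-not (Get-TestSigningState)) {
    Enable-TestSigning
    Write-Host 'Test signing enabled; reboot before loading the driver.'
}
$cer = Join-Path $env:TEMP "$CertName.cer"
New-TestCertificate -Name $CertName -Store $CertStore -CerFile $cer
Sign-Driver -Path $DriverPath -Name $CertName -Store $CertStore
if (Test-DriverSignature -Path $DriverPath) {
    Write-Host "Signed $DriverPath with test certificate '$CertName'."
} else {
    Write-Warning "Signature on $DriverPath did not verify."
}
```

Get-TestSigningState is also the check a defender wants: a machine whose current boot entry reports testsigning Yes has opted out of the signing policy regardless of which tool flipped it, and the "Test Mode" watermark is the only user-visible sign.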
Quote:
Originally Posted by DP Expert: RejZoR, you definitely don't know what you are talking about. It's been known for decades that Antiviruses are helping anti-piracy too.
I have never seen malware that uses a low level driver; those are hard to write. Besides, hackers could use a stolen credit card to buy a certificate, or alter the boot code to disable driver signature enforcement like ReadyDriver.
Yes, there should be an option to disable driver signature enforcement.

Buahahaha, tell me where I can buy a Microsoft Corporation digital signature. Then I'll steal a credit card and buy that one. Roflmao. Low level driver? Ring0 is low level, Ring3 is high level... I never said anything about low level drivers. I just said Ring0 is the lowest level, where you clearly get access to each and every resource.
@Regeneration
While that is true, you are still leaving an open hole where anyone can generate fake digital signatures and sign the executables at install time. So in the end it's not much different from ReadyDriver, which should also be considered riskware (if it's not already).

Quote:
Originally Posted by RejZoR: While that is true, you are still leaving an open hole where anyone can generate fake digital signatures and sign the executables at install time. So in the end it's not much different from ReadyDriver, which should also be considered riskware (if it's not already).

So according to your ideology, bcdedit and the WDK are also riskware. Hell, let's take it one step further! Your entire PC is riskware.

If driver signature enforcement is so "important", how come you don't have it in 32 bits?

Quote:
Originally Posted by Hawk: If driver signature enforcement is so "important", how come you don't have it in 32 bits?

Yeah, how come?

In a way I can see why they might mark this as riskware; I don't necessarily agree with it, but I can understand why.
It's not really fair for you to say that everything is riskware if this is considered riskware; it's like saying that guns are safe because you can kill someone with just about anything.
Anyway, just my two cents. Hopefully they'll remove it though, as this isn't something that installs without your knowledge; you know the risks when you install this, so it shouldn't be detected as anything bad.

DSEO should not be classified as a risk or threat of any kind IMO. It's merely a convenience tool for doing the same steps you could do yourself using public instructions from MS: enabling test mode and signing drivers with test certificates.
It's absolutely disgraceful that software developers and users are forced to resort to these steps to be able to use the same software and hardware they can use on other OS's (and 32-bit versions of the same OS). Unless those with power at MS take real steps to change this, they will only stifle innovation further and push people to other OS's more and more as time goes on and more people are affected. Whether it's sheer arrogance or misplaced good intentions trying for better "security" on the part of MS, the actual situation is truly as outlined in the post, and what goes around comes around.
Thank you, Regeneration and NGOHQ, for making it easier for people everywhere to use our computers the way we want to. To those who still believe this program is riskware: well, you're entitled to your opinion, but I urge you to take another look at the full picture. It's a complex situation. Ask some software and/or hardware developers what they think.
By the way, if the definition of riskware is so broad as to include programs such as mIRC, then I think we can probably agree that such classification does more harm than good. A possible exception is if it inadvertently helps shed light on the root problem in this case and results in a better solution than test mode being made available. That would be great.

The fact of the matter is "Driver Signature Enforcement" is a load of crap. It was really designed to make M$ money, that's it. They can say it is to ensure that the software operates correctly, but we all know the truth. Furthermore, I'm waiting for the EU or some other government regulator to come out and hit M$ with another fine. This is a clear example of an anti-trust violation, requiring companies to again pay to have their software/hardware run on Windows. I would hope that some of you remember all the lawsuits back in the day when MS was denying code and trying to charge companies like Netscape for writing programs for Windows. Same thing all over again.
If anything should be considered "Riskware" it's WGA! That is basically a backdoor trojan transmitting info back to MS. RejZoR, you don't even have a clue.. sad really.
Last edited by darthcyclonis; September 10th, 2009 at 12:58 AM..
lol. People are so naive.
Certificates are all about making money... just good business, you know.
Of course they blacklist your tool... harmful for their certificate selling business. lol.

Microsoft Security Essentials also flags it as Hacktool:Win32\Driverunsign

Most drivers are signed by VeriSign btw, not Microsoft.
Only the Inf and Cab are signed by MS WHQL labs.

Quote:
Originally Posted by Hawk: If driver signature enforcement is so "important", how come you don't have it in 32 bits?

RejZoR just got owned.

Hmmmmmm, my AV just came up with 3 TROJAN Backdoors from your product along with hacktools. Yeah, so what's that about?

You could just post the source, if you want to ease people's fears. FWIW, I downloaded it for the sole purpose of seeing if McAfee VirusScan Enterprise 8.7.0i (eng 5400.1158, dat 5854.0000) would pick it up, and it doesn't, but that detection may simply be turned off, since I'm not running a supported version of Windows. In any case, the exe, downloaded today, MD5 6DDEB31C98A188378F0652CD90FC50FF, is not packed, so it shouldn't be too much work for someone who's actually curious... I'm not sufficiently curious to spend an entire day on it, though, which is what it would take.

Look, rege would not spread infected software and NGOHQ does not spread spyware, trojans, virii or other forms of malware.
Antivirus programs these days pick up so many false positives its not even funny, the reason for the recent increase in false positive detection is up for debate but I think some of it may have to do with anti-piracy or security circumvention.
Regardless of what your antivirus tells you, the software is clean.

Ha ha, "riskware"... we need to start throwing eggs at companies that make up silly words like "riskware".
But yeah. Unsigned kernel drivers are bad. Driver verification == good. Mostly because poorly written drivers cause almost 100% of end-user blue screens. And poorly written drivers frequently come from good companies... think graphics cards. My x64 stability is sooooo much better than 32bit has ever been. I've gone from infrequent bluescreens to zero bluescreens. [Except ones I cause when I'm testing drivers I wrote O_o]

Who cares if it is listed as riskware, either way it's a dirty practice.
I would rather have the choice to decide if I want this feature or not. Frankly, for some 300 dollars for Windows 7 Ultimate I expect to run the kind of product I want, not the marketing whore box that Microsoft wants in every home.
I want a computer, not a telescreen straight out of George Orwell's 1984 to watch my every move to help some corporation make more money and screw honest companies.