Resolving Virus Scanner False Alarms

 

Background

While our tools (GPass/GTunnel/Freegate/Ultra Surf/FirePhoenix) have helped users in closed societies access censored information on the Internet freely, the authorities in some places (e.g., China) found a way to block us through anti-virus scanners: they simply reported our software as a virus or malware. Some of these anti-virus companies are not responsible enough in their classification. It seems they just labeled our software as a backdoor if enough people reported us that way.

In the past, we interacted with some of these anti-virus companies (including Symantec and Kaspersky), and upon close examination of our software, they reverted their signature databases. But there are now too many anti-virus companies for us to deal with to clear every record.

To our users: We are sorry for the inconvenience. GPass/GTunnel/Freegate/Ultra Surf/FirePhoenix are definitely not viruses or backdoors. However, please download them from our official websites or reputable download sites such as download.com or Tucows.com, and check the digital signatures before running them. In the past, in China, some evil guys added a virus to our software and emailed it to many users. Please be alert and do not run any file you download before verifying its signature or source.
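
One way to carry out the signature check described above on Windows, as an added example that is not part of the original page or the project's own tooling. The file path and the expected publisher name are assumptions supplied by the user; the page does not state the signer name, so it must be taken from the official website.

```powershell
# Added example: verify the Authenticode signature of a downloaded installer
# before running it. -ExpectedPublisher is a placeholder assumption: the page
# does not give the signer name, so obtain it from the vendor's official site.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [Parameter(Mandatory = $true)][string]$ExpectedPublisher
)

function Test-DownloadSignature {
    param([string]$Path, [string]$ExpectedPublisher)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result = [pscustomobject]@{
        File    = $Path
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Status  = $sig.Status
        Signer  = $null
        Trusted = $false
        Reason  = $sig.StatusMessage
    }

    # NotSigned, HashMismatch and NotTrusted all mean: do not run the file.
    # HashMismatch in particular means the file changed after it was signed.
    if ($sig.Status -ne 'Valid') { return $result }

    # A valid signature only proves that someone signed the file; check who.
    $result.Signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    if ($result.Signer -ne $ExpectedPublisher) {
        $result.Reason = "Signed by '$($result.Signer)', expected '$ExpectedPublisher'"
        return $result
    }

    $result.Trusted = $true
    $result.Reason  = 'Signature valid and signer matches expected publisher'
    return $result
}

$check = Test-DownloadSignature -Path $Path -ExpectedPublisher $ExpectedPublisher
$check | Format-List
if (-not $check.Trusted) { exit 1 }
```

The SHA256 value in the output is there so a suspicious copy can be reported or compared against a hash published by the vendor.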

 

Letter Sent to Kaspersky Lab

Dear fellow professionals at Kaspersky Lab,

Our software packages are repeatedly mis-detected by your virus scanner as malware.
An example is http://gpass1.com/download/OldVersions/GPass-3.3.0.exe
which contains a file scap.dll which can also be downloaded at
http://gpass1.com/download/OldVersions/Scap.dll
This file is identified as Backdoor.Win32.Delf.hnt. But it is absolutely not. It is a socksifier similar to SocksCap by the former NEC.
Another example is GFltDrv.sys explained below.

 

Detailed Information:

We are writing you regarding several of our software applications being mistakenly blacklisted by Kaspersky virus scanners as viruses or backdoors. This has had an adverse impact on our users, especially those who are also users of various Kaspersky antivirus products.

In response to the call for the Global Internet Freedom Act from the US Congress, the Internet Freedom Consortium develops and operates a full breadth of products to help users in authoritarian regimes, such as China, Vietnam, and Iran, to communicate and share information freely and securely on the Internet. In these countries, the Internet is censored for the sake of political control in violation of universal values of human rights, freedom, democracy, and the rule of law. Millions of users rely on our software products to access the otherwise blocked websites such as voa.gov, cnn.com, some US government websites, falundafa.org, and the uncensored version of google.com.

At the Internet Freedom Consortium we value these responsibilities and have delivered free and secure Internet access solutions that bring absolutely no harm to a user’s computer or computing environment in general. Take GFltDrv.sys as an example. It is a software driver used in our security software GPass (Refs. 1 - 5) that gets mislabeled by Kaspersky antivirus software as a backdoor. This driver is based on an analysis published by Richard Clayton et al. of Cambridge University (Ref. 6). It is completely harmless. Our technical staff looks forward to meeting their Kaspersky counterparts in reviewing implementation details, on a case-by-case basis and at source code level if necessary, to agree upon the fact that none of our software should be blacklisted.

As a pioneer in facilitating millions of users in authoritarian regimes access and share information freely, our products have achieved distinctive recognition. People from around the world seek advice from us to meet their Internet security needs. We know firsthand that it is these freedom-loving, aspiring people who are shaping the future of the Internet. We take pride in being part of their pursuit in extending the frontiers. In so doing, we are also able to offer valuable input to public policy formation (Ref. 7) while actively working with commercial companies and other organizations in continuously enhancing software security solutions.

It is our understanding that by joining us in recognizing and embracing this growing challenge for free, secure Internet access, Kaspersky’s primary corporate responsibility as well as its long term interests in solidifying its existing industry leadership role will be best served.

Best regards,

Peter Li
Head of Technology
Internet Freedom Consortium

 

References

[1] FreeGate software can be downloaded for examination at
http://dongtaiwang.com/loc/download.php
[2] UltraSurf software can be downloaded for examination at
http://www.wujie.net/download.htm
[3] GTunnel software can be downloaded for examination at
http://gardennetworks.org
[4] GPass software can be downloaded for examination at
http://gpass1.com/download
Old versions, including scap.dll and GFltDrv.sys can be downloaded at
http://gpass1.com/download/OldVersions/
[5] FirePhoenix software can be downloaded for examination at
http://firephoenix.edoors.com/
[6] Ignoring the Great Firewall of China
http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf
[7] Global Online Freedom Act of 2007
http://thomas.loc.gov/cgi-bin/bdquery/z?d110:HR00275:@@@L&summ2=m&

 

Reply from Kaspersky Lab

A reply was received from Kaspersky Lab within a day:

-------- Original Message --------
Subject: RE: Virus misdetection issues [KLAB-4516973]
Date: Tue, 1 Apr 2008 21:52:37 +0400
From:

False alarm fixed. Please update local bases.

Please quote all when answering.

-----------------
Regards, Kirill Erakhtin
Virus Analyst, Kaspersky Lab.

Ph.: +7(095) 797-8700
E-mail: newvirus@kaspersky.com
http://www.kaspersky.com http://www.viruslist.com