8

RATs (Remote Access Tools, e.g. Sub7) are considered malicious by antivirus software. How can it distinguish between such patches and a client application for commercial software like NetSupport School?

TildalWave
HSN

4 Answers

11

Despite outrageous marketing claims to the contrary, antivirus software is not smart. Antivirus does not recognize "types" of software, as in "mmh... this looks like a tool for RAT". There are strong theoretical reasons why this sort of detection is, in all generality, impossible to achieve, and correspondingly very hard to do in practice.

What antivirus does is to look up the software it sees (which is, ultimately, a sequence of bytes) in a big database of "known evil software". The antivirus vendor works hard, every day, to include in that database malware which has been observed in the wild -- i.e. most malware you are likely to encounter, but not NetSupport School software, which the human antivirus vendors have deemed "not evil".

Thomas Pornin
  • To add to this, sometimes they may recognize common methods to try and hide from antivirus. If you had benign software, but wrapped it up in a way that viruses usually do, it may be flagged. – Peleus Apr 19 '13 at 04:50
3

Most of the time the vendors who develop IT support tools work with the AV companies in order to whitelist their remote administration tools.

The behavior detection, a.k.a. the heuristic engine of AVs, is marketed by the antivirus companies as a super-genius mechanism for detecting trojans and other malware even if there is no signature available. Technically the heuristic engine is nothing more than DLL hooking for detecting when processes call VirtualAlloc(), VirtualProtect(), GetProcAddress(), LoadLibrary(), etc.

Therefore, from an antivirus point of view, there is no difference between a legitimate remote administration tool and a malicious one. The code for both of them is almost the same. The only thing the AV looks for is to see if the software is in the allowed application list. If it is, then it is allowed. Otherwise, the tool will be flagged as suspicious/malicious.

void_in
1

AFAIK based on whitelisted signatures. I hazard a guess based on TeamViewer (they like to know pretty much about the manufacturer of the AV).

Dr.Ü
1

Some anti-virus will distinguish RAT from NetSupport tools. It depends on the type of the detection mechanism that the anti-virus is using.

If the anti-virus is using a signature-based detection, it should distinguish a RAT from NetSupport since it is looking for specific lines of code. This type of protection depends on the quality of the signatures in the database. If the virus is not in the database, the virus won't be detected.

If the anti-virus is using a heuristic-based detection it will look for suspicious application behavior, thus it may not distinguish a RAT from NetSupport tools.
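An added illustration, not code from any of the answers or from an AV vendor, of the three mechanisms the answers describe: a byte-signature database (Thomas Pornin's "known evil software" lookup), a vendor allowlist, and a behavioural heuristic that counts the hooked API calls void_in lists. The sample bytes, signature pattern, hash-keyed allowlist, API trace and threshold are all constructed assumptions; they show why two tools with identical behaviour get different verdicts only through the signature or allowlist step.

```python
import hashlib
import re

# Constructed stand-ins for two executables that behave the same way.
RAT_SAMPLE = b"MZ\x90\x00...SUB7_SERVER_STUB...connect-back"
ADMIN_SAMPLE = b"MZ\x90\x00...NSS_client...connect-back"

# (1) Signature database: byte patterns taken from known-malicious files (constructed).
SIGNATURES = {"Sub7 (constructed pattern)": re.compile(rb"SUB7_SERVER_STUB")}

# (2) Vendor allowlist keyed by file hash (constructed; how a vendor registers
#     a build with the AV company is an assumption here).
ALLOWLIST = {
    hashlib.sha256(ADMIN_SAMPLE).hexdigest(): "NetSupport School client (constructed entry)",
}

# (3) Heuristic: the hooked APIs named in the answers; both tools call them.
SUSPICIOUS_APIS = {"VirtualAlloc", "VirtualProtect", "GetProcAddress", "LoadLibrary"}
HEURISTIC_THRESHOLD = 3  # assumed cut-off

# Constructed API trace shared by both samples: remote-control code looks alike.
COMMON_TRACE = ["CreateFileW", "VirtualAlloc", "VirtualProtect",
                "LoadLibrary", "GetProcAddress", "WSAConnect"]


def heuristic_score(api_trace):
    """Count hooked-API calls in a behavioural trace."""
    return sum(1 for call in api_trace if call in SUSPICIOUS_APIS)


def classify(sample, api_trace):
    """Return (verdict, reason) in the order a scanner would apply the checks."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(sample):
            return "malicious", f"signature match: {name}"
    digest = hashlib.sha256(sample).hexdigest()
    if digest in ALLOWLIST:
        return "allowed", f"allowlisted: {ALLOWLIST[digest]}"
    score = heuristic_score(api_trace)
    if score >= HEURISTIC_THRESHOLD:
        return "suspicious", f"heuristic score {score} >= {HEURISTIC_THRESHOLD}"
    return "unknown", f"heuristic score {score} below threshold"


if __name__ == "__main__":
    for label, sample in [("RAT", RAT_SAMPLE), ("admin tool", ADMIN_SAMPLE),
                          ("rebuilt admin tool", ADMIN_SAMPLE + b"\x00")]:
        print(label, "->", classify(sample, COMMON_TRACE))
```

The third case, the same admin tool with one byte changed so its hash is no longer allowlisted, falls through to the heuristic and is flagged exactly like the RAT would be without a signature, which is the behaviour the last answer describes.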