Anti-Virus Company Says PeerGuardian is Malware
Written by Ben Jones on February 24, 2008
Over the past week, some servers used for updating the anti-virus software NOD32 were labeled as anti-p2p by a popular list maker for PeerGuardian. In response, NOD32’s company, ESET, has categorised PG2 as malware in some of its latest updates.
It started off with Bluetack adding some IP addresses to its “Level 1 blocklist” that belonged to ESET (NOD32) update servers. “Level 1” is the term that Bluetack use for their lists containing (according to site admin ‘monk’):
- Companies (Or organizations. I won’t repeat orgs. over and over) who are clearly involved with trying to stop filesharing.
- Companies which anti-p2p activity has been seen from.
- Companies that produce or have a strong financial interest in copyrighted material.
- Government ranges or companies that have a strong financial interest in doing work for governments.
- Legal industry ranges.
- IPs or ranges of ISPs from which anti-p2p activity has been observed.
The IP addresses added were 89.202.149.32 to 89.202.149.63, 89.202.157.88 to 89.202.157.95 and 89.202.157.128 to 89.202.157.159, according to this forum post on the NOD32 support forum. These blocked IP ranges contain many of the servers used to provide anti-virus signatures for NOD32. These were added to the blocklist for alleged anti-p2p activities. However, what kind of anti-p2p activity was taking place is unclear.
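As an added example (not part of the original article, and not ESET's, Bluetack's or PeerGuardian's code), the Python below turns the three ranges quoted above into CIDR blocks and checks a blocklist for entries that cover hosts a machine must still reach, such as anti-virus update servers. The `label:start-end` line layout, the sample list and the host addresses passed in are constructed assumptions.

```python
import ipaddress

# Ranges quoted in the article (ESET update servers added to the Level 1 list).
ARTICLE_RANGES = [
    ("89.202.149.32", "89.202.149.63"),
    ("89.202.157.88", "89.202.157.95"),
    ("89.202.157.128", "89.202.157.159"),
]

# Constructed sample in an assumed "label:start-end" layout; not a real Bluetack list.
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist
Example vendor A:89.202.149.32-89.202.149.63
Example vendor B:89.202.157.88-89.202.157.95
Example vendor C:89.202.157.128-89.202.157.159
Documentation net:192.0.2.0-192.0.2.255
"""

def to_cidrs(start, end):
    """Summarise an inclusive start-end range as the minimal list of CIDR blocks."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]

def parse_blocklist(text):
    """Return [(label, first_ip, last_ip)] from 'label:start-end' lines (IPv4)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # rpartition keeps labels that themselves contain a colon intact.
        label, _, span = line.rpartition(":")
        start, _, end = span.partition("-")
        entries.append((label, ipaddress.ip_address(start.strip()),
                        ipaddress.ip_address(end.strip())))
    return entries

def blocked_by(entries, required_hosts):
    """Map each required host to the labels of the blocklist entries covering it."""
    hits = {}
    for host in required_hosts:
        ip = ipaddress.ip_address(host)
        labels = [label for label, first, last in entries if first <= ip <= last]
        if labels:
            hits[host] = labels
    return hits
```

Running `blocked_by` over a list of update-server addresses before loading a new blocklist shows which entries would cut off signature updates.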
Bluetack administrator ‘m00re’ told TorrentFreak that the IPs were added because “someone noticed them on a torrent”. ‘m0nk’, another administrator, later told TorrentFreak that he noticed an IP belonging to ESET on a private tracker’s movie torrent that he was on. “It was only 1 IP, but since they’re a commercial software company with a strong financial interest in copyrighted material, they go on level 1 regardless”.
However, ESET didn’t take too kindly to this disruption of its business. A representative from ESET tried to contact Bluetack, to see about the removal from the list. He later posted a screenshot of the discussion to the ESET support forum.
This was the same kind of attitude experienced by Ludvig Strigeus almost exactly two years ago, after utorrent.com was added to the Bluetack lists, and similarly by the Opentracker people and the German Chaos Computer Club.
Based on the feedback from Bluetack, ESET added PeerGuardian to their anti-virus updates. Two signatures called Win32/PeerGuardian were added in update number 2894 on the 21st of Feb, with another 5 added in update number 2895 the following day. These updates identify the PeerGuardian application as malware, and offer the user the ability to deal with the ‘infection’. Those that do have been unable to use PeerGuardian afterwards.
Phoenixlabs, which makes PeerGuardian, put out this statement in response. Their representatives would not comment further on the subject, referring only to the statement. Bluetack, on the other hand, have been very vocal about it. ‘m00re’ said “whomever the person/persons are that made the flawed decision to maliciously target a non threatening application like PG2 is clearly a moron.” whilst ‘firstaid’ suggested that “people call them and have them stop having their product remove PG2 from their systems.”
ESET defended the addition, “By blocking update and threatsense servers detection of PeerGuardian as potentially unwanted application is fully justified as it could disrupt normal operation of NOD32 and or ESS.”
However, ESET has now changed its mind, saying “We have reconsidered detection of PeerGuardian and it will be removed in the upcoming update. However, we will actively continue protecting our users from blacklists that contain the IP addresses (ranges) of our update servers and thus preventing our paying or trial users receiving updates and keeping their computers protected.”


215 Responses
what if i use both of the apps all the time? will they try to block each other? :P
Norman also detects Peer Guardian as malware.
Actually I prefer to block within an application, i.e. adding an IPFilter.dat (or similar) to Amule/Ktorrent/Qbittorrent/whatever instead of using PeerGuardian. Why should I block all access to a certain range, if I’m only concerned about anti-p2p activity in that range?
Well, that all looks pretty screwed up!
hmm.. Forget it.
I tried installing Peer Guardian, but this time Norman didn’t detect it as malware.
Maybe Norman was detected as malware in an earlier version of Norman. Well well..
All good now :)
Because someone noticed them on a torrent? You call that a reliable justification to add IPs that can change anytime on a blocklist?
“Maybe Norman was detected as malware in an earlier version of Norman. Well well..”
ehm.,. :p
I guess you can see the mistake there.
I meant Peer Guardian and then Norman
Norman says, PeerGuardian is spyware.
Just a thought, but isn’t Peer Guardian entirely redundant? I mean any serious Anti-P2P activity, I mean the stuff designed to get people in court, is usually carried out by people that are reasonably savvy.
PG2 and its blocklists are in the public domain, so any serious anti-P2P agent is going to ensure the IP address they are operating from isn’t on that list before even starting. We all know that fresh IP addresses and sets aren’t hard to come by. Just a thought and MHO
I keep a blue flag hanging out my backside
But only on the left side, yeah that’s the Crip side
Whatever
Oops, bad PR for ESET!
blocklist bastards do it again lol
[quote comment="297004"]Oops, bad PR for ESET![/quote]
More like bad PR for Bluetack.
Seriously, these dimwits need to get off their high horse. Putting in IPs of anti-p2p/investigative companies is one thing, IPs of entertainment mafiaa is another, and IPs of software mafiaa is yet another. How many people actually mess with peerguardian settings? If I used PG2+NOD, I’d sure be pissed if I found that I wasn’t getting updates because of it - ESET had all the right to do what it did.
Put another way - how is this different from TPB blocking Tele2 when Tele2 blocked allofmp3? If ESET makes the signatures temporary, it only serves to get the message out which seems to be their goal.
What is even more annoying is that this wouldn’t happen if Bluetack actually made more sensible blocklists instead of putting everything into level1 - see my first paragraph.
That said, are there any other blocklist providers out there?
use ubuntu, no need of nod32, for like ever!
it is extremely lame to label peerguardian as malware when it clearly is NOT.
it will drive more confusion and maybe some people really believe pg is infected… :S
Stupid companies
ohh demonoid come back :(
2 days ago:
http://www.virustotal.com/analisis/b3fb9400909ca3f61b0750501d31ac24
Today:
http://www.virustotal.com/analisis/edfafa71189a764e950254a147b95052
ESET wankers!
no problem with me .
usually i turn off my auto update on my anti virus. when i need to update , i turn off pg and manually update my virus list.
i don’t see any problem here, why need to make into such big issue here
Peerguardian is just a false sense of security. no point having it installed. ESET should just leave them blocked.
Peerguardian is my favorite example of “snakeoil”.
How much do they block currently? 50% of the internet?
So stupid to block universities and such stuff, because they have good connections.
And of course useless (for security) because anyone can collect the IPs on a torrent from a dial-up connection. And injection of bad data is not a problem. (Only reduces speed a little)
[quote comment="297018"][quote comment="297004"]Oops, bad PR for ESET![/quote]
More like bad PR for Bluetack.
Seriously, these dimwits need to get off their high horse. Putting in IPs of anti-p2p/investigative companies is one thing, IPs of entertainment mafiaa is another, and IPs of software mafiaa is yet another. How many people actually mess with peerguardian settings? If I used PG2+NOD, I’d sure be pissed if I found that I wasn’t getting updates because of it - ESET had all the right to do what it did.
What is even more annoying is that this wouldn’t happen if Bluetack actually made more sensible blocklists instead of putting everything into level1 - see my first paragraph.[/quote]
This is all down to a lack of accountability on Bluetack’s behalf. I did also write a personal opinion on this - http://neuron2neuron.blogspot.com/2008/02/eset-nod32-is-malware.html - It’s separate because TF is not the place to mix opinion and news.
Why is no one questioning how that IP got blacklisted? Why did some update server connect to a torrent?
Something to remind ourselves of here also is that PeerGuardian is OpenSource.
The source code clearly has no malware or other malicious stuff in there. Anyone who needs to is very able to check this for themselves, Norman, ESET, whoever included.