Anti-Virus Company Says PeerGuardian is Malware
Written by Ben Jones on February 24, 2008
Over the past week, some servers used for updating the anti-virus software NOD32 were labeled as anti-p2p by a popular list maker for PeerGuardian. In response, NOD32’s company, ESET, has categorised PG2 as malware in some of its latest updates.
It started off with Bluetack adding some IP addresses to its “Level 1 blocklist” that belonged to ESET (NOD32) update servers. “Level 1” is the term that Bluetack use for their lists containing (according to site admin ‘monk’):
- Companies (Or organizations. I won’t repeat orgs. over and over) who are clearly involved with trying to stop filesharing.
- Companies which anti-p2p activity has been seen from.
- Companies that produce or have a strong financial interest in copyrighted material.
- Government ranges or companies that have a strong financial interest in doing work for governments.
- Legal industry ranges.
- IPs or ranges of ISPs from which anti-p2p activity has been observed.
The IP addresses added were 89.202.149.32 to 89.202.149.63, 89.202.157.88 to 89.202.157.95 and 89.202.157.128 to 89.202.157.159, according to this forum post on the NOD32 support forum. These blocked IP ranges contain many of the servers used to provide anti-virus signatures for NOD32. These were added to the blocklist for alleged anti-p2p activities. However, what kind of anti-p2p activity was taking place is unclear.
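An added example (not from the article, ESET or Bluetack): a small audit that parses a range-based blocklist and reports which addresses a machine must be able to reach, such as anti-virus update servers, fall inside a blocked range. The `label:start-end` line layout, the entry labels and the two host addresses are assumptions constructed for illustration; only the three ranges are taken from the article.

```python
import ipaddress

# Constructed blocklist. Layout "label:start-end" is an assumed text format;
# labels are invented. The first three ranges are the ones quoted in the article.
SAMPLE_BLOCKLIST = """\
# constructed sample
Example entry A:89.202.149.32-89.202.149.63
Example entry B:89.202.157.88-89.202.157.95
Example entry C:89.202.157.128-89.202.157.159
Unrelated documentation range:192.0.2.0-192.0.2.255
malformed line without a range
"""

# Constructed "must reach" hosts: one address picked inside entry B, one outside all ranges.
MUST_REACH = ["89.202.157.90", "198.51.100.7"]


def parse_blocklist(text):
    """Return [(label, first, last)] for valid lines; skip comments and junk."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the last colon so labels may themselves contain colons.
        label, sep, span = line.rpartition(":")
        start, dash, end = span.partition("-")
        try:
            first = ipaddress.IPv4Address(start.strip())
            last = ipaddress.IPv4Address(end.strip())
        except ValueError:
            continue  # not an IPv4 range, ignore the line
        if sep and dash and first <= last:
            entries.append((label, first, last))
    return entries


def to_cidrs(first, last):
    """Express an inclusive start-end range as the minimal list of CIDR blocks."""
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def blocked_hosts(entries, must_reach):
    """Map each must-reach address to the labels of the entries that cover it."""
    hits = {}
    for host in must_reach:
        addr = ipaddress.IPv4Address(host)
        labels = [label for label, first, last in entries if first <= addr <= last]
        if labels:
            hits[host] = labels
    return hits


if __name__ == "__main__":
    parsed = parse_blocklist(SAMPLE_BLOCKLIST)
    for label, first, last in parsed:
        print(f"{label}: {first}-{last} = {', '.join(to_cidrs(first, last))}")
    for host, labels in blocked_hosts(parsed, MUST_REACH).items():
        print(f"WARNING: {host} is blocked by: {', '.join(labels)}")
```

Run against a real list before deploying it, with the update and management endpoints of your security tooling as the must-reach set, so that a block on those addresses is noticed before signature updates silently stop.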
Bluetack administrator ‘m00re’ told TorrentFreak that the IPs were added because “someone noticed them on a torrent”. ‘m0nk’, another administrator, later told TorrentFreak that he noticed an IP belonging to ESET on a private tracker’s movie torrent that he was on. “It was only 1 IP, but since they’re a commercial software company with a strong financial interest in copyrighted material, they go on level 1 regardless”.
However, ESET didn’t take too kindly to this disruption of its business. A representative from ESET tried to contact Bluetack, to see about the removal from the list. He later posted a screenshot of the discussion to the ESET support forum.
This was the same kind of attitude experienced by Ludvig Strigeus almost exactly two years ago, after utorrent.com was added to the Bluetack lists, and similarly by the Opentracker people and the German Chaos Computer Club.
Based on the feedback from Bluetack, ESET added PeerGuardian to their anti-virus updates. Two signatures called Win32/PeerGuardian were added in update number 2894 on the 21st of Feb, with another 5 added in update number 2895 the following day. These updates identify the PeerGuardian application as malware, and offer the user the ability to deal with the ‘infection’. Those that do have been unable to use PeerGuardian afterwards.
Phoenixlabs, which makes PeerGuardian, put out this statement in response. Their representatives would not comment further on the subject, referring only to the statement. Bluetack, on the other hand, have been very vocal about it. ‘m00re’ said “whomever the person/persons are that made the flawed decision to maliciously target a non threatening application like PG2 is clearly a moron.” whilst ‘firstaid’ suggested that “people call them and have them stop having their product remove PG2 from their systems.”
ESET defended the addition, “By blocking update and threatsense servers detection of PeerGuardian as potentially unwanted application is fully justified as it could disrupt normal operation of NOD32 and or ESS.”
However, ESET has now changed its mind, saying “We have reconsidered detection of PeerGuardian and it will be removed in the upcoming update. However, we will actively continue protecting our users from blacklists that contain the IP addresses (ranges) of our update servers and thus preventing our paying or trial users receiving updates and keeping their computers protected.”
215 Responses
[quote comment="297436"][quote comment="297414"]what I wonder is how many comments on torrentfreak threads and sites like it are from anti-p2p companies or people working for them spreading bad propaganda about blocklists for their interest[/quote]
You may wish to ask the same of the bluetack editors who repeatedly block various ranges that contain trackers and seedboxes. Would the antip2p lot simply mention that blocklists do not offer the protection claimed, or would they block trackers and the fastest seeders?
But then again, most of the pro-bluetack comments are coming from the army of fanboys they told to come here.
As to other comments about why an update server was using p2p, nobody knows what it was doing because bluetack seem reluctant to say anything other than they noticed the IP. They won’t say whether it was seeding/leeching, simply listed by the tracker or involved with bittorrent at all (as opposed to some other form of p2p).[/quote]
Something I for one have been wondering, is if Bluetack is working for someone like the BSA, FACT, BPI etc.
After all, what does anyone know about the bluetack people? Do you know who they are, who they work for. People want to be paranoid about things, why don’t they start at the beginning, and wonder who exactly is making these lists.
Seedboxes get blocked because the asshats that rent them do so from dubious companies that have dealings with anti p2p who also use them to run fakes server farms and trackers. It’s not bluetack’s problem your server IP happens to sit in a range used by MediaDefender or Safenet is it? No, it’s yours for trying to be ’special’ and renting a server from a company known to have dealings with anti p2p.
also NOD32 pwns other anti-virus progs!
Jesus, people!!?? You’re throwing the baby out with the bathwater!!
Level1 lists software companies — including companies like BitTorrent and Vuze. People that use their lists know this, and it’s one a right-mouseclick to permanently verify that you want to allow a connection.
You’re worried about your AV program not getting updated? How many of you have noticed that Level1 blocks “Limelight Networks?” If you haven’t, better check — because that’s Windows Update!
Level1 is designed to put the users back in control — you had to install Peerguardian — did you really think you would never have to adjust it???????!!!!!!******
PeerGuardian does not make any fucking sense. I can change my IP address in 10 fucking seconds. Why couldn’t the RIAA. MediaDefender was even about to use employee’s home lines. PG IS FOR RETARDS WHO DO NOT KNOW HOW THE INTERNET WORKS AND LIKE TO GIVE POWER TO MORONS LIKE THE BLUETACK ADMINS
I often guess Anti-virus companies hope there are more Malware.
you’re obviously extremely ignorant, to the point that I don’t even feel like explaining anything to you, just do everyone else a favor and refrain from posting comments on the internet, forever.
“Something I for one have been wondering, is if Bluetack is working for someone like the BSA, FACT, BPI etc.”
Whoever they are working for, I pity the company because they are completely incompetent maniacs.
“Antivirus PROTECTS people’s machines from malware that is in P2P networks, PG opened the door for newer malware and viruses to infect a user.”
How many copyright infringing filesharers get caught? Maybe 0.0001%? How many file-sharers have infected machines? Easily 20%. So indeed, the latter problem is more severe by several magnitudes. Too bad nobody gets sued for spreading spam with their crap infested machines. I really wonder why because even pissing in public can get you into jail and that’s much less of an issue.
“I would like to know also why someone from this company was connecting to a .torrent file.”
I’m sure your ISP would like to know as well why you have to fetch a Hollywood movie from TPB each day. In other words, it’s none of your business. Using BitTorrent is neither illegal nor dubious. If even the readers here don’t know that little, I really wonder whether there isn’t some really big fucking bug in the matrix. Maybe someone there was fetching some updates via BitTorrent or whatever, it doesn’t matter and nobody cares.
“Especially when P2P is supposed to be responsible for spreading viruses, trojans and malware.”
That statement is so full of shit, it can be reduced to “Bullshit.”. No fricking idiot notices when he gets infected via Internet Explorer, Outlook or some “codec update”. All these idiots realize later is that they were using file-sharing, so it has to be the fault of file-sharing because the RIAA says so. The RESPONSIBILITY for an infection is YOURS until proven otherwise. If it was caused by one of the million bugs in Windows, then it might not be *entirely* your fault. It’s your goddamn job as a user to use your rotten braincells, just like you do when driving a car. Just because the PC doesn’t kill you as easily, you can’t use it like an uneducated, illiterate monkey.
NOBODY gets infected by DOWNLOADING anyway. You get infected because you’re so dull to expect a movie in a tiny ZIP file and then click on “Setup”. Or you think you’re so INCREDIBLY smart that you could get expensive professional software without paying for it through file-sharing. Or you’re such a moron that you believe if the AV scanner finds nothing that there IS nothing.
You see whether you get a computer virus or AIDS, it’s the same cause: Lack of functional brain-cells.
[quote comment="297492"]PeerGuardian does not make any fucking sense. I can change my IP address in 10 fucking seconds. Why couldn’t the RIAA. MediaDefender was even about to use employee’s home lines. PG IS FOR RETARDS WHO DO NOT KNOW HOW THE INTERNET WORKS AND LIKE TO GIVE POWER TO MORONS LIKE THE BLUETACK ADMINS[/quote]
Get a clue snowflake. PG2 is a deterrent. Bluetack is a community. You are a failure.
[quote comment="296962"]Actually I prefer to block within an application, i.e. adding a IPFilter.dat (or similar) to Amule/Ktorrent/Qbittorrent/whatever instead of using PeerGuardian. Why should I block all access to a certain range, if I’m only concerned about anti-p2p activity in that range?[/quote]PG2 does a much better job at it, memory footprint and admin-time wise. If you config PG the right way, you’ll rarely if at all, need to look at it. It has not failed me once, ever.
And frankly, I side with bluetack on this all the way. How ESET is selectively posting a chat is even more reason for distrust. It’s a freaking choice to use PG. I’d never use NOD32 either way.
[quote comment="297505"]You get infected because you’re so dull to expect a movie in a tiny ZIP file and then click on “Setup”. Or you think you’re so INCREDIBLY smart that you could get expensive professional software without paying for it through file-sharing.[/quote]Hmm.. I agree with you on much of what you write here, but really have to disappoint you;
I never get infected, yet I’ve been trying out full versions of expensive professional software without paying, without fail, thanks to file sharing. And yes, it’s easy if you know what to scan, what to check, where to look, where to read. Many people luckily ARE that incredibly smart. Smarter than you, it seems ;-)
[quote comment="297492"]PeerGuardian does not make any fucking sense. I can change my IP address in 10 fucking seconds. Why couldn’t the RIAA.[/quote]Oh maybe because, you know, we’re running out of IPv4 address space real fast? Trust me, it ain’t that easy to change entire blocks. You can only change your IP-address within a range, it won’t differ much from what it was before. IPv4 addresses are an expensive commodity real soon.
[quote comment="297378"]While they’re at it why don’t they remove every firewall as well? You know they could be infected by these dangerous blocklists blocking the update servers…[/quote]
EXACTLY!
Each and every Billion ADSL modem blocks ESET requests at default installation. Do we see them suing Billion, or malware-flagging firmware updates for Billion modems? Of course not.
And that’s just ONE firewall type in one brand of modem/router. There are millions out there.
I’m sorry, but ESET is really in the wrong here.
[quote comment="296979"]PG2 and its blocklists are in the public domain, so any serious anti-P2P agent is going to ensure the IP address they are operating from isn’t on that list before even starting. We all know that fresh IP addresses and sets aren’t hard to come by.[/quote]They ARE hard to come by! And, what’s most important here: It takes time to obtain them and put them in use! Of course, it’s a cat-mouse game all the way, but I’d rather be a few hours late than not safe at all. Which is exactly what PG2 is good at doing:
Providing a better safe than sorry shield.
And this is also exactly WHY Bluetack responds as fast and sensitive as they do; in order to safeguard its users from people who think they’re smart, but mistakenly reveal what side they’re on. You NEED to be a little paranoid if you are relied on by so many trusting users. Strike 1 is for Bluetack.
[quote comment="297082"]this is the standard argument that bluetack makes when it adds a block, swapping PG with nod32 and bluetack with ESET - why doesn’t the same arguments work the other way?)[/quote]Well take a guess! Because the one yields a very expensive and considered illegal act, punishable by law, very unfortunate for the user, and the other doesn’t.
I’d know which one to choose if I was working for a site called “torrentfreak”. Apparently I’m wrong.
[quote comment="297469"]Something I for one have been wondering, is if Bluetack is working for someone like the BSA, FACT, BPI etc.
After all, what does anyone know about the bluetack people? Do you know who they are, who they work for. People want to be paranoid about things, why don’t they start at the beginning, and wonder who exactly is making these lists.[/quote]LOL, that’s probably why it’s freeware, right? I don’t think you understand: We, the users, the people, KNOW how good this list is, because they’ve often added OUR requests, visibly did so, in the open.
This time is a good example. Who are the assholes out for legal threat and thus money-wolves? ESET, not bluetack. Who do I trust? Take a guess…
[quote comment="297064"]This is all down to a lack of accountability on bluetacks behalf.[/quote]Lack of countability my ass. It’s called staying safe from scary moneygrabbing corporates, my friend!
[quote comment="297374"]Just wondering - does NOD32 automatically “call home” to verify that it’s not a pirated copy?
I always hate that sort of thing.[/quote]
No. In fact, pirated versions of nod32 don’t even use Eset’s servers for updates.
lol. people actually think that Bluetack’s blocklists keep them safe? There’s a better chance of you winning the lottery than getting caught by the “scary” MAFIAA. Besides, Bluetack blocks a lot of legit IPs. GG ESET.
[quote comment="297531"][quote comment="297082"]this is the standard argument that bluetack makes when it adds a block, swapping PG with nod32 and bluetack with ESET - why doesn’t the same arguments work the other way?)[/quote]Well take a guess! Because the one yields a very expensive and considered illegal act, punishable by law, very unfortunate for the user, and the other doesn’t.
[/quote]
Punishable for what? Libel? Yeah, were Eset to act like Bluetack, they’d have been sued many times over for Libel. Bluetack, well, I’m guessing that’s why no-one actually knows who they are.
[quote comment="297545"]LOL, that’s probably why it’s freeware, right? I don’t think you understand: We, the users, the people, KNOW how good this list is, because they’ve often added OUR requests, visibly did so, in the open.
This time is a good example. Who are the assholes out for legal threat and thus money-wolves? ESET, not bluetack.[/quote] Really? you check every IP added to the list? all what, 150,000 of them, each week? Are they still valid? If not, why are they still in the list? Have they provided to you, or anyone else, the evidence behind the block? I remember that Slyck went to test the quality of the lists, by checking the MD-D provided IP addresses. There were so many, it was impossible to do a comprehensive check, but of the ranges tested, only a 2% block rate, and this was after the IPs had been public for more than one update cycle.
You also say ESET are ‘money wolves’ because of a legal threat. Legal threat is a bit strong of a term for a letter from the company’s attorney, requesting clarification for the block entries, and to warn that spreading false info may be litigatable. Lawyers are the preferred agent of choice for contacts such as these between two companies (and yes, despite their claims, bluetack is a company)
How do I know this? It’s called research, and it’s called verification. According to bluetack themselves, in discussion with our researcher, the extent of bluetack investigation is who an IP block is registered to. Not ‘who is actually using it’, not what they are using it for, nor ‘who else may be included in that block’.
Damnit, I use both of these programs and got the NOD32 alert last night. I thought something had infected PG2.
I see where they’re both coming from, but PG2 shouldn’t block the definitions update from ESET. If you want to talk about problems for filesharing, what will outdated definitions do to the user?
turn PG off when it stops you from doing something.
Do you pay for pg? You choose to have it on your computer, so that kind of agreeing to just about whatever it does. Besides that you can alter the lists yourself. I don’t see any harm done here. They are just trying to lookout for you.
[quote comment="297577"]How do I know this? It’s called research, and it’s called verification. According to bluetack themselves, in discussion with our researcher, the extent of bluetack investigation is who an IP block is registered to. Not ‘who is actually using it’, not what they are using it for, nor ‘who else may be included in that block’.[/quote]Hehe, and you call YOUR type of verification more valuable? Don’t make me laugh. I’d rather rely on an anarchist list from paranoids like MYSELF at bluetack than on your verifications and research. They both look way too cold, official and biased to be trusted. Before you know it, you’ll be the kind to try and ban anarchism simply because you disagree with their policy of acting on instinct and better being safe than sorry.
I’ve been in discussions with bluetack people way longer than you are (obvious to me, at least), on their forums and in IRC. I know exactly who to trust and why. I don’t trust Eset, for the same reasons why I don’t trust you, or my employer, or the state, or THIS website.
Oh and for the other idiots posting against the use of PG; Do you know the actual stats on PG usage and the amount of PG users caught in one way or the other by anti-p2p groups/the law? I do. None of them were using PG, ever.
I don’t really get this… don’t most people usually set up their blocklists so that it is only getting applied to p2p traffic? I just don’t see what the god damn issue is.