Why are uninstallers so often flagged?

Hi malware fighters,

You could already be aware of the fact that av scanners can consider some uninstaller executables as being trojans. As we update these suspects to jotti there either is no trojan (sign of a FP). Examples DrWebCureIt flags the Democracy Player uninstall.exe from Particapatory Culture Foundation as infected with Trojan.Popuper, when we upload the uninstall executable to Jotti not a single scanner (DrWeb’s included) find anything and the file is flagged as clean.
Another example is the Flock uninstaller.
What is so special about uninstallers that make that some av scanner flag them as infected. Can somebody explain?

polonus

Good question polonus.
I’ve come accross the same thing on more than one occasion.
I just wasn’t smart enough to ask. ;D

I’m curious too… Maybe they have riskware behavior? ::slight_smile:

As Tech says probably because of behaviour after it is deleting lots of files and registry entries, which under certain circumstances might be though suspicious. I guess it would depend on what detected it signature, generic or heuristic detection.

David,
Since in my case the detection was done by avast! and avast! doesn’t use heuristic detection,
I guess we can rule that out.

Heuristics, Generics [gen] or signatures were given so it entirely depends on what the detection was. I was also answering polonus generally as he asked a general question and not one specific to avast.

Hi malware fighters,

How much harm it does depends partly on what you have to do to get rid of this stuff. If you can’t find normal uninstallers, or they don’t work, or they wind up loading more ads on your computer, you’ll call this software malicious. But compared to spyware, its fairly mild. But that will not produce a Trojan FP, would it?
Kaspersky is found to see trojans in uninstallers, while there are not. So clearly
False Positives. But this malware really exists: Emcodec.D for instance works via a bogus installer and drops an uninstaller. There is nothing false about this one.
Identifying and analyzing spyware is a complex challenge. New forms of spyware are constantly under development, and the same technology that can make spyware malicious and unwanted also appears in software that users want to keep and use on their computers, such as antivirus software. It’s not always possible for software to determine whether a program is something the customer wants to preserve or remove.
So the complexity of the thing, and the dual nature would lay at the core of this problem. So one conclusion is with uninstallers flagged, check and double-check before making a decisive decision upon what action to take.

polonus