Thursday, April 25, 2013

Recovering From Accusations of Malware


Here is the story of my 8 year battle against false reports of malware in my software, how I eventually won that battle, and how you can ensure the same thing doesn't happen to your website or products.

The Beginning: Can one person make an effective anti-spyware product?

In 2005 my software company was two years old, I had a good number of customers, and people were hungry for more private label software.  The economy was great and I had a lot of requests to create new private label applications.

In particular, there were many requests for anti-spyware and anti-virus products.  However, I always turned them down citing the inability to maintain a good definitions database.

Eventually, I found a way that I could maintain a definitions database for spyware (not antivirus) by creating internal software that sourced information about files from the web, meaning I didn't need a team to maintain definitions.

With that, I created what I think was a fairly good and safe anti-spyware product that I called Ad-Purge.    Upon release it sold well and people seemed to like it for a light-weight spyware solution.  However, because of the crowd sourced definitions it was prone to false positives: if a lot of websites thought a file was spyware then Ad-Purge did too.

The Spyware Warrior on the Offensive

Within a few months of release Ad-Purge was labeled as a "rogue anti-virus product" by a person who called himself Spyware Warrior.  I, of course, was appalled.  I wrote to him trying to clear my name; I made changes to the software to make it more consumer friendly; I kept a close watch on the definitions to avoid false positives, but Spyware Warrior was determined that I created the product with bad intentions.

I eventually decided that Mr. Spyware Warrior was simply a jerk and went back to what I enjoyed: writing software instead of spending time trying to appease him.  This was a mistake, for the spyware community took his opinions as fact causing Ad-Purge, and worse my website, to show up on many different blacklists and malware sites.

In 2008 I was forced to simply discontinue Ad-Purge in order to avoid being caught up in any more of these false accusations.  Eventually the false positives went away for the most part and business resumed as usual.  I continued to sell the private label version but made sure my customers could not repeat my mistakes.  In particular, I turned down many requests from my customers to make the demo version detect spyware but not remove it until the software was purchased in full.

Five Years Later

Recently, in 2013, I became aware that my website and business had extremely negative reviews on a crowd sourcing security website called Web of Trust (WOT).  Upon closer inspection I discovered that we had some good customer reviews but the vast majority listed us as a malware website!

Here is our current Web of Trust page:

I began by replying to each of the user reviews that cited malware and asking them to reevaluate their ratings.  They were helpful but reluctant to change their rating unless I had my software removed from various website reputation scanners, for example:

URL Void:
Virus Total:

These tools list scan results from various security software vendors.  If any of the vendors think your website is malicious then it is a bad sign. was listed by over 20 different vendors as being a distributor of malware.  When I contacted some of the vendors they made circular references: we can't take you off our list because you're listed on URL Void.  Obviously I couldn't get removed from URL Void without them first taking me off their list.

The Solution

What I had to do was track down every suspicious file or URL that was being tracked by these vendors, make sure it was actually safe, and use all of their false positive reporting tools to contact them individually.

I noticed when scanning my software executables that thought many of my programs written in Visual Basic 6, our older programming language, were spyware.  As a simple test I recompiled the software on an updated system, resigned our executables and installers, and uploaded the new copies to our website.  This took care of about 75% of the false positives.  I don't know what they were keying on, maybe an old VB6 .dll file, but I suspect that those files are used by potentially millions of applications written in the early 2000s that are also being falsely accused of being spyware.

Next, I went through all the URLs on our site that were flagged as malicious.  Many of them were old URLs that are not even in use, pointing to blank pages or error messages.  It seemed that many of the vendors never bothered to check what was actually at the URL they were condemning, they simply found it listed by other vendors and added it to their own database.

Armed with the knowledge that everything on my website was safe I began submitting false positive reports to the antivirus vendors.  Sometimes you have to sign up and post on a forum, sometimes there is a false positive submission form, and sometimes you have to download the company's product and register your email address (sketchy).

Most vendors removed the false positives right away, but many took no action or used more circular logic.  I wonder if they actually look at the content of files and URLs or they just crowd-source their definitions like I did... lesson learned.

When it came down to only 4 or 5 websites reporting malware I resolved to contact them every day, repeatedly, until they responded.

I have also been tracking down blog posts which list us as a malware distributor and leaving comments that explain what my company does.  A quick look at my website shows that my apps are highly rated on places like the Mac App Store and the Windows Store, meaning they have been scrutinized and vetted by companies who hopefully would never let malware into their systems.

Are My Customers Malicious?

I wonder how, after the 2008 incident, all this started up again and I suspect that I have a small number of customers who are actively using my rebranding services to create fake programs and distribute viruses with them.  I rebrand our software for other companies to sell, and I suspect that some of my customers must be modifying the executables after I deliver them.

I don't have a good way of knowing whether it is deliberate or not.  It's certainly possible that one of my customers had an infected computer, purchased clean software from me, downloaded it, it was infected on their computer, and then they tried to distribute it.  Obviously this is a bad practice and all software should be verified clean before distribution.

One sure indicator of a fraud is when I am paid hundreds of dollars for a product and the purchaser seems to take no interest in their final product's quality.  They will upload poor quality images even though my artist can create professional graphics for them for free.  Sometimes they provide URLs which are dead or point to an unregistered domain.  Then their payment will be charged back and I know the whole thing was a ruse.  Was this someone with malicious intent or just someone trying to use a stolen credit card?  Maybe both?  I don't know.

I've learned to spot those obvious cases, but I certainly can't tell a person's intentions from their normal transactions with me.  It is against our terms of service for our customers to do anything illegal with the software purchased from us, including distribute malware or engage in scamming.  The vast majority of my customers are people interested in making money with shareware or trying to offer a bonus product to their customers.  Having software with your name on it can impress clients, make your website more legitimate, create more sales for other products when packaged, etc.

I don't think it's up to me to judge people's intentions.  All I can really do is respond to any inquiries by anti-virus vendors.  

The number of anti-virus vendors who have contacted me in the past 10 years about my software or my customer's?  Zero.

In the end I simply decided to discontinue the anti-spyware product entirely.  I will continue to update the definitions database for the legitimate customers who vastly outnumber the potentially bad ones.

My Name Is Cleared, Kinda

Now, finally, I have been removed from every major website credibility reporting tool and most anti-virus vendors.  One vendor, AlienVault, responded to my technical support request with a phone call from a sales rep.  When I asked him if the support team knew how I could report a false positive he asked them and responded "They don't know but they're looking at like 7 monitors right now."  Ugh.

I have bookmarked my WebOfTrust, URLVoid and VirusTotal pages and intend to check them frequently.  If you have websites or distribute shareware I highly recommend you do the same.  These anti-virus vendors are not going to contact to you if your site or products get falsely accused.  And worse, if any false positives start making the rounds they are sure to be amplified by security vendors copying each other's records.  It's something that has to be stopped immediately or it spreads out of control.

Web of Trust currently reports that my website is trusted, but only barely.  My hope is that their users will reevaluate my website and change their scores.  I'm also going to start promoting Web of Trust on my website so that my actual customers can report their good experiences.  If you have a moment, I sure would appreciate a positive rating there:

Now, hopefully, I can get back to what I really love: writing apps!

Thursday, February 28, 2013

Losing Weight With Easy Calorie Counter: Part 1


I've been developing and using my app Easy Calorie Counter (available for Windows and Mac) for about a year now and using it in conjunction with running and exercise to lose weight.  You can see a screenshot of it below:

I'm male, 34 years old, 5'8", and I brew my own beer which makes it particularly easy to go overboard on calories if I'm not careful.

In the Summer and Fall of 2012 I managed to lose 13 lbs, moving from 165 lbs. to 152 lbs, and have kept the weight off since then.  I've learned a lot about what works so I'll be posting a series of tips for others who might be struggling.

Tracking your calories is the key.  During my first cycle of P90X I actually gained weight, going from 162 to 165 over a period of three months.  I was so hungry from all the extra exercise that I ate a lot of high calorie foods, and I didn't track what I ate.

You don't have to use Easy Calorie Counter for this to work, but it's only a few dollars and there's a free demo available here.  You could even start tracking what you eat with pen and paper, that's what I did and what prompted me to write the app in the first place.

Tip #1 - Finding your target calorie level

Losing weight is all about math.  The bottom line is that you have to burn more calories than you take in and your body will do the rest.  Easy Calorie Counter has a built in calculator to help you find your target fat loss calorie level.  Here's a screenshot:

Here you can see I've selected Lightly Active.  I work at a computer all day but I exercise every day of the week, which would probably make me Moderately Active.  

I think that this calculator, which uses either of two respected formulas for calculating fat loss calories, gives results that are a bit on the high side.  My sweet spot seems to be 1600 calories per day.  With that amount I tend to lose a little bit more than 1 pound per week.  But everyone is different, and a computer can never give a perfect number for something like this, so here is how to find your real fat loss calorie level:
  1. Run the calculator to get an estimate of your fat loss calories
  2. Weigh yourself on an empty stomach (try it right after you wake up and use the bathroom)
  3. Use a calorie calculator to eat as close to your target calories as you can for 1 week
  4. At the end of the week, weigh yourself again on an empty stomach. Did you:
  • Maintain your weight?  Consume 500 fewer calories per day and repeat step one
  • Gain weight?  Consume 500 fewer calories per day and repeat step one
  • Lose 1-2 pounds? Perfect!  Maintain to reach your target weight!
  • Lose 3 or more pounds?  Consume 300 more calories per day and repeat step one*
*People who are heavier are likely to lose 3+ pounds per week, which is ok

Repeat those steps until you find your real number for fat loss calories that causes you to lose 1-2 pounds per week.  It might take a few weeks, it took me 2 or 3, but once you know that number you'll be armed with all the information you need to really lose weight and keep it off.

In the next installment I'm going to show some examples of ways to shave off calories without being hungry all the time.  There are some nice substitutions you can make in your diet that make it easy.  You might even still have room for a beer if you're careful!

Getting my apps on the Windows Store requires... a Mac?!

It seems that Microsoft is intent on turning me against them.

First, they don't allow my Desktop Apps to be truly listed on the Windows Store.  They link to my app's external website instead.  Not that there's anything wrong with the homepage for Easy Password Storage, the app I'm trying to register, but I wish customers could use the payment information they have already entered into the Windows Store and directly rate my app.  Apparently that is only possible with Metro style* apps, despite the fact that my apps run great on everything from Windows XP to Windows 8.

Next, in order to get my app certified I have to have a $99 signing certificate from Symantec and only Symantec will do.  What's wrong with my industry standard Comodo certificate which have already paid for and jumped through many hoops to obtain? My guess is nothing...

So, eventually, I received my Symantec wonder-certificate and my MS developer account and had my Windows App Certification Kit software installed.  When I ran it I was informed that reports generated with Remote Desktop were invalid for some reason that is not made clear.

Luckily, I managed to find a workaround which allows me to connect remotely and still certify my apps, essentially proving that either Remote Desktop is a crappy application or there is no reason to refuse a Remote Desktop application when certifying apps.

I finally ran the certification kit, got a result of "Passed", and was ready to submit my app!  Hooray!

Not so fast!  When I uploaded my certification XML file to the Windows App Certification page, I was informed that:

* The submission package is invalid as this was generated using an invalid toolset architecture. This website accepts submissions from 64 bit toolset architecture only.

Ok, no problem, I purchased Windows 7 a few years ago and my current hardware supports 64 bit architecture: I'll just upgrade to a 64-bit version, right?  Wrong.  You can't update Windows from 32 bit to 64 bit without wiping your machine, reinstalling all your software and restoring all of your backed up files.  It's possible but risky, not to mention a huge waste of my time.

So what is my solution?  Use my Mac.

I'm currently installing a copy of my Windows 7 64 bit using VirtualBox on my Macbook Pro.

Then I can use my virtual copy of Windows on my Mac to complete the Windows App Certification.

Ah, the irony.

*I know Microsoft has tried to ditch the name "Metro" but it's burned in my brain and I like to tease them with it.

How to use the Windows App Certification Kit through Remote Desktop

In the past few years I've become a Mac lover dispite decades of Windows use. I work primarily on my Macbook Pro and have disassembled my old home office in favor of an all-mac, all wireless environment.

About a year ago I moved my Windows XP and Windows 7 machines into the "server room" where they run without monitors, keyboards or mice.  I use Remote Desktop from my Macbook to connect to them so now I can work from anywhere in the house or on the patio wirelessly.

Recently I decided to get my apps listed on the Windows Store.  This week I've been paying a lot of attention to Easy Password Storage, one of my most highly rated apps on the Mac App Store, and the fone I want to get posted on the Windows Store first.  To get it approved I have to run the Windows App Certification Kit.  It installs my app, checks that all the files have a digital signature, runs diagnostics and gives a report which can be uploaded to Microsoft.

There's one hitch, though: Remote Desktop is not allowed!  I assume it has something to do with video benchmarks, but it's a major annoyance for me.  Surely there is someone else in this situation, which is why I decided to write about it.

Imagine my surprise when I found out that to get my app certified I would need to get a monitor, keyboard and mouse, hook them into my old Windows box and sit on the floor next to a cat litter box.  Yes, it's true, the "server room" is really a closet where cats poop all day.  That is the extent of my disdain for those old windows boxes.

If you try to certify your app over Remote Desktop your app is immediately rejected.  I gathered my old monitor, keyboard and mouse but could not find a cord for my monitor.  After two years of almost all wireless the ordeal seemed particularly archaic.  Shouldn't I be able to stream an HD version of my monitor?  I can stream HD movies from Netflix... Why would app certification require a physical monitor?

It turns out my distress was for naught because I have found a simple workaround: as of this writing the Windows App Certification Kit doesn't realize the connections using are remote desktop connections.  The workaround will probably work with other remote login services as well but I have only tested with

The results: Passed with Warnings.  Here's a screenshot:

The warnings are unrelated to using a Remote Desktop agent: it says my app didn't properly respond to system restart notifications.  I think it's safe to ignore, but it could certainly be the topic of a future blog rant.

The real victory: I won't have to endure the "server room" any time soon!

Thursday, February 21, 2013

Tips for external links and social media within apps

I've been trying to link to social media sites within all of my apps.  Within each app you can do the following things:

-Click to Rate (this either brings you to our website's rate page, or the Mac App Store)
-Click to Tweet (composes an example tweet that links to the proper app)
-Click to Follow (launches my twitter page)
-Click to Like (launches the appropriate facebook page for the app)
-Click to Friend (launches my facebook page to friend or follow)

If you click any of the links above you'll see that they're not actually linking to Facebook or Twitter, but to my own website,  From there, a page on my website redirects to the actual Facebook or Twitter page.

I never know if/when I might have to change my Facebook URL or my Twitter handle.  This way, all my apps are pointing to a page on my website instead of directly to Facebook or Twitter. I can change that page to redirect to a new URL at any time.

I will never have to change the URLs within my apps again.  If my Facebook or Twitter URLs change I can update the pages on my website, instead of rebuilding and redistributing all of my apps.  Even customers using old versions will be brought to the correct URL without having to update first.

I think this lesson applies to any time you're linking to an outside source: keep control of the links by sending them through your own server first to redirect to the proper URL.  It's also a handy memory tool:
is much easier to remember than

Saturday, January 26, 2013

Going live with a new website!

It's been many months in the making and today I'm going live with a complete redesign of

There is an overwhelming amount of legacy data and services that we have to continue supporting through the merge:

-Existing customers, usernames and passwords
-Services that our software depends on
-Existing sales
-Integration with

So I've tried my best to make sure everything will work with only minor interruptions.  Let's hope for the best and email me at if you're having any issues!