Quickhorse - be careful about downloading the .exe file


ubercapper
11-22-2019, 02:54 PM
I was going to download Quickhorse to see what it offered but my on-access scan aborted the download. When I asked a security expert friend of mine why, he analyzed the exe with some of his tools and found a number of trojans and malicious code.







http://www.paceadvantage.com/forum/picture.php?albumid=10&pictureid=78

CheckMark
11-23-2019, 07:47 AM
Ouch! No good software is ever free, especially QuickHorse.

PaceAdvantage
11-23-2019, 07:51 AM
Here is a statement from their website:

Our installation of QuickDog/QuickHorse/QuickDogUK and other products contains no adware and no spyware of any kind and is guaranteed not to harm your computer. You may find our software on other websites, but those websites may have added adware (cnet for example) or their own spyware. These installations are also outdated and the software will not work properly. Therefore download our software from our website only.

In order that products become your Handicapping sidekick it will automatically download data files from the internet for you. It will also "talk" to our registration server on a regular basis to guard against piracy so that you know your subscription remains valuable because others are not using our software for free.

Because of its use of the internet and because our install is a simple "self-extracting zip file installation" our products are a target for anti-virus software programs' WARNINGS about how it might be harmful to your computer. We have a long term users forum where you can see clearly that our product is safe to use. You can go here - http://www.quickreckoning.com/forum.htm

Finally, companies such as Microsoft and other large companies would like small companies like ours to purchase a system from them for about $1500/year which allows our product to be recognized as a "safe download". To keep our pricing low on a yearly basis, we do not pay this bribe. Therefore when you begin the download process your web browser and some anti-virus software will tell you that our product isn't very popular and could harm your computer. Please ignore these messages and understand our position on paying bribes for large companies to call our product safe. For more information regarding this extortion CLICK HERE.

AVG anti-virus software has been known to block our Quickdog's installation entirely. The only way to install our software is to turn off AVG before downloading our software.

AVAST anti-virus software has been known to remove some of Quickdog's conversion routines so if you use AVAST anti-virus QuickDog may not properly convert downloaded data. Avast users should allow QuickDog and all other convert programs in the installation to install and run.

Norton Anti-Virus - We received a report that Comcast users and others who use Norton Anti-virus products are not able to download our software. Norton will report that our software hasn't been downloaded by enough of its users and therefore it will block the download. Since we use Comcast we were able to download Norton and discovered in our installation that by using the Setup, then setting Anti-Virus Auto-Protect to Off the installation went fine. You can then turn it back on. Our products do access the internet for registration and data download along with subscription verification.

http://www.quickreckoning.com/horse_racing_software_trial.htm

ubercapper
11-25-2019, 10:29 AM
I don't think I've ever seen warnings like that on a developer's site telling users in advance their software is going to be flagged for containing trojans and malware but it's all a ruse by big companies like Microsoft to get them to pay a fee to be labeled as virus free.

With all due respect for developers of software, I will trust the makers of (most) anti-virus and scanning engines, and particularly the expertise of someone in the business of IT security, over a small time developer.

PaceAdvantage
11-25-2019, 11:25 AM
So you're saying a small time developer would rather scare potential customers away by deliberately using spyware and/or viruses in their software?

Or that they are some sort of front for a spyware/virus spreading organization (even though no spyware ring in their right mind would waste time on a small-time handicapping program).

There have been MANY commercially available pieces of software, even some from BIG NAMES, that trigger false-positives in anti-spyware, anti-virus programs. It happens all the time.

Speed Figure
11-25-2019, 12:16 PM
If the expert engineers said the best way to prevent viruses is to jump off a building, would you jump?

Jeff P
11-25-2019, 12:25 PM
I'm a small time developer. I've been supporting JCapper downloads since 2003. (Fyi, my customers have been supporting Equibase by downloading from Brisnet since 2003 and HDW since 2010.)

If I had to make an educated guess about the number of downloads from my site and installs performed (by both customers and potential customers) I'd have to put the number somewhere around 7,000.

That might not seem like a great many downloads in an internet enabled world --

But I can assure you that's enough first hand experience supporting downloads/installs to be able to say, without hesitation, that the quoted language on the Quickhorse site paints an accurate picture.



-jp

.

ubercapper
11-29-2019, 02:20 PM
I'm a small time developer. I've been supporting JCapper downloads since 2003. (Fyi, my customers have been supporting Equibase by downloading from Brisnet since 2003 and HDW since 2010.)

If I had to make an educated guess about the number of downloads from my site and installs performed (by both customers and potential customers) I'd have to put the number somewhere around 7,000.

That might not seem like a great many downloads in an internet enabled world --

But I can assure you that's enough first hand experience supporting downloads/installs to be able to say, without hesitation, that the quoted language on the Quickhorse site paints an accurate picture.



-jp

.


Just to be clear, are you implying it's accurate that major companies essentially extort money from developers to be certified virus free, and if they don't pay up, multiple anti-virus engines will show many different viruses, malware and trojans upon examining the downloadable .exe file?


Also, I'm curious if you looked at any of the various trojans and other files in the image and if you, personally, would just go ahead and download a file which an anti-virus program states contains one of those.

Dave Schwartz
11-29-2019, 03:48 PM
I don't think I've ever seen warnings like that on a developer's site telling users in advance their software is going to be flagged for containing trojans and malware but it's all a ruse by big companies like Microsoft to get them to pay a fee to be labeled as virus free.

With all due respect for developers of software, I will trust the makers of (most) anti-virus and scanning engines, and particularly the expertise of someone in the business of IT security, over a small time developer.

Ubercapper,

:ThmbUp::ThmbUp:

Yup. You nailed it.

I use a similar approach to installing the HSH software.

I do not use the normal installation. For two decades, Microsoft has pushed to "do it their way," at the expense of the user.

I want people to be able to simply copy my software to a 2nd computer, along with the data.

The MS way would have me put the program in the "programs" folder and the data into the "program data" folder. By default, those two paths are not accessible by a user except in administrative mode.

That means you will have a difficult time backing up among other things.

When I asked MS some years ago why they did this the response was that they need to protect people from themselves.

No thanks.

AltonKelsey
11-29-2019, 07:41 PM
Ouch! No good software is ever free, especially QuickHorse.




lol, really?




ps, 16 hits is a lot. is it the same payload causing all the positives? if so, then they should work around it
I've downloaded many 100's of programs over the years and rarely see a scan like that on ANYTHING

Jeff P
11-30-2019, 02:26 PM
Ellis,

Would I install a piece of unfamiliar software knowing it was flagged as malware by my security software?

Of course not.

However, false positives generated by the better known 'names' in security software?...

It's a lot more common than most people realize.

I say that based on my own first hand experience - as well as first hand experiences other developers have written about.

Rick Strahl's Web Log
Dealing with Anti-Virus False Positives:
https://weblog.west-wind.com/posts/2016/oct/05/dealing-with-antivirus-false-positives

MADNESS!

In summary - on its own the Exe is fine. On its own the installer minus EXE is fine. The full distribution zipped up plain without the installer is also fine. All fine, but the combination of installer plus my EXE results in multiple AV hits.

Yup that makes perfect sense. NOT!

This really makes you wonder how much faith you should have in these anti-virus solutions. If the individual parts are clean but the combined parts trigger, something is seriously amiss in the detection process. Further if you look at the original screen shot of the AV hits, every vendor seems to be triggering on a completely different threat. Again how should this be possible if individually the files are fine, but packaged they are not? How reliable is this stuff really?


--and:
Anti-Virus Hell

At the end of the day, this was a major pain in the ass, when essentially it came down to false positive AV scores. But, there's really nothing I could do other than try to work around the issues I mentioned in the end having to completely ditch my perfectly fine installer software for an alternative, just to get a different result. Nothing has changed - the same binaries are deployed as before, the same installation changes are made - one solution flags AV, the other does not. And that is just not cool and leads me to think that much of the AV tracking is not as sophisticated as we'd expect it to be.

To be fair most AV vendors have Web sites to submit false positives and the three I submitted to were responsive to rescanning (and ultimately stating there's nothing wrong with files). But that's not a sustainable solution if you push out new builds that are likely to trigger again in the future.

This is a pain for software vendors to say the least. I'm at the mercy of the AV software that is essentially holding software hostage based on false positives. Nobody wants to install software that is flagged as malware - even if you trust the source.

While searching around and Twittering about the issues I ran into, I got an earful from other developers who've gone through similar pains.


-jp

.

NorCalGreg
11-30-2019, 04:49 PM
I've sold 100's of software programs...almost everyone gets this message:

https://i.postimg.cc/nVXrC9PN/warning.png




The user clicks "run anyway" and it works perfectly. I've never had anyone have any problem, with the exception of one user whose virus settings wouldn't allow anything through. He simply changed his settings temporarily, and downloaded the program as usual.

No one else has ever had an issue.

-NCG

headhawg
11-30-2019, 05:16 PM
One of the best solutions is for the developer to create a hash of the file to be downloaded. The user can then compare the developer's posted hash and compare it to the hash of the downloaded file. If the hashes don't match, then the file has been altered. If you use 7-Zip, it already includes the ability to check hashes. Here's a link to an article that explains this better.

What are hashes? (https://www.howtogeek.com/67241/htg-explains-what-are-md5-sha-1-hashes-and-how-do-i-check-them/)
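The hash check described in the post above, as an added example that is not part of the original thread or any poster's code. It streams the downloaded file through SHA-256 and compares the result with a digest the developer has published, accepting either a bare digest or a `sha256sum`-style line; the file name `Install_Example.exe` and its bytes are constructed for the demo.

```python
import hashlib
import hmac
import os
import re
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large installer is never held in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_published(text, filename):
    """Return the digest for `filename` from a bare hex digest or from
    sha256sum-style lines ('<hex>  name' or '<hex> *name')."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([0-9A-Fa-f]{64})(?:\s+\*?(.+))?", line)
        if not m:
            continue
        digest, name = m.group(1).lower(), m.group(2)
        if name is None or os.path.basename(name.strip()) == filename:
            return digest
    raise ValueError(f"no SHA-256 entry for {filename}")


def verify_download(path, published_text):
    """Return (matches, expected, actual) for the file at `path`."""
    expected = parse_published(published_text, os.path.basename(path))
    actual = sha256_file(path)
    return hmac.compare_digest(expected, actual), expected, actual


def demo():
    """Constructed sample: the file verifies, then fails after one byte changes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Install_Example.exe")  # hypothetical name
        with open(path, "wb") as f:
            f.write(b"MZ" + b"constructed installer bytes " * 1000)
        # Published digests are often upper-case; parsing normalises the case.
        published = ("# SHA-256 checksums (constructed)\n"
                     f"{sha256_file(path).upper()} *Install_Example.exe\n")
        ok_before = verify_download(path, published)[0]
        with open(path, "ab") as f:
            f.write(b"\x00")  # any alteration, even one byte, changes the digest
        ok_after = verify_download(path, published)[0]
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

A match shows only that the file is byte-for-byte the one the developer published the digest for. It says nothing about whether an anti-virus detection on that file is a false positive.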

Jeff P
11-30-2019, 05:29 PM
Just to be clear, are you implying it's accurate that major companies essentially extort money from developers to be certified virus free, and if they don't pay up, multiple anti-virus engines will show many different viruses, malware and trojans upon examining the downloadable .exe file?


Also, I'm curious if you looked at any of the various trojans and other files in the image and if you, personally, would just go ahead and download a file which an anti-virus program states contains one of those.

Ellis,

Re: the bolded part of the above quote --

In a practical sense: Yes.

One way to get the makers of AV programs to not flag your downloads with false positives is to purchase a Digital Code Certificate. (This is what I think the language on the Quickhorse site is referring to.)

Imo, purchasing a digital certificate is not 100% guaranteed but sometimes it does help.

I actually purchased one from HP when they first began shipping win 7 laptops. In return I was given direct access to US based tech support (actual engineers) who in turn walked me through a work-around process while they were logged into the machine remotely in order to grant the purchaser of the machine true admin rights to allow install of third party software (like JCapper) which had been flagged as "a program not normally installed" (their words not mine.)

Without help from HP's engineers I don't think I would have ever been able to get true admin rights on that machine and complete the install.

I guess HP got tired of being contacted by developers like myself. I seem to recall a month or two after those first win 7 HP machines hit the market there was a windows update that quietly gave the owners of those machines true admin rights - which enabled them to install third party software on machines they had paid for (without having to call HP tech support.)

So yes.

Here's a link to a site where you can purchase Digital Certificates:
https://www.thawte.com/code-signing/content-signing-certificates/microsoft-authenticode/

The prices have come down a bit from what I recall seeing a few years ago.

Right now as I type this these are the prices at the above link:
1 year - $299
2 year - $519
3 year - $749



-jp

.

Dave Schwartz
11-30-2019, 05:38 PM
One of the best solutions is for the developer to create a hash of the file to be downloaded. The user can then compare the developer's posted hash and compare it to the hash of the downloaded file. If the hashes don't match, then the file has been altered. If you use 7-Zip, it already includes the ability to check hashes.

Great information but...

Okay, if you aren't a developer, please raise your hand if you would go through this to install software.

:ThmbDown:

headhawg
12-01-2019, 09:22 AM
If you are a trusted developer that sends install/update packages via a secure, private link then no, you wouldn't need to include hashes. But take the case of QuickHorse. If that developer used hashes people would be more inclined to download it and be less worried about AV false positives.

ubercapper
12-02-2019, 11:03 AM
lol, really?

ps, 16 hits is a lot. is it the same payload causing all the positives? if so, then they should work around it
I've downloaded many 100's of programs over the years and rarely see a scan like that on ANYTHING

I think the answer to your question about payload is yes. All the hits came just looking at the quickhorse.exe file.

This is what my IT friend wrote:

I had to perform this on an isolated virtual desktop so that I did not infect my system. Secondly, multiple vendor security protections I had to disable, one by one, since all of them detected malicious code and software inside this install file.

Once I was able to make my isolated virtual desktop completely naked and bare without any protections (including Windows Defender) I was able to download this malware-laden installation file. I did scan the file with various and multiple vendor security malware software engines. Below is the screenshot that provides detections on this as being a malicious and dangerous code.

I know a lot less about this than you, Jeff, Dave or many others on PA. I get what Jeff and Dave wrote. Still, if you read what my friend wrote me, in addition to sending the screenshot of all the AV hits, my question is "Is this normal?" and if not, I'm curious how far out of the range of normal is it?

PaceAdvantage
12-02-2019, 05:52 PM
This particular download of QH...you downloaded directly from the QH website? Or from one of those "Shareware" websites that offer a ton of "free" software for download?

Given what they have posted on the QH website, this is an important question that I don't think has been definitively addressed.

Gorrex
12-04-2019, 11:34 AM
Years ago I built "Raven" for a now defunct wagering company. When I first built it several AVs flagged it.

Once I found out I submitted it as a false positive and about 2 weeks later it was okay.

If these guys are legit they can easily get the false positive removed. It's not at all rare for unknown legit software to flag AV, but it's extremely easy to get it fixed.

ubercapper
12-05-2019, 11:44 AM
This particular download of QH...you downloaded directly from the QH website? Or from one of those "Shareware" websites that offer a ton of "free" software for download?

Given what they have posted on the QH website, this is an important question that I don't think has been definitively addressed.


It was right from the link on this page http://www.quickreckoning.com/horse_racing_software_trial.htm


which goes to http://www.quickreckoning.com/Install_QuickHorse.exe

cj
12-05-2019, 10:23 PM
From Malwarebytes (full version) scan on the Install_QuickHorse.exe file:

https://i.ibb.co/gwygYwD/quickhorse.png

QuickHorse
02-23-2020, 08:50 AM
I was going to download Quickhorse to see what it offered but my on-access scan aborted the download. When I asked a security expert friend of mine why, he analyzed the exe with some of his tools and found a number of trojans and malicious code.







http://www.paceadvantage.com/forum/picture.php?albumid=10&pictureid=78




This is very interesting because my company uses the same VirusTotal Website and I just scanned our "Install_QuickHorse.exe" software and only two sites "Dr. Web" and "Trust Wave" did any flagging of it.

If you wish, you can do the same on your computer by going to VirusTotal.com and naming the URL for our download which is -

http://www.quickreckoning.com/Install_QuickHorse.exe

This is the pure link to our product.

Now I can not read WHERE IN THE WORLD Ubercapper is checking this file from, but it's NOT DIRECTLY FROM OUR WEBSITE as I have indicated above.

Thanks to the many developers of other products who posted here and agreed with me that small concerns are being taken advantage of for simply posting products they've developed.

Mike Groves
Support Manager - QuickReckoning.com
Makers of QuickDog and QuickHorse Software

SandyW
02-23-2020, 03:16 PM
Norton will not let me load your quickhorse from this site.


http://www.quickreckoning.com/Install_QuickHorse.exe

QuickHorse
02-23-2020, 04:21 PM
That's kind of funny because I've dealt with Norton over this issue of wrongly telling users that our product is a virus, and "they fixed it". Problem is they have to "fix it" every time we change that executable.

All I can tell you is to either get another anti-virus that doesn't give you false positives and keeps you from using perfectly good products, or use your interface in norton to say QuickHorse is safe.

Norton is simply one of those large companies that basically hurt the little guys, and nothing short of suing them right along with Microsoft and the rest of these larger companies is going to make them change.

It would be nice to get with other smaller players and develop a class action suit. One of my customers told me it's like having a guy standing outside your restaurant and telling everybody walking up to the door "Hey, you don't want to go in there - there's rats and the food is not cooked and many people have gotten ill".

You know what - that customer is right.

Mike
PS - looks like Norton won't even play along with VirusTotal. It is not listed there which means Virustotal can not send the file to them to have it analyzed as it does with the other providers. So, again, Norton is the problem NOT our software.

ubercapper
02-24-2020, 09:49 AM
Now I can not read WHERE IN THE WORLD Ubercapper is checking this file from, but it's NOT DIRECTLY FROM OUR WEBSITE as I have indicated above.

Mike Groves
Support Manager - QuickReckoning.com
Makers of QuickDog and QuickHorse Software


It was on this page

http://www.quickreckoning.com/horse_racing_software_trial.htm



and from this link

http://www.quickreckoning.com/Install_QuickHorse.exe

QuickHorse
02-24-2020, 10:02 AM
That's not what your output shows. It shows that the file tested is in the cache (it appears) of whatever computer it was downloaded to. That is NOT DIRECT. Whoever did your analysis did a FILE rather than a URL according to the displayed output. So, that's not pure simply because once you download our install file to a computer, there is no telling what viruses ALREADY EXIST on that computer. So I can easily say that's not a fair test.

I did the reference by URL and NOT FILE so Virustotal went directly to the file on our website, not indirectly through another computer's cache files which may have been infected.

So, just do as I've asked others to do IF YOU ARE REALLY SINCERE HERE and use virustotal.com on the actual URL and see what it does for you. No sense in going backward to something done last fall which was, FOR WHATEVER YOUR REASON IS, the nexus of this post.

As for the few others reading this, our software doesn't contain viruses of any kind and false positives are NOT POSITIVES. We have 100's of happy QuickHorse customers so we're doing fine but I respect someone's choice not to download our software. There is NOTHING WE CAN DO to prevent these companies from falsely listing our product as having "trojans". Because I know our software is free of Trojans then I can only conclude that the process used by these companies is simply a guess and I've already explained the Microsoft DLLS that we tested along with WINZIP which we used to use and which showed that anti-virus software has flagged these products.

That's all folks. I think I've stated my company's position here and nothing more need be said.

Mike

Red Knave
02-25-2020, 02:46 PM
It shows that the file tested is in the cache (it appears) of whatever computer it was downloaded to. That is NOT DIRECT.
Mike, ubercapper mentions that his friend was using a virtual machine so the filename makes some sense.
my question is "Is this normal?" and if not, I'm curious how far out of the range of normal is it?
Yes, it is normal. Antivirus and anti-malware software typically use a 'signature' to spot malicious code. This could be anything from matching a string of characters, heuristics, actual assembler instruction sets etc. to a database of known bad actor code all of which can be innocently created in any software. The premise being that it's better to be overcautious.
I've used Mike's software in the past with no issues.
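A simplified model of the signature-and-heuristic matching described in the post above, and of the "parts are clean, the packaged installer is flagged" experience quoted earlier in the thread. This is an added example, not code from any poster or from any real anti-virus engine: the rules, weights, threshold, byte pattern and sample files are all constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ZIP_MAGIC = b"PK\x03\x04"                    # local-file header of a zip archive
PATTERN = bytes.fromhex("c0ffee0ddba110")     # constructed "known bad" byte string
THRESHOLD = 50                                # constructed: score at which a file is flagged


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int
    matches: Callable[[bytes], bool]


def is_exe(data: bytes) -> bool:
    return data[:2] == b"MZ"                  # DOS/PE executable header


# Each rule is weak evidence on its own; only the sum is compared to THRESHOLD.
RULES: List[Rule] = [
    Rule("exe-with-embedded-archive", 30, lambda d: is_exe(d) and ZIP_MAGIC in d[2:]),
    Rule("embedded-url", 15, lambda d: b"http://" in d or b"https://" in d),
    Rule("byte-pattern", 25, lambda d: PATTERN in d),
]


def scan(data: bytes) -> Tuple[int, List[str], bool]:
    """Return (score, names of rules that matched, flagged?)."""
    hits = [r for r in RULES if r.matches(data)]
    score = sum(r.weight for r in hits)
    return score, [r.name for r in hits], score >= THRESHOLD


def build_samples() -> Dict[str, bytes]:
    """Constructed, benign byte strings standing in for real files."""
    app = (b"MZ" + b"constructed application code " + PATTERN +
           b" http://updates.example.invalid/data ")   # pattern occurs by chance
    stub = b"MZ" + b"\x00" * 64 + b"constructed self-extractor stub"
    archive = ZIP_MAGIC + app                           # the app packed in a zip
    return {
        "app.exe": app,
        "stub.exe": stub,
        "app.zip": archive,
        "installer.exe": stub + archive,                # self-extracting installer
    }


def verdicts() -> Dict[str, bool]:
    return {name: scan(data)[2] for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, scan(data))
```

In this model every component stays under the threshold, while the self-extracting installer that combines them scores 70 and is flagged, although no byte of content has changed.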