Windows Defender

| Knowledge Base ID | KB04190601 |
| Category | INFORMATION |
| Affected Product | Rawether for Windows |
| Affected Versions | All |
| Affected Platforms | Windows NT, Windows 2000, Windows XP, Windows Server 2003 |
A PCAUSA driver user sent an email reporting that his copy of the Microsoft Windows Defender product made the following report about a PCAUSA NDIS protocol driver:
    Windows Defender Real-Time Protection agent has detected potential malware.
    For more information please see the following: http://www.microsoft.com
    Scan ID: {EACB2E81-D6F9-424D-8A8E-10DA1D44D09F}
    User: P4SERVER\Administrator
    Threat Name: Unknown
    Threat Id:
    Threat Severity:
    Threat Category:
    Path Found: driver:PCANDIS5;file:C:\WINNT\system32\PCANDIS5.SYS
    Threat Classification: Unknown
    Detection Type:
On April 19, I posted a note letting others know about this potential issue and sent an inquiry to the Windows Defender team about this message. I wasn't pleased with the canned response from the Defender team.
However, now that I have had some time to actually examine the interaction between Windows Defender and the PCAUSA Rawether for Windows drivers, I can say that I was very pleased with Defender's behavior!
Testing at PCAUSA used the most recent version of Windows Defender that was available as of April 24, 2006. Defender was installed on a clean copy of Windows XP SP2 and was set up with the Tools option "Join SpyNet" enabled. Joining SpyNet is an important step in this test because it also turns on the features that detect changes to system settings.
The tests involved two users of the Windows XP host: myself and George Bozo. I have Administrator privileges and George is an ordinary user with no special privileges.
The tests used the standard Rawether for Windows single-image signed installer from this URL:
The Rawether for Windows product installs one or more device drivers. The Rawether installer is designed so that it will not actually install unless the user has Administrator privileges.
The normal steps for installing and using Rawether are:
If these steps are followed, Windows Defender does issue a warning the first time each PCAUSA NDIS protocol driver is run (steps 2 and 3). These warnings identify the device driver being installed and the application that is trying to run it. Defender points out that installing a driver is always a potential problem unless you trust the publisher, and offers the user the option of allowing or preventing the operation.
Here is a sample Windows Defender notice:
In my opinion, these are reasonable warnings and Defender presents enough information for the user to make an informed decision about allowing or preventing the driver installation.
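To turn a Defender driver prompt into that informed decision, here is an added PowerShell example (not PCAUSA's or Microsoft's code) that triages an alert like the one quoted above before anyone clicks Allow. It parses the alert's "Path Found" value, looks up how the named driver is registered as a service, and reads the Authenticode signature on the file so the publisher can be compared with what the prompt shows. The function names and the sample input line are assumptions for illustration.

```powershell
# Added example, not PCAUSA's or Microsoft's code: triage a Windows Defender
# driver alert before allowing it. Function names and the sample input are
# assumptions for illustration.

function ConvertFrom-DefenderPathFound {
    # Parses a Defender "Path Found" value of the form
    # "driver:<ServiceName>;file:<Path>" into a hashtable.
    param([Parameter(Mandatory)] [string] $PathFound)
    $parsed = @{}
    foreach ($item in ($PathFound -split ';')) {
        if ($item -notmatch ':') { continue }
        # Limit to 2 pieces: the file path itself contains a colon (C:\...).
        $kind, $value = $item -split ':', 2
        $parsed[$kind.Trim()] = $value.Trim()
    }
    return $parsed
}

function Get-DriverAlertTriage {
    param([Parameter(Mandatory)] [string] $PathFound)

    $found   = ConvertFrom-DefenderPathFound -PathFound $PathFound
    $service = $found['driver']
    $file    = $found['file']

    $report = [ordered]@{
        Service         = $service
        FileFromAlert   = $file
        RegisteredImage = $null
        StartType       = $null
        FileExists      = $false
        SignatureStatus = 'Unknown'
        Publisher       = $null
    }

    # Kernel drivers are registered as services; compare the registered
    # binary with the one Defender named. A mismatch deserves a closer look.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$service"
    if ($service -and (Test-Path -LiteralPath $key)) {
        $svc = Get-ItemProperty -LiteralPath $key
        $report.RegisteredImage = $svc.ImagePath
        $report.StartType       = $svc.Start   # 3 = demand start, loaded when an app opens it
    }

    if ($file -and (Test-Path -LiteralPath $file)) {
        $report.FileExists = $true
        $sig = Get-AuthenticodeSignature -FilePath $file
        # Catalog-signed (.cat) drivers carry no embedded signature and show
        # NotSigned here; verify the package catalog separately in that case.
        $report.SignatureStatus = [string]$sig.Status
        if ($sig.SignerCertificate) {
            $report.Publisher = $sig.SignerCertificate.Subject
        }
    }

    return [pscustomobject]$report
}

# Constructed input: the "Path Found" field from the alert quoted in this article.
Get-DriverAlertTriage -PathFound 'driver:PCANDIS5;file:C:\WINNT\system32\PCANDIS5.SYS' | Format-List
```

A Valid signature status only tells you who signed the file; whether you trust that publisher is exactly the decision Defender is leaving to you. A RegisteredImage that does not match the file Defender named, or a file with no signature at all, is a reason to choose Prevent and investigate further.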
The Windows XP Windows Defender action notices are remarkably similar to the warnings built in to Windows Vista.
After running each driver once as Administrator and running the PCANUser application, nothing more is heard from Defender. Non-admin users (George Bozo) can run the NDIScope application without any problems.
An abnormal installation scenario for Rawether for Windows is for a non-Admin user (George Bozo, in this case) to attempt to install the Rawether package. Here the install is completely prevented - as it should be.
The notice may differ on different machines by referencing other PCAUSA NDIS protocol drivers, including:

    PCANDIS5.SYS
    PCAMPR5.SYS
    PCASP50.SYS
    PCAMP50.SYS
    Various OEM-selected driver names
These drivers are licensed by PCAUSA for distribution by a variety of 802.11 and powerline adapter vendors. The OEM customers use the PCAUSA drivers to control various aspects of the operation of their adapters.
If you are a PCAUSA OEM you might notice something that may confuse your customers. In particular:
    Notice that the Publisher is "Printing Communications Assoc., Inc.".
    Notice that the Product name is "Rawether for Windows".
If your company is "XZYLink Adapter Co." and your product is "DaBestAdapter", your customers will probably not associate the PCAUSA publisher and the Rawether for Windows product with your company or product. In some cases, your customer may elect not to install the driver because of this misunderstanding.
If you are an OEM using a PCAUSA driver:
PCAUSA OEM customers should consider getting a private-labeled version of the PCAUSA drivers to eliminate customer confusion.
Yes, there is an additional cost involved, but it should improve the customer experience.
In addition, PCAUSA OEMs should consider the following:
It is very important to design their product installers so that the need for Administrator privileges to install the product is clear to the user.
It is also important to test product installers in environments that include Windows Defender and similar protection suites.
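As an added illustration of the two points above (example code, not PCAUSA's installer), here is a PowerShell pre-flight check that an installer for a kernel-mode driver package can run before it does anything else: it refuses to proceed unless the current token is in the Administrators role and says plainly why, and it shows the user the same publisher name that Defender's prompt will show. The product name, driver path and function names are hypothetical placeholders.

```powershell
# Added example, not PCAUSA's installer: a pre-flight check for an installer
# that registers a kernel-mode driver. Product name, driver path and function
# names are hypothetical placeholders.

function Test-IsElevated {
    # Is the current token a member of the Administrators role?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Assert-DriverInstallPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $ProductName,
        [Parameter(Mandatory)] [string] $DriverPath
    )

    if (-not (Test-IsElevated)) {
        # Fail early with a message that says what is needed and why, instead
        # of failing later inside the driver install with an opaque error.
        $msg = ("Installing {0} registers a kernel-mode NDIS driver, which requires " +
                "Administrator privileges. Log on as an Administrator (or use 'Run as...') " +
                "and start the installer again.") -f $ProductName
        throw $msg
    }

    if (-not (Test-Path -LiteralPath $DriverPath)) {
        throw "Driver file not found: $DriverPath"
    }

    # Show the publisher the user is about to be asked to trust, so the
    # installer's own UI and Defender's prompt tell one story.
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    if ($sig.Status -eq 'Valid') {
        Write-Host ("Driver publisher: {0}" -f $sig.SignerCertificate.Subject)
    } else {
        # Drivers are often signed through a catalog (.cat) rather than with an
        # embedded signature; Get-AuthenticodeSignature on the .sys then reports NotSigned.
        Write-Warning ("No valid embedded signature on {0} (status: {1}); verify the package catalog instead." -f $DriverPath, $sig.Status)
    }
}

# Usage with hypothetical names; the driver file would come from the install package:
# Assert-DriverInstallPrerequisites -ProductName 'DaBestAdapter' -DriverPath '.\PCANDIS5.SYS'
```

Run from a non-administrator account such as George Bozo's, the function stops with the message about Administrator privileges before any driver file is touched; run elevated, it reports the signing publisher so that a private-labeled driver and its Defender prompt can be checked for consistency.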
At this point it is wise for me to say that there is some possibility that PCAUSA products could be misused. Over the years some copies of PCAUSA software have been stolen and may have ended up in less-than-desirable products. So:
It is wise to at least think about all warnings issued by Windows Defender before allowing an action to be taken.
I want to personally reinforce this message:
Rawether for Windows is not malware!
Warm regards,
Thomas F. Divine
President, PCAUSA
| April 24, 2006 | Information updated. |
| Keywords | RAWETHER,WINDIS,DEFENDER,MALWARE |
| Updated | April 24, 2006 |
| Last Reviewed | April 24, 2006 |
| Created | April 19, 2006 |