Are AV False Positives Hurting You?
Gerald asks: "After the most recent Wireshark release a certain AV vendor's product started warning users that the installer contained adware. Since then, I've spent several hours verifying this isn't the case, trying to get the AV vendor to fix their stuff, and reassuring affected users that we do not ship adware with our product. Unfortunately, this isn't an isolated case. I've had to do this several times over the past few years, and each incident uses up time that could have been better spent elsewhere. It's even worse for other projects. If you produce software, have you ever suffered collateral damage from AV false positives?"
Had to say it... ;)
D
My God! It's full of Voids!
I've had false positives from AV software before thanks to my use of NSIS as an installer. Apparently it's also a favorite of malware creators. I don't blame Nullsoft, but instead lazy AV makers who should know about NSIS by now and should test their signatures against it before publishing them.
Every time I use WPA-kill my AV tells me that file contains a virus. MS marketing tactics?
The virus scanner installed at the secretary's machine at the company I worked for fell for a false positive in December last year (that glitch even received some coverage by mainstream media in Europe, as Trend Micro - or whatever, personally I don't know any anti-virus software package good enough to tell them apart from each other ;) - identified some Windows-specific and viable system file as a malicious stub of bits), and our CTO immediately erased the installation.
If I had come to work a few hours earlier, I probably would already have propagated the info about the false alarm I got from colleagues on irc, and we'd be running Windows XP on her box, still.
This way though, it's running Ubuntu 6.10, and everyone's happy with that. So I find it hard to say that this false positive actually hurt us. Somehow, I'm glad it happened - another system that's easy to admin and use added to our network, one of the few giving me headaches removed. Win-win.
:%s/Open Source/Free Software/g
YTARY!
have you ever suffered collateral damage from AV false positives?"
Just before, i had this totally awesome reply, but it was *falsely* identified by the Slashdot junk filter and i couldn't post it.
Avira AntiVir complains about one of our old DOS tools. Not a serious problem, as we don't release this particular executable, but annoying. :-(
Avira AntiVir also complains about some other files I'm pretty sure are harmless... maybe I need another scanner
C - the footgun of programming languages
In general I plan to give up on AV in the near future because (for the most part) it doesn't work well enough ...
My plan is to buy a system that is fast enough that everything (except for games) will be run on a virtual machine
I've seen distributed.net's processing client flagged as spyware or a virus on a few occasions.
This has been enough of a problem for the Nmap Security Scanner that we warn about McAfee specifically and suggest better alternatives on the Nmap Download Page (See the Windows section). More details about the problems we've encountered are posted here. I've spoken with McAfee executives at conferences and they say they want to fix the problem, but then it just gets lost in their bureaucracy. Sigh.
Also, it is annoying when free software gets wrongly listed on spyware databases. For example, check out the "Spyware Encyclopedia" entry on Nmap, which says "NMap belongs to the Port Scanner spyware category. It's[SIC] presense[SIC] means that your computer is infected with malicious software and is insecure." WTF? Similarly, Nmap has an entry in the "CA Spyware Information Center". If they want to warn about Nmap because it can be used for network discovery, fine. But it shouldn't be called spyware, adware, or anything like that.
-Fyodor
Insecure.Org
It's the HIV false positives that are really bothering the hell out of me!
Right now, an antivirus company may list your software as adware because it matches some other software's behavior too closely or because your software was mistakenly classified as adware. Other malware detection systems may even start to classify your software incorrectly, taking their cue from their peer. So what can you do? You can write to the antivirus company(s) and ask them to fix their signatures. You can complain on forums and the like, especially informing your users that the antivirus is defective, hurting the reputation of that company and possibly driving users to better coded alternatives. This is far from ideal, but it could be worse.
MS has included an antivirus solution (Defender) with Windows Vista. Since it is bundled with Vista and everyone who buys a new computer will find Vista pre-installed and with it Defender, and they will have already paid for it by the time they find out about it, Defender will almost certainly become the most widespread solution, possibly completely taking over the home market, regardless of how good it is (it failed to be certified due to too many incorrect classifications). This means within the next few years, it may be only one company you have to go to to get the signature fixed. That's the good news. The bad news is that they won't have any reason to respond quickly and won't have any motivation to not have false positives and negatives, since they get paid when Windows is purchased and even if users abandon it and buy something else, they don't lose any money.
Now I'm not entirely opposed to MS providing a free anti-virus solution, but to comply with the law they have to bend over backwards to provide other companies the same access so as not to destroy the competitive market and create another situation like IE where the worst solution on the market is paid for and used by 80% of the populace and the state of technology advances only at a snail's pace.
From what I've seen, MS has not done that, so you can look forward to more false positives in the future with less chance of those classifications ever being corrected.
I know they want to get your attention, but DAMN that noise is obnoxious!
From my experience I can tell you that enabling heuristic detection increases false positives for a lot of AV software.
I can't recall how many times I had to exclude some JavaScript files I wrote from virus scanning because those were reported as exploits.
But I don't mind manually enabling access to the trusted files as long as I also have protection for the real malicious files.
What's a "virus"? Does it run on Linux?
I've been running XP SP1 with only two other patches. That along with Opera, F-Prot, and BlackICE and I haven't had problems since.
Soooo either they're working perfectly or aren't catching anything.
We've had multiple clients configure their database servers to virus scan all file changes. If you're ever looking for a way to tank your database performance, try this one.
Ceci n'est pas une signature.
Subject line is what the article should have been called. Can't you do some pre-release testing in a few likely scenarios, such as that your program might be getting installed on systems equipped with various AV products? Then you have the chance to spot and fix problems, either on your side or working with the AV vendor, BEFORE you let your reputation get ruined.
After all, it has an editing process which means that editors can edit the story to give a useful context and make things clear for the wide audience they have. Of course in this case there was no need for editing as the story was perfectly clear, and anyway, everyone already knows AV=audio-visual.
Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
I'm working on a Web project fixing glitches in one of the crappiest Webapps I've ever seen. An obscure PHP framework (SmartMVC) so crappy it's unbelievable.
Apparently the guy who built it told the customer that 'it's a CMS' - which is total BS. It happened today. This proves once again that technical stuff that's so close to the end user and yet so obscure as software and anything IT has that problem of 'opinion monopoly' or 'short-term opinion overhand'.
People think Windows is a good OS - which it isn't - and that Outlook == E-Mail or at least Outlook == good mailer - both of which are false. They think if Google doesn't list it, it doesn't exist, and if Google doesn't keep the site on top the webmaster made a mistake. Just look at you people struggling to get SEF URLs. Which is - in my opinion - stupid. It's up to the search engines to get their stuff in line. Me just has to see to it that I'm standards compliant.
Opinions spread fast in cyberspace, no matter how far from reality they are. We - the IT freaks - have to deal with the problem. If an AV vendor says your software is malware and it isn't, then you have to be good enough to be able to convince your customers that the AV vendor is wrong. If you are good enough in your field then you'll be able to display the competence needed to emphasise your judgement in most cases.
Case in point: If Flash 8 on OS X compiles a UTF-8 .as source in such a way that special characters come out broken in the Flash applet, and I'm good and fast enough to pinpoint the problem with Adobemedia and a broken/buggy Flash compiler within 1/2 an hour, then my client trusts me more than Adobemedia or any other vendor on that judgement. If you're an expert in comp-security and your clients know that, they'll trust you if you tell them that the AV vendor is wrong in saying that your tool is malware.
Bottom line:
This problem won't go away, as it is the nature of all things Interweb. Deal with it.
Look for the mistake on your side, but don't hesitate to name the one that is wrong. Like, for instance, when an AV vendor claims your Secscanner is malware.
We suffer more in our imagination than in reality. - Seneca
I used to use an mIRC script religiously... McAfee labelled it as a Trojan, and wouldn't let you run it, PERIOD, no way to get around it, no way to whitelist it, NOTHING. Had to go pay for something else over McAfee's inability to compromise.
Of note, if you attempt to contact McAfee, they won't re-test individual software. I was screwed out of my money.
I do IT consulting for small businesses, and I can tell you that bad AV software has cost the companies I work for thousands of dollars in lost productivity, and in troubleshooting costs.
One particular product that got installed by another consultant was BitDefender. It caused at least 3 distinct, unrelated problems at two different sites that I fixed by choosing a different AV product. I don't blame the other consultant, since it's difficult to know which AV software is going to break something. I DO blame the AV vendors for producing buggy software that winds up costing companies a lot of money.
AccountKiller
Here is an example from someone's blog about the ridiculous lengths people have to go to in order to work around their own AV software. As another example, my mother's Windows machine refuses to run Firefox, and it seems to be because of an AV issue.
The whole thing is nuts. AV software is a total scam. It's inaccurate, it costs money, it uses resources, and it stops people from getting their work done. Many home users also don't seem to keep their definitions up to date, which is like using a condom that you know has holes in it. The real problem is with the design of Windows and Office, which have too many dangerous functions allowed by default.
Find free books.
I couldn't agree more. I tell my family that I won't deal with their computer questions if they have anything from Norton or McAfee installed on their machines. It's a shame. Back in the DOS days, they were both really good. Now I consider both of those programs malware. (I use Avira AntiVir in my business, and I've been pretty happy with it.)
I don't respond to AC's.
On or about October 16, 2004, while I was driving home, the Help Desk where I was alpha geek received a virus report. The senior tech had to delete a bunch of files, including Excel.exe, before the machine would stop reporting infections. By the time she finished, it barely ran (and was later re-imaged).
I went in early the next day, and more reports started trickling in right away. I went to one of the first computers, and found that McAfee was reporting Excel.exe and other key files were infected even on the CD. By the time I got back to the desk, they were swamped with calls. As yet, there was no information on the McAfee site about the new virus.
I went into a room with the CIO and other execs, where they started making plans to shut down the WAN and unplug the local switches... and I spoke up: "I don't think this is a virus."
They looked at me like I was crazy, and shooed me out of the room.
I refreshed the page on the McAfee site, and they had just posted information about a "false positive caused by new definitions combined with the outdated, no-longer-supported engine version 4.xxx." I printed that page, and burst back into the emergency meeting. The planning changed to updating the McAfee clients in bulk and fixing the PCs.
Later that evening, after a grueling day of remote Office reinstallations, the CIO came to me and said, "Do you have any idea what a huge disaster this would have been if you hadn't figured this out?"
I calmly replied, "You're not paying me to fail."
A few months later, I got a $500 bonus (less taxes) in my check.
I installed Antivir on my mother's computer because I didn't see the point in installing a costly antivirus product when she is only online occasionally. I should have known better. My company uses NetworkStreaming's remote helpdesk server and at one point I wanted to help her with a small thing and had her download the client app - which rendered her computer completely unusable until she finally allowed Antivir, which claimed it was a malware program designed to spy on her, to quarantine the file. We bought her NOD32 the next day...
If you are looking for a good, freely available antivirus application for Windows, check out Avast. I have been using Avast for almost two years without a false positive and it has a much smaller memory footprint than McAfee or Symantec. By far, it is the best antivirus application I have ever seen. Plus, it is free for home use and does not install any kind of ad- or spyware. It is honest to god free.
I suppose that pskill (a tool from Sysinternals that kills processes, like kill in *nix) can be used by malware authors, so it might deserve a warning flag. However, the stupid whitelist doesn't work properly, so AVG bugs me about it daily. Annoying. Fortunately, it's pretty rare that I use that tool these days.
One of my wife's friends from work was having a horrible time with her system. The lady's son gave her his old system for Christmas, complete with the contents of her old, non-functioning system's hard drive. Perfect, right?
Well, he also wanted to make sure his mom had bells and whistles, and was protected. So he installed some additional software including a copy of the AV software he used. He even made a nice bootable restore CD set with all the installed software ready to go. He then went out of state back home after Christmas.
Well, the system wouldn't boot. It'd hang sometimes. It'd get caught in a partial-boot, reboot cycle most of the time. My wife asked me to go over and take a look. I looked for spyware. I looked for adware. I looked for viruses. I looked for memory problems. I looked for Windows problems. I finally got around to going through everything in the load and run statements, in the startup group, and in services one by one.
Well, it was third-party software causing the problem all right -- but not just one program. See, she already had antivirus installed. Both programs were configured to do boot-time checks, to become memory resident scanners, and to scan email. From what I could tell the reboot loop was the two antivirus packages checking each other out and getting very, very confused. I uninstalled one (Norton), and the system runs fine with just the other.
... As several times over the last couple of years we've had AntiVir flag the odd .DLL as being infected. The upshot is that every time we've had this issue, we've e-mailed them and they've fixed their def files within a day or two. But the downside is that we spend the next week to 10 days telling customers that anything that AntiVir finds in our products is a false alarm.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
I've run into this kind of thing. Norton Antivirus doesn't like Google Spreadsheets, and when I try to open one it gets picked it up as a "virus threat". Not a virus; a virus threat. Of course, this means I can't balance my checkbook in the office over lunch or using any other computer running Norton. I'm glad I use a Mac at home. (Valiantly attempts to stifle Mac smugness..)
I calmly replied, "You're not paying me to fail."
A few months later, I got a $500 bonus (less taxes) in my check.
While I don't believe in bonuses for doing one's ordinary job, I believe that in exceptional circumstances bonuses should be commensurate with the associated level of appreciation. It sounds like it barely covered the extra hours you put in, seeing that you were first notified on the way home.
I think a few times your amount would be a nice gesture, especially considering a few hours wasted for the people involved would be worth much much more, not to mention the consequent lost productivity.
And whoever shooed you out of the room should have gotten a strong reprimand -- at the minimum. They appear to be more interested in maintaining their ego than logically considering the situation.
"have you ever suffered collateral damage from AV false positives?"
... I didn't read all the threats that closely.
Yes indeed - two of my freeware apps have been misdiagnosed as trojan-bearers in the past. I contacted the AV vendors (who demanded the usual proof, mother's maiden name, left nut) and they eventually sorted the problem out. In the meantime I had to deal with angry emails from users accusing me of corrupting their machines, raping their bank accounts and stealing their wives. Or something along those lines.
Thing is, these are freeware apps. A novel-writing tool, an ebook reading program, an email client, that kind of thing. They don't have ads or spyware, and they certainly don't include trojans. I wrote them for my own use and I give them away (just like the XNews guy does) and it's a bit much when I also have to go and prove my good intentions.
Hal Spacejock: Science Fiction with Nuts
On the other hand, one of my email providers was running a virus scanner that seemed to let almost through. (It's been fixed.)
At least with the fail-safe scanner, I had the option to knowingly disable the virus checker and download and install the files, albeit while the scanner and MicroSoft popped up big warning balloons announcing the computer's imminent demise from my folly.
.. paranoid crackpot leftover from the days of Amiga.
I use Linux you insensitive clod!!!
/me sorry
I was wondering when someone was going to mention avast. I switched to it from AVG for FOUR reasons:
1: Virus got past AVG and stopped it detecting any more viruses. Was a PITA to disinfect.
2: AVG Free's annoying inability to disinfect a file when it first detects the infection, forcing you to run the main program.
3: A false positive in Multimedia Fusion-created programs (and another AVG false positive was reported on the MMF forums two years after I stopped using AVG)
4: No free 64-bit Windows support
Since installing it I've found several more advantages, namely its dedicated scanners for various download programs (instead of just relying on the on-access scanner), and the fact that it can quarantine files for being "suspicious", instead of requiring a detection of a specific virus.
Since I installed it I haven't had any virus problems on my pc. That's not saying it hasn't detected anything, just no viruses have managed to infect my pc.
A few years ago, I wrote an encryption DLL to be used with a script for the mIRC IRC client. It was released together with a script written by someone else to let people encrypt their conversations on public IRC servers.
:(
A malware author decided to use it too, and a couple AV companies then treated my DLL as malware itself, even though its only function is encryption support. Considering the AV researchers are people who can pick apart nearly any piece of code, this is just plain negligent. Lazy bastards.
That particular piece of malware is still available online, and the author even mentions my name in the credits, which doesn't help much.
(The captcha for this post is "invent". I'm not feeling the love here.)
I've gotten repeated false positives from Avast! on the 1.0.74 updater for Arcanum. I've reported it, but I don't think it's fixed.
This is one of the reasons I'm dropping Windows as a host platform for gaming.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
I had a nightmare experience with Norton. I had an incoming message in Thunderbird that it felt was infected (I never got the chance to confirm/deny). The end result was my Inbox of 2500+ messages being hijacked by Norton. Since Thunderbird was running, my poor laptop started thrashing during the quarantine procedure. After fighting with Norton for hours, I could not recover my Inbox. It was the corporate edition, which, when configured properly (?) prevents the end user from turning it off! Thankfully, I had recent backups.
"No matter where you go, there you are." -- Buckaroo Banzai
On a project I was doing between 2 and 5 years ago, while still using the corporate install of MacAfee (sp?) AV, the curst thing ALWAYS flagged TAR archives as virus-laden. Now, these were built on and for a Solaris system (and combined with documents generated on Windows, for those inclined to wonder how Solaris comes into this), and usually contained NO binary executables, just Perl scripts and text data files. Customer "support" was nonexistent.
I've since had other problems with Norton AV, which bogs my system egregiously (sometimes I think the malware would be less burdensome!). (45 seconds to get a right-click menu to come up on a desktop icon with NO programs running? Yecch!)
It's most unfortunate that the manufacturers of this crapware can wreak such havoc on application developers...
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
False positives are an issue. Sure, AV manufacturers test against standard programs (though I can remember a case well where a rather big one identified MS-Excel (rightfully, if you ask me) as malware and deleted it without even asking), but you simply can't cover every single benign program there is out there somewhere.
Heuristics are another source of headaches, especially for programs that share a few properties with malware (like runtime packers or trying to gain access to low-level parts of the system, especially when network related). And don't start me on copy-protected software, which often comes with self-modifying code, custom low-level drivers, interference with standard drivers and all the other juicy little things so many rootkits enjoy doing. Makes you wonder whether it's REALLY a false positive... anyway.
I do agree that a lot of companies have their troubles with AV companies, but usually a well placed call with a reputable AV company solves that issue (with us, usually less than 3 hours from information to removal from the AV database). The question is, what would the scenario be without AV software? I'm not talking about us, people who do know what they're doing (and most likely don't really need AV software at all), I'm talking about the secretaries and other office people, for whom a computer is a tool and who don't know the dangers of "bundled" software and "free gifts" in their mail.
I'd wager, the damage done by malware would easily outdo the damage done due to false positives.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
F-Secure at my company has been a royal pain. It's one of those that has to keep in sync with a central database within the company, and we've got processing servers that just can't seem to go an hour without getting 50 alerts that the local F-Secure can't connect to the central database.
But the worst problem is that, from time to time, the AV running on one of the processing servers, or even on one of our workstations, will just decide, apparently at random, that one of our in-house DLLs or EXEs must be dangerous. And the AV will just delete the file. No warning, no feedback, no yes/no/cancel.
The good news is, the company just got bought by a larger parent company, and they're switching us over to a different AV product. So far, I haven't seen the same problems cropping up. Knock on wood.
Good judgment comes from experience.
Experience comes from bad judgment.
I've had problems with antivirus at work, but not with false positives. The problems the AV gave me were correctly identifying hacking tools as such, and then treating them as viruses (erasing them).
The situation would be pretty awful in normal circumstances, and in my case (network administrator) it would be so intolerable that the RTAV would have to be disabled (at least for me).
I wouldn't be surprised if Wireshark (AKA Ethereal) fell into that category, although it never happened with Ethereal (in my case, it happened with Brutus).
GPG 0x1B479C78
You haven't hung out with an alpha geek, nor with anyone who hangs out with an alpha geek for ten years? How did you find Slashdot?
If you mod me down, I shall become more powerful than you could possibly imagine.
I worked at a company that was shipping software on a CD also including 3rd-party demoware and free software. And AV programs would flag a component for >>>Linux Servers as having a windows virus. (It was the Linux version of an OODB, IIRC.)
There was no virus. It was just a false positive.
So no, Linux is not exempt from collateral damage. Potential customers may be needlessly scared away when the AV software scans your CD!
We've had several antivirus apps detect my project (Multi Theft Auto) as a virus. A lot of heuristic-based detectors are set off by our mod: DLL injection, hooking, and memory patching are all things that a lot of virus authors use. In our case, generally an email will get a response (even Symantec updated theirs when we were getting a false positive from their AV software).
Kent
Kent Simon Multitheft Auto
I was working on cell phone games, and some of the older J2ME titles had their image data - several PNG files - concatenated into a single data block, to be unpacked later using index information in a different file.
One day, the publisher calls in a panic, because their AV scan keeps reporting our games as being infected with a virus. We tried assuring them otherwise; we'd had trouble fitting the games in the limited download package, so we'd certainly know if there was something we didn't want or need in there. Regardless, they wanted it fixed.
Turns out the scan was searching the jar file, finding the image data file, recognizing the PNG header of the first image in the file, then freaking out because the entire file size didn't match the calculation from the first PNG header. Apparently, there was some kind of exploit using incorrect header information in PNGs, and the AV software was detecting the size discrepancy and flagging it as suspect.
We got around the problem by adding a dummy byte at the start of the file, enough to make it think it wasn't a single PNG image. Simple fix, but it still took a fair chunk of time to restore project backups, make the change, test it, repackage it and submit.
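The size check described in that post, reconstructed as an added example that is not code from the original thread or from the games in question: a strict scanner that walks one PNG's chunk list and flags any data beyond IEND, next to a tolerant version that keeps walking and accepts a file made of several back-to-back PNGs. The PNG builder, the function names and the two sample images are constructed for this illustration; the leading dummy byte is the workaround the poster describes.

```python
import struct
import zlib
from typing import List, Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: 4-byte big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb: tuple) -> bytes:
    """Constructed minimal 8-bit RGB PNG (IHDR, IDAT, IEND) filled with one colour."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # each scanline starts with filter byte 0, followed by width RGB pixels
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_declared_length(blob: bytes) -> Optional[int]:
    """Bytes occupied by the single PNG at the start of blob, computed purely from
    the chunk headers (signature, then length/type/data/CRC up to IEND).
    None when blob lacks the signature or a chunk overruns the available data."""
    if not blob.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4          # header + payload + CRC
        if end > len(blob):
            return None                     # truncated: header claims more than exists
        pos = end
        if ctype == b"IEND":
            return pos
    return None


def classify_strict(blob: bytes) -> str:
    """The heuristic that bit the poster: one PNG header, and the declared size
    must equal the file size, otherwise the file is 'suspect'."""
    declared = png_declared_length(blob)
    if declared is None:
        return "not-png" if not blob.startswith(PNG_SIGNATURE) else "truncated"
    return "ok" if declared == len(blob) else "suspect-trailing-data"


def split_concatenated_pngs(blob: bytes) -> Optional[List[int]]:
    """Tolerant walk: keep parsing image after image and return their lengths,
    or None if the data is not a clean sequence of whole PNGs."""
    lengths: List[int] = []
    pos = 0
    while pos < len(blob):
        n = png_declared_length(blob[pos:])
        if n is None:
            return None
        lengths.append(n)
        pos += n
    return lengths


def classify_tolerant(blob: bytes) -> str:
    """Accepts a concatenated image block when every byte belongs to some whole PNG."""
    parts = split_concatenated_pngs(blob)
    if parts is None:
        return classify_strict(blob)        # not a PNG at all, or genuinely damaged
    return "ok" if len(parts) == 1 else "ok-concatenated(%d images)" % len(parts)


if __name__ == "__main__":
    first = make_png(2, 2, (255, 0, 0))
    second = make_png(3, 1, (0, 0, 255))
    packed = first + second                 # the games' packed image data block
    print("strict  :", classify_strict(packed))            # suspect-trailing-data
    print("tolerant:", classify_tolerant(packed))          # ok-concatenated(2 images)
    print("prefixed:", classify_strict(b"\x00" + packed))  # not-png (the workaround)
```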