Slashdot Mirror


Are AV False Positives Hurting You?

Gerald asks: "After the most recent Wireshark release a certain AV vendor's product started warning users that the installer contained adware. Since then, I've spent several hours verifying this isn't the case, trying to get the AV vendor to fix their stuff, and reassuring affected users that we do not ship adware with our product. Unfortunately, this isn't an isolated case. I've had to do this several times over the past few years, and each incident uses up time that could have been better spent elsewhere. It's even worse for other projects. If you produce software, have you ever suffered collateral damage from AV false positives?"

8 of 97 comments

  1. Yes and no. by c0l0 · Score: 5, Interesting

    The virus scanner installed at the secretary's machine at the company I worked for fell for a false positive in December last year (that glitch even received some coverage by mainstream media in Europe, as Trend Micro - or whatever, personally I don't know any antivirus software package good enough to tell them apart from each other ;) - identified some Windows-specific and viable system file as a malicious stub of bits), and our CTO immediately erased the installation.
    If I had come to work a few hours earlier, I probably would already have propagated the info about the false alarm I got from colleagues on IRC, and we'd be running Windows XP on her box, still.

    This way though, it's running Ubuntu 6.10, and everyone's happy with that. So I find it hard to say that this false positive actually hurt us. Somehow, I'm glad it happened - another system that's easy to admin and use added to our network, one of the few giving me headaches removed. Win-win.

    --
    :%s/Open Source/Free Software/g

    YTARY!
  2. Plan to give up on AV by Anonymous Coward · Score: 1, Interesting

    In general I plan to give up on AV in the near future because (for the most part) it doesn't work well enough ...

    My plan is to buy a system that is fast enough that everything (except for games) will be run on a virtual machine

    1. Re:Plan to give up on AV by 99BottlesOfBeerInMyF · Score: 2, Interesting

      In general I plan to give up on AV in the near future because (for the most part) it doesn't work well enough ...

      I have ClamAV installed. It never comes up with false positives, or negatives, or really anything at all.

      My plan is to buy a system that is fast enough that everything (except for games) will be run on a virtual machine

      I run Windows and Linux in VMs right now, on top of OS X. Most of my applications are native OS X ones, but the VMs are plenty fast for Inkscape and OpenOffice and XPDF under Linux and Adobe FrameMaker and IE under WinXP. The machine is a 2 GHz Intel Core Duo MacBook. I do play the occasional game, OS X native ones. One of the nice things about this setup is that several companies are rushing to provide speedy gaming with emulation or virtualization. Parallels and VMware have both announced they are working on graphics acceleration for direct hardware access for gaming, and several companies are working with WINE-based re-implementations of the Windows APIs for running Windows native games quickly. Also, right now you can install a dual boot setup for Windows gaming and use the same partition for your VM when you don't feel like or need to reboot. I've never felt better about the security of my Windows setup, since I use a known clean version installed without internet access, every time I use it. As an added bonus, getting new hardware from work means I plug in a FireWire cable, push a button, and go to lunch. When I come back all my user accounts, files, certs, settings, programs, etc. have been migrated, including my Linux and Windows VMs. It's the easiest way to move a Windows install to new hardware ever.

  3. Yes, this has been a problem for Nmap too by fv · Score: 5, Interesting

    This has been enough of a problem for the Nmap Security Scanner that we warn about McAfee specifically and suggest better alternatives on the Nmap Download Page (See the Windows section). More details about the problems we've encountered are posted here. I've spoken with McAfee executives at conferences and they say they want to fix the problem, but then it just gets lost in their bureaucracy. Sigh.

    Also, it is annoying when free software gets wrongly listed on spyware databases. For example, check out the "Spyware Encyclopedia" entry on Nmap, which says "NMap belongs to the Port Scanner spyware category. It's[SIC] presense[SIC] means that your computer is infected with malicious software and is insecure." WTF? Similarly, Nmap has an entry in the "CA Spyware Information Center". If they want to warn about Nmap because it can be used for network discovery, fine. But it shouldn't be called spyware, adware, or anything like that.

    -Fyodor
    Insecure.Org

  4. Is lack of adequate testing hurting you? by Anonymous Coward · Score: 1, Interesting

    Subject line is what the article should have been called. Can't you do some pre-release testing in a few likely scenarios, such as that your program might be getting installed on systems equipped with various AV products? Then you have the chance to spot and fix problems, either on your side or working with the AV vendor BEFORE you let your reputation get ruined.

    1. Re:Is lack of adequate testing hurting you? by Gerald · Score: 2, Interesting

      Samir: Hmm... well why don't you just go by Mike instead of Michael?
      Michael Bolton: No way. Why should I change? He's the one who sucks.

      More seriously, false positives are usually due to a definition file that comes out well _after_ the software has been released. Testing beforehand won't accomplish anything at the expense of paying N dollars per year to multiple antivirus vendors.

      In this particular case, it looks like WinPcap is being flagged. It came out on Jan 29th, and we started getting reports about 10 days later.

  5. One drove me crazy... by Anonymous Coward · Score: 1, Interesting

    I used to use an mIRC script religiously... McAfee labelled it as a Trojan, and wouldn't let you run it, PERIOD, no way to get around it, no way to whitelist it, NOTHING. Had to go pay for something else over McAfee's inability to compromise.

    Of note, if you attempt to contact McAfee, they won't re-test individual software. I was screwed out of my money.

  6. Not a false positive, but AV winds up costing $$. by Vellmont · Score: 2, Interesting

    I do IT consulting for small businesses, and I can tell you that bad AV software has cost the companies I work for thousands of dollars in lost productivity, and in troubleshooting costs.

    One particular product that got installed by another consultant was BitDefender. It caused at least 3 distinct unrelated problems at two different sites that I fixed by choosing a different AV product. I don't blame the other consultant, since it's difficult to know which AV software is going to break something. I DO blame the AV vendors for producing buggy software that winds up costing companies a lot of money.

    --
    AccountKiller