Slashdot Mirror


Are AV False Positives Hurting You?

Gerald asks: "After the most recent Wireshark release a certain AV vendor's product started warning users that the installer contained adware. Since then, I've spent several hours verifying this isn't the case, trying to get the AV vendor to fix their stuff, and reassuring affected users that we do not ship adware with our product. Unfortunately, this isn't an isolated case. I've had to do this several times over the past few years, and each incident uses up time that could have been better spent elsewhere. It's even worse for other projects. If you produce software, have you ever suffered collateral damage from AV false positives?"

18 of 97 comments

  1. Nope, Running Linux... by DaGoodBoy · Score: 2, Informative

    Had to say it... ;)

    D

    --
    My God! It's full of Voids!
  2. yup by TheSHAD0W · Score: 5, Informative

    I've had false positives from AV software before thanks to my use of NSIS as an installer. Apparently it's also a favorite of malware creators. I don't blame Nullsoft, but instead lazy AV makers who should know about NSIS by now and should test their signatures against it before publishing them.

    1. Re:yup by _xeno_ · Score: 2, Informative

      Yep - I've had an overzealous config of Norton delete every NSIS installer I had created. (Which was a number, used for installing various components of an in-house software system.) Specifically Norton had decided that every installer created by NSIS 2.17 was a virus, and someone had configured the file server where I had the installers to delete infected files (instead of just quarantining them).

      --
      You are in a maze of twisty little relative jumps, all alike.
    2. Re:yup by qwijibo · Score: 2, Funny

      Having files deleted is a minor inconvenience. Norton broke my arm when I plugged my USB drive in. Talk about a false positive hurting someone. =)

  3. Yes and no. by c0l0 · Score: 5, Interesting

    The virus scanner installed on the secretary's machine at the company I worked for fell for a false positive in December last year (that glitch even received some coverage by mainstream media in Europe, as Trend Micro - or whatever, personally I don't know any antivirus software package good enough to tell them apart from each other ;) - identified some Windows-specific and viable system file as a malicious stub of bits), and our CTO immediately erased the installation.
    If I had come to work a few hours earlier, I probably would already have propagated the info about the false alarm I got from colleagues on IRC, and we'd be running Windows XP on her box, still.

    This way though, it's running Ubuntu 6.10, and everyone's happy with that. So I find it hard to say that this false positive actually hurt us. Somehow, I'm glad it happened - another system that's easy to admin and use added to our network, one of the few giving me headaches removed. Win-win.

    --
    :%s/Open Source/Free Software/g

    YTARY!
    1. Re:Yes and no. by rvw · Score: 3, Funny

      "This way though, it's running Ubuntu 6.10, [...] Win-win."

      Please don't contradict yourself!
  4. Yes, with Avira AntiVir by Lonewolf666 · Score: 2, Insightful

    Avira AntiVir complains about one of our old DOS tools. Not a serious problem, as we don't release this particular executable, but annoying.
    Avira AntiVir also complains about some other files I'm pretty sure are harmless... maybe I need another scanner :-(

    --
    C - the footgun of programming languages
  5. Yes, this has been a problem for Nmap too by fv · Score: 5, Interesting

    This has been enough of a problem for the Nmap Security Scanner that we warn about McAfee specifically and suggest better alternatives on the Nmap Download Page (See the Windows section). More details about the problems we've encountered are posted here. I've spoken with McAfee executives at conferences and they say they want to fix the problem, but then it just gets lost in their bureaucracy. Sigh.

    Also, it is annoying when free software gets wrongly listed on spyware databases. For example, check out the "Spyware Encyclopedia" entry on Nmap, which says "NMap belongs to the Port Scanner spyware category. It's[SIC] presense[SIC] means that your computer is infected with malicious software and is insecure." WTF? Similarly, Nmap has an entry in the "CA Spyware Information Center". If they want to warn about Nmap because it can be used for network discovery, fine. But it shouldn't be called spyware, adware, or anything like that.

    -Fyodor
    Insecure.Org

    1. Re:Yes, this has been a problem for Nmap too by Twon · Score: 2, Informative

      I'm pretty sure they hate netcat as well; I had to convince my IT guys to whitelist it after it kept getting quarantined/deleted from my machine. Apparently it's a "hacker tool." I wonder when they'll come for tcpip.sys...

  6. Danger Approaches by 99BottlesOfBeerInMyF · Score: 4, Insightful

    Right now, an antivirus company may list your software as adware because it matches some other software's behavior too closely or because your software was mistakenly classified as adware. Other malware detection systems may even start to classify your software incorrectly, taking their cue from their peer. So what can you do? You can write to the antivirus company(s) and ask them to fix their signatures. You can complain on forums and the like, especially informing your users that the antivirus is defective, hurting the reputation of that company and possibly driving users to better coded alternatives. This is far from ideal, but it could be worse.

    MS has included an antivirus solution (Defender) with Windows Vista. Since it is bundled with Vista and everyone who buys a new computer will find Vista pre-installed and with it Defender and they will have already paid for it by the time they find out about it, Defender will almost certainly become the most widespread solution, possibly completely taking over the home market, regardless of how good it is (failed to be certified due to too many incorrect classifications). This means within the next few years, it may be only one company you have to go to to get the signature fixed. That's the good news. The bad news is that they won't have any reason to respond quickly and won't have any motivation to not have false positives and negatives since they get paid when Windows is purchased and even if users abandon it and buy something else, they don't lose any money.

    Now I'm not entirely opposed to MS providing a free anti-virus solution, but to comply with the law they have to bend over backwards to provide other companies the same access so as not to destroy the competitive market and create another situation like IE where the worst solution on the market is paid for and used by 80% of the populace and the state of technology advances only at a snail's pace.

    From what I've seen, MS has not done that, so you can look forward to more false positives in the future with less chance of those classifications ever being corrected.

  7. No, but the potential is there! by LibertineR · Score: 4, Funny

    If you have ever been privileged to hear the high-pitched squeal from Kaspersky Internet Security when it encounters a virus and been knocked out of your Aeron into mid-air, you know your life has just been shortened.

    I know they want to get your attention, but DAMN that noise is obnoxious!

  8. Re:Plan to give up on AV by 99BottlesOfBeerInMyF · Score: 2, Interesting

    "In general I plan to give up on AV in the near future because (for the most part) it doesn't work well enough ..."

    I have ClamAV installed. It never comes up with false positives, or negatives, or really anything at all.

    "My plan is to buy a system that is fast enough that everything (except for games) will be run on a virtual machine"

    I run Windows and Linux in VMs right now, on top of OS X. Most of my applications are native OS X ones, but the VMs are plenty fast for Inkscape and OpenOffice and XPDF under Linux and Adobe FrameMaker and IE under WinXP. The machine is a 2 GHz Intel Core Duo MacBook. I do play the occasional game, OS X native ones. One of the nice things about this setup is that several companies are rushing to provide speedy gaming with emulation or virtualization. Parallels and VMware have both announced they are working on graphics acceleration for direct hardware access for gaming, and several companies are working with WINE-based re-implementations of the Windows APIs for running Windows native games quickly. Also, right now you can install a dual boot setup for Windows gaming and use the same partition for your VM when you don't feel like or need to reboot. I've never felt better about the security of my Windows setup, since I use a known clean version installed without internet access, every time I use it. As an added bonus, getting new hardware from work means I plug in a FireWire cable, push a button, and go to lunch. When I come back all my user accounts, files, certs, settings, programs, etc. have been migrated, including my Linux and Windows VMs. It's the easiest way to move a Windows install to new hardware ever.

  9. Not a false positive, but AV winds up costing $$. by Vellmont · Score: 2, Interesting

    I do IT consulting for small businesses, and I can tell you that bad AV software has cost the companies I work for thousands of dollars in lost productivity, and in troubleshooting costs.

    One particular product that got installed by another consultant was BitDefender. It caused at least 3 distinct unrelated problems at two different sites that I fixed by choosing a different AV product. I don't blame the other consultant, since it's difficult to know which AV software is going to break something. I DO blame the AV vendors for producing buggy software that winds up costing companies a lot of money.

    --
    AccountKiller
  10. Re:Is lack of adequate testing hurting you? by Gerald · Score: 2, Interesting

    Samir: Hmm... well why don't you just go by Mike instead of Michael?
    Michael Bolton: No way. Why should I change? He's the one who sucks.

    More seriously, false positives are usually due to a definition file that comes out well _after_ the software has been released. Testing beforehand won't accomplish anything at the expense of paying N dollars per year to multiple antivirus vendors.

    In this particular case, it looks like WinPcap is being flagged. It came out on Jan 29th, and we started getting reports about 10 days later.

  11. I'll never forget... by spywhere · Score: 3, Insightful

    On or about October 16, 2004, while I was driving home, the Help Desk where I was alpha geek received a virus report. The senior tech had to delete a bunch of files, including Excel.exe, before the machine would stop reporting infections. By the time she finished, it barely ran (and was later re-imaged).
    I went in early the next day, and more reports started trickling in right away. I went to one of the first computers, and found that McAfee was reporting Excel.exe and other key files were infected even on the CD. By the time I got back to the desk, they were swamped with calls. As yet, there was no information on the McAfee site about the new virus.

    I went into a room with the CIO and other execs, where they started making plans to shut down the WAN and unplug the local switches... and I spoke up: "I don't think this is a virus."
    They looked at me like I was crazy, and shooed me out of the room.
    I refreshed the page on the McAfee site, and they had just posted information about a "false positive caused by new definitions combined with the outdated, no-longer-supported engine version 4.xxx." I printed that page, and burst back into the emergency meeting. The planning changed to updating the McAfee clients in bulk and fixing the PCs.

    Later that evening, after a grueling day of remote Office reinstallations, the CIO came to me and said, "Do you have any idea what a huge disaster this would have been if you hadn't figured this out?"
    I calmly replied, "You're not paying me to fail."

    A few months later, I got a $500 bonus (less taxes) in my check.

    1. Re:I'll never forget... by /dev/trash · Score: 3, Insightful

      500 bucks? A lousy 500 bucks?

  12. Avast! by DaMattster · Score: 2

    If you are looking for a good, freely available antivirus application for Windows, check out Avast. I have been using Avast for almost two years without a false positive and it has a much smaller memory footprint than McAfee or Symantec. By far, it is the best antivirus application I have ever seen. Plus, it is free for home use and does not install any kind of ad or spyware. It is honest-to-God free.

  13. Re:question by Skrynesaver · Score: 3, Funny

    This is the Linux honour-system virus. Please:
    • Copy this text to a text file on each of your hard drives
    • Randomly delete three files on your system
    • Forward this to everyone in your address book.
    Your co-operation has been appreciated, thank you.
    --
    "Linux is for noobs"-The new MS fud strategy