Slashdot Mirror


Are AV False Positives Hurting You?

Gerald asks: "After the most recent Wireshark release a certain AV vendor's product started warning users that the installer contained adware. Since then, I've spent several hours verifying this isn't the case, trying to get the AV vendor to fix their stuff, and reassuring affected users that we do not ship adware with our product. Unfortunately, this isn't an isolated case. I've had to do this several times over the past few years, and each incident uses up time that could have been better spent elsewhere. It's even worse for other projects. If you produce software, have you ever suffered collateral damage from AV false positives?"

9 of 97 comments

  1. yup by TheSHAD0W · · Score: 5, Informative

    I've had false positives from AV software before thanks to my use of NSIS as an installer. Apparently it's also a favorite of malware creators. I don't blame Nullsoft, but instead lazy AV makers who should know about NSIS by now and should test their signatures against it before publishing them.

  2. Yes and no. by c0l0 · · Score: 5, Interesting

    The virus scanner installed at the secretary's machine at the company I worked for fell for a false positive in December last year (that glitch even received some coverage by mainstream media in Europe, as Trend Micro - or whatever, personally I don't know any anti virus software package good enough to tell them apart from each other ;) - identified some Windows-specific and viable system file as a malicious stub of bits), and our CTO immediately erased the installation.
    If I had come to work a few hours earlier, I probably would already have propagated the info about the false alarm I got from colleagues on irc, and we'd be running Windows XP on her box, still.

    This way though, it's running Ubuntu 6.10, and everyone's happy with that. So I find it hard to say that this false positive actually hurt us. Somehow, I'm glad it happened - another system that's easy to admin and use added to our network, one of the few giving me headaches removed. Win-win.

    --
    :%s/Open Source/Free Software/g

    YTARY!
    1. Re:Yes and no. by rvw · · Score: 3, Funny

      This way though, it's running Ubuntu 6.10,
      ................
      Win-win.

      Please don't contradict yourself!

  3. Yes, this has been a problem for Nmap too by fv · · Score: 5, Interesting

    This has been enough of a problem for the Nmap Security Scanner that we warn about McAfee specifically and suggest better alternatives on the Nmap Download Page (See the Windows section). More details about the problems we've encountered are posted here. I've spoken with McAfee executives at conferences and they say they want to fix the problem, but then it just gets lost in their bureaucracy. Sigh.

    Also, it is annoying when free software gets wrongly listed on spyware databases. For example, check out the "Spyware Encyclopedia" entry on Nmap, which says "NMap belongs to the Port Scanner spyware category. It's[SIC] presense[SIC] means that your computer is infected with malicious software and is insecure." WTF? Similarly, Nmap has an entry in the "CA Spyware Information Center". If they want to warn about Nmap because it can be used for network discovery, fine. But it shouldn't be called spyware, adware, or anything like that.

    -Fyodor
    Insecure.Org

  4. Danger Approaches by 99BottlesOfBeerInMyF · · Score: 4, Insightful

    Right now, an antivirus company may list your software as adware because it matches some other software's behavior too closely or because your software was mistakenly classified as adware. Other malware detection systems may even start to classify your software incorrectly, taking their cue from their peer. So what can you do? You can write to the antivirus company(s) and ask them to fix their signatures. You can complain on forums and the like, especially informing your users that the antivirus is defective, hurting the reputation of that company and possibly driving users to better coded alternatives. This is far from ideal, but it could be worse.

    MS has included an antivirus solution (Defender) with Windows Vista. Since it is bundled with Vista and everyone who buys a new computer will find Vista pre-installed and with it Defender and they will have already paid for it by the time they find out about it, Defender will almost certainly become the most widespread solution, possibly completely taking over the home market, regardless of how good it is (failed to be certified due to too many incorrect classifications). This means within the next few years, it may be only one company you have to go to to get the signature fixed. That's the good news. The bad news is that they won't have any reason to respond quickly and won't have any motivation to not have false positives and negatives since they get paid when Windows is purchased and even if users abandon it and buy something else, they don't lose any money.

    Now I'm not entirely opposed to MS providing a free anti-virus solution, but to comply with the law they have to bend over backwards to provide other companies the same access so as not to destroy the competitive market and create another situation like IE where the worst solution on the market is paid for and used by 80% of the populace and the state of technology advances only at a snail's pace.

    From what I've seen, MS has not done that, so you can look forward to more false positives in the future with less chance of those classifications ever being corrected.

  5. No, but the potential is there! by LibertineR · · Score: 4, Funny

    If you have ever been privileged to hear the high-pitched squeal from Kaspersky Internet Security when it encounters a virus and been knocked out of your Aeron into mid-air, you know your life has just been shortened.

    I know they want to get your attention, but DAMN that noise is obnoxious!

  6. I'll never forget... by spywhere · · Score: 3, Insightful

    On or about October 16, 2004, while I was driving home, the Help Desk where I was alpha geek received a virus report. The senior tech had to delete a bunch of files, including Excel.exe, before the machine would stop reporting infections. By the time she finished, it barely ran (and was later re-imaged).
    I went in early the next day, and more reports started trickling in right away. I went to one of the first computers, and found that McAfee was reporting Excel.exe and other key files were infected even on the CD. By the time I got back to the desk, they were swamped with calls. As yet, there was no information on the McAfee site about the new virus.

    I went into a room with the CIO and other execs, where they started making plans to shut down the WAN and unplug the local switches... and I spoke up: "I don't think this is a virus."
    They looked at me like I was crazy, and shooed me out of the room.
    I refreshed the page on the McAfee site, and they had just posted information about a "false positive caused by new definitions combined with the outdated, no-longer-supported engine version 4.xxx." I printed that page, and burst back into the emergency meeting. The planning changed to updating the McAfee clients in bulk and fixing the PCs.

    Later that evening, after a grueling day of remote Office reinstallations, the CIO came to me and said, "Do you have any idea what a huge disaster this would have been if you hadn't figured this out?"
    I calmly replied, "You're not paying me to fail."

    A few months later, I got a $500 bonus (less taxes) in my check.

    1. Re:I'll never forget... by /dev/trash · · Score: 3, Insightful

      500 bucks? A lousy 500 bucks?

  7. Re:question by Skrynesaver · · Score: 3, Funny

    This is the Linux honour system virus, please:
    • Copy this text to a text file on each of your hard drives
    • Randomly delete three files on your system
    • Forward this to everyone in your address book.
    Your co-operation has been appreciated, thank you.
    --
    "Linux is for noobs"-The new MS fud strategy