ADVISORY: Anti-Virus False Positives
First Published: August 31, 2006
Last Updated: January 28, 2007
All tests are subject to false negatives and false positives. The former is self-explanatory, as we all understand that tests are not perfect. We accept that they could fail to detect in some cases and let the "bad guys" pass through. However, people are not intuitively aware that false positives are also commonplace, especially in the context of anti-virus (AV). The fact is: many innocuous files are being wrongly flagged.
How does that happen?
- Signatures: AV products rely on something called signatures, essentially a string of characters (or more precisely, bytes) used for matching. In order to keep the size of the signature database manageable, only a tiny fragment of the offending code is listed. It is rare, but entirely possible, for some other unrelated file to share an identical string of bytes. Obviously it is just a coincidence, and those files are totally harmless.
- Heuristics: A few years ago, malware writers started employing polymorphic techniques to dodge detection. That is, they scramble up the code a bit by creating superficial variations. AV vendors responded by using heuristic methods. Symantec calls their version "Bloodhound Technology," alluding to the fact that it can sniff out hidden dangers. Heuristic means investigation by speculative formulation, essentially educated guesses, i.e. signs that indicate "could be" and "might be."
- Competition: Most of the reviews and comparisons are done with invalid methodologies. Typically, a non-scientist runs the programs in default mode, then compares which catches the greatest number of "bad guys." Of course, programs should be run in a properly customized, optimal mode; and performance is not measured by a single attribute, and certainly not by how many it catches. Needless to say, vendors are under pressure to boost the appearance of superiority.
- Blame: Finally, it is a matter of context, purposes, priorities, relevance, popularity, and even motives! Case in point: a criminal can offer a screensaver as a lure and bundle a file transfer program with it. The victim's computer effectively becomes a file server, accessible by the perpetrator. Of course, the file transfer tool is a legitimate program; the deceptive package that pirated the tool is the culprit.
Things get murky quickly... as you will see...
Most malware writers are copycats. There will be numerous unrelated malware following the lead and using that same tool. AV vendors typically would create a signature to detect the transfer tool, as an easy (and reliable) way of flagging all such variants of malware. This, of course, would unfairly impact the minority of users of that legitimate tool. They have two options: either manually exclude that file from the scan, or give up its use altogether. If the tool in question is very popular, complaining to AV vendors might result in updates to the signature so that it more accurately detects the culprits, not the tool used.
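The two mechanisms just described (a signature that is a short byte fragment, and a user-maintained exclusion list) are easy to see in miniature. The following Python script is an added illustration, not code from the original advisory or from any AV vendor. The "files" are constructed byte strings, and the signature names are invented. It shows a fragment signature matching both the offending sample and an unrelated document that happens to contain the same bytes, a signature with more surrounding context that no longer matches the innocent file, and an exclusion list keyed by file hash rather than by path, so the exclusion is tied to the exact file content.

```python
import hashlib
from typing import Dict, List, Set

# Constructed sample "files" (not real malware). The offending sample and an
# innocent manual both contain the same short run of bytes by coincidence.
MALWARE_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 20 + b"connect-back:ftp-push" + b"\x00" * 8
)
INNOCENT_DOC = (
    b"Manual for the file transfer tool. The connect-back:ftp-push option "
    b"is used to send a directory listing to the requesting host."
)

# Signature 1: only a tiny fragment of the offending code, as the text
# describes. Signature 2: the same fragment with its surrounding bytes,
# which the innocent document does not share.
SHORT_SIGNATURES: Dict[str, bytes] = {"Trojan.Constructed.A": b"connect-back:ftp-push"}
CONTEXT_SIGNATURES: Dict[str, bytes] = {
    "Trojan.Constructed.A": b"\x00" * 20 + b"connect-back:ftp-push" + b"\x00" * 8
}


def file_hash(data: bytes) -> str:
    """SHA-256 of the file content; used as the exclusion key."""
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Return the names of all signatures whose byte fragment occurs in data."""
    return [name for name, fragment in signatures.items() if fragment in data]


def scan_with_exclusions(
    data: bytes, signatures: Dict[str, bytes], excluded_hashes: Set[str]
) -> List[str]:
    """Signature scan that skips files the user has explicitly excluded.

    Keying the exclusion on the content hash (rather than a path) means the
    exclusion follows the exact file and cannot be satisfied by a different
    file dropped at the same path.
    """
    if file_hash(data) in excluded_hashes:
        return []
    return scan(data, signatures)


if __name__ == "__main__":
    print("short signature, sample:  ", scan(MALWARE_SAMPLE, SHORT_SIGNATURES))
    print("short signature, manual:  ", scan(INNOCENT_DOC, SHORT_SIGNATURES))  # false positive
    print("context signature, sample:", scan(MALWARE_SAMPLE, CONTEXT_SIGNATURES))
    print("context signature, manual:", scan(INNOCENT_DOC, CONTEXT_SIGNATURES))
    excluded = {file_hash(INNOCENT_DOC)}
    print("short signature + exclusion, manual:",
          scan_with_exclusions(INNOCENT_DOC, SHORT_SIGNATURES, excluded))
```

Running the script shows the trade-off the advisory describes: the short fragment catches the sample but also flags the manual, the longer fragment removes that false positive at the cost of a larger signature, and the hash-keyed exclusion silences the false positive without touching the signature at all.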
Numerous shareware and freeware programs are plagued by such situations due to their relative obscurity. Of course, AV vendors have to make a compromise between streamlining detection for the benefit of the mainstream public and the inconvenience and losses of the minority of users. We're now rapidly approaching 100,000 strains of viruses, worms and Trojan horses. The size of the virus definition database is at 13M after extreme compression, which is somewhat unmanageable, considering that it's being frequently downloaded by hundreds of millions of users. Occasionally, the false positive is partially profit-motivated (clearly beyond justifications, sloppiness, or accidents)...
Case in point: in early 2005, when Symantec released Symantec Anti-Virus (SAV) 10.0, they added anti-spyware features and flagged a commercial product, Radmin by Famatech, which is a direct competitor to their own pcAnywhere remote access program. Naturally, all such products contain elements that can be abused (just like knives and cars) for unauthorized file transfer if covertly installed. Symantec planted several suspicious layers of code to defeat the users' exception/exclusion settings, making it seemingly impossible to override.
Even after finally jumping through all the needless hoops, whenever the SAV program is upgraded, that particular exclusion setting is conveniently forgotten again! This peculiar behavior was formally acknowledged as a "bug," but it was never fixed. Eventually, people simply gave up and switched to alternate remote control products.
A List of Known False Positives for SAV:
The complete list has hundreds of items. These are only the few items that are in use among our client sites. There are numerous other programs we use in-house, and special software used by clients, that require a custom "exclusion" setup.
- R-admin (remote control, a competitor to pcAnywhere)
- SlimFTP (an FTP server program)
- ipscan (aka Angry IP Scanner, open source)
- netcat (nc, a basic network diagnostics tool)
- SuperScan 4 (security software from a major vendor)