From the desk of: Sam C. Chan

ADVISORY: Anti-Virus False Positives

First Published: August 31, 2006
Last Updated: January 28, 2007

All tests are subject to false negatives and false positives. The former is self-explanatory, as we all understand that tests are not perfect. We accept that they could fail to detect in some cases, and let the "bad guys" pass through. However, people are not intuitively aware that false positives are also commonplace, especially in the context of anti-virus (AV). The fact is: many innocuous files are being wrongly flagged.

How does that happen?

  • Signatures: AV products rely on something called signatures, essentially a string of characters (or more precisely, bytes) used for matching. In order to keep the size of the signature database manageable, only a tiny fragment of the offending code is listed. It is rare, but entirely possible, for some other unrelated file to share an identical string of bytes. Obviously it is just a coincidence, and those files are totally harmless.
  • Heuristic: A few years ago, malware writers started employing polymorphic techniques to dodge detection. That is, they scramble up the code a bit by creating superficial variations. AV vendors responded with heuristic methods. Symantec calls their version "Bloodhound Technology," alluding to the fact that it can sniff out hidden dangers. Heuristic means investigation by speculative formulation, essentially educated guesses, i.e. signs that indicate "could be" and "might be."
  • Competition: Most reviews and comparisons are done with invalid methodologies. Typically, a non-scientist runs the programs in default mode, then compares which one catches the greatest number of "bad guys." Of course, programs should be run in a properly customized, optimal mode; and performance is not measured by a single attribute, and certainly not by how many it catches. Needless to say, vendors are under pressure to boost the appearance of superiority.
  • Blame: Finally, it is a matter of context, purposes, priorities, relevance, popularity, and even motives! Case in point: a criminal can offer a screensaver as a lure, and bundle a file transfer program with it. The victim's computer effectively becomes a file server, accessible to the perpetrator. Of course, the file transfer tool is a legitimate program; the deceptive package which pirated the tool is the culprit.

Things get murky quickly... as you will see...

Most malware writers are copycats; numerous unrelated malware will follow the lead and use that same tool. AV vendors typically create a signature to detect the transfer tool, as an easy (and reliable) way of flagging all such variants of malware. This, of course, unfairly impacts the minority of users of that legitimate tool. They have 2 options: either manually exclude that file from the scan, or give up its use altogether. If the tool in question is very popular, complaining to AV vendors might result in updates to the signature to more accurately detect the culprits rather than the tool used.
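As an added illustration (not part of the original advisory), the toy scanner below shows the two points above: a short signature fragment lifted from compiler-generated code matches an unrelated, harmless file, and an exclusion keyed by the vetted file's hash suppresses that one false positive without disabling the signature for everything else. It also estimates how fast the chance of a coincidental match falls as the fragment gets longer. Signature names, fragments and sample files are all constructed.

```python
import hashlib

# Constructed toy signature database (assumed names and fragments, not real AV signatures).
# Toy.Dropper.A is a 6-byte fragment taken from a common x86 function prologue
# (push ebp; mov ebp,esp; sub esp,0x40), so any binary built by the same compiler shares it.
SIGNATURES = {
    "Toy.Dropper.A": b"\x55\x8b\xec\x83\xec\x40",
    "Toy.Worm.B": b"GET /cmd.cgi?run=",   # longer and more distinctive, far less likely to collide
}

# Constructed sample files: one malicious, one a harmless tool built with the same compiler.
MALICIOUS = b"MZ" + b"\x00" * 14 + b"\x55\x8b\xec\x83\xec\x40" + b"GET /cmd.cgi?run="
BENIGN = b"MZ" + b"\x00" * 14 + b"\x55\x8b\xec\x83\xec\x40" + b"legit remote admin tool"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, signatures=SIGNATURES, exclusions=frozenset()):
    """Return the names of all signatures whose fragment occurs in data.

    exclusions holds SHA-256 digests of files the operator has vetted. Keying the
    exclusion on content rather than on a path means it survives renames and upgrades,
    and a different file dropped at the same location does not inherit it.
    """
    if sha256_hex(data) in exclusions:
        return []
    return [name for name, fragment in signatures.items() if fragment in data]


def coincidence_probability(sig_len: int, file_len: int) -> float:
    """Estimate the chance that a uniformly random file_len-byte file contains a given
    sig_len-byte fragment: one chance in 256**sig_len at each start offset.
    Real files are not random (compiled code reuses prologues), so this understates
    the true false-positive rate for fragments taken from shared library or compiler code."""
    positions = max(file_len - sig_len + 1, 0)
    return min(1.0, positions / 256 ** sig_len)


if __name__ == "__main__":
    print("malicious:", scan(MALICIOUS))                           # both signatures hit
    print("benign:   ", scan(BENIGN))                              # false positive on the prologue
    print("excluded: ", scan(BENIGN, exclusions={sha256_hex(BENIGN)}))
    for n in (4, 6, 16):
        print(f"{n}-byte fragment vs 1 MB random file: {coincidence_probability(n, 1_000_000):.2e}")
```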

Numerous shareware and freeware programs are plagued by such situations due to their relative obscurity. Of course, AV vendors have to compromise between streamlining detection for the benefit of the mainstream public and the inconvenience and losses of the minority users. We're now rapidly approaching 100,000 strains of viruses, worms and Trojan horses. The size of the virus definition database is at 13M after extreme compression, which is somewhat unmanageable, considering that it's being frequently downloaded by hundreds of millions of users. Occasionally, the false positive is partially profit-motivated (clearly beyond justifications, sloppiness, or accidents)...

Case in point: In early 2005, when Symantec released Symantec Anti-Virus (SAV) 10.0, they added anti-spyware features and flagged a commercial product, Radmin by Famatech, which is a direct competitor to their own pcAnywhere remote access program. Naturally, all such products contain elements that can be abused (just like knives and cars) for unauthorized file transfer, if covertly installed. Symantec planted several suspicious layers of code to defeat the users' exception/exclusion settings, making it seemingly impossible to override. Even after finally jumping through all the needless hoops, whenever the SAV program is upgraded, that particular exclusion setting is conveniently forgotten again! This peculiar behavior was formally acknowledged as a "bug," but it was never fixed. Eventually, people simply gave up and switched to alternate remote control products.

A List of Known False Positives for SAV:

The complete list has hundreds of items. These are only the few items in use at our client sites. There are numerous other programs we use in-house, and special software used by clients, that require custom "exclusion" setup.

  • R-admin (remote control, a competitor to pcAnywhere)
  • SlimFTP (an FTP server program)
  • ipscan (aka Angry IP Scanner, open source)
  • netcat (nc - a basic network diagnostics tool)
  • SuperScan 4 (security software from a major vendor)

Copyright © 2005-2006 Bravo Technology Center