Are AV False Positives Hurting You?
Gerald asks: "After the most recent Wireshark release a certain AV vendor's product started warning users that the installer contained adware. Since then, I've spent several hours verifying this isn't the case, trying to get the AV vendor to fix their stuff, and reassuring affected users that we do not ship adware with our product. Unfortunately, this isn't an isolated case. I've had to do this
several times over the past few years, and each incident uses up time that could have been better spent elsewhere. It's even worse for other projects. If you produce software, have you ever suffered collateral damage from AV false positives?"
Nope, Running Linux... (Score:2, Informative)
D
Linux not Exempt (Score:2)
There was no virus. It was just a false positive.
So no, Linux is not exempt from collateral damage. Potential customers may be needlessly scared away when the AV software scans your CD!
yup (Score:5, Informative)
Re: (Score:2, Informative)
Yep - I've had an overzealous config of Norton delete every NSIS installer I had created. (Which was a number, used for installing various components of an in-house software system.) Specifically Norton had decided that every installer created by NSIS 2.17 was a virus, and someone had configured the file server where I had the installers to delete infected files (instead of just quarantining them).
Re: (Score:3, Funny)
Yes and no. (Score:5, Interesting)
If I had come to work a few hours earlier, I probably would already have propagated the info about the false alarm I got from colleagues on irc, and we'd be running Windows XP on her box, still.
This way though, it's running Ubuntu 6.10, and everyone's happy with that. So I find it hard to say that this false positive actually hurt us. Somehow, I'm glad it happened - another system that's easy to admin and use added to our network, one of the few giving me headaches removed. Win-win.
Re:Yes and no. (Score:4, Funny)
Win-win.
Re: (Score:1)
AVG. It has won awards, including the VB100, which, from the VB100 site:
In addition, AVG is effic
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Moo (Score:1, Funny)
Just before, I had this totally awesome reply, but it was *falsely* identified by the Slashdot junk filter and I couldn't post it.
Re: (Score:1)
Yes, with Avira AntiVir (Score:3, Insightful)
Avira AntiVir also complains about some other files I'm pretty sure are harmless... maybe I need another scanner
Re: (Score:2)
I was using UPX to compress the executable header on an NSIS installer, which seemed to be a combination likely to freak out the "smart" detection of many scanners. Avoiding the use of UPX on the installer
Plan to give up on AV (Score:1, Interesting)
My plan is to buy a system that is fast enough that everything (except for games) will be run on a virtual machine
Re: (Score:3, Interesting)
In general I plan to give up on AV in the near future because (for the most part) it doesn't work well enough ...
I have ClamAV installed. It never comes up with false positives, or negatives, or really anything at all.
My plan is to buy a system that is fast enough that everything (except for games) will be run on a virtual machine
I run Windows and Linux in VMs right now, on top of OS X. Most of my applications are native OS X ones, but the VMs are plenty fast for InkScape and OpenOffice and XPDF unde
Re: (Score:2)
I can vouch for that. Then again, the same is true for the AV system from MS. It doesn't find jack either.
Though I wouldn't call that a sign of high quality.
Re: (Score:1)
Of course, doing this actually violates the brain-dead Windows licensing, because it looks like different hardware to the license manager (or whatever they call it.) There is probably a way to fool it, but I have better things to do with my time, so I only run Windows under Vmware Server with a SUSE host O/S on my laptop.
Maybe Microsoft will eventuall
Re: (Score:1)
Re: (Score:2)
What does that solve? Viruses run perfectly well on a VM too.
Viruses have a lot harder time of it when they have to re-infect your machine every time you quit and restart your Windows apps/VM. I use a VM for several Windows applications and they can read and write files to one directory shared with the rest of my OS. Aside from that, all changes are wiped every time I use those applications and it goes back to a known good copy. Occasionally, I'll boot the saved, known good copy and install the updates
Re: (Score:2)
Yes, this has been a problem for Nmap too (Score:5, Interesting)
This has been enough of a problem for the Nmap Security Scanner [insecure.org] that we warn about McAfee specifically and suggest better alternatives on the Nmap Download Page [insecure.org] (See the Windows section). More details about the problems we've encountered are posted here [seclists.org]. I've spoken with McAfee executives at conferences and they say they want to fix the problem, but then it just gets lost in their bureaucracy. Sigh.
Also, it is annoying when free software gets wrongly listed on spyware databases. For example, check out the "Spyware Encyclopedia" entry on Nmap [spywaredb.com], which says "NMap belongs to the Port Scanner spyware category. It's[SIC] presense[SIC] means that your computer is infected with malicious software and is insecure." WTF? Similarly, Nmap has an entry [ca.com] in the "CA Spyware Information Center". If they want to warn about Nmap because it can be used for network discovery, fine. But it shouldn't be called spyware, adware, or anything like that.
-Fyodor
Insecure.Org [insecure.org]
Re: (Score:2, Informative)
No (Score:1, Funny)
Danger Approaches (Score:5, Insightful)
Right now, an antivirus company may list your software as adware because it matches some other software's behavior too closely or because your software was mistakenly classified as adware. Other malware detection systems may even start to classify your software incorrectly, taking their cue from their peer. So what can you do? You can write to the antivirus company(s) and ask them to fix their signatures. You can complain on forums and the like, especially informing your users that the antivirus is defective, hurting the reputation of that company and possibly driving users to better coded alternatives. This is far from ideal, but it could be worse.
MS has included an antivirus solution (Defender) with Windows Vista. Since it is bundled with Vista and everyone who buys a new computer will find Vista pre-installed and with it Defender and they will have already paid for it by the time they find out about it, Defender will almost certainly become the most widespread solution, possibly completely taking over the home market, regardless of how good it is (failed to be certified due to too many incorrect classifications). This means within the next few years, it may be only one company you have to go to to get the signature fixed. That's the good news. The bad news is that they won't have any reason to respond quickly and won't have any motivation to not have false positives and negatives since they get paid when Windows is purchased and even if users abandon it and buy something else, they don't lose any money.
Now I'm not entirely opposed to MS providing a free anti-virus solution, but to comply with the law they have to bend over backwards to provide other companies the same access so as not to destroy the competitive market and create another situation like IE where the worst solution on the market is paid for and used by 80% of the populace and the state of technology advances only at a snail's pace.
From what I've seen, MS has not done that, so you can look forward to more false positives in the future with less chance of those classifications ever being corrected.
Re: (Score:2)
This exists in the anti-malware world. All people distributing malware lie. Therefore, if your software is identified as malware and you say it isn't, you are lying. Neat, huh?
If you have not experienced this yet, just try getting off some anti-malware program's list. Try. Then try several more times. Go have a few drinks. Come back tomorrow and realize it is fruitless. Be prepared to answer a lot of phone calls and email saying "But it says it is spyware!!!"
Onc
Re: (Score:2)
If you have not experienced this yet, just try getting off some anti-malware program's list. Try. Then try several more times. Go have a few drinks. Come back tomorrow and realize it is fruitless. Be prepared to answer a lot of phone calls and email saying "But it says it is spyware!!!"
Right, so your main tool for solving this is the court of public opinion. People can and do currently choose antivirus software from quite a few different options. Thus, even if they are not 100% convinced that their antiv
Re: (Score:2)
MS has included an antivirus solution (Defender) with Windows Vista. Since it is bundled with Vista and everyone who buys a new computer will find Vista pre-installed and with it Defender and they will have already paid for it by the time they find out about it, Defender will almost certainly become the most widespread solution, possibly completely taking over the home market, regardless of how good it is (failed to be certified due to too many incorrect classifications). This means within the next few years, it may be only one company you have to go to to get the signature fixed. That's the good news. The bad news is that they won't have any reason to respond quickly and won't have any motivation to not have false positives and negatives since they get paid when Windows is purchased and even if users abandon it and buy something else, they don't lose any money.
No they haven't. Windows Defender is Anti-Spyware ONLY. It will not find viruses. OneCare will, but OneCare is NOT free, and NOT bundled.
No, but the potential is there! (Score:5, Funny)
I know they want to get your attention, but DAMN that noise is obnoxious!
Re: (Score:1)
Re:question (Score:4, Funny)
DB Server (Score:2)
Is lack of adequate testing hurting you? (Score:1, Interesting)
Re: (Score:2, Interesting)
Michael Bolton: No way. Why should I change? He's the one who sucks.
More seriously, false positives are usually due to a definition file that comes out well _after_ the software has been released. Testing beforehand won't accomplish anything at the expense of paying N dollars per year to multiple antivirus vendors.
In this particular case, it looks like WinPcap is being flagged. It came out on Jan 29th, and we started getting reports about
It's the Cyber ages 'Opinion Monopoly' problem (Score:2)
Apparently the guy who built it told the customer that 'it's a CMS' - which is total BS. It happened today. This proves once again that technical stuff that's so close to the end user and yet so obscure as software and anything IT have that problem of 'opinion monopoly' or 'short-term opinion overhand'.
People think Windows is a good OS - which it isn't - an
One drove me crazy... (Score:1, Interesting)
Of note, if you attempt to contact McAfee, they won't re-test individual software. I was screwed out of my money.
Re: (Score:1)
Re: (Score:1)
Not a false positive, but AV winds up costing $$. (Score:3, Interesting)
One particular product that got installed by another consultant was BitDefender. It caused at least 3 distinct unrelated problems at two different sites that I fixed by choosing a different AV product. I don't blame the other consultant, since it's difficult to know which AV software is going to break something. I DO blame the AV vendors for producing buggy software that winds up costing companies a lot of money.
Re:Not a false positive, but AV winds up costing $ (Score:1)
AV is nuts (Score:2)
Here [blogspot.com] is an example from someone's blog about the ridiculous lengths people have to go to in order to work around their own AV software. As another example, my mother's Windows machine refuses to run Firefox, and it seems to be because of an AV issue.
The whole thing is nuts. AV software is a total scam. It's inaccurate, it costs money, it uses resources, and it stops people from getting their work done. Many home users also don't seem to keep their definitions up to date, which is like using a condom that
a funny little AV story (Score:2)
Well, he also wanted to make sure his mom had bells and whistles, and was protected. So he installed some additional software including a copy of the AV software he used. He even made a nice bootable restore CD set with all the installed software ready to go. He then went out of state ba
I'll never forget... (Score:4, Insightful)
I went in early the next day, and more reports started trickling in right away. I went to one of the first computers, and found that McAfee was reporting Excel.exe and other key files were infected even on the CD. By the time I got back to the desk, they were swamped with calls. As yet, there was no information on the McAfee site about the new virus.
I went into a room with the CIO and other execs, where they started making plans to shut down the WAN and unplug the local switches... and I spoke up: "I don't think this is a virus."
They looked at me like I was crazy, and shooed me out of the room.
I refreshed the page on the McAfee site, and they had just posted information about a "false positive caused by new definitions combined with the outdated, no-longer-supported engine version 4.xxx." I printed that page, and burst back into the emergency meeting. The planning changed to updating the McAfee clients in bulk and fixing the PCs.
Later that evening, after a grueling day of remote Office reinstallations, the CIO came to me and said, "Do you have any idea what a huge disaster this would have been if you hadn't figured this out?"
I calmly replied, "You're not paying me to fail."
A few months later, I got a $500 bonus (less taxes) in my check.
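A triage check for the pattern in the story above (one known-good file suddenly flagged on many machines right after a definition update, as opposed to a single-host hit or a genuine outbreak), as an added example that is not code from the thread; the log format, field names and thresholds are assumptions, and the log lines are constructed:

```python
"""Flag a probable AV false-positive outbreak from alert logs.

Assumed log format (constructed): "<ISO time> <host> <detection> <path>"
with definition updates logged as "<ISO time> <host> UPDATE <details>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_HOSTS = 3                    # same file on this many hosts is a pattern, not noise
WINDOW = timedelta(hours=2)      # detections this soon after an update are suspect

# Constructed sample lines; single backslashes in the paths after escaping.
SAMPLE_LOG = """\
2007-02-05T08:55:00 defs-server UPDATE definitions 4955
2007-02-05T09:01:10 pc-101 W32/Generic.x C:\\Program Files\\Microsoft Office\\Office\\Excel.exe
2007-02-05T09:01:30 pc-102 W32/Generic.x C:\\Program Files\\Microsoft Office\\Office\\Excel.exe
2007-02-05T09:02:05 pc-103 W32/Generic.x C:\\Program Files\\Microsoft Office\\Office\\Excel.exe
2007-02-05T09:03:40 pc-104 W32/Generic.x C:\\Program Files\\Microsoft Office\\Office\\Excel.exe
2007-02-05T09:05:12 pc-117 W32/Generic.x C:\\Program Files\\Microsoft Office\\Office\\Excel.exe
2007-02-05T11:20:00 pc-130 W32/Netsky.q C:\\Users\\bob\\Downloads\\invoice.exe
2007-02-05T14:01:00 pc-140 W32/Netsky.q C:\\Temp\\photo.scr
2007-02-05T14:03:00 pc-141 W32/Netsky.q C:\\Temp\\photo.scr
2007-02-05T14:04:00 pc-142 W32/Netsky.q C:\\Temp\\photo.scr
"""


def parse_line(line):
    """Split one log line; maxsplit keeps paths containing spaces intact."""
    ts, host, kind, rest = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, kind, rest


def triage(log_text):
    """Return {(detection, path): (label, distinct_host_count)}."""
    update_times = []
    hits = defaultdict(list)     # (detection, path) -> [(time, host), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, host, kind, rest = parse_line(line)
        if kind == "UPDATE":
            update_times.append(when)
        else:
            hits[(kind, rest)].append((when, host))

    verdicts = {}
    for key, events in hits.items():
        first = min(t for t, _ in events)
        hosts = {h for _, h in events}
        # Did a definition update land shortly before the first report?
        after_update = any(timedelta(0) <= first - u <= WINDOW for u in update_times)
        if len(hosts) >= MIN_HOSTS and after_update:
            label = "probable-false-positive"   # verify the file against a clean install first
        elif len(hosts) >= MIN_HOSTS:
            label = "possible-outbreak"         # many hosts, no update to blame
        else:
            label = "single-host-detection"
        verdicts[key] = (label, len(hosts))
    return verdicts
```

The "probable-false-positive" verdict is a prompt to compare the flagged file's hash with a known-good copy before any mass cleanup, which is the check that would have short-circuited the emergency meeting in the story.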
Re:I'll never forget... (Score:4, Insightful)
Re: (Score:2)
Yeah. I must have saved them tens of thousands of dollars...
However, I lived to tell the story on Slashdot, so I guess I won in the end!
Not paid to succeed? (Score:2)
A few months later, I got a $500 bonus (less taxes) in my check.
While I don't believe in bonuses for doing one's ordinary job, I believe that in exceptional circumstances, bonuses should be commensurate with the associated level of appreciation. It sounds like it barely covered the extra hours you put in, seeing that you were first notified on the way home.
I think a few times your amount would be a nice gesture, especially considering a few hours wasted for
Re: (Score:2)
And you can rest assured that your boss got a bonus of at least 5k, mostly for not interfering with your work. Welcome to the corporate world.
alpha (Score:2)
Re: (Score:2)
Yes, with Antivir (free-av) (Score:2)
Avast! (Score:2)
I switched to Avast! from AVG (Score:2)
1: Virus got past AVG and stopped it detecting any more viruses. Was a PITA to disinfect.
2: AVG Free's annoying inability to disinfect a file when it first detects the infection, forcing you to run the main program.
3: A false positive in Multimedia Fusion created programs (and another AVG false positive was reported on the MMF forums two years after I stopped using AVG)
4: No free 64-bit Windows support
Since i
Re: (Score:1)
AVG has been bugging me about pskill.exe... (Score:2)
AntiVir seems to be the most prone to this..... (Score:2)
Symantec vs. Google? (Score:1)
YES! (Score:2)
Yes indeed - two of my freeware apps have been mis-diagnosed as trojan-bearers in the past. I contacted the AV vendors (who demanded the usual proof, mother's maiden name, left nut) and they eventually sorted the problem out. In the meantime I had to deal with angry emails from users accusing me of corrupting their machines, raping their bank accounts and stealing their wives. Or something along those lines
Two security patches were flagged as viruses ... (Score:2)
On the other hand, one of my email providers was running a virus scanner that seemed to let almost through. (It's been fixed.)
At least with the fail-safe scann
I don't produce software, but... (Score:2)
This is one of the reasons I'm dropping Windows as a host platform for gaming.
Norton Hijacker (Score:2)
Re: (Score:2)
Same thing happened to me with Norton and Thunderbird. Some spam is always getting through the filters, and most of the time it's annoying but not debilitating. But one day Norton freaked out over one spam email and quarantined my entire inbox. Nothing I was allowed to do would release the inbox. Norton also sent out an email to the sys admin, who came running about a minute later, just as I was about to fire up Knoppix to deal with the prob, as I hadn't been given admin access on my own box. (They bel
Re: (Score:1)
Oh, yesindeedy. (Score:2)
I've since had other problems with Norton AV, which bogs my
What's worse? (Score:2)
Heuristics are another source of headaches, especially for programs that share a few properties with malware (like runtime packers or trying to gain access to low level parts of the system,
Youbetcha (Score:2)
But the worst problem is that, from time to time, the AV running on one of the processing servers, or even on one of our workstations, will just decide, apparently at random, that one of our in-house DLLs or EXEs must be da
Not as a false positive, but nasty anyway. (Score:2)
The situation would be pretty awful in normal circumstances, and in my case (network administrator) it would be so intolerable that the RTAV would have to be disabled (at least for me).
I wouldn't be surprised that Wireshark (AKA Ethereal) would fall in that category, although it never happened with Ethereal (in m
Re: (Score:2)
YES! (Score:2)
Yes - concatenated PNG files (Score:2)
One day, the publisher calls in a panic, because their AV scan keeps reporting our games as being infected with a virus. We tried assuring them otherwise; we'd had trouble fitting the games in the limited download package, so we'd certainly know if there was something we didn't want or need in t