Friday, July 8, 2011

On false positives (the antivirus kind)

The phrase "false positive" refers to a result that reports something as present, or as a match, when it is actually absent. For example, if an AFIS (not from my company or any of my esteemed competitors) said that my fingerprints were identical to those of Charles Manson, that would be a false positive. (I was in Illinois at the time. I have witnesses.)

The same phrase applies to anti-virus software. Dave Winer is infuriated that McAfee claims scripting.com is dangerous. Winer states:

The files they [McAfee] claim are trojans are actually archives of back-issues of this site. Snapshots taken on the 10th anniversary, in 2007. They're lying when they say they looked inside these files. They couldn't possibly have. All they contain are text files.

But Winer at least has a platform that is read by influential members of the tech community. Others do not. NirSoft:

Unfortunately, most Antivirus companies go too far with their Virus/Trojan protection, and many times they classify completely legit software as Virus/Trojan infection.

One good example for that is my own password recovery tools: Most people need these tools to recover their own lost password. These password tools, like many other utilities out there, can also be used by hackers for bad purposes.

The attitude of many Antivirus companies is very tough in this subject -

If it's a tool that can be used by bad guys, it's classified as Trojan or Virus, even when most users need it and use it for good purposes. Antivirus companies don't care that they block their own customers that want to recover their own passwords, and they don't care that they may cause their customer to think that I'm a Virus distributor.

I must say that some Antivirus companies are a little more gentle, and classify these tools as "Security Threat" or "Riskware" which is much better than classifying them as Virus or Trojan, but they still prevent the user from running them - by deleting them or by putting them in quarantine.


And some detection companies admit their mistakes:

A Slovenian language directory for Windows Live is causing us considerable headaches this morning, and we have no one to blame but ourselves.

A Network World article alleged that Samsung laptops had a keylogger. Unfortunately (and to our dismay), the evidence was based off of a false positive by VIPRE for the StarLogger keylogger.

The detection was based off of a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic....

The directory in question was C:\WINDOWS\SL, and is the Slovenian language directory for Windows Live. This same directory path is used by the StarLogger keylogger.


GFI Labs apologized, and added the following comment:

False positives do happen, it’s inevitable and like all antivirus companies, we continually strive to improve our detections, while reducing any chance of a false positive. This one (admittedly, an incredibly embarrassing one) made it through our processes, and I have met with the senior managers in the area this morning to handle what happened and to continue to improve our processes.
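The GFI Labs incident is a textbook case of a heuristic with one weak signal standing in for evidence. To make that concrete, here is an added example (my code, not GFI's, VIPRE's or any vendor's) that scores two rules over a handful of constructed file records: a path-only heuristic like the one GFI describes, and a rule that treats the folder as weak evidence that needs content corroboration before it becomes a detection. The folder C:\WINDOWS\SL is the one named above; every file name, file body, the marker byte string and its hash are invented for the example and are not real StarLogger indicators. The confusion counts it returns are the "false positive" of the opening paragraph, stated in numbers.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str           # full path on the scanned host
    content: bytes      # file bytes (constructed for this example)
    is_malicious: bool  # ground-truth label, used only to score the rules


# Folder path named in the GFI Labs post; in their heuristic it was the whole signal.
SUSPECT_DIR = r"C:\WINDOWS\SL"

# Hypothetical content indicators, invented for this example. They are NOT real
# StarLogger artefacts: a byte string we pretend appears in the keylogger's binary,
# and the SHA-256 of one made-up build of it.
MARKER = b"HYPOTHETICAL-KEYLOGGER-MARKER"
KNOWN_BAD_SHA256 = hashlib.sha256(b"keylog engine " + MARKER).hexdigest()

# Weights: the folder is weak evidence, a content match is strong evidence.
PATH_WEIGHT = 1
CONTENT_WEIGHT = 3
THRESHOLD = 3


def parent_dir(path: str) -> str:
    """Case-folded directory part of a Windows path."""
    return path.rsplit("\\", 1)[0].upper()


def in_suspect_dir(rec: FileRecord) -> bool:
    return parent_dir(rec.path) == SUSPECT_DIR.upper()


def content_matches(rec: FileRecord) -> bool:
    """Exact hash match, or the marker string somewhere in the bytes."""
    digest = hashlib.sha256(rec.content).hexdigest()
    return digest == KNOWN_BAD_SHA256 or MARKER in rec.content


def path_only_rule(rec: FileRecord) -> bool:
    """The aggressive heuristic: anything under the folder is a detection."""
    return in_suspect_dir(rec)


def corroborated_rule(rec: FileRecord) -> bool:
    """Sum weak and strong evidence; only strong evidence can cross the threshold."""
    score = 0
    if in_suspect_dir(rec):
        score += PATH_WEIGHT
    if content_matches(rec):
        score += CONTENT_WEIGHT
    return score >= THRESHOLD


# Constructed file set: one keylogger in the folder, two harmless language files
# in the same folder, one keylogger copy elsewhere, one unrelated file.
SAMPLES = [
    FileRecord(r"C:\WINDOWS\SL\keylog.exe", b"keylog engine " + MARKER, True),
    FileRecord(r"C:\WINDOWS\SL\strings.xml", b"<resources lang='sl'>Zdravo</resources>", False),
    FileRecord(r"C:\WINDOWS\SL\README.txt", b"Windows Live language files (Slovenian)", False),
    FileRecord(r"C:\Users\alice\Downloads\svc.exe", b"dropper stub " + MARKER, True),
    FileRecord(r"C:\Program Files\Editor\notes.txt", b"meeting notes", False),
]


def confusion(rule, samples) -> dict:
    """Count true/false positives and negatives for a rule against labelled samples."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for rec in samples:
        hit = rule(rec)
        if hit and rec.is_malicious:
            counts["tp"] += 1
        elif hit:
            counts["fp"] += 1
        elif rec.is_malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def false_positives(rule, samples) -> list:
    """Paths a rule flags that the ground truth says are clean."""
    return [rec.path for rec in samples if rule(rec) and not rec.is_malicious]


if __name__ == "__main__":
    for name, rule in (("path-only", path_only_rule), ("corroborated", corroborated_rule)):
        print(name, confusion(rule, SAMPLES), false_positives(rule, SAMPLES))
```

Run it and the path-only rule flags both language files as keyloggers while missing the copy dropped outside the folder; the corroborated rule flags only the two records that carry content evidence. In a real engine the corroboration would be a signature, a certificate check or behavioural telemetry rather than a made-up marker, but the shape of the fix is the same: a path is a place to look, not a verdict.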

Now look at how McAfee, the company that marks Dave Winer's scripting.com as a red site, apologized in the wake of a recent incident of its own. Compare the opening of the GFI Labs statement with the opening of this one:

In the past 24 hours, McAfee identified a new threat that impacts Windows PCs. Our researchers worked to address this threat that attacks critical Windows system executables and buries itself deep into a computer’s memory.

The research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2.00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21.

McAfee is aware that a number of customers have incurred a false positive error due to this release. We believe that this incident has impacted a small percentage of our enterprise accounts globally and a fraction of our consumer base–home users of products such as McAfee VirusScan Plus, McAfee Internet Security Suite and McAfee Total Protection. That said, if you’re one of those impacted, this is a significant event for you, we understand that and we’re very sorry.


Yes, McAfee admitted its mistake. In the third paragraph.

The chances of a profuse apology to Dave Winer are somewhat remote.

Although some of the people who see McAfee's reporting on scripting.com may conclude that the site is dangerous after all. McAfee reports that scripting.com includes links to sites such as harvard.edu and nytimes.com. In some of the circles in which I travel, that's just about as bad as having a Kenyan national as President.