
McAfee AntiVirus false positives - older, "reliable" signatures pose risk too

False positives are the bane of AntiVirus and IDS/IPS systems. Hundreds and even thousands of new threats are released each week. Each must be discovered, submitted to vendors and analyzed; definitions, signature files or heuristic algorithms must then be tweaked, tested, released to customers and finally deployed to customer systems. All of this must happen in as short a time as possible, since the threats often spread within minutes or hours. AntiVirus signatures are often available within two days of a threat's first appearance on the network. Polymorphic techniques, even simple ones like automatically generating dozens or more variants at the threat's compile time, are becoming more common, making it harder every year for AntiVirus vendors to keep up with the expanding threat pool.

Today we learned that an error in a signature file caused the McAfee AntiVirus system to delete good files from production systems. This unfortunate accident affected at least a hundred of their customers and probably thousands of PC systems; the final tally of affected systems probably won't be announced. (A similar problem recently caused Microsoft AntiSpyware to zap Symantec AntiVirus from systems.) This incident is receiving more press attention than such incidents usually do. The real wonder is that things like this don't happen more often.

From McAfee update exterminates Excel:
Such problems with security software are called false positives and they happen occasionally. McAfee typically has to do an emergency release of a virus definition file once every three months because of a false positive issue, Telafici said. "This is our once for the quarter I think," he said.
Similar rates of false positives are probably seen at other vendors, but this might be the first time an AntiVirus vendor has publicly disclosed its false positive rate. Not every customer is affected by every false positive. Many involve 3rd party applications which were previously unknown to the AntiVirus vendor: a DLL from a valid production software system accidentally matches a signature developed by the AntiVirus vendor, who doesn't have that system to test against. Tracking down these problems sometimes includes a finger-pointing exercise between the AntiVirus vendor and the 3rd party application vendor; the AntiVirus companies sometimes uncover real viruses in shipping code, too, and it may be difficult to tell where the problem lies at first.

From the same article:
However, this time around it was a particularly big goof, because the company faulted Excel, Telafici admitted. "Usually, it is either custom applications or applications that did not exist at the time we wrote the signature file," he said.
That bit is particularly interesting. The implication is that after its initial creation and testing, a given signature may not be tested as thoroughly or as often later on. Several months down the line, an update to your application software might cause an old signature to start matching your legitimate files, with catastrophic results. In retrospect it makes some sense: full-on testing of this stuff takes time and resources, and the pressure to test and ship the newest definition or signature files is quite high. However, this revelation probably indicates that the ongoing risks from signature or heuristic approaches are somewhat higher than previously thought. With the number of threats multiplying every year, and with the number of signatures which require testing increasing concomitantly, older signatures which have been "thoroughly tested and validated in the customer environment" can no longer be assumed to be benign beyond doubt.

The current McAfee false positive incident is discussed here:
McAfee Anti-Virus Causes Widespread File Damage [Slashdot]
Excel = Virus ... At Least to McAfee [RealTechNews]
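To make the failure mode above concrete, here is an added example (not code from the original post and not McAfee's engine) of a toy byte-signature scanner. A signature that keys on a generic x86 function prologue passes the vendor's release test against a clean corpus, then fires on the next build of a legitimate application whose compiler happened to emit exactly those bytes. The example also shows the three checks a practitioner would want around such a detection: re-running the signature set against the known-good corpus whenever that corpus changes, a hash allowlist for files that must never be touched, and reversible quarantine rather than deletion. All file contents, the signature name W32/Example.a and the GoodApp product are constructed for illustration.

```python
"""Toy signature scanner: how an old, 'tested' signature collides with a later
build of a legitimate file, and the checks that catch or contain it.
All sample bytes and names below are constructed; nothing here is real malware."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # raw bytes the engine looks for anywhere in the file


# Generic x86 prologue: push ebp; mov ebp,esp; sub esp,0x10; call ...
# Plenty of clean code contains exactly this sequence.
GENERIC_PROLOGUE = b"\x55\x8b\xec\x83\xec\x10\xe8"

# Constructed "malware" sample the signature was written against.
MALWARE_SAMPLE = b"MZ" + b"\x00" * 14 + GENERIC_PROLOGUE + b"\xcc" * 4 + b"EVIL-PAYLOAD"
# Hypothetical legitimate app, version 1: different frame size, no collision.
APP_V1 = b"MZ" + b"\x00" * 14 + b"\x55\x8b\xec\x83\xec\x20\xe8" + b"\x90" * 4 + b"GoodApp 1.0"
# Version 2, rebuilt months later with different compiler settings, now carries
# the exact bytes the signature keys on.
APP_V2 = b"MZ" + b"\x00" * 14 + GENERIC_PROLOGUE + b"\x90" * 4 + b"GoodApp 2.0"

# A sloppy signature: only the prologue. It detects the sample but is far too generic.
SIGNATURES = [Signature("W32/Example.a", GENERIC_PROLOGUE)]
# A tighter signature anchored on bytes that are specific to the sample.
STRICT_SIGNATURES = [Signature("W32/Example.a", GENERIC_PROLOGUE + b"\xcc" * 4 + b"EVIL")]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, signatures, allowlist=frozenset()) -> str:
    """Return 'allowlisted', 'detected:<name>' or 'clean'.
    The allowlist of SHA-256 digests is consulted before any pattern match."""
    if sha256(data) in allowlist:
        return "allowlisted"
    for sig in signatures:
        if sig.pattern in data:
            return f"detected:{sig.name}"
    return "clean"


def find_false_positives(signatures, clean_corpus: dict) -> list:
    """Regression test: run every signature over a corpus of known-good files
    and return (signature name, file name) pairs that collide. This has to be
    re-run whenever the corpus changes, not only when the signature is written."""
    hits = []
    for fname, data in clean_corpus.items():
        for sig in signatures:
            if sig.pattern in data:
                hits.append((sig.name, fname))
    return hits


class Quarantine:
    """Reversible containment: detected files are moved into a store keyed by
    hash, so a bad signature can be undone instead of having destroyed data."""

    def __init__(self):
        self._store = {}

    def isolate(self, path: str, data: bytes) -> str:
        digest = sha256(data)
        self._store[digest] = (path, data)
        return digest

    def restore(self, digest: str):
        return self._store.pop(digest)

    def __len__(self) -> int:
        return len(self._store)


def run_demo() -> dict:
    """Walk through the lifecycle the post describes and collect the outcomes."""
    corpus_at_release = {"goodapp.dll": APP_V1}   # what the vendor tested against
    corpus_after_update = {"goodapp.dll": APP_V2}  # what customers run months later
    results = {
        "malware": scan(MALWARE_SAMPLE, SIGNATURES),
        "release_test": find_false_positives(SIGNATURES, corpus_at_release),
        "after_update": find_false_positives(SIGNATURES, corpus_after_update),
        "strict_after_update": find_false_positives(STRICT_SIGNATURES, corpus_after_update),
        "allowlisted": scan(APP_V2, SIGNATURES, frozenset({sha256(APP_V2)})),
    }
    q = Quarantine()
    digest = q.isolate("C:/GoodApp/goodapp.dll", APP_V2)
    _path, data = q.restore(digest)
    results["restored_ok"] = data == APP_V2 and len(q) == 0
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The release-time regression test returns no collisions, which is exactly the state in which a signature gets declared "tested and validated"; the same test against the updated corpus is what would have flagged the problem before the definition shipped. The strict signature shows the other lever the vendor has: anchoring on bytes specific to the sample rather than on a sequence half the binaries in the world share.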
