Anti virus software and the curse of the false positive.


Anyone who’s been reading and following what I write here will know about my experiences with Panda Anti-Virus, not too long ago.

(Original article can be found here)

Well it turns out that I’m not the only one being vocal about the state of Anti Virus software in the market today, the guys who wrote and provide the excellent network scanning tool "Angry IP scanner" have a petition going, beacuse most of the AV software out there Identifies their very legitimate tool as a hacking/cracking tool and treats it as such, often without the users knowledge.

I’ve had similar problems with a whole raft of tools such as "Netcat", "STunnel" and many others.  It’s about time that the AV authors where called to task for this on-going practice.

Now don’t get me wrong, I know there are legitimate reasons why these tools are flagged, and to someone who doesn’t use them the sudden appearance of them on a system may mean a break in has occurred.

What does annoy me about the whole scenario however, is the attitude you get when you try to query why it’s done, and it’s very simply a "Because we did… ok…" and that’s it, a lot of companies feel they don’t have to back up there reasons for doing things the way they do, and often give users asking valid questions in forums the cold shoulder.

Lets take a typical one I see very very often.

Themedia exe packer is a commercial grade exe packing/crunching engine, used by some big companies to reduce the size of their exe files and to protect a lot of IP in this software from reverse engineering.

Because it’s so good however, it’s also a preferred choice for a lot of virus/malware writers to try and hide their creations from AV software.  AVG when ever it comes across an application packed using Themedia will pop up a huge red dialog on your screen telling you the user that you have an infection of the "Win32/Themedia" virus, and that it’s classified as a major threat.

Well I’m here to say it’s not…    at least not on it’s own anyway.  That’s not to say that the EXE thats been packed is not a virus/mallware program, but Themedia itself is NOT the virus.

The result?

Well when you get a regular user such as Joe Schmo, and they suddennly get this alert on screen, they basicly go into panic mode, they’ve just paid £100 for a new bit of commercial software, put the disk in the drive and GASP!!! the new software has a virus.

Except that, well it doesn’t it’s authors chose to use the Themedia packing engine on the application exe files.

That doesn’t bother AVG however…   oh no…    There’s no "well maybe button" and your certainly not allowed to run the app, and as for "Ignore" I’ve tried that, and 10 seconds later got the alert up again…  I’ve even sat and watched in amusement as AVG tries to erase the EXE from a CD-Rom and move it to the virus vault.

I’m not just getting at AVG here, it just so happens that AVG is the one I’m most familiar with, beacuse I use it.  All of the vendors are guilty of the same practices in one way or another however.

I’m not saying stop detecting for things like Themedia, and Huristic analysis (Yes, WIn32/Heur is NOT a virus also…) but what I am saying is stop causing unnecessary panic.  Put a dialog up by all means, but be more subtle…

We’ve found "Angry IP scanner" on your PC, is this a tool you use?  If you don’t know click here to go to the AngryIP website to find out what it is, or click here to isolate it.

Stop the bad practices of scaring the living daylights out of people, and STOP deleting files and moving them without users permission unless you know for a fact the stability of the system depends on it, you DON’T own the machine that your product is installed on, so you have no right to make any changes on that machine without first asking the user.

As for the response to the asking the user argument, yes we know that most users just click "Yes" or "Ok" without reading things, so shouldn’t we be trying to educate them not to, rather than causing them to go into meltdown and act irrationally.

If you support the ideas here, then please visit the petition page on the Angry IP website and add your signiture to the pile, and maybee, Just maybe we can make a difference.

The petition page can be found here

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s