Are AV False Positives Hurting You?

Cliff posted more than 7 years ago | from the this-code-is-not-a-virus dept.

Gerald asks: "After the most recent Wireshark release a certain AV vendor's product started warning users that the installer contained adware. Since then, I've spent several hours verifying this isn't the case, trying to get the AV vendor to fix their stuff, and reassuring affected users that we do not ship adware with our product. Unfortunately, this isn't an isolated case. I've had to do this several times over the past few years, and each incident uses up time that could have been better spent elsewhere. It's even worse for other projects. If you produce software, have you ever suffered collateral damage from AV false positives?"

97 comments

Nope, Running Linux... (2, Informative)

DaGoodBoy (8080) | more than 7 years ago | (#17988200)

Had to say it... ;)

D

Re:Nope, Running Linux... (0)

Anonymous Coward | more than 7 years ago | (#17997658)

Huh? How does running Linux protect from AV false positives? I don't run any AV software, so that protects me from false positives by definition, so if that's what you mean, WRITE THAT.

Spam filter false positives are around 1% on my system, but I still have to oversee my Spam folder, and I'd rather not.

Linux not Exempt (1)

StCredZero (169093) | more than 7 years ago | (#18000034)

I worked at a company that was shipping software on a CD also including 3rd-party demoware and free software. And AV programs would flag a component for >>>Linux Servers as having a windows virus. (It was the Linux version of an OODB, IIRC.)

There was no virus. It was just a false positive.

So no, Linux is not exempt from collateral damage. Potential customers may be needlessly scared away when the AV software scans your CD!

Yes (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17988260)

Aside from the erectile discomfort, I find that AV false positives cause painful spasms in my lower back. Am I doing it wrong?

yup (5, Informative)

TheSHAD0W (258774) | more than 7 years ago | (#17988274)

I've had false positives from AV software before thanks to my use of NSIS [sf.net] as an installer. Apparently it's also a favorite of malware creators. I don't blame Nullsoft, but instead lazy AV makers who should know about NSIS by now and should test their signatures against it before publishing them.

Re:yup (2, Informative)

_xeno_ (155264) | more than 7 years ago | (#17989254)

Yep - I've had an overzealous config of Norton delete every NSIS installer I had created. (Which was a number, used for installing various components of an in-house software system.) Specifically Norton had decided that every installer created by NSIS 2.17 was a virus, and someone had configured the file server where I had the installers to delete infected files (instead of just quarantining them).

Re:yup (2, Funny)

qwijibo (101731) | more than 7 years ago | (#17995784)

Having files deleted is a minor inconvenience. Norton broke my arm when I plugged my USB drive in. Talk about a false positive hurting someone. =)

Re:yup (0)

Anonymous Coward | more than 7 years ago | (#17997868)

They're just reclaiming their monthly payment. Next time it will be your leg. ;-)

There's a problem with one very famous one... (0)

Anonymous Coward | more than 7 years ago | (#17988278)

Every time I use WPA-kill my AV tells me that file contains a virus. MS marketing tactics?

Yes and no. (5, Interesting)

c0l0 (826165) | more than 7 years ago | (#17988280)

The virus scanner installed at the secretary's machine at the company I worked for fell for a false positive in December last year (that glitch even received some coverage by mainstream media in Europe, as Trend Micro - or whatever, personally I don't know any anti-virus software package good enough to tell them apart from each other ;) - identified some Windows-specific and viable system file as a malicious stub of bits), and our CTO immediately erased the installation.
If I had come to work a few hours earlier, I probably would already have propagated the info about the false alarm I got from colleagues on irc, and we'd be running Windows XP on her box, still.

This way though, it's running Ubuntu 6.10, and everyone's happy with that. So I find it hard to say that this false positive actually hurt us. Somehow, I'm glad it happened - another system that's easy to admin and use added to our network, one of the few giving me headaches removed. Win-win.

Re:Yes and no. (3, Funny)

rvw (755107) | more than 7 years ago | (#17988588)

This way though, it's running Ubuntu 6.10, [...] Win-win.

Please don't contradict yourself!

Re:Yes and no. (0)

Anonymous Coward | more than 7 years ago | (#17989310)

He isn't contradicting, you mistake the word "win" for "windows?"
It is to laugh! :)

Re:Yes and no. (1)

Zerathdune (912589) | more than 7 years ago | (#17989338)

I don't know any anti virus software package good enough to tell them apart from each other
AVG. It has won awards, including the VB100, which, from the VB100 site:

In order to display the VB100 logo, an anti-virus product must have demonstrated in our tests that:

* It detects all In the Wild viruses during both on-demand and on-access scanning.
* It generates no false positives when scanning a set of clean files.

The product must fulfil these criteria in its default state.
In addition, AVG is efficient enough that you can actually do other things while it's scanning with no noticeable slowdown. I couldn't be happier with it. Oh, and it's free for personal, non-commercial use.

Re:Yes and no. (1)

Ksempac (934247) | more than 7 years ago | (#17994980)

I've seen multiple tests (they are in French so no point in giving you a link) where the free version of AVG failed badly (not sure about the professional one). It's the poorest free AV. You should use Antivir or Avast.

Re:Yes and no. (1)

tkdtaylor (1039822) | more than 7 years ago | (#17996614)

I personally use the free version at home on 4 computers and have purchased the professional AVG for my Windows server *ducks* and I have no complaints about either. I've actually had AVG catch some old zip files and rars that had a virus in them that Norton missed since I switched.

Re:Yes and no. (1)

Nazlfrag (1035012) | more than 7 years ago | (#17990280)

If only every virus scanner would identify the malware that is Windows.

Moo (1, Funny)

Anonymous Coward | more than 7 years ago | (#17988372)

have you ever suffered collateral damage from AV false positives?"

Just before, i had this totally awesome reply, but it was *falsely* identified by the Slashdot junk filter and i couldn't post it.

Re:Moo (1)

tepples (727027) | more than 7 years ago | (#17988896)

Just before, i had this totally awesome reply, but it was *falsely* identified by the Slashdot junk filter and i couldn't post it.
If you're serious (that is, not just making a margin joke after Fermat [wikipedia.org] ), then you're free to post the reply to your blog, summarize it to a paragraph that doesn't trip the lameness filter, and post the summary along with a link to your blog post.

Re:Moo (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17989080)

If you're serious (that is, not just making a margin joke after Fermat), then you're free to post the reply to your blog, summarize it to a paragraph that doesn't trip the lameness filter, and post the summary along with a link to your blog post.

Everyone knows you're not allowed to do that unless your blog has tons of advertisements and you give CmdrTaco a cut of the ad revenue. If you arrange that, then you'll get your summary quickly posted on Slashdot even if it's poorly written, short on facts, and even if dozens of better articles on the same topic were submitted.

Okay, okay. So I can't demonstrate that CmdrTaco receives a cut of the ad revenue from these lameass blog sites. But that the ones getting posted are poorly written and short on facts and favored over much better articles is very easy to observe.

Since I didn't try to make a joke out of this, I expect to be modded down. That's why I posted as AC, fuckers.

Yes, with Avira AntiVir (2, Insightful)

Lonewolf666 (259450) | more than 7 years ago | (#17988380)

Avira AntiVir complains about one of our old DOS tools. Not a serious problem, as we don't release this particular executable, but annoying.
Avira AntiVir also complains about some other files I'm pretty sure are harmless... maybe I need another scanner :-(

Re:Yes, with Avira AntiVir (0, Troll)

RichMan (8097) | more than 7 years ago | (#17988478)

> old DOS

Watch that old DOS. It will continue to grow, hogging more and more resources eventually slowing even the fastest systems. Reducing productivity and requiring lots of manual fixes. The old versions required user activity to update but the latest versions call home and self update. For the last 10 years or so they have been calling home with user info and restricting what you can do with the machine. Many crashes, data loss and other failures can be directly attributed to this virulent strain.

Security Threat high.
Outbreak in progress.
Latest version seen: Vista, many variants

Re:Yes, with Avira AntiVir (1)

mosschops (413617) | more than 7 years ago | (#17997644)

Avira AntiVir also reported a virus in my windows-based installer, and a couple of others reported it as suspicious. I reported it to Avira, and they came back fairly quickly with a confirmation that it was a false positive, and that it would be fixed in a future definition update (they didn't say when).

I was using UPX to compress the executable header on an NSIS installer, which seemed to be a combination likely to freak out the "smart" detection of many scanners. Avoiding the use of UPX on the installer cleared everything up for me, though it was still annoying that I wasted a couple of hours on it and had to convince the reporting user that there really wasn't a problem!

I ended up using http://www.virustotal.com/ [virustotal.com] to check my new installer against about 25 of the major scanners - very handy free site...
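The post above describes the classic trigger: a UPX-packed NSIS installer looks, to a packer heuristic, much like a packed malware dropper. The following is an added example (not code from this thread, nor from Avira, NSIS or UPX) that parses a PE section table and reports the two signals such heuristics usually key on: UPX-style section names and high-entropy section bodies. The PE images it inspects are constructed inline so it runs offline; they are not real installers.

```python
"""Report the packer signals a heuristic scanner sees in a PE section table."""
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Return [(name, virtual_size, raw_size, raw_bytes)] from a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # section headers, 40 bytes each
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, raw_size, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_signals(pe: bytes, entropy_threshold: float = 7.0) -> list:
    """Human-readable reasons a heuristic might call this binary 'packed'."""
    reasons = []
    for name, vsize, raw_size, data in parse_sections(pe):
        if name.upper().startswith("UPX"):
            reasons.append(f"section {name!r} is a UPX marker name")
        if raw_size == 0 and vsize > 0:
            # UPX0 is the classic case: empty on disk, large in memory (unpack target).
            reasons.append(f"section {name!r} has no raw data but {vsize} bytes virtual")
        ent = shannon_entropy(data)
        if ent >= entropy_threshold:
            reasons.append(f"section {name!r} entropy {ent:.2f} bits/byte (compressed/encrypted)")
    return reasons


def build_pe(sections) -> bytes:
    """Construct a minimal PE32 image from [(name, virtual_size, raw_bytes)].

    Constructed sample only: just the fields parse_sections() reads are meaningful."""
    e_lfanew, opt_size = 0x40, 0xE0                      # 0xE0 = PE32 optional header size
    table_off = e_lfanew + 4 + 20 + opt_size
    ptr = table_off + 40 * len(sections)                 # raw data follows the headers
    table, body = b"", b""
    for name, vsize, data in sections:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIII", vsize, 0x1000, len(data), ptr if data else 0)
        table += b"\0" * 16                              # relocs/linenumbers/characteristics
        body += data
        ptr += len(data)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed samples: a plain build and what the same program looks like UPX-packed.
_rng = random.Random(1)
PLAIN_PE = build_pe([(".text", 0x400, b"\x90" * 512 + b"hello world".ljust(512, b"\0")),
                     (".data", 0x100, b"\0" * 256)])
PACKED_PE = build_pe([("UPX0", 0x8000, b""),
                      ("UPX1", 0x2000, bytes(_rng.getrandbits(8) for _ in range(2048)))])

if __name__ == "__main__":
    for label, pe in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(label, packer_signals(pe) or ["no packer signals"])
```

Point it at a real installer with `packer_signals(open(path, "rb").read())` to see which of these signals your own build emits before a definition update does.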

Plan to give up on AV (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17988384)

In general I plan to give up on AV in the near future because (for the most part) it doesn't work well enough ...

My plan is to buy a system that is fast enough that everything (except for games) will be run on a virtual machine

Re:Plan to give up on AV (2, Interesting)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17988892)

In general I plan to give up on AV in the near future because (for the most part) it doesn't work well enough ...

I have ClamAV installed. It never comes up with false positives, or negatives, or really anything at all.

My plan is to buy a system that is fast enough that everything (except for games) will be run on a virtual machine

I run Windows and Linux in VMs right now, on top of OS X. Most of my applications are native OS X ones, but the VMs are plenty fast for InkScape and OpenOffice and XPDF under Linux and Adobe Framemaker and IE under WinXP. The machine is a 2GHz Intel Core Duo MacBook. I do play the occasional game, OS X native ones. One of the nice things about this setup is that several companies are rushing to provide speedy gaming with emulation or virtualization. Parallels and VMware have both announced they are working on graphics acceleration for direct hardware access for gaming, and several companies are working with WINE based re-implementations of the Windows APIs for running Windows native games quickly. Also, right now you can install a dual boot setup for Windows gaming and use the same partition for your VM when you don't feel like or need to reboot. I've never felt better about the security of my Windows setup, since I use a known clean version installed without internet access, every time I use it. As an added bonus, getting new hardware from work means I plug in a firewire cable, push a button, and go to lunch. When I come back all my user accounts, files, certs, settings, programs, etc. have been migrated, including my Linux and Windows VMs. It's the easiest way to move a Windows install to new hardware ever.

Re:Plan to give up on AV (1)

Opportunist (166417) | more than 7 years ago | (#17996274)

I have ClamAV installed. It never comes up with false positives, or negatives, or really anything at all.

I can vouch for that. Then again, the same is true for the AV system from MS. It doesn't find jack either.

Though I wouldn't call that a sign of high quality.

Re:Plan to give up on AV (1)

phlamingo (629479) | more than 7 years ago | (#18013708)

Also, right now you can install a dual boot setup for Windows gaming and use the same partition for your VM when you don't feel like or need to reboot.

Of course, doing this actually violates the brain-dead Windows licensing, because it looks like different hardware to the license manager (or whatever they call it.) There is probably a way to fool it, but I have better things to do with my time, so I only run Windows under VMware Server with a SUSE host O/S on my laptop.

Maybe Microsoft will eventually get smart about virtual machine licensing. I think I'll hold my breath until that happens.

Re:Plan to give up on AV (1)

kwikrick (755625) | more than 7 years ago | (#17994802)

What does that solve? Viruses run perfectly well on a VM too.

Re:Plan to give up on AV (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17996774)

What does that solve? Viruses run perfectly well on a VM too.

Viruses have a lot harder time of it when they have to re-infect your machine every time you quit and restart your Windows apps/VM. I use a VM for several Windows applications and they can read and write files to one directory shared with the rest of my OS. Aside from that, all changes are wiped every time I use those applications and it goes back to a known good copy. Occasionally, I'll boot the saved, known good copy and install the updates to it or change some setting and then save that copy of the VM as the new known good copy. In this way, the chances of being hit with malware are slim to none.

distributed.net's client appears sometimes (0)

Anonymous Coward | more than 7 years ago | (#17988386)

I've seen distributed.net [distributed.net] 's processing client flagged as spyware or a virus on a few occasions.

Re:distributed.net's client appears sometimes (1)

WMD_88 (843388) | more than 7 years ago | (#17988768)

Distributed.net client gets flagged because, in the past, some people have actually distributed it as spyware - they would have a script install it and then run it on the user's computer 24/7. A rather stupid idea, because in order to get credit for those packets, you have to supply an email address...duh.

Yes, this has been a problem for Nmap too (5, Interesting)

fv (95460) | more than 7 years ago | (#17988448)

This has been enough of a problem for the Nmap Security Scanner [insecure.org] that we warn about McAfee specifically and suggest better alternatives on the Nmap Download Page [insecure.org] (See the Windows section). More details about the problems we've encountered are posted here [seclists.org] . I've spoken with McAfee executives at conferences and they say they want to fix the problem, but then it just gets lost in their bureaucracy. Sigh.

Also, it is annoying when free software gets wrongly listed on spyware databases. For example, check out the "Spyware Encyclopedia" entry on Nmap [spywaredb.com] , which says "NMap belongs to the Port Scanner spyware category. It's[SIC] presense[SIC] means that your computer is infected with malicious software and is insecure." WTF? Similarly, Nmap has an entry [ca.com] in the "CA Spyware Information Center". If they want to warn about Nmap because it can be used for network discovery, fine. But it shouldn't be called spyware, adware, or anything like that.

-Fyodor
Insecure.Org [insecure.org]

Re:Yes, this has been a problem for Nmap too (2, Informative)

Twon (46168) | more than 7 years ago | (#17988894)

I'm pretty sure they hate netcat as well; I had to convince my IT guys to whitelist it after it kept getting quarantined/deleted from my machine. Apparently it's a "hacker tool." I wonder when they'll come for tcpip.sys...

Re:Yes, this has been a problem for Nmap too (0)

Anonymous Coward | more than 7 years ago | (#17996950)

As a Linux admin looking to increase Linux usage at the company I work for, that one has helped me. Some of our developers now have Linux boxes on their desk in addition to their Windows boxes solely to avoid antivirus warnings about netcat, which they all use.

No (1, Funny)

Anonymous Coward | more than 7 years ago | (#17988460)

It's the HIV false positives that are really bothering the hell out of me!

Danger Approaches (4, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17988550)

Right now, an antivirus company may list your software as adware because it matches some other software's behavior too closely or because your software was mistakenly classified as adware. Other malware detection systems may even start to classify your software incorrectly, taking their cue from their peer. So what can you do? You can write to the antivirus company(s) and ask them to fix their signatures. You can complain on forums and the like, especially informing your users that the antivirus is defective, hurting the reputation of that company and possibly driving users to better coded alternatives. This is far from ideal, but it could be worse.

MS has included an antivirus solution (Defender) with Windows Vista. Since it is bundled with Vista and everyone who buys a new computer will find Vista pre-installed and with it Defender and they will have already paid for it by the time they find out about it, Defender will almost certainly become the most widespread solution, possibly completely taking over the home market, regardless of how good it is (failed to be certified due to too many incorrect classifications). This means within the next few years, it may be only one company you have to go to to get the signature fixed. That's the good news. The bad news is that they won't have any reason to respond quickly and won't have any motivation to not have false positives and negatives since they get paid when Windows is purchased and even if users abandon it and buy something else, they don't lose any money.

Now I'm not entirely opposed to MS providing a free anti-virus solution, but to comply with the law they have to bend over backwards to provide other companies the same access so as not to destroy the competitive market and create another situation like IE where the worst solution on the market is paid for and used by 80% of the populace and the state of technology advances only at a snail's pace.

From what I've seen, MS has not done that, so you can look forward to more false positives in the future with less chance of those classifications ever being corrected.

Re:Danger Approaches (1)

cdrguru (88047) | more than 7 years ago | (#17990160)

The problem is rule #1. Spammers lie.

This exists in the anti-malware world. All people distributing malware lie. Therefore, if your software is identified as malware and you say it isn't, you are lying. Neat, huh?

If you have not experienced this yet, just try getting off some anti-malware program's list. Try. Then try several more times. Go have a few drinks. Come back tomorrow and realize it is fruitless. Be prepared to answer a lot of phone calls and email saying "But it says it is spyware!!!"

Once the threat of spyware has been unleashed on the user's mind there is no authority that can reverse this.

Re:Danger Approaches (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17996714)

If you have not experienced this yet, just try getting off some anti-malware program's list. Try. Then try several more times. Go have a few drinks. Come back tomorrow and realize it is fruitless. Be prepared to answer a lot of phone calls and email saying "But it says it is spyware!!!"

Right, so your main tool for solving this is the court of public opinion. People can and do currently choose antivirus software from quite a few different options. Thus, even if they are not 100% convinced that their antivirus is wrong, they might try a different company's product next time in the hopes that they don't have to deal with it. At the same time if their antivirus is not finding anything, but they are experiencing problems because of malware, they can choose another company to compensate for false negatives.

The important point I was trying to convey was that MS's illegal venture into the anti-virus market will remove even this ability to enact change and will almost certainly remove any motivation for further innovation in the industry. The sad thing is that MS has a great opportunity for innovation here. If they just enacted an open standard for certification and verification of software (whitelist+blacklist) they could move this entire discussion to one about which verification companies provide the most accurate data. Further, the security community has been moving toward mandatory access controls for a while, which would both simplify the task of verifying software, and make it more valuable to end users. Picture this: you write an application and include an ACL that specifies what system resources it will access. A number of verification companies verify that the ACL seems to be true and that none of that behavior is malicious. Each individual subscribes to one or more free and/or pay verification services (which can double as repositories for download and update in some cases) and bases their trust of each application on the certifications and verifications they have for an application. It would be like having as many antivirus programs as you want voting on the credibility of an application and then actually doing something about that other than giving you the option to run it or not run it.

Trust is a value that must be earned. Some people place some trust inherently in those they are paying for a service. Why not make that process more effective and more flexible and more useful, instead of undermining it entirely?
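The scheme sketched in the post above (an application ships a manifest of the resources it will touch, independent verifiers attest to it, and the user's own subscriptions decide how many votes it takes) can be made concrete. This is an added example, not code from the thread or any vendor: HMAC-SHA256 with a per-verifier secret stands in for real public-key signatures so it runs offline, the quorum-and-majority policy is one choice among many, and every verifier name, key and resource string is constructed.

```python
"""Multi-verifier attestation of a declared resource ACL, with a user-side voting policy."""
import hashlib
import hmac
import json


def manifest_digest(manifest: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so every verifier hashes identical bytes."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).digest()


def attest(verifier: str, key: bytes, manifest: dict, verdict: str) -> dict:
    """A verifier's signed statement about one manifest: 'accurate' or 'malicious'.

    Stand-in for a signature: HMAC over digest||verdict so the verdict cannot be swapped."""
    if verdict not in ("accurate", "malicious"):
        raise ValueError("verdict must be 'accurate' or 'malicious'")
    msg = manifest_digest(manifest) + verdict.encode()
    return {"verifier": verifier, "verdict": verdict,
            "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def attestation_valid(att: dict, trusted_keys: dict, manifest: dict) -> bool:
    """True only if the statement comes from a verifier the user subscribes to and is untampered."""
    key = trusted_keys.get(att["verifier"])
    if key is None:
        return False
    msg = manifest_digest(manifest) + att["verdict"].encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["sig"])


def decide(manifest: dict, attestations: list, trusted_keys: dict, quorum: int):
    """Tally valid votes from subscribed verifiers. Returns (allowed, reason).

    Policy (a constructed choice): at least `quorum` 'accurate' votes, and they must
    outnumber 'malicious' votes, so one verifier's false positive cannot block on its own."""
    accurate, malicious = set(), set()
    for att in attestations:
        if not attestation_valid(att, trusted_keys, manifest):
            continue  # unknown verifier or tampered statement: not counted either way
        (accurate if att["verdict"] == "accurate" else malicious).add(att["verifier"])
    if len(accurate) < quorum:
        return False, f"only {len(accurate)} of {quorum} required 'accurate' attestations"
    if len(malicious) >= len(accurate):
        return False, f"'malicious' votes from {sorted(malicious)} are not outvoted"
    return True, f"accurate per {sorted(accurate)}; flagged by {sorted(malicious)}"


def access_permitted(manifest: dict, resource: str) -> bool:
    """Runtime side of the scheme: anything outside the declared ACL is denied by default."""
    return resource in set(manifest["resources"])


# Constructed sample: a hypothetical network tool declaring exactly what it touches.
MANIFEST = {"name": "netprobe", "version": "1.0",
            "resources": ["net:raw-socket", "fs:read:/etc/hosts", "fs:write:~/.netprobe"]}
VERIFIER_KEYS = {"verifierA": b"key-A", "verifierB": b"key-B", "verifierC": b"key-C"}
USER_KEYS = {"verifierA": b"key-A", "verifierB": b"key-B"}   # this user's subscriptions
ATTESTATIONS = [
    attest("verifierA", VERIFIER_KEYS["verifierA"], MANIFEST, "accurate"),
    attest("verifierB", VERIFIER_KEYS["verifierB"], MANIFEST, "accurate"),
    attest("verifierZ", b"not-subscribed", MANIFEST, "accurate"),  # user never trusts Z
]


def run_demo(quorum: int = 2):
    return decide(MANIFEST, ATTESTATIONS, USER_KEYS, quorum)


if __name__ == "__main__":
    print(run_demo())                # allowed: A and B agree
    print(run_demo(quorum=3))        # denied: Z's vote is not from a subscribed verifier
    print(access_permitted(MANIFEST, "fs:write:/etc/passwd"))  # False: not declared
```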

Re:Danger Approaches (1)

Kalriath (849904) | more than 7 years ago | (#18004554)

MS has included an antivirus solution (Defender) with Windows Vista. Since it is bundled with Vista and everyone who buys a new computer will find Vista pre-installed and with it Defender and they will have already paid for it by the time they find out about it, Defender will almost certainly become the most widespread solution, possibly completely taking over the home market, regardless of how good it is (failed to be certified due to too many incorrect classifications). This means within the next few years, it may be only one company you have to go to to get the signature fixed. That's the good news. The bad news is that they won't have any reason to respond quickly and won't have any motivation to not have false positives and negatives since they get paid when Windows is purchased and even if users abandon it and buy something else, they don't lose any money.


No they haven't. Windows Defender is Anti-Spyware ONLY. It will not find viruses. OneCare will, but OneCare is NOT free, and NOT bundled.

No, but the potential is there! (4, Funny)

LibertineR (591918) | more than 7 years ago | (#17988558)

If you have ever been privileged to hear the high-pitched squeal from Kaspersky Internet Security when it encounters a virus and been knocked out of your Aeron into mid-air, you know your life has just been shortened.

I know they want to get your attention, but DAMN that noise is obnoxious!

Heuristics use vs. False positives (1)

stormeru (1027946) | more than 7 years ago | (#17988612)

From my experience I can tell you that enabling heuristic detection increases false positives for a lot of AV software.
I can't recall how many times I had to exclude some Javascript files I wrote from virus scanning because those were reported as exploits.
But I don't mind manually enabling access to the trusted files as long as I also have protection for the real malicious files.

question (0)

Anonymous Coward | more than 7 years ago | (#17988684)

What's a "virus"? Does it run on Linux?

Re:question (0)

Anonymous Coward | more than 7 years ago | (#17988890)

Not yet. You'll have to wait for Wine's 1.0 release. It will have full support for the latest viruses and spyware.

Re:question (1)

the_B0fh (208483) | more than 7 years ago | (#17989894)

Umm, yes. Dr. Cohen's original research was done on VMS and Unix, iirc.

Re:question (3, Funny)

Skrynesaver (994435) | more than 7 years ago | (#17994780)

This is the Linux honour system virus, please :
  • Copy this text to a text file on each of your hard drives
  • Randomly delete three files on your system
  • Forward this to everyone in your address book.
Your co-operation has been appreciated, thank you.

No, not really. ...or maybe. I don't know. (0)

Anonymous Coward | more than 7 years ago | (#17988758)

I've been running XP SP1 with only two other patches. That along with Opera, F-Prot, and BlackICE and I haven't had problems since.

Soooo either they're working perfectly or aren't catching anything.

DB Server (1)

Flwyd (607088) | more than 7 years ago | (#17988836)

We've had multiple clients configure their database servers to virus scan all file changes. If you're ever looking for a way to tank your database performance, try this one.

Is lack of adequate testing hurting you? (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17989002)

Subject line is what the article should have been called. Can't you do some pre-release testing in a few likely scenarios, such as that your program might be getting installed on systems equipped with various AV products? Then you have the chance to spot and fix problems, either on your side or working with the AV vendor BEFORE you let your reputation get ruined.

Re:Is lack of adequate testing hurting you? (2, Interesting)

Gerald (9696) | more than 7 years ago | (#17989494)

Samir: Hmm... well why don't you just go by Mike instead of Michael?
Michael Bolton: No way. Why should I change? He's the one who sucks.

More seriously, false positives are usually due to a definition file that comes out well _after_ the software has been released. Testing beforehand won't accomplish anything at the expense of paying N dollars per year to multiple antivirus vendors.

In this particular case, it looks like WinPcap is being flagged. It came out on Jan 29th, and we started getting reports about 10 days later.

Slashdot is so much better than reddit or digg (0, Flamebait)

exp(pi*sqrt(163)) (613870) | more than 7 years ago | (#17989018)

After all, it has an editing process which means that editors can edit the story to give a useful context and make things clear for the wide audience they have. Of course in this case there was no need for editing as the story was perfectly clear, and anyway, everyone already knows AV=audio-visual.

It's the Cyber ages 'Opinion Monopoly' problem (1)

Qbertino (265505) | more than 7 years ago | (#17989028)

I'm working on a Web project fixing glitches in one of the crappiest Webapps I've ever seen. An obscure PHP Framework (SmartMVC) so crappy it's unbelievable.
Apparently the guy who built it told the customer that 'it's a CMS' - which is total BS. It happened today. This proves once again that technical stuff that's so close to the end user and yet so obscure as software and anything IT has that problem of 'opinion monopoly' or 'short-term opinion overhand'.
People think Windows is a good OS - which it isn't - and that Outlook == E-Mail or at least Outlook == good mailer - which both is false. They think if Google doesn't list it it doesn't exist, and if Google doesn't keep the site on top the webmaster made a mistake. Just look at you people struggling to get SEF URLs. Which is - in my opinion - stupid. It's up to the search engines to get their stuff in line. I just have to see to it that I'm standards compliant.

Opinions spread fast in cyberspace, no matter how far from reality they are. We - the IT freaks - have to deal with the problem. If an AV vendor says your software is malware and it isn't, then you have to be good enough to be able to convince your customers that the AV vendor is wrong. If you are good enough in your field then you'll be able to display the competence needed to emphasise your judgement in most cases.
Case in point: If Flash 8 on OS X compiles a utf8 .as Source in such a way that special characters come out broken in the Flash Applet, and I'm good and fast enough to pinpoint the problem with Adobemedia and a broken/buggy flash compiler within half an hour, then my client trusts me more than Adobemedia or any other vendor on that judgement. If you're an expert in comp-security and your clients know that, they'll trust you if you tell them that the AV vendor is wrong in saying that your tool is malware.

Bottom line:
This problem won't go away, as it is the nature of all things Interweb. Deal with it.
Look for the mistake on your side but don't hesitate to name the one that is wrong. Like, for instance, when an AV-Vendor claims your Secscanner is malware.

One drove me crazy... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17989152)

I used to use an mIRC script religiously... McAfee labelled it as a Trojan, and wouldn't let you run it, PERIOD, no way to get around it, no way to whitelist it, NOTHING. Had to go pay for something else over McAfee's inability to compromise.

Of note, if you attempt to contact McAfee, they won't re-test individual software. I was screwed out of my money.

Re:One drove me crazy... (1)

Magada (741361) | more than 7 years ago | (#17995536)

You paid to get a mIRC script. Wish I had mod points so I could push this up to +5 hilarious. Then again, maybe not. mIRC is so bad in terms of UI and so full of holes it's not even funny.

Re:One drove me crazy... (0)

Anonymous Coward | more than 7 years ago | (#18003208)

He almost certainly means he paid for a better AV. Which is advisable, McAfee isn't very good and never has been.

I have minimal assembly skills, yet some time ago I managed to write an extremely simple appending virus without any encryption or "anti-anti-virus" measures, which mostly by using an odd delta offset calculator (copied from an ancient 29a issue) was completely undetected by VShield. Any AV that doesn't think it's probably a problem when a process appends itself to a bunch of executables has crap heuristics and is mostly relying on a signature database, which in this age of rapid and self-updating virus/bot/malware releases just isn't good enough.

Re:One drove me crazy... (0)

Anonymous Coward | more than 7 years ago | (#18005712)

You paid to get a mIRC script. Wish I had mod points so I could push this up to +5 hilarious.

Why is that any funnier than paying for any other kind of software?

Re:One drove me crazy... (1)

Magada (741361) | more than 7 years ago | (#18010594)

Since the discussion is still open, I'll take the bite: it's because mIRC is such a pig that paying for script addons to enhance it would be like paying for an antivirus to go with your brand-new Windows ME install - today. Dig?

Not a false positive, but AV winds up costing $$. (2, Interesting)

Vellmont (569020) | more than 7 years ago | (#17989240)

I do IT consulting for small businesses, and I can tell you that bad AV software has cost the companies I work for thousands of dollars in lost productivity, and in troubleshooting costs.

One particular product that got installed by another consultant was BitDefender. It caused at least 3 distinct unrelated problems at two different sites that I fixed by choosing a different AV product. I don't blame the other consultant, since it's difficult to know which AV software is going to break something. I DO blame the AV vendors for producing buggy software that winds up costing companies a lot of money.

Re:Not a false positive, but AV winds up costing $ (1)

DogDude (805747) | more than 7 years ago | (#17989556)

I couldn't agree more. I tell my family that I won't deal with their computer questions if they have anything from Norton or McAfee installed on their machines. It's a shame. Back in the DOS days, they were both really good. Now I consider both of those programs malware. (I use Avira AntiVir in my business, and I've been pretty happy with it.)

AV is nuts (1)

bcrowell (177657) | more than 7 years ago | (#17989316)

Here [blogspot.com] is an example from someone's blog about the ridiculous lengths people have to go to in order to work around their own AV software. As another example, my mother's Windows machine refuses to run Firefox, and it seems to be because of an AV issue.

The whole thing is nuts. AV software is a total scam. It's inaccurate, it costs money, it uses resources, and it stops people from getting their work done. Many home users also don't seem to keep their definitions up to date, which is like using a condom that you know has holes in it. The real problem is with the design of Windows and Office, which have too many dangerous functions allowed by default.

a funny little AV story (1)

mr_mischief (456295) | more than 7 years ago | (#17990796)

One of my wife's friends from work was having a horrible time with her system. The lady's son gave her his old system for Christmas, complete with the contents of her old, non-functioning system's hard drive. Perfect, right?

Well, he also wanted to make sure his mom had bells and whistles, and was protected. So he installed some additional software including a copy of the AV software he used. He even made a nice bootable restore CD set with all the installed software ready to go. He then went out of state back home after Christmas.

Well, the system wouldn't boot. It'd hang sometimes. It'd get caught in a partial-boot, reboot cycle most of the time. My wife asked me to go over and take a look. I looked for spyware. I looked for adware. I looked for viruses. I looked for memory problems. I looked for Windows problems. I finally got around to going through everything in the load and run statements, in the startup group, and in services one by one.

Well, it was third-party software causing the problem all right -- but not just one program. See, she already had antivirus installed. Both programs were configured to do boot-time checks, to become memory resident scanners, and to scan email. From what I could tell the reboot loop was the two antivirus packages checking each other out and getting very, very confused. I uninstalled one (Norton), and the system runs fine with just the other.

I'll never forget... (3, Insightful)

spywhere (824072) | more than 7 years ago | (#17989562)

On or about October 16, 2004, while I was driving home, the Help Desk where I was alpha geek received a virus report. The senior tech had to delete a bunch of files, including Excel.exe, before the machine would stop reporting infections. By the time she finished, it barely ran (and was later re-imaged).
I went in early the next day, and more reports started trickling in right away. I went to one of the first computers, and found that McAfee was reporting Excel.exe and other key files were infected even on the CD. By the time I got back to the desk, they were swamped with calls. As yet, there was no information on the McAfee site about the new virus.

I went into a room with the CIO and other execs, where they started making plans to shut down the WAN and unplug the local switches... and I spoke up: "I don't think this is a virus."
They looked at me like I was crazy, and shooed me out of the room.
I refreshed the page on the McAfee site, and they had just posted information about a "false positive caused by new definitions combined with the outdated, no-longer-supported engine version 4.xxx." I printed that page, and burst back into the emergency meeting. The planning changed to updating the McAfee clients in bulk and fixing the PCs.

Later that evening, after a grueling day of remote Office reinstallations, the CIO came to me and said, "Do you have any idea what a huge disaster this would have been if you hadn't figured this out?"
I calmly replied, "You're not paying me to fail."

A few months later, I got a $500 bonus (less taxes) in my check.

Re:I'll never forget... (3, Insightful)

/dev/trash (182850) | more than 7 years ago | (#17991680)

500 bucks? A lousy 500 bucks?

Re:I'll never forget... (1)

spywhere (824072) | more than 7 years ago | (#17991808)

500 bucks? A lousy 500 bucks?

Yeah. I must have saved them tens of thousands of dollars...
However, I lived to tell the story on Slashdot, so I guess I won in the end!

Not paid to succeed? (1)

woolio (927141) | more than 7 years ago | (#17992560)

I calmly replied, "You're not paying me to fail."

A few months later, I got a $500 bonus (less taxes) in my check.


While I don't believe in bonuses for doing one's ordinary job, I believe that in exceptional circumstances, bonuses should be commensurate with the associated level of appreciation. It sounds like it barely covered the extra hours you put in, seeing that you were first notified on the way home.

I think a few times your amount would be a nice gesture, especially considering a few hours wasted for the people involved would be worth much much more, not to mention the consequent lost productivity.

And whoever shooed you out of the room should have gotten a strong reprimand -- at the minimum. They appear to be more interested in maintaining their ego than logically considering the situation.

Re:I'll never forget... (1)

Opportunist (166417) | more than 7 years ago | (#17996294)

Gee, you must've been in the biz for ages. The last time I heard the phrase "alpha geek" was like a decade ago.

And you can rest assured that your boss got a bonus of at least 5k, mostly for not interfering with your work. Welcome to the corporate world.

alpha (1)

Gary W. Longsine (124661) | more than 7 years ago | (#17998816)

You haven't hung out with an alpha geek, nor with anyone who hangs out with an alpha geek for ten years? How did you find Slashdot?

Re:alpha (1)

Opportunist (166417) | more than 7 years ago | (#17999424)

Sure do, but these people refuse to be referred to as alpha geeks. I mean, that's so 90s.

Re:I'll never forget... (0)

Anonymous Coward | more than 7 years ago | (#18011828)

I calmly replied, "You're not paying me to fail."

Ffs, upgrade your reading material.

Yes, with Antivir (free-av) (1)

theonlyholle (720311) | more than 7 years ago | (#17989678)

I installed Antivir on my mother's computer because I didn't see the point in installing a costly antivirus product when she is only online occasionally. I should have known better. My company uses NetworkStreaming's remote helpdesk server and at one point I wanted to help her with a small thing and had her download the client app - which rendered her computer completely unusable until she finally allowed Antivir, which claimed it was a malware program designed to spy on her, to quarantine the file. We bought her NOD32 the next day...

Avast! (2)

DaMattster (977781) | more than 7 years ago | (#17990068)

If you are looking for a good, freely available antivirus application for Windows, check out Avast [avast.com]. I have been using Avast for almost two years without a false positive and it has a much smaller memory footprint than McAfee or Symantec. By far, it is the best antivirus application I have ever seen. Plus, it is free for home use and does not install any kind of ad or spyware. It is honest to god free.

I switched to Avast! from AVG (1)

TheThiefMaster (992038) | more than 7 years ago | (#17995252)

I was wondering when someone was going to mention avast. I switched to it from AVG for FOUR reasons:
1: Virus got past AVG and stopped it detecting any more viruses. Was a PITA to disinfect.
2: AVG Free's annoying inability to disinfect a file when it first detects the infection, forcing you to run the main program.
3: A false positive in Multimedia Fusion created programs (and another AVG false positive was reported on the MMF forums two years after I stopped using AVG)
4: No free 64-bit Windows support

Since installing it I've found several more advantages, namely its dedicated scanners for various download programs (instead of just relying on the on-access scanner), and the fact that it can quarantine files for being "suspicious", instead of requiring a detection of a specific virus.

Since I installed it I haven't had any virus problems on my pc. That's not saying it hasn't detected anything, just no viruses have managed to infect my pc.

Re:Avast! (0)

Anonymous Coward | more than 7 years ago | (#17996860)

But is it any good at stopping viruses? Many other programs fit the description you gave. I, for example, run Minesweeper. It has a low memory footprint, never identifies false positives, is free for home use, and doesn't install adware or spyware. And it helps me find all those nasty mines.

Re:Avast! (1)

basicguy (1063914) | more than 7 years ago | (#18006966)

I've used Avast for a lot longer than two years. More like since 1999 when Norton finally crossed the line and I spent eight plus hours removing it line by line from my registry. AVAST has never had an infection. Never had a false positive. Never had an issue period. It plays well with just about all open source and I've experimented a lot. No problem with WireShark, SysInternals etc. It also uninstalls and installs cleanly and doesn't junk up the registry. I recommend it constantly. It is light weight, and effective. I use it and Zone Alarm on all the computers I get badgered and/or volunteer to fix, and people think I'm the genius. My hat is off to AVAST. Great product. Free for home use. If it was an American product, it would deservingly be the number one. Dell, HP, are you listening? Dump that crap you're putting on the new machines and use AVAST. I'm just removing it anyways. Security suites? Ha, major bloatware. If I have one complaint, it is they update daily, sometimes more often and with automatic update on, the VOICE prompt makes me jump when I'm in programming mode.

AVG has been bugging me about pskill.exe... (1)

WoTG (610710) | more than 7 years ago | (#17990328)

I suppose that pskill (a tool from Sysinternals that kills processes, like PS in *nix) can be used by malware authors, so it might deserve a warning flag. However, the stupid whitelist doesn't work properly, so AVG bugs me about it daily. Annoying. Fortunately, it's pretty rare that I use that tool these days.

Re:AVG has been bugging me about pskill.exe... (0)

Anonymous Coward | more than 7 years ago | (#18000528)

Yes, this one causes me trouble too.

AntiVir seems to be the most prone to this..... (1)

8127972 (73495) | more than 7 years ago | (#17991498)

... As several times over the last couple of years we've had AntiVir flag the odd .DLL as being infected. The upshot is that every time we've had this issue, we've e-mailed them and they've fixed their def files within a day or two. But the downside is that we spend the next week to 10 days telling customers that anything that AntiVir finds in our products is a false alarm.

Symantec vs. Google? (1)

kattphud (708847) | more than 7 years ago | (#17992462)

I've run into this kind of thing. Norton Antivirus doesn't like Google Spreadsheets, and when I try to open one it gets picked up as a "virus threat". Not a virus; a virus threat. Of course, this means I can't balance my checkbook in the office over lunch or using any other computer running Norton. I'm glad I use a Mac at home. (Valiantly attempts to stifle Mac smugness..)

Re:Symantec vs. Google? (0)

Anonymous Coward | more than 7 years ago | (#17993196)

NAV on Mac is just as much a piece of shit as NAV on Windows, only without so many tentacles. Of course, you're less likely to see a virus on OS X, but I only see one on Windows every few years anyway.

dom

Re:Symantec vs. Google? (0)

Anonymous Coward | more than 7 years ago | (#17997966)

Running NAV on a Mac is like fitting wheels to a tomato, time consuming and completely unnecessary.

Re:Symantec vs. Google? (0)

Anonymous Coward | more than 7 years ago | (#17994298)

startkeylogger

Re:Symantec vs. Google? (0)

Anonymous Coward | more than 7 years ago | (#18013258)

Norton also doesn't like nc.exe, which I need to do my job. It took me ten minutes to get it on the ignore list.

I've also disabled domain admin access to my box (explicit deny rule) so network scanning doesn't wreck things and bzip2 executables that I archive on the network server or send through email.

I've told my boss that if norton causes problems again, it is gone, company policy or no company policy.

YES! (1)

Spacejock (727523) | more than 7 years ago | (#17993082)

"have you ever suffered collateral damage from AV false positives?"

Yes indeed - two of my freeware apps have been mis-diagnosed as trojan-bearers in the past. I contacted the AV vendors (who demanded the usual proof, mother's maiden name, left nut) and they eventually sorted the problem out. In the meantime I had to deal with angry emails from users accusing me of corrupting their machines, raping their bank accounts and stealing their wives. Or something along those lines ... I didn't read all the threats that closely.

Thing is, these are freeware apps. A novel-writing tool, an ebook reading program, an email client, that kind of thing. They don't have ads or spyware, and they certainly don't include trojans. I wrote them for my own use and I give them away (just like the XNews guy does) and it's a bit much when I also have to go and prove my good intentions.

Re:YES! (0)

Anonymous Coward | more than 7 years ago | (#17995840)

Why bother? Release binaries (executables for the Windows users) to Free(*) operating systems only, and you will not get any of those accusations.

After all, if they don't trust you, they can inspect and compile the sources themselves. No, most of them probably can not be bothered, or don't have the skills to review the code, but they could. And they know that is the answer, hence they shut up.

Antiware is the equivalent of a cyber-nanny. I keep wondering why people put up with it, and put up with OS-es which are unsafe without it.

If you feel like defending Windows now, think twice! Do you want to look like you are suffering from the Stockholm syndrome?

*) For all practical intents and purposes, *BSD and Linux.

Two security patches were flagged as viruses ... (1)

whitehatlurker (867714) | more than 7 years ago | (#17993748)

My "anti-virus" package warned me about that nasty virus-laden installer for Adobe Acrobat Reader 8, which I had downloaded - or tried to - to fix a vulnerability. There was another security patch for which I had to disable the scanner in order to download. This was in about the same time period. (I'm sorry, I've forgotten which product or patch.)

On the other hand, one of my email providers was running a virus scanner that seemed to let almost through. (It's been fixed.)

At least with the fail-safe scanner, I had the option to knowingly disable the virus checker and download and install the files, albeit while the scanner and Microsoft popped up big warning balloons announcing the computer's imminent demise from my folly.

Obligatory statement... (1)

Zapotek (1032314) | more than 7 years ago | (#17994102)

I use Linux you insensitive clod!!!

/me sorry

Yes (0)

Anonymous Coward | more than 7 years ago | (#17995320)

A few years ago, I wrote an encryption DLL to be used with a script for the mIRC IRC client. It was released together with a script written by someone else to let people encrypt their conversations on public IRC servers.

A malware author decided to use it too, and a couple AV companies then treated my DLL as malware itself, even though its only function is encryption support. Considering the AV researchers are people who can pick apart nearly any piece of code, this is just plain negligent. Lazy bastards.

That particular piece of malware is still available online, and the author even mentions my name in the credits, which doesn't help much :(

(The captcha for this post is "invent". I'm not feeling the love here.)

I don't produce software, but... (1)

seebs (15766) | more than 7 years ago | (#17995466)

I've gotten repeated false positives from Avast! on the 1.0.74 updater for Arcanum. I've reported it, but I don't think it's fixed.

This is one of the reasons I'm dropping Windows as a host platform for gaming.

Norton Hijacker (1)

tedgyz (515156) | more than 7 years ago | (#17995680)

I had a nightmare experience with Norton. I had an incoming message in Thunderbird that it felt was infected (I never got the chance to confirm/deny). The end result was my Inbox of 2500+ messages being hijacked by Norton. Since Thunderbird was running, my poor laptop started thrashing during the quarantine procedure. After fighting with Norton for hours, I could not recover my Inbox. It was the corporate edition, which, when configured properly (?) prevents the end user from turning it off! Thankfully, I had recent backups.

Re:Norton Hijacker (1)

bzipitidoo (647217) | more than 7 years ago | (#18009044)

Same thing happened to me with Norton and Thunderbird. Some spam is always getting through the filters, and most of the time it's annoying but not debilitating. But one day Norton freaked out over one spam email and quarantined my entire inbox. Nothing I was allowed to do would release the inbox. Norton also sent out an email to the sys admin, who came running about a minute later, just as I was about to fire up Knoppix to deal with the prob, as I hadn't been given admin access on my own box. (They believed their security measures were a cut above, and took any breach hard. And yet, they ran Windows.) Shortly after that incident I blew away Windows and all that required AV crap, and weeks long official procedures to get admin access, and stuck Linux on my box myself.

Re:Norton Hijacker (1)

alavaliant (1002928) | more than 7 years ago | (#18053614)

To protect yourself from losing the entire inbox I'd recommend turning on the option under options -> privacy -> anti-virus to allow individual messages to be quarantined by the anti-virus program. That way one positive hit (false or not) won't make the entire inbox get deleted.

Oh, yesindeedy. (1)

OmniGeek (72743) | more than 7 years ago | (#17996260)

On a project I was doing between 2 and 5 years ago, while still using the corporate install of MacAfee (sp?) AV, the curst thing ALWAYS flagged TAR archives as virus-laden. Now, these were built on and for a Solaris system (and combined with documents generated on Windows, for those inclined to wonder how Solaris comes into this), and usually contained NO binary executables, just Perl scripts and text data files. Customer "support" was nonexistent.

I've since had other problems with Norton AV, which bogs my system egregiously (sometimes I think the malware would be less burdensome!). (45 seconds to get a right-click menu to come up on a desktop icon with NO programs running? Yecch!)

It's most unfortunate that the manufacturers of this crapware can wreak such havoc on application developers...

Re:Oh, yesindeedy. (0)

Anonymous Coward | more than 7 years ago | (#18003484)

(45 seconds to get a right-click menu to come up on a desktop icon with NO programs running? Yecch!)

We had a similar problem with a system at work, I used Sysinternals process explorer (free) [microsoft.com] to see wtf explorer was doing and it turned out to be stalling looking for a graphics driver DLL that wasn't there, presumably for some pointless context menu extension. Installed the latest nvidia reference drivers, problem fixed.

You might want to try this to see if it really is Norton, although I can totally believe either that or McAfee crippling a system.

What's worse? (1)

Opportunist (166417) | more than 7 years ago | (#17996412)

False positives are an issue. Sure, AV manufacturers test against standard programs (though I can remember a case well where a rather big one identified MS-Excel (rightfully, if you ask me) as malware and deleted it without even asking), but you simply can't cover every single benign program there is out there somewhere.

Heuristics are another source of headaches, especially for programs that share a few properties with malware (like runtime packers or trying to gain access to low level parts of the system, especially when network related). And don't start me on copy protected software, that often comes with self-modifying code, custom low level drivers, interference with standard drivers and all the other juicy little things so many rootkits enjoy doing. Makes you wonder whether it's REALLY a false positive... anyway.

I do agree that a lot of companies have their troubles with AV companies, but usually a well placed call with a reputable AV company solves that issue (with us, usually less than 3 hours from information to removal from the AV database). The question is, what would the scenario be without AV software? I'm not talking about us, people who do know what they're doing (and most likely don't really need AV software at all), I'm talking about the secretaries and other office people, for whom a computer is a tool and who don't know the dangers of "bundled" software and "free gifts" in their mail.

I'd wager, the damage done by malware would easily outdo the damage done due to false positives.

Youbetcha (1)

Dannon (142147) | more than 7 years ago | (#17996608)

F-Secure at my company has been a royal pain. It's one of those that has to keep in sync with a central database within the company, and we've got processing servers that just can't seem to go an hour without getting 50 alerts that the local F-Secure can't connect to the central database.

But the worst problem is that, from time to time, the AV running on one of the processing servers, or even on one of our workstations, will just decide, apparently at random, that one of our in-house DLLs or EXEs must be dangerous. And the AV will just delete the file. No warning, no feedback, no yes/no/cancel.

The good news is, the company just got bought by a larger parent company, and they're switching us over to a different AV product. So far, I haven't seen the same problems cropping up. Knock on wood.

Not as a false positive, but nasty anyway. (1)

Ernesto Alvarez (750678) | more than 7 years ago | (#17996708)

I've had problems with antivirus at work, but not with false positives. The problems the AV gave me were correctly identifying hacking tools as such, and then treating them as viruses (erasing them).

The situation would be pretty awful in normal circumstances, and in my case (network administrator) it would be so intolerable that the RTAV would have to be disabled (at least for me).

I wouldn't be surprised if Wireshark (AKA ethereal) would fall in that category, although it never happened with ethereal (in my case, it happened with brutus).

Re:Not as a false positive, but nasty anyway. (1)

jonbryce (703250) | more than 7 years ago | (#18017234)

I've yet to find a virus scanner that doesn't detect VNC as a remote access trojan. Yes, I know it allows people who know the password and are on the LAN to access my computer remotely. That's why I installed it.

YES! (1)

Kent Simon (760127) | more than 7 years ago | (#18003782)

We've had several antivirus apps detect my project (Multi Theft Auto) as a virus.. a lot of heuristic based detectors are set off by our mod. DLL Injection, Hooking, and memory patching are all things that a lot of virus authors use. In our case, generally an email will get a response (even Symantec updated theirs when we were getting a false positive from their AV software) Kent

Yes - concatenated PNG files (1)

Scorchio (177053) | more than 7 years ago | (#18004682)

I was working on cell phone games, and some of the older J2ME titles had their image data - several PNG files - concatenated into a single data block, to be unpacked later using index information in a different file.

One day, the publisher calls in a panic, because their AV scan keeps reporting our games as being infected with a virus. We tried assuring them otherwise; we'd had trouble fitting the games in the limited download package, so we'd certainly know if there was something we didn't want or need in there. Regardless, they wanted it fixed.

Turns out the scan was searching the jar file, finding the image data file, recognizing the PNG header of the first image in the file, then freaking out because the entire file size didn't match the calculation from the first PNG header. Apparently, there was some kind of exploit using incorrect header information in PNGs, and the AV software was detecting the size discrepancy and flagging it as suspect.

We got around the problem by adding a dummy byte at the start of the file, enough to make it think it wasn't a single PNG image. Simple fix, but it still took a fair chunk of time to restore project backups, make the change, test it, repackage it and submit.
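The size check described in the post above, as an added example that is not code from the thread or from any AV product: a scanner that recognises the PNG signature, walks the chunk list to IEND, and compares where the image ends with where the file ends. A file made of several PNGs glued together fails that comparison exactly as the game's image block did, while prefixing a single byte means the data is no longer parsed as a PNG at all. The added `split_concatenated_pngs` helper goes one step beyond the post: it shows how a detection can tell benign concatenation (the trailing bytes are themselves well-formed PNGs) apart from a genuinely inconsistent file. The 1x1 sample images are constructed inline; the function names are this example's own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def make_tiny_png(gray: int) -> bytes:
    """Constructed sample input: a valid 1x1 8-bit greyscale PNG (not taken from the page)."""
    # width, height, bit depth, colour type (0 = greyscale), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00" + bytes([gray])  # filter byte 0 followed by one pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))


def expected_png_length(data: bytes):
    """Return the byte offset just past the IEND chunk of the PNG at the start of data.

    Returns None when data does not start with a PNG signature, a chunk is truncated,
    a chunk CRC is wrong, or no IEND chunk is found. This is the "what size should
    this image be" calculation that the post says the scanner compared to file size.
    """
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):  # 4 length + 4 type + 4 CRC is the minimum chunk
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        chunk_type = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            return None  # chunk claims more bytes than the file holds
        (stored_crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(chunk_type + data[pos + 8:pos + 8 + length]) & 0xFFFFFFFF != stored_crc:
            return None  # corrupted or hand-edited chunk
        pos = end
        if chunk_type == b"IEND":
            return pos
    return None


def classify(data: bytes) -> str:
    """Naive scanner verdict: compare the computed image length with the actual file length."""
    expected = expected_png_length(data)
    if expected is None:
        return "not-png"
    if expected == len(data):
        return "png-ok"
    return "png-trailing-data"  # what tripped the publisher's scanner on the game's image block


def split_concatenated_pngs(blob: bytes):
    """Return (offset, length) for each consecutive well-formed PNG in blob.

    Stops at the first position that is not a well-formed PNG. If the parts cover
    the whole blob, the trailing data is simply more images, not a malformed header.
    """
    parts = []
    pos = 0
    while pos < len(blob):
        n = expected_png_length(blob[pos:])
        if n is None:
            break
        parts.append((pos, n))
        pos += n
    return parts


if __name__ == "__main__":
    first, second = make_tiny_png(0), make_tiny_png(255)
    packed = first + second                      # the game's concatenated image block
    print(classify(first))                       # png-ok
    print(classify(packed))                      # png-trailing-data
    print(split_concatenated_pngs(packed))       # two parts covering the whole blob
    print(classify(b"\x00" + packed))            # not-png: the dummy-byte workaround
```

Seen from the detection side, `classify` alone is the heuristic the post describes, and `split_concatenated_pngs` is the cheap follow-up check that would have kept the publisher's scanner from raising an alert on a benign data block: if every trailing byte belongs to another intact PNG, the size mismatch is an artefact of packing, not of a tampered header.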