Symantec has managed to screw the pooch again, I'm afraid. Their antivirus signatures for July 15, rev. 2, had a false positive for the adware "cpush". SANS readers had notified them of false positive detections for FileZilla and NASA World Wind.
It appears that Symantec's anti-virus definitions (July 15th, rev. 2) had a false positive on FileZilla and NASA World Wind, detecting them as Adware.cpush. The definition was fixed in the July 16th release. This isn't the first or last time false positives have shown up with anti-virus updates. As more and more malware gets developed, and deployment of said malware gets quicker, the strain on AV vendors to get definitions out quickly is intense. This makes it difficult to test against all software, especially the more esoteric variety. Test longer and allow more exploitation, or get the definition out fast and risk false positives or false negatives? Not an easy question to answer (unless you tier definitions and customize updates so people can choose "stable" rules, "bleeding edge" rules, etc.).
A bit of an apologist tone, but what the hell. I know that there was a false positive detection for the Apache web server for Windows as well. The SANS posting goes on to question whether or not malware writers could create proggies that would be seen by AV engines as safe.
Short answer: of course. Anti-virus detection is based on signature matching (with a smattering of heuristics). Love it or hate it, that's what we've got. That being said, a malware writer would need to reverse the signature set of antivirus company X and figure out what they are matching on. Then set their application to be off by one. Boom... off they go.
This idea of bypassing antivirus is by no means a new concept. Code Red did this when the packet was padded with 100+ bytes of useless information, e.g. "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN". What's even funnier is that IDS systems soon afterwards would even detect that string in emails. Intrusion detection vendors at the time were only checking the first 100 bytes of a packet for malcode. Where am I going with this? Nowhere, really. Mostly pointing out that, as much as we may all rant about antivirus, it's the best we've got.
For now.
Norton has been giving false virus reports on NASA World Wind for ages; just check the forums. It is a pain, but then if you install Norton you deserve what you get.
No argument here.
🙂
Thanks for the comment.