The Naked PC Newsletter
From TNPC issue #4.16...DefCON Lee Hudspeth

Seeing Red Over AntiVirus False Positives

by Lee Hudspeth
August 9, 2001

I recently had a series of CodeRed Worm alerts on my production PC. But guess what, that's impossible!

Why impossible? Because this particular piece of malware cannot infect a PC unless it's running Windows NT 4.0 or Windows 2000, and my production PC runs Windows 98SE. This scenario is called a "false positive" in computer security circles. Think of it as a false alarm.

This term means that some mechanism or system has incorrectly identified some other mechanism or system (like a PC) as being in a given state when it isn't. An example we humans can all relate to is a disease diagnosis based on a blood test. There's a chance--sometimes small, sometimes not, depending on the test and the disease--that you will be told you're sick when you're not, at least not with that particular malady. False positives are a part of the empirical reality of our world, but I'm not going to cut Symantec or the anti-virus developers any slack. A mistake is a mistake; I paid my money for error-free detection/prevention of viruses, and they need to raise the bar.

On the date in question, Symantec's Norton AntiVirus ("NAV") was running in its latest update incarnation. As I've said repeatedly in this newsletter, I have NAV check for virus definition and scanning engine updates DAILY. I was running the latest build; NAV 2001 v7.07.23D to be exact. When I started Internet Explorer 5, NAV stubbornly insisted it had detected the CodeRed Worm, and it did so four times. By the second Alert screen I was seeing red (pun intended). A file named iis2ucms[2].asp kept appearing in randomly spawned folders under C:\Windows\Local Settings\Temporary Internet Files\Content.IE5. (Where did these weird pages come from? Probably a recent Napigator session.) Each time I quarantined the suspect file, and was told the system was clear, IE5 would get busy again and NAV would sound another false alarm.

After the second false alarm, here's what I did. I couldn't get online because IE5 was triggering the alarm, and I didn't want to use another PC on the LAN in case the problem really was a virus, just not the CodeRed Worm (this would be a case of misidentification by NAV's scanning engine). I let NAV continue to alert me and called my associates Mike Craven and Jim (T.J.) Lee to see if they could look up the relevant CodeRed Worm data on the Symantec Security Updates Home Page:
http://www.TheNakedPC.com/t/416/tr.cgi?lee1

Their searches confirmed what we already knew: it was an impossible infection. Right when I had decided to shut IE5 down and clean out all Temporary Internet Files, the fourth alert cleared and stayed clear.

What can anti-virus manufacturers do about false positives? If a simple and unalterable property of the system can be used to warn the user about false positives (like the version/build of the operating system), the anti-virus package should do so. In this particular case, NAV knows the PC is running an operating system that cannot support the CodeRed Worm. It should have used that information to tell me, "Lee, our virus scanning engine thinks the CodeRed Worm is attacking your system, but since you aren't running an operating system that allows that to happen, it's probably a false alarm. Please take the appropriate precautions. Have a nice day." Note that Symantec's own CodeRed Security Check tool told me this when I ran it: "Invalid operating system version detected. This program can only test for the CodeRed worm on Windows NT 4.0 and Windows 2000." They've got the tool and infrastructure; it simply isn't integrated into the NAV scanning engine.
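To show what the platform cross-check proposed above might look like, here is an added example (not Symantec's code or NAV's engine) that compares a scanner hit against the host operating system before the alert is worded; the signature catalogue and the triage_alert function are constructed for this illustration, and the sample input is the article's own CodeRed-on-Windows-98SE incident.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A detection name plus the platforms the threat can actually infect.
    An empty frozenset means the scanner has no platform data for it."""
    name: str
    affected_os: frozenset


@dataclass(frozen=True)
class Triage:
    verdict: str   # "plausible" or "likely false positive"
    action: str    # what the user is told to do
    reason: str


# Constructed catalogue (not a vendor's definitions). CodeRed only runs
# on Windows NT 4.0 or Windows 2000, as the article states.
CATALOGUE = {
    "CodeRed Worm": Signature("CodeRed Worm",
                              frozenset({"Windows NT 4.0", "Windows 2000"})),
    "EICAR Test File": Signature("EICAR Test File", frozenset()),
}


def triage_alert(detection: str, host_os: str, path: str) -> Triage:
    """Cross-check a scanner hit against the host OS before alerting.
    Every branch still quarantines: a wrong name may still be a real threat."""
    sig = CATALOGUE.get(detection)
    quarantine = (f"Quarantine {path}, disconnect from the network, "
                  "and note the event in your system journal.")
    if sig is None or not sig.affected_os:
        return Triage("plausible", quarantine,
                      f"no platform data for {detection}; treat it as real")
    if host_os in sig.affected_os:
        return Triage("plausible", quarantine,
                      f"{host_os} is a platform {detection} can infect")
    return Triage(
        "likely false positive",
        quarantine + " Then check the vendor's write-up before removal.",
        f"{detection} cannot infect {host_os}; it only runs on "
        + ", ".join(sorted(sig.affected_os)),
    )


if __name__ == "__main__":
    cache = r"C:\Windows\Local Settings\Temporary Internet Files\Content.IE5"
    t = triage_alert("CodeRed Worm", "Windows 98SE", cache + r"\iis2ucms[2].asp")
    print(t.verdict, "-", t.reason)
```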

Another gripe I have with the anti-virus manufacturers is that they don't post any information on their sites about the phenomenon of false positives. I checked the Web sites of Symantec, McAfee, and Trend Micro, but there's not a single bit of information on the topic. Call me naive, but I think that in the war against malware, the manufacturers of defensive tools should explain that the scanning engine will occasionally--perhaps rarely--make a mistake, either as a false positive or a total misidentification, and provide a help file topic that suggests what to do.

Rob Rosenberger is editor of Vmyths.com, a Web site dedicated to dispensing the truth about computer virus myths and hoaxes. I ran this scenario by Rob who comments, "'False positives' occur in the antivirus world. They always do. Antivirus vendors can control the problem to some extent, but when you're in a hurry (for publicity reasons) to release an update, well--let's just say 'there isn't always enough time' to make sure the detection triggers correctly. Time is critical when you're trying to earn valuable media exposure." Check out Rob's site here:
http://www.TheNakedPC.com/t/416/tr.cgi?lee2

In the meantime, here are my suggestions if you get ambushed by a false alarm. Even if you suspect a false alarm, assume the worst and proceed as if it is the real McCoy. It's not until step 6 that, if it's a false positive, you'll realize you really don't have anything to remove. (For more details about these steps see my article "Virus Attacks and How to Thwart Them When You Get One"):
http://www.TheNakedPC.com/t/416/tr.cgi?lee3

1. Start by staying calm and taking thorough notes in your system journal.

2. Let your anti-virus program tell you what it thinks you should do, and do it.

3. Immediately disconnect your PC from the network and notify your system administrator.

4. Use your anti-virus program's built-in virus definitions to look up what it says about the virus.

5. Go to your (or any other) anti-virus program's Web site and look up the latest details on the virus, especially about removal.

6. Follow the recommended removal instructions.

7. Finish up by doing a full virus scan of all the PC's hard disks.

For your convenience, here is a listing of all the virus articles we've published to date in "The Naked PC."

"A Serious Reminder About Viruses and Backups"
http://www.TheNakedPC.com/t/416/tr.cgi?lee4

"Optimal Norton AntiVirus 2000 Settings"
http://www.TheNakedPC.com/t/416/tr.cgi?lee5

"Safely Testing Your AntiVirus Package with the EICAR Test File"
http://www.TheNakedPC.com/t/416/tr.cgi?lee6

"Safely Testing Your AntiVirus Package with the EICAR Test File: Part 2"
http://www.TheNakedPC.com/t/416/tr.cgi?lee7

"Virus Attacks and How to Thwart Them When You Get One"
http://www.TheNakedPC.com/t/416/tr.cgi?lee8

If your anti-virus program has incorrectly identified a virus, either false positive or blatant misidentification, I'd like to hear your story.

You can reach Lee Hudspeth at:
mailto:leehudspeth@TheNakedPC.com

Copyright © 2001, PRIME Consulting Group, Inc. and Dan Butler.
All Rights Reserved.
The Naked PC is a trademark of PRIME Consulting Group, Inc.
ISSN: 1522-4422

You may reprint an article from TNPC as long as you show the
entire article and include the author's byline, excerpt and
subscription information as shown:

article_title
by author_name
(This article originally appeared in The Naked PC
newsletter; subscribe at http://www.TheNakedPC.com)
