Softpanorama
(slightly skeptical) Open Source Software Educational Society

Malware Defense History and its Secrets
(An Unorthodox Approach to the History of Malware Defense)

by Dr. Nikolai Bezroukov.


The Problem of False Positives in the Anti Virus Defense


(unfinished draft)

On any given day, most of the cases reported by users in a corporate environment are not actual virus infections. They are false alarms, or false positives.

The main source of the problem is the AV products themselves. A second source is people: paranoid users, and sometimes system administrators, blame a computer virus for any effect they cannot understand or explain.

In the past the main sources of false positives in the corporate environment were products such as Inoculan, McAfee and F-Secure. The old F-Secure version 4.0x, for example, sometimes recognized a regular VBScript program as an MS Word document and produced messages like "Infection: 'Macro.Word97.Class.eb' [AVP]". It is a very distressing experience when a hundred remote and clueless users get this message in one day. A real virus would probably be less frustrating ;-)

Usually it is file viruses and macro viruses that are reported as false positives, and sometimes interesting combinations arise. For example, the now obsolete F-Prot 2.xx reported as infected any MS Word document that had been disinfected by the corresponding version of McAfee. That was a very interesting experience when one part of the corporation used F-Prot and another part used McAfee ;-)

Another interesting combination arises when a false positive is detected but the AV program is unable to "disinfect" the file and instead renames it or moves it to some quarantine directory. That is when the AV program becomes a real, 100% pure Trojan horse: a perfectly good file has been removed from the place where it is needed.

Inoculan is especially bad in this respect, as it not only reports clean files as infected, but also moves them to its Infected directory. So Inoculan can be considered a sort of Trojan horse, and it may prevent the installation of packages from a network drive when it quarantines a clean installer file.

Some recommendations:

Don't play God with the users. Reveal the simple truth that you are a regular system administrator who is completely at the mercy of evil AV vendors ;-). Train users not to believe AV program messages without some simple additional checking.

If your AV program has a customizable message for the situation when a virus is found, adapt it to reality. For example, in F-Secure 4.0x (now obsolete), under Preferences/Scanning in the administrator console window, the beep can be switched off and the message under "When a Virus is Found" can be changed to something like the following (please correct my English and modify the message so that it better suits your needs, keeping the same idea):

This message is produced both for actual infections and for so-called false positives (cases where the file does not actually contain a virus, but was diagnosed as infected because of the high sensitivity of the XXX virus scanning engine). As of <put date here, for example 12/08/99>, known false positives include:

< add your current problems here, for example:

yyyyyyyy.sys is diagnosed as "Virus-like code found by heuristics [XXX]" (which is funny, since drivers should be expected to contain virus-like code)

some Notes-related files (usually with the extension .tmp) are diagnosed as having "Infection: 'Macro.Word97.Class.eb' [XXX]"

>

For all categories mentioned above, please ignore the message. If the message displayed does not fall into one of the categories mentioned above, it might be an actual virus infection or an as yet unknown false positive. Please contact your local LAN administrator or the local Help Desk. Thank you.
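The "simple additional checking" recommended above, together with the list of known false positives carried by the customized message, can be turned into a small triage script for the help desk or LAN administrator. The Python below is an added example written for this page; it is not code from the article or from any AV product. The alert line format ("path: detection [engine]"), the file paths, the golden-copy installer bytes and the verdict names are assumptions or constructed data; the two known-false-positive entries mirror the placeholders in the sample message above. Beyond the message's "look at the list" check, it adds a second check the article's Trojan-horse scenario calls for: comparing a flagged or quarantined file's hash against a golden copy taken from the installation media.

```python
"""Triage anti-virus alerts against a list of known false positives.

Added example, not code from the article. The alert line format, the file
names and the golden-copy bytes are assumptions / constructed data.
"""
import fnmatch
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed alert format, modelled on the messages quoted in the article:
#   <path>: <detection text> [<engine>]
ALERT_RE = re.compile(r"^(?P<path>.+?): (?P<detection>.+?) \[(?P<engine>[^\]]+)\]\s*$")


@dataclass(frozen=True)
class KnownFalsePositive:
    path_glob: str   # shell-style pattern, matched case-insensitively with '/' separators
    detection: str   # detection text exactly as the engine prints it
    reason: str      # what to tell the user


# The admin-maintained list. Both entries mirror the placeholders in the
# article's sample message; "XXX" is the article's engine placeholder too.
KNOWN_FALSE_POSITIVES: List[KnownFalsePositive] = [
    KnownFalsePositive("*/yyyyyyyy.sys", "Virus-like code found by heuristics",
                       "drivers are expected to contain virus-like code"),
    KnownFalsePositive("*/notes/*.tmp", "Infection: 'Macro.Word97.Class.eb'",
                       "Notes temporary files are misdetected as a Word macro virus"),
]

# Constructed "golden" copies of installation files (as if read from the
# vendor CD) and their SHA-256 digests. A flagged file that is byte-for-byte
# identical to the golden copy has not been modified since installation.
GOLDEN_MEDIA: Dict[str, bytes] = {
    "setup.exe": b"MZ\x90\x00 constructed stand-in for an installer image",
}
GOLDEN_SHA256: Dict[str, str] = {
    name: hashlib.sha256(data).hexdigest() for name, data in GOLDEN_MEDIA.items()
}

# Constructed sample alerts in the assumed format.
SAMPLE_ALERTS = [
    r"C:\WINNT\SYSTEM32\DRIVERS\yyyyyyyy.sys: Virus-like code found by heuristics [XXX]",
    r"C:\notes\data\~5F3A2C.tmp: Infection: 'Macro.Word97.Class.eb' [XXX]",
    r"C:\TEMP\invoice.doc: Infection: 'Macro.Word97.Class.eb' [XXX]",
    r"N:\NETINSTALL\setup.exe: Infection: 'W32/Sample' [XXX]",
]


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Split an alert line into path, detection and engine; None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def _norm(path: str) -> str:
    """Lower-case and use '/' so globs behave the same on any platform."""
    return path.replace("\\", "/").lower()


def classify(line: str,
             known_fps: Iterable[KnownFalsePositive] = KNOWN_FALSE_POSITIVES,
             golden: Optional[Dict[str, str]] = None,
             file_bytes: Optional[bytes] = None) -> str:
    """Return 'unparsed', 'known-false-positive', 'matches-golden-copy' or 'investigate'.

    Check 1: path pattern AND detection text must both match a known entry; a
    known path with a different detection is treated as new and suspicious.
    Check 2: if the flagged file's bytes hash to the golden copy, the file is
    unchanged since installation and the alert is a (new) false positive.
    Anything else goes to a human, as the article's sample message says.
    """
    alert = parse_alert(line)
    if alert is None:
        return "unparsed"
    path = _norm(alert["path"])
    for fp in known_fps:
        if fnmatch.fnmatchcase(path, fp.path_glob.lower()) and alert["detection"] == fp.detection:
            return "known-false-positive"
    if golden and file_bytes is not None:
        name = path.rsplit("/", 1)[-1]
        if golden.get(name) == hashlib.sha256(file_bytes).hexdigest():
            return "matches-golden-copy"
    return "investigate"


def triage(lines: Iterable[str], **kwargs) -> List[Tuple[str, str]]:
    """Classify every line; returns (line, verdict) pairs in input order."""
    return [(line, classify(line, **kwargs)) for line in lines]


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_ALERTS):
        print(f"{verdict:22} {line}")
    flagged = GOLDEN_MEDIA["setup.exe"]   # pretend this was read from N:\NETINSTALL
    print(classify(SAMPLE_ALERTS[3], golden=GOLDEN_SHA256, file_bytes=flagged))
```

Both the path pattern and the detection text have to match before an alert is written off: a driver flagged by a different signature, or the Word macro detection on a real .doc outside the Notes directory, still goes to a human. The golden-copy check is what protects against the "AV as Trojan horse" case: if the quarantined installer hashes to the copy on the vendor media, it can be restored with confidence, and if it does not, the difference itself is the finding.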


Copyright © 1996-2002 by Nikolai Bezroukov. 

This document is an electronic book designed exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented in the e-book are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
