(OT) False Positive

Thread starter: BasketCase

BasketCase

Hello all.

More than once I have stumbled across the term 'false positive' in
relation to questions about viruses or to do with virus software.

Is this when your virus scanner tells you that you have a virus when you
really haven't ?

How does this occur and why ?

I ask here simply because I've lurked for some time and most of you
people (unlike me) really seem to know your way around a computer.

Jim
 
BasketCase said:
Hello all.

More than once I have stumbled across the term 'false positive' in
relation to questions about viruses or to do with virus software.

Is this when your virus scanner tells you that you have a virus when you
really haven't ?

How does this occur and why ?

I ask here simply because I've lurked for some time and most of you
people (unlike me) really seem to know your way around a computer.

Jim
Correct. No software is infallible. It reports what it thinks is suspicious.
bw..OJ
 
old said:
Correct. No software is infallible. It reports what it thinks is suspicious.
bw..OJ

But how do you *know* it's a false positive ? I recently read one post
where someone said that AVG detected a Trojan in a program they'd
downloaded...and some person replied that they should ignore it because
it was a false positive ! How the hell did *he* know this ? :)
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
But how do you *know* it's a false positive ? I recently read one post
where someone said that AVG detected a Trojan in a program they'd
downloaded...and some person replied that they should ignore it because
it was a false positive ! How the hell did *he* know this ? :)

The only way I would say that a file was definitely a false positive was if
I had a known backup that was not detected (would infer that new virus
definitions were broken), if a service such as VirusTotal[1] reported only
that vendor saw it as a virus or upon sending the file to the vendor they
replied back saying it wasn't infected.

There are also other instances such as the recent Symantec Bloodhound (34 I
think) flagging all of a certain type of file as infected, where one can
usually gather that it is making a mistake. Especially if you write "hello"
into a text file and rename it to test.emf and Symantec jumps on it :-)

False positives happen because a lot of viruses are detected as each virus
has a "signature" - a particular pattern of information - that is present
in infected files. This method of detection can sometimes be triggered by
innocuous files.

There is also "heuristic" detection where a product knows what "suspicious"
behaviour is, for example a program setting itself to listen for orders
from the Internet, setting Windows Firewall to allow incoming connections
and trying to email hundreds of addresses. This behaviour would trigger the
anti-virus into stopping the program but again, can sometimes accuse an
innocent party.

And a question like this isn't OT :-)

HTH

[1]
Scans a given file against multiple anti-virus programs
http://www.virustotal.com/
- --
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFDdHrw7uRVdtPsXDkRAoixAJ4wTcWQ+pOeBmSJ+AdBIusYHk1g+wCeKYFg
TBydR+/hs7kcz4CF57dw/no=
=sCKt
-----END PGP SIGNATURE-----
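The two detection methods Adam describes, signature matching and heuristic scanning, and how each can flag an innocent file, as an added example (this is not code from the thread or from any AV vendor). Everything in it is constructed: the "malware" bytes, the signature name, the heuristic indicator tokens and the files. The signature is deliberately cut from a run-time library routine that benign programs also contain, which is the situation a later post in the thread describes for Borland Pascal programs; the heuristic is a static one that scores suspicious code rather than observing behaviour.

```python
from typing import Dict, Optional

# Constructed sample of a "virus" as a researcher might receive it.  The
# middle slice is run-time library code that any program built with the same
# compiler also contains; the tail is the actual malicious routine.
MALWARE_SAMPLE = (
    b"\x55\x8b\xec"            # ordinary function prologue
    b"LIBRARY_INIT_ROUTINE"    # constructed: shared run-time library code
    b"\x90\x90\x90"
    b"MASS_MAIL_LOOP"          # constructed: the payload
)


def extract_signature(sample: bytes, offset: int, length: int) -> bytes:
    """A signature is a short slice of the sample, not the whole thing."""
    return sample[offset:offset + length]


# The researcher cut the signature from the library slice (offset 3, 20 bytes)
# instead of the payload, so every program using that library will match it.
SIGNATURES: Dict[str, bytes] = {
    "Constructed.Worm.A": extract_signature(MALWARE_SAMPLE, 3, 20),
}

# Static heuristic: weighted indicators a "suspicious code" engine looks for.
# Constructed tokens standing in for imported API names.
INDICATORS: Dict[bytes, int] = {
    b"listen(": 2,               # waits for orders from the network
    b"FirewallAllowInbound": 2,  # opens the firewall
    b"EnumAddressBook": 2,       # harvests addresses
    b"SMTP_SEND": 1,             # sends mail
}
HEURISTIC_THRESHOLD = 4


def signature_scan(data: bytes, signatures=SIGNATURES) -> Optional[str]:
    """Name of the first signature found in data, or None."""
    for name, sig in signatures.items():
        if sig in data:
            return name
    return None


def heuristic_score(data: bytes, indicators=INDICATORS) -> int:
    """Sum of the weights of the indicators present in data."""
    return sum(w for token, w in indicators.items() if token in data)


def verdict(data: bytes) -> str:
    """Quarantine rather than delete, so a false positive is recoverable."""
    name = signature_scan(data)
    if name is not None:
        return f"quarantine: {name}"
    if heuristic_score(data) >= HEURISTIC_THRESHOLD:
        return "quarantine: possible unknown virus (heuristic)"
    return "clean"


# Constructed files.  Two of them are innocent but trip one method each.
FILES: Dict[str, bytes] = {
    "malware.exe": MALWARE_SAMPLE,
    "hello.txt": b"hello",
    # Built with the same run-time library: contains the signature bytes.
    "payroll_tool.exe": b"MZ\x90\x00LIBRARY_INIT_ROUTINE print report",
    # Legitimate newsletter mailer: imports the same APIs a mass mailer would.
    "newsletter.exe": b"MZ\x90\x00listen( EnumAddressBook SMTP_SEND",
    # Chat client: one network indicator is not enough on its own.
    "chat_client.exe": b"MZ\x90\x00listen( recv(",
}


def scan_all(files=FILES) -> Dict[str, str]:
    """Verdict for every file, keyed by file name."""
    return {name: verdict(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:18} {result}")
```

Running it flags the real sample, the innocent payroll tool (same library bytes, so a signature false positive) and the newsletter mailer (enough heuristic indicators), while the text file and the chat client come back clean; the point of returning "quarantine" rather than deleting is exactly that two of those three hits are wrong.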
 
BasketCase said:
But how do you *know* it's a false positive ? I recently read one
post where someone said that AVG detected a Trojan in a program they'd
downloaded...and some person replied that they should ignore it
because it was a false positive ! How the hell did *he* know this ?
:)

IIRC, that was "Six buttons from hell"...a script button in 1st Page
2000. If that is the case, he knew it was a false positive because it
is common knowledge. Actually, it is more of a "benign positive" rather
than a false one.

--
dadiOH
____________________________

dadiOH's dandies v3.06...
....a help file of info about MP3s, recording from
LP/cassette and tips & tricks on this and that.
Get it at http://mysite.verizon.net/xico
 
BasketCase said:
But how do you *know* it's a false positive ? I recently read one post
where someone said that AVG detected a Trojan in a program they'd
downloaded...and some person replied that they should ignore it because
it was a false positive ! How the hell did *he* know this ? :)

Because generally, other people will have the same problem and Googling
will turn up those remarks. Not only that, but the AV program authors
usually will quickly acknowledge that this is the case. To insist
otherwise if it is indeed a false positive, will cause the AV program to
lose face and quickly fall out of favor.

Regardless, this is a problem that really doesn't occur very often so
don't let it put you off.

--
Regards from John Corliss
My current killfile: aafuss, Chrissy Cruiser, Slowhand Hussein, BEN
RITCHEY and others.
No adware, cdware, commercial software, crippleware, demoware, nagware,
PROmotionware, shareware, spyware, time-limited software, trialware,
viruses or warez please.
 
BasketCase said:
But how do you *know* it's a false positive ? I recently read one post
where someone said that AVG detected a Trojan in a program they'd
downloaded...and some person replied that they should ignore it because
it was a false positive ! How the hell did *he* know this ? :)

As another poster (John..) says I use Google to search for info on the item being
questioned.

Lou
 
But how do you *know* it's a false positive ?

It's a matter of knowledge and trust. If you're able to analyse the
program yourself, you can decide the question yourself. If the source
code is available, things are a bit easier. (Of course, later the
'cleared from suspicion' program has to be compiled from that very
source code and not obtained otherwise.) But analysis can be done by
checking the machine code, too.

Increasing program size and complexity increase the time and skill
required for correct results. Apart from trivial programs you can
think of the test result as an asymptote, which can barely reach 100 %.
Even seemingly 'sloppy coding' can be a backdoor, placed on purpose.
(E.g. unchecked means of input, which can be used by buffer overflow
attacks.)

If you don't do the analysis yourself, you have to trust someone.
Maybe you got the program verifiably from the author (and you trust
him without fail.) Or you got clearance by checking with one or
more Antivirus program(s) of your choice. (Current signatures are
necessary.)

If a program (version) is new, you better wait a few days to give
the AV community the chance to check the program. Note, that they
don't check all and every program. There has to be some cause of
suspicion, first. That's why, a 'no find' doesn't mean clearance.
But most malware authors fortunately trigger one or more security
controls - sooner or later. (Suspicious code found by heuristic
scanning, unexpected file or network access,...)

It is especially difficult to decide on false positives. (As you
already guessed.) If one (or maybe more) scanner lists a program
as infected, you can cross-check with other AV programs. If these
don't find anything, you should do two things:
(1) Submit a sample of the program as 'possibly infected' to the
companies *not detecting* anything suspicious.
(2) Submit a sample of the program as 'possibly false positive' to
the companies *detecting* malware.

Be sure to check the common malware related places to ensure you
aren't the 1000-th person submitting the same program. Current
threats are discussed there. (E.g.: alt.comp.virus)

Until all AV engines agree on the status of your program, you
should refrain from using it. (Unless you trust one vendor or
a couple of vendors more than others.) Even if no engine reports
risks, anymore, you stand a (marginal) chance they are wrong...

And just another thought about 'trust': Be sure the person (/ company /
whatever you consult) really responds. Even websites have been forged,
before. ;-)

BeAr
 
The only way I would say that a file was definitely a false positive was if
I had a known backup that was not detected (would infer that new virus
definitions were broken),

Dangerous. The malware detection could have been added, newly. (And
could be right about the character of the program!)
if a service such as VirusTotal[1] reported only that vendor saw it as a
virus

Dangerous as well. Especially for new (versions of) programs.
or upon sending the file to the vendor they replied back saying it wasn't
infected.

Best choice. (If you refer to the *AV* vendor / company.)
There are also other instances such as the recent Symantec Bloodhound (34 I
think) flagging all of a certain type of file as infected, where one can
usually gather that it is making a mistake. Especially if you write "hello"
into a text file and rename it to test.emf and Symantec jumps on it :-)

The 'Hello' virus. Written countless myself... ;-)
False positives happen because a lot of viruses are detected as each virus
has a "signature" - a particular pattern of information - that is present
in infected files. This method of detection can sometimes be triggered by
innocuous files.
Yep.

There is also "heuristic" detection where a product knows what "suspicious"
behaviour is, for example a program setting itself to listen for orders
from the Internet, setting Windows Firewall to allow incoming connections
and trying to email hundreds of addresses. This behaviour would trigger the
anti-virus into stopping the program but again, can sometimes accuse an
innocent party.

Most AV programs don't look for suspicious *behavior*, but for suspicious
*code* when scanning with the heuristic engine(s).
And a question like this isn't OT :-)

But it is a bit more on-topic on comp.security.misc or alt.comp.virus
;-)

BeAr
 
Hello all.

More than once I have stumbled across the term 'false positive' in
relation to questions about viruses or to do with virus software.

Is this when your virus scanner tells you that you have a virus when you
really haven't ?

How does this occur and why ?
Part of the scanning is to look for certain code in a file. Sometimes a
legitimate file can have part of that code so the AV software sees it
as infected.
 
But how do you *know* it's a false positive ? I recently read one post
where someone said that AVG detected a Trojan in a program they'd
downloaded...and some person replied that they should ignore it because
it was a false positive ! How the hell did *he* know this ? :)

There are two ways most Antivirus programs can trigger - one, they think
they recognise a file as being a particular virus; or two, they think the
file has content similar to that of other viruses. I'll talk about each of
these separately.

Where a package finds that a particular file might be a Virus, it does so
because part of the computer code contained in that file matches what the
antivirus program has on record as "characteristic and specific" to that
particular variety of that particular virus. The AV packages can't contain
the whole of the virus code - besides being dangerous and potentially
educating people in how to write viruses (there's more than enough help out
there anyway for that), it would make the signature files absolutely massive
and therefore impractical. So the AV researchers locate something unique to
that particular virus and just look for that code when they scan a file.

Because this is a limited slice of the whole virus, there is always the risk
of a virus "identification" being a false positive. For this reason, most
antivirus programs "quarantine" affected files rather than deleting them
outright - that makes it easier to recover from.

I don't trust googling per se, there are too many people posting info they
don't actually know. There are a couple of sites that are reputable, though,
and if I see one of the links provided by Google as coming from a site that
I recognise and trust, I will look more closely at that response.

It's generally the case that if you get a false positive from one anti-virus
package, you are unlikely to get the same result from a second. That's why
the "scan a suspect file with multiple anti-virus packages" link is so
useful.

The big problem with scanning for viruses this way is that only a known and
identified virus can be stopped. All the virus writer has to do is switch a
couple of things around within the file, and you have a new version of the
old virus - one that may not match the "signature" that the AV program has.
In fact, they can keep trying until they successfully make a variant that
stops the AV from identifying the virus.

To stop this, and give the customers on the firing line a chance to discover
a new virus BEFORE your system is infected, some AV programs also look for
"suspicious characteristics" - this was described fairly well in a separate
post, so I won't repeat it here. If a file matches too many of the criteria
that are common to viruses, the AV program will report that "file X may be
infected with an unknown virus" or something similar.

When this happens - and it has happened to me - there are three steps that I
follow (and double clicking on the file is not one of them!)

1) work out how long you've had that file - if you've had it for 6 years
it's very unlikely to be a genuine virus (or you would have found it by now
with previous scans). I would treat it as a false positive and test the same
as I would any other "virus warning". But, if it's a new file, you don't
have that safety net - even if the file itself is supposed to be 6 years
old, if you've only just downloaded it, it's new and potentially a problem.
And so to step 2.

2) Visit the major antivirus sites and look at the news section - they will
all have them. If there is a new virus doing the rounds, they will usually
tell you all about it - definitively and quickly. There usually is one, and
if so, I compare the characteristics reported - like filename, file size,
etc - with the suspect file. If the details match, then you know that you've
just been saved by your AV program, and act accordingly. But what if the file
doesn't match any of the new viruses reported over the last week or two?
Does that mean that it's safe and the warning can be disregarded? Not on
your nellie! It's on to step 3.

3) There's always someone in the world who will be the first person to
notice a new virus. SOMEONE has to be first, and it might just be you! Most
AV companies will provide a link or instructions for uploading a suspected
virus so that their scientists can take a look at it. Unless the file is
supposed to contain information that has to be kept secret or private, like
payroll info, bank details, confidential memos, and the like, send it to
your AV company and let them check it. I've done that three times - two were
false positives, and the other was indeed a new virus. (In fact, I was the
third person to report the suspicious file to them, world-wide). Once you
know, you can act.

Antivirus companies love to discover false positives, because they like to
eliminate them, if only to save their researchers time and themselves money.
The more time that gets wasted on the umpteen hundredth report of a false
positive, the less time they have to devote to real viruses. So even if
you're sure it's a false positive (from steps 1 or 2), send it to them
anyway, and in an update or three it should stop being detected. And you'll
have that knowing look about you for quite a while!

Someone here reading over my shoulder as I type has asked how I would deal
with a situation where I got a possible virus in a file that DID contain
sensitive information - payroll info or bank details or whatever. So, for
what it's worth....

Anyone receiving that info either has no business receiving it and deserves
whatever they get, or they have received it legitimately. If you're in a
position to receive that sort of information legitimately, there is usually
an IT security contact you can report to. DO IT. Then, get the person who
sent you the file on the phone. Warn them that they may have a new virus on
their system. Get them to send you a file of the same file TYPE without any
of the sensitive info, immediately. If they really are infected, the same
Heuristic Analysis that warned you in the first place SHOULD react to the
file without the sensitive content in the same way that it did the first
file. If it does, then you have something that can be safely sent to the AV
company for analysis. By the time you are ready to do so, you should have
heard from the IT Security department. Bring them up to date on what you
have done, and ask their permission to send the safe file to the AV company
for analysis - they may well want to do it themselves. Either way, you
should get significant kudos for intelligently handling the situation!

Mike Bourke
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

B. R. 'BeAr' Ederson said:
The only way I would say that a file was definitely a false positive was if
I had a known backup that was not detected (would infer that new virus
definitions were broken),

Dangerous. The malware detection could have been added, newly. (And
could be right about the character of the program!)
if a service such as VirusTotal[1] reported only that vendor saw it as a
virus

Dangerous as well. Especially for new (versions of) programs.
or upon sending the file to the vendor they replied back saying it wasn't
infected.

Best choice. (If you refer to the *AV* vendor / company.)

Fraid not - if they actually reply it can often be days later. And then to
tell you that they're looking into the file and will reply within x
business days.

The best choice is all of them. I should have made it a bit clearer that
one should use various methods to check such things. :-)


Most AV programs don't look for suspicious *behavior*, but for suspicious
*code* when scanning with the heuristic engine(s).

One could also argue that a virus does not delete a file, it merely
contains the code asking the OS to delete a file. IMO the virus still
deletes the file.

But it is a bit more on-topic on comp.security.misc or alt.comp.virus
;-)

True, but I'm a sucker for answering a good question! And also thought this
/was/ in alt.comp.anti-virus...
- --
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFDdL407uRVdtPsXDkRAnj4AJ9KCLUCvbRgSk8yeO+WdNcThSCwoQCghnfH
WFTtS93ErTFJzxcZkjVQ9aU=
=Uoh4
-----END PGP SIGNATURE-----
 
On Fri, 11 Nov 2005 15:52:21 +0000, Adam Piggott wrote:

[Submitting file to AV companies]
Fraid not - if they actually reply it can often be days later. And then to
tell you that they're looking into the file and will reply within x
business days.

How often do you encounter a program containing malware or causing a
possible false positive? I always had to *search* for infected files.
Can't really remember that I *ever* had a truly infected file among
the ones downloaded for testing or usage. False positives might be
sth. between 5 and 10 over the years. Floppy swapping in the late
'80s and early '90s was far more dangerous.

I don't tell this to query the security measures one should adopt.
Quite the opposite: In my opinion a delay of a couple of days (or
even weeks) normally doesn't matter in those rare cases. So it should
be no problem to wait for reaction. Besides: the only sample I ever
submitted took Frisk about 3 years to adopt. I think they somewhat
forgot it and I didn't press the subject because I could use another
version (which always tested okay by all scanners) of the same
program.
The best choice is all of them. I should have made it a bit clearer that
one should use various methods to check such things. :-)

My main goal was to prevent novices in computer security taking your
suggestions too literally.

[Detection of behavior vs. code]
One could also argue that a virus does not delete a file, it merely
contains the code asking the OS to delete a file. IMO the virus still
deletes the file.

What I tried to clarify is that AV programs usually don't execute a
program to observe its *behavior*. That is sometimes done by experts
when *manually* analyzing programs. And even then it is not very often
used, IMHO. An application monitor (like some firewall programs), OTOH,
works that way.

[Not OT or not entirely not OT] ;-)
True, but I'm a sucker for answering a good question! And also thought this
/was/ in alt.comp.anti-virus...

No problem on my side. I couldn't resist, either. ;-)

BeAr
 
It's a matter of knowledge and trust. If you're able to analyse the
program yourself, you can decide the question yourself. If the source
code is available, things are a bit more easy. (Of course, later the
'cleared from suspicion' program has to be compiled from that very
source code and not obtained otherwise.) But analysis can be done by
checking the machine code, too.

I think you may have overlooked adding the words "packet sniffer"
somewhere in your answer. :-)

< snip >

Regards, John.

--
****************************************************
,-._|\ (A.C.F FAQ) http://clients.net2000.com.au/~johnf/faq.html
/ Oz \ John Fitzsimons - Melbourne, Australia.
\_,--.x/ http://www.vicnet.net.au/~johnf/welcome.htm
v http://clients.net2000.com.au/~johnf/
 
On Sat, 12 Nov 2005 10:03:42 +1100, John Fitzsimons wrote:

[Malware analysis]
I think you may have overlooked adding the words "packet sniffer"
somewhere in your answer. :-)

Hm. Not really. ;-) I've 'overlooked' lots of aspects of Safe hex and
program analysis. It is too broad an area to entirely be covered in a
single Usenet posting.

However, a packet sniffer is another level of defence, compared to the
program analysis I talked about. You have to run the suspect program
to get results. If you do so outside a sandbox (and there aren't free
sandbox applications available I'd trust, entirely) the program might
delete your HD while you're watching the packets float by. Further on,
the program could manipulate your sniffer in memory and send packets,
anyway.

That's not an argument against a packet sniffer in general. It's just
that you use such a tool to check against 'seemingly trustworthy'
programs (after virus scans didn't come up with results) or to analyze
suspicious behavior of your working system.

There also is the aspect of 'code analysis while running'. I mentioned
that in another posting. But you need a truly expert level of knowledge
to do that in a secure manner.

BeAr
 
The only way I would say that a file was definitely a false positive was if
I had a known backup that was not detected (would infer that new virus
definitions were broken), if a service such as VirusTotal[1] reported only
that vendor saw it as a virus or upon sending the file to the vendor they
replied back saying it wasn't infected.

I've had virus software report a hit on a text file. I've gotten hits
on program source code, or executable code, that I wrote myself and
*KNEW* was virus-free. And, before you say that the library might
have been infected, I've had it happen on programs written in
assembler that didn't use any libraries.

A lot of virus programs, including Norton and McAfee, reported hits on
anything written in Borland Pascal version 5 and up - and it was due
to a real virus that had been written in BP, so some BP library code
was included in the virus definition.

Virus programs just look for specific text strings in files - if they
find one in the definition file they report a virus. If you point
virus checking program A at virus checking program B's definition
file, and if it's not encoded, you'll get hits on that file.

Bottom line: If you aren't absolutely certain of the source, and you
want to be as safe as possible, accept what the virus checker tells
you and don't run the program. Wear a belt and suspenders, carry your
umbrella even when there's not a cloud in the sky and stay in bed for
the rest of your life.

Most of us aren't quite that paranoid. :)
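Two points from the post above, as an added example that is not part of the thread: a hit from one engine among several is a weak signal and is judged against what the other engines say, and a scanner whose definition file stores raw signature bytes unencoded will itself be flagged by any other scanner that looks for the same bytes. Engine names, signatures and files are all constructed; EngineB's signature is cut from a run-time library routine that benign programs also contain, modelled on the Borland Pascal case above. The XOR encoding of the definition file is not a secrecy measure, it stands in for whatever encoding a real product uses and exists only to keep the raw bytes off disk.

```python
from typing import Dict, Optional

# Constructed vendors with different signature databases for the same worm.
# EngineB cut its signature from a run-time library routine that benign
# programs also contain; the others cut theirs from the payload.
ENGINES: Dict[str, Dict[str, bytes]] = {
    "EngineA": {"Constructed.Worm.A": b"MASS_MAIL_LOOP"},
    "EngineB": {"Constructed.Worm.A": b"RTL_INIT_SEQ"},
    "EngineC": {"Constructed.Worm.A": b"\x90MASS_MAIL_LOOP"},
}


def scan_with(definitions: Dict[str, bytes], data: bytes) -> Optional[str]:
    """Plain substring match, which is all a signature scanner does here."""
    for name, sig in definitions.items():
        if sig in data:
            return name
    return None


def multi_scan(data: bytes, engines=ENGINES) -> Dict[str, Optional[str]]:
    """The same file through every engine, VirusTotal-style."""
    return {vendor: scan_with(defs, data) for vendor, defs in engines.items()}


def consensus(results: Dict[str, Optional[str]]) -> str:
    """Turn per-engine results into the judgement the posters describe."""
    hits = [vendor for vendor, name in results.items() if name is not None]
    if not hits:
        return "no engine flags it (absence of a hit is not proof of cleanliness)"
    if len(hits) == 1:
        return f"only {hits[0]} flags it: probable false positive, submit to that vendor"
    return f"{len(hits)}/{len(results)} engines flag it: treat as infected"


# Constructed files: the worm, and a benign program built with the same
# run-time library, which therefore contains EngineB's signature bytes.
MALWARE = b"MZ" + b"RTL_INIT_SEQ" + b"\x90\x90MASS_MAIL_LOOP"
BENIGN_PASCAL_APP = b"MZ" + b"RTL_INIT_SEQ" + b"print payroll"


def plain_definitions(definitions: Dict[str, bytes]) -> bytes:
    """Definition file that stores raw signature bytes: name=bytes per line."""
    return b"\n".join(name.encode() + b"=" + sig for name, sig in definitions.items())


def encoded_definitions(definitions: Dict[str, bytes], key: int = 0x5A) -> bytes:
    """Same file XOR-encoded.  Not a secrecy measure: it only keeps the raw
    signature bytes off disk so another scanner does not match them."""
    return bytes(b ^ key for b in plain_definitions(definitions))


def load_encoded_definitions(blob: bytes, key: int = 0x5A) -> Dict[str, bytes]:
    """Decode at load time; the scanner still matches raw bytes in memory."""
    out: Dict[str, bytes] = {}
    for line in bytes(b ^ key for b in blob).split(b"\n"):
        name, sig = line.split(b"=", 1)
        out[name.decode()] = sig
    return out


if __name__ == "__main__":
    for label, data in (("malware", MALWARE), ("benign Pascal app", BENIGN_PASCAL_APP)):
        results = multi_scan(data)
        print(label, results, "->", consensus(results))
    defs_c = ENGINES["EngineC"]
    print("EngineA on EngineC's plain definitions:",
          scan_with(ENGINES["EngineA"], plain_definitions(defs_c)))
    print("EngineA on EngineC's encoded definitions:",
          scan_with(ENGINES["EngineA"], encoded_definitions(defs_c)))
```

The worm is caught by all three engines, the benign Pascal program only by EngineB, and EngineA reports a "virus" inside EngineC's plain definition file but not inside the encoded one; none of this proves a file clean, which is why the single-engine case ends in "submit to that vendor" rather than "ignore".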
 
On Fri, 11 Nov 2005 15:52:21 +0000, Adam Piggott wrote:

[Submitting file to AV companies]
Fraid not - if they actually reply it can often be days later. And
then to tell you that they're looking into the file and will reply
within x business days.

Yes, but most often, when someone tells you that x is a FP, it's because
it's often a combination of the following

a) Flagging a file that is very, very reliable - e.g. say something
flagging AVG, or it's patently impossible to be malware, say a txt file.
It's still Possible that the file is infected by a file infector
(unlikely these days) or a trojanised copy but...

b) Lots of people (who you expect to be secure) reporting the same
problem- you might expect one or two people to have a trojanised copy of
a safe file, but lots of people reporting it means it's unlikely.

c) Confirmation by some semi official source on the product forum.

d) No other antivirus detects it. Of course, that's not conclusive on
its own but I would be very suspicious if only one scanner flags it,
especially together with the conditions stated above.

Of course this is not 100% confirmation.


How often do you encounter a program containing malware or causing a
possible false positive?

Depends on how many scanners you use. The more you use, the more likely
of a FP.
My main goal was to prevent novices in computer security taking your
suggestions too literally.

You are right of course, no one can be 100% sure about these things.
[Detection of behavior vs. code]

Well yes, suspicious code that does suspicious behavior in some.
And some do emulation and all that crap.

What I tried to clarify is that AV programs usually don't execute a
program to observe its *behavior*.

True, except some that use emulation I think. And some like Panda's
truprevent (not freeware) actually does monitor behavior.
 
Depends on how many scanners you use. The more you use, the more likely
of a FP.

The best AV programs are optimized both ways. So a program which causes
lots of false positives is normally not developed and updated in a
sufficient way. I'd change to better ones. I barely encounter false
positives with F-Prot, F-Secure, McAfee, AVP (some OT).
[Detection of behavior vs. code]
Most AV programs don't look for suspicious *behavior*, but for
suspicious *code* when scanning with the heuristic engine(s).

Well yes, suspicious code that does suspicious behavior in some.
And some do emulation and all that crap.

Yes, I know. NOD32 and Norman antivirus are typical examples. But
that's not the most common approach and only okay when combined
with other means of detection. Important is virtualization of a
*complete* system. (No means to break out of the Sandbox.) There
are other issues which make this kind of detection a more
uncommon one...
True, except some that use emulation i think. And some like Panda's
truprevent (not freeware) actually does monitor behavior.

Your sample TruPrevent is an example of the increase of 'security
suites' and not a virus scanner. I'm not too happy about that latest
trend. Instead of combining the best tools of every kind on own
account, one gets a complete package with loads of unneeded
functionality and parts of less quality. :-(

BeAr
 
