Author Topic: Eset False Positive Fiasco  (Read 8169 times)

mouser

Eset False Positive Fiasco
« on: March 17, 2009, 12:12 AM »
We've had so many problems with false positives by irresponsible antivirus vendors that I feel bad picking on Eset, which by my account is actually one of the most responsible antivirus companies in terms of avoiding false positives.  I'm hoping that the attention they get from this embarrassing incident will cause them to even more seriously watch out for such mistakes.

Antivirus companies MUST stop this reckless and irresponsible behavior of simply wiping out files that match some hastily added new heuristic file signature.  It scares novice users to death and damages the reputation of software authors.

The solution that antivirus companies need to adopt is simple: Treat your users like human beings.  Be honest about what was found when a file is discovered that matches an antivirus signature.  Give the user some estimate of the confidence of the alarm, when the signature was added, and give them some choices about what to do instead of just wiping out system files, etc.  It's not rocket science, it's your damn job.

ESET, the developer of the NOD32, made the subject of a new anti-virus false positive incident that affected operating system files. Due to a quality control error, an update to the heuristics module improperly tagged at least two legit Windows files as being infected with Win32/Kryptik.JX.

According to the company, the flawed v1091 update was released to users on Sunday, March 8th, at 9:52PM PDT. The ESET products that had the misfortune to "benefit" from this upgrade, quarantined vital Windows components such as the dllhost.exe, the Microsoft DCOM DLL Host Process responsible with the proper operation of DLL-based applications, or the msdtc.exe, the Distributed Transaction Coordinator used by the Microsoft Personal Web Server and Microsoft SQL Server.

Fortunately, the glitch was noticed and addressed very quickly by ESET and did not have time to affect a lot of users. "The update downloads were stopped within ten minutes of the update release, and the update was reverted to its previous version. Due to this immediate response, less than 5% of our users were affected," the company said.

We previously reported about a UK company selling flower arrangements online, whose image was damaged by a false positive on one of its newsletters by the products of Symantec-owned e-mail security company MessageLabs.

When such incidents involve systems files, they are also potentially dangerous. In November 2008, AVG Anti-virus deleted user32.dll and left computers unable to boot into the operating systems, because it confused it with a banking trojan. A month earlier, McAfee incorrectly tagged the Windows Vista console IME as a password-stealing trojan. Trend Micro also had its share of buggy updates, as in September last year a similar mistake left the computers of its customers unbootable or unstable after three Windows components had been wrongfully removed.




from http://tech.cybernetnews.com/

nosh

Re: Eset False Positive Fiasco
« Reply #1 on: March 17, 2009, 12:51 AM »
And I thought they could do no wrong. :(

barney

Re: Eset False Positive Fiasco
« Reply #2 on: March 17, 2009, 02:18 AM »
Well-l-l ...
They're damned if they do and they're damned if they don't [sigh /].

There's at least one resident of this domicile that would totally panic at such a message popping up.  She doesn't know - and has no desire to know - enough to interpret such a popup, and would be as lief as not to hit the wrong button.  Your solution, Mouser, would be no solution at all for her.  Mind you, I like it, but it would be worse than useless to her.  And, unfortunately, to a great number of folk I know [sigh /].

Most folk just want something that works out of the box, w/o having to do anything other than press a button, click an icon or link, and have just what they expect on the screen in front of them.  The aforementioned young lady gets irritated if the app asks her whether to create a new file or reload the previous one [chuckle /].

Methinks the answer would be more along the lines of better in-house, pre-release testing, then significant beta testing.  Of course, that's even less likely than your conceptualization.  And highly unlikely, particularly, in the threat arena, even if 'twere an adopted practice otherwise.

My young lady's take - and I tend to agree - is that it should just work, and if it doesn't, the vendor sold a faulty product.  Actually, we've all contributed to that attitude - we who know better! - and now it's coming home to roost.

Told my boss back in '95 that if the Internet was an information highway, she needed to get a driver's license.  Still think that way, but it ain't gonna happen any more than it did with my boss.  We are inundated, day in and day out, with PC and software vendors promoting the next greatest thing, to the extent that education goes by the wayside, tossed into the gutter along the highway.

Ack!  This is turning into a rant.

Anyway, mouser, your solution will work for thee, me, and our kindred souls, but not for the majority of PC users.  They don' wanna make decides, they just want results right now!

mwb1100

Re: Eset False Positive Fiasco
« Reply #3 on: March 17, 2009, 02:22 AM »
Your solution, Mouser, would be no solution at all for her.  Mind you, I like it, but it would be worse than useless to her.  And, unfortunately, to a great number of folk I know [sigh /].

While getting an inscrutable error message might not be the best thing for most people, it can't be worse than rendering the system fubar.

gonetomorrow

Re: Eset False Positive Fiasco
« Reply #4 on: March 29, 2009, 01:00 PM »
Gentlemen,
    To avoid high blood-pressure simply press F5 and change ALL settings to NO cleaning.  ESET is far and away the best software I've used.
    Also, be sure to change the firewall setting in SmartSecurity to "Interactive" mode so you have control.  Windows search function always tries to phone-home.  Just block it.  You're set.
    You can add nuisance false detections to "exceptions".  Hope this helps people not to be afraid to use the best product there is IMHO.

J-Mac

Re: Eset False Positive Fiasco
« Reply #5 on: March 29, 2009, 01:26 PM »
Gentlemen,
    To avoid high blood-pressure simply press F5 and change ALL settings to NO cleaning.  ESET is far and away the best software I've used.
    Also, be sure to change the firewall setting in SmartSecurity to "Interactive" mode so you have control.  Windows search function always tries to phone-home.  Just block it.  You're set.
    You can add nuisance false detections to "exceptions".  Hope this helps people not to be afraid to use the best product there is IMHO.
-gonetomorrow (March 29, 2009, 01:00 PM)

Exactly what I do now. However I agree with barney in that a lot of people wouldn't have a clue as to what they should do with a popup warning. And they feel that the decisions shouldn't all be left to them - they purchased and installed the software so that they wouldn't have to become PC security experts.

Jim