Even Antivirus Scanners Make Mistakes

By Larry Seltzer  |  Posted 2003-07-25

In his heart, Security Supersite Editor Larry Seltzer knew his virus scanning software was just wrong. So who was right, the scanner or common sense? Thanks to a free service, he was able to confirm or deny the results.

Security fundamentally requires trust. You can't function without trusting some other users and some programs. On the other hand, you can't completely trust everything, and that includes normally trustworthy software, such as Symantec's Norton AntiVirus.

A couple of months ago I began receiving virus notifications about a file that had been on my hard disk for a while. At that time, I was testing spyware removal tools for PC Magazine and this was the install file for one of the products. NAV reported that it found Backdoor.IRC.dr in the file. The suspicion about this infection was either inaccurate or newsworthy.

While Symantec was checking on it, I decided to double-check their results. Several antivirus vendors have a Web page where you can upload a file for them to scan (see Kaspersky's page for example).
Trend Micro takes this a step further and lets you scan whole drives through an ActiveX control version of their PC scanner called Trend HouseCall. The software is pretty neat, but be advised that it's also very slow, and that's not counting the time it takes to download, which wasn't a short while for me.
HouseCall's scan is also slow, but at least Trend provides some entertainment in the form of a "Virus Knowledge Quiz" while the scan runs. However, I suggest that you answer "no" to the fifth and final question: Is HouseCall all you need for virus protection? If a real infected file gets onto your system to the point where you have to find it with a manual scan like this, the barn door's already open and the horse is in the next county. You need live protection. But if all you need is a quickie scan of a file or drive, HouseCall can be just what the doctor ordered.

In addition, if you suspect spyware has found its way onto your system but don't want to install a whole scanning application, there's now an online spyware scanner, PestPatrol's PestScan. Like HouseCall, this is an ActiveX control.

Meanwhile, neither HouseCall nor any of the other scanners I tried found anything really wrong with that suspect file. Symantec got back to me to say that the code resulting in the false positive was fixed in the next day's definitions. But even if I hadn't had the other scanners to use, there were plenty of common sense reasons to suspect that the report was false. This file had been on my system for some time. If it was the only infected file on my system—as the reports indicated—then it must have come to my system infected. And it didn't make sense that such an infection could have been out in the wild for that length of time without making its way into NAV's set of virus definitions. Every time I've seen a real virus get through Norton's protections (it's happened a couple of times recently), the culprit has been a new, fast-spreading outbreak like Sobig.E. So once again, common sense is your most important resource when it comes to your ongoing security.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
