Even Antivirus Scanners Make Mistakes

In his heart, Security Supersite Editor Larry Seltzer knew his virus scanning software was just wrong. So who was right, the scanner or common sense? Thanks to a free service, he was able to confirm or deny the results.

Security fundamentally requires trust. You can't function without trusting some other users and some programs. On the other hand, you can't completely trust everything, and that includes normally trustworthy software, such as Symantec's Norton AntiVirus.

A couple of months ago I began receiving virus notifications about a file that had been on my hard disk for a while. At that time, I was testing spyware removal tools for PC Magazine and this was the install file for one of the products. NAV reported that it found Backdoor.IRC.dr in the file. The suspicion about this infection was either inaccurate or newsworthy.

While Symantec was checking on it, I decided to double-check their results. Several antivirus vendors have a Web page where you can upload a file for them to scan (see Kaspersky's page for example).

Trend Micro takes this a step further and lets you scan whole drives through an ActiveX control version of their PC scanner called Trend HouseCall. The software is pretty neat, but be advised that it's also very slow, and that's not counting the time it takes to download, which wasn't a short while for me.

HouseCall's scan is also slow, but at least Trend provides some entertainment in the form of a "Virus Knowledge Quiz" while the scan runs. However, I suggest that you answer "no" to the fifth and final question: Is HouseCall all you need for virus protection?

If a real infected file gets onto your system to the point where you have to find it with a manual scan like this, the barn door's already open and the horse is in the next county. You need live protection. But if all you need is a quickie scan of a file or drive, HouseCall can be just what the doctor ordered.

In addition, if you suspect spyware has found its way onto your system but don't want to install a whole scanning application, there's now an online spyware scanner, PestPatrol's PestScan. Like HouseCall, this is an ActiveX control.

Meanwhile, neither HouseCall nor any of the other scanners I tried found anything really wrong with that suspect file. Symantec got back to me to say that the code resulting in the false positive was fixed in the next day's definitions.

But even if I hadn't had the other scanners to use, there were plenty of common sense reasons to suspect that the report was false. This file had been on my system for some time. If it was the only infected file on my system—as the reports indicated—then it must have come to my system infected. And it didn't make sense that such an infection could have been out in the wild for that length of time without making its way into NAV's set of virus definitions.

Every time I've seen a real virus get through Norton's protections (it's happened a couple of times recently), the culprit has been a new, fast-spreading outbreak like Sobig.E. So once again, common sense is your most important resource when it comes to your ongoing security.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.