But first some general comments about false positive results, from my point of view. I said that it is usually just a glitch; but it can indeed become a disaster; my case was definitely not that, rather amusing in fact. There are of course some cases when a false positive result can go really bad, depending on the user's actions and depending on the settings in the AV software.
For example, say that the software finds something in the mail folder/file(s) (a false positive), and then, in the worst case scenario, it is running with its default settings (such as “auto heal”, “auto remove” etc. if such alternatives are present in the software). As we know, many times it isn’t possible to remove a virus from a file, it is better to delete the file, and that is what the AV software will do if it cannot remove the virus.
Ah, someone says, but we do have a "virus vault", no need to delete the file(s), just move it to the vault, or let the software move it automatically. Ah yes, most AV software seems to have that nowadays. Also, by default settings, in my worst case scenario,

In such cases it can be very good to mention the false positive so that other people can be warned, and the definitions can be updated. The abovementioned case, files lost from the “virus vault”, isn't a problem if one has good backups, since it is a simple false positive. Just change the settings in the AV software, maybe roll back to an earlier definition (if possible) and restore the file(s). (Real malware can be a real problem when it comes to backups, finding a clean backup etc. but it is still much better than having no backups at all. However, backups and real malware are not the topic of this post.)
So, what happened in my case? The other day, some half hour after a restart of the PC, I got an alert from the resident AV component. At that point the PC was running idle, I had only logged on. As we all know, at the start or at log on time, the OS uses some files it never bothers with otherwise. This was my first restart with the latest AV definitions from the day before, so in retrospect what happened was not so surprising. Somehow wmiprvse.exe, a host process for WMI, had decided to touch photowiz.dll, and then the resident shield in the AV software jumped in and called the latter file a trojan horse, one of those with a gazillion variants (dot ABC, dot ABD etc.), it seemed.
Some quick tests with different antispyware software were done, and nothing was found (but the resident shield popped up, as expected, whenever one of the AS software happened to get close to the file). So, what to do, what to do? The file is a Microsoft OS file. I happened to have some SP3 ISO files and also the SP3 update (WindowsXP-KB936929-SP3-x86-###.exe) around, and decided to do an “on demand” scan with the AV software on the latter update file. What did it find?
So, the trojan horse had not only infiltrated my OS directory, it had also jumped into an old install file on another partition. Clever. Of course, under more “normal” circumstances one would guess that the installation file was the origin of the trojan, but not this time. Now it got quite amusing, step two: download the SP3 update once more from Microsoft. A new scan with the AV software, same result; it points out photowiz.dll as a trojan horse. Some hours later I downloaded new definitions and then nothing was found.
What can one learn from this?
If an OS file is suddenly flagged as containing a virus or malware in general, and you have no reason to believe that the file has changed, check with another copy of the same file, for example inside some update. If you get the same result the second time, as I did, then something is probably wrong with the AV definition. Obviously there are many different ways that we can suspect a false positive.
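The check described above, as an added example that is not part of the original post: it hashes the flagged file and an independently obtained copy (for instance one taken from a freshly downloaded update) and combines that with the scanner verdicts you observed on each. The function names, file names and verdict labels are hypothetical, the files are constructed stand-ins, and no AV product is called.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Hash in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(installed, reference, installed_flagged, reference_flagged):
    """Classify an alert; the *_flagged verdicts are ones you observed yourself."""
    if not installed_flagged:
        return "no-alert"
    if sha256_of(installed) != sha256_of(reference):
        # Different version or a modified file: do not dismiss the alert.
        return "file-differs-investigate"
    if reference_flagged:
        # Identical bytes from an independent source, same verdict:
        # the detection follows the content, so suspect the definitions.
        return "probable-false-positive"
    # Same bytes, different verdicts: the alert depends on something else.
    return "inconsistent-verdicts"


def demo():
    """Run the triage on constructed stand-in files (not real OS binaries)."""
    body = b"constructed sample content" * 1000
    with tempfile.TemporaryDirectory() as tmp:
        installed = Path(tmp, "installed.dll")
        from_update = Path(tmp, "from_update.dll")
        tampered = Path(tmp, "tampered.dll")
        installed.write_bytes(body)
        from_update.write_bytes(body)
        tampered.write_bytes(body + b"\x00")
        return (
            triage(installed, from_update, True, True),
            triage(tampered, from_update, True, True),
            triage(installed, from_update, True, False),
        )


if __name__ == "__main__":
    print(demo())
```

Only the first outcome supports restoring the file; a hash mismatch means the installed file is not the copy you compared it with, so the alert stays open.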
And above all, as the old Dr Solomon's said (anyone remember that old giant on the AV scene?), “don’t panic”. (Also one of several good quotes from “The Hitchhiker's Guide to the Galaxy”.)
I didn’t bother to report this in the user forum for the AV software; I have an account there, or I should say had, since they have changed to new software and everyone had to re-create their accounts... Also, they probably would have bugged me to upgrade to the latest version. But as mentioned, the next definition had changed its mind about the file.