A tale from the land of false positive results

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

A tale from the land of false positive results

Post by Argus »

In most cases I don't think a false positive AV result is worth mentioning; it is just a glitch, usually solved very quickly nowadays with a later version of the AV definitions. But then how do you know it is a false positive? Well, one obvious indication is the definitions I mentioned: if no malware is found with a later version, then that is one way to know. But one cannot always wait for a new definition. I will explain my case below and give one example of how you can compare your results.

But first some general comments about false positive results, from my point of view. I said that it is usually just a glitch; but it can indeed become a disaster; my case was definitely not that, rather amusing in fact. There are of course some cases when a false positive result can go really bad, depending on the user's actions and depending on the settings in the AV software.

For example, say that the software finds something in the mail folder/file(s) (a false positive), and then, in the worst case scenario, it is running with its default settings (such as “auto heal”, “auto remove” etc., if such alternatives are present in the software). As we know, many times it isn’t possible to remove a virus from a file; it is better to delete the file, and that is what the AV software will do if it cannot remove the virus.

Ah, someone says, but we do have a "virus vault", no need to delete the file(s), just move it to the vault, or let the software move it automatically. Ah yes, most AV software seems to have that nowadays. Also, by default settings, in my worst case scenario, :grin: the vault usually has a limited size, say a few GB (usually it is set as a percentage of the partition, and 10% can of course be 25-50 GB nowadays, thus very large). What happens if the default size is set, and the above-mentioned mail files are too big? Poof! Gone. It has happened that people have lost their files that way; and if caused by a false positive it feels even more annoying. That is the reason why I don't limit the size of the virus vault, and why I don't use "auto heal" (whatever that means in all the different cases). Speaking about false positives, some years ago many users of Pegasus Mail had great problems with one specific AV software.

In such cases it can be very good to mention the false positive so that other people can be warned, and the definitions can be updated. The above-mentioned case, files lost from the “virus vault”, isn't a problem if one has good backups, since it is a simple false positive. Just change the settings in the AV software, maybe roll back to an earlier definition (if possible) and restore the file(s). (Real malware can be a real problem when it comes to backups, finding a clean backup etc., but it is still much better than having no backups at all. However, backups and real malware are not the topic of this post.)

So, what happened in my case? The other day, some half hour after a restart of the PC, I got an alert from the resident AV component. At that point the PC was running idle, I had only logged on. As we all know, at the start or at log on time, the OS uses some files it never bothers with otherwise. This was my first restart with the latest AV definitions from the day before, so in retrospect what happened was not so surprising. Somehow wmiprvse.exe, a host process for WMI, had decided to touch photowiz.dll, and then the resident shield in the AV software jumped in and called the latter file a trojan horse, one of those with a gazillion variants (dot ABC, dot ABD etc.), it seemed.

Some quick tests with different antispyware software were done, and nothing was found (but the resident shield popped up, as expected, whenever one of the AS programs happened to get close to the file). So, what to do, what to do? The file is a Microsoft OS file. I happened to have some SP3 ISO files and also the SP3 update (WindowsXP-KB936929-SP3-x86-###.exe) around, and decided to do an “on demand” scan with the AV software on the latter update file. What did it find?
(attached image: Scan.png)
So, the trojan horse had not only infiltrated my OS directory, it had also jumped into an old install file on another partition. Clever. Of course, under more “normal” circumstances one would guess that the installation file was the origin of the trojan, but not this time. Now it got quite amusing, step two: download the SP3 update once more from Microsoft. A new scan with the AV software, same result; it points out photowiz.dll as a trojan horse. Some hours later I downloaded new definitions and then nothing was found.

What can one learn from this?
If an OS file is suddenly flagged as containing a virus or malware in general, and you have no reason to believe that the file has changed, check with another copy of the same file, for example inside some update. If you get the same result the second time, as I did, then something is probably wrong with the AV definition. Obviously there are many different ways that we can suspect a false positive.

And above all, as the old Dr Solomon's said (anyone remember that old giant on the AV scene?), “don’t panic”. (Also one of several good quotes from “The Hitchhiker's Guide to the Galaxy”.)

I didn’t bother to report this in the user forum for the AV software; I have an account there, or I should say had, since they have changed to new software and everyone had to re-create their accounts... Also, they would probably have bugged me to upgrade to the latest version. But as mentioned, the next definition had changed its mind about the file.
Byelingual    When you speak two languages but start losing vocabulary in both of them.
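The "check with another copy of the same file" step from the post above, as an added example that is not code from the original post: it hashes the flagged file and independent reference copies (one extracted from a service pack package, one freshly downloaded from the vendor) and turns the comparison into a verdict. File names in the demo are constructed.

```python
"""Added example, not from the original post: triage an AV hit on an OS file
by comparing it with independent copies of the same file. File names below
are constructed; the real suspect would be the flagged file in the OS
directory, the references copies extracted from a service pack or a fresh
vendor download."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    """Stream the file so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_hashes(suspect: str, references: list) -> str:
    """Verdict from SHA-256 digests (suspect vs. reference copies).

    no-references         nothing to compare against; wait for new definitions
    references-disagree   reference copies differ among themselves: no baseline
    suspect-differs       flagged file is not what the vendor shipped; treat
                          as a real hit until proven otherwise
    likely-false-positive flagged file is byte-identical to every reference
    """
    if not references:
        return "no-references"
    if len(set(references)) > 1:
        return "references-disagree"
    if suspect != references[0]:
        return "suspect-differs"
    return "likely-false-positive"


def triage(suspect_path, reference_paths) -> str:
    """Same verdict, computed directly from files on disk."""
    return triage_hashes(sha256_file(suspect_path),
                         [sha256_file(p) for p in reference_paths])


if __name__ == "__main__":
    # Constructed demo: the OS copy plus two independent copies, all identical.
    with tempfile.TemporaryDirectory() as d:
        paths = [Path(d) / n for n in ("photowiz.dll", "from_sp3.dll", "fresh.dll")]
        for p in paths:
            p.write_bytes(b"MZ constructed sample, not a real PE\n")
        print(triage(paths[0], paths[1:]))  # likely-false-positive
```

Identical digests only show that the flagged file is unchanged relative to the references, not that the references themselves are clean, which is why a fresh download from the vendor (as in the post) is the reference worth having.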

Hey Jude
5StarLounger
Posts: 1015
Joined: 24 Jan 2010, 15:45
Location: Ohio, U.S.A.

Re: A tale from the land of false positive results

Post by Hey Jude »

Argus wrote: There are of course some cases when a false positive result can go really bad, depending on the user's actions and depending on the settings in the AV software.
Depending on the user's "reaction" or "overreaction", the results you had could have been disastrous. I'm very happy you were astute enough to methodically deduce that it was a false positive :clapping: :grin: :cheers:
♫...Take a sad song and make it better . . .♫

HansV
Administrator
Posts: 78235
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: A tale from the land of false positive results

Post by HansV »

"Don't panic" is wise advice indeed.

I've had some false positives, but fortunately most were rather obvious. For example, I've set my browser to start with a blank page, and several of the antispyware programs I've used considered this to be a browser hijack :crazy:
Best wishes,
Hans

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: A tale from the land of false positive results

Post by Argus »

HansV wrote: "Don't panic" is wise advice indeed.
Heh, indeed. I was sitting at another desk and didn't bother to walk over to that PC for some 10 minutes. :grin:
HansV wrote: ... considered this to be a browser hijack :crazy:
That's indeed crazy.

I would say that, and I know that we all have seen this so many times, odd things happen and they are not malevolent in the absolute majority of the cases. Some years ago when I started Fx it loaded msn.com, instead of the blank page or the start page I used; that was the start page in IE at the time (I hadn't changed it since I didn't use IE), and I hadn't visited it with Fx before it happened. Odd. To know what's wrong one has to know how it should be, how it should look. That's one reason why it's good to take a closer look at the start-up programs and running processes every now and then, starting when the OS is installed.
Byelingual    When you speak two languages but start losing vocabulary in both of them.