That False Positive: the Real Positive

If you’re expecting me to try to capitalize on the misfortunes of McAfee (and more so of its customers) because I work for another vendor, boy, are you looking at the wrong blog. This is yet another case of “there but for the grace of God…”: no vendor is immune to false positives, and while we would all like to achieve the goal of 100% detection with 0% false positives, it isn’t achievable: not with antivirus, not with any of the panaceas du jour that are already being touted in some quarters, not with any other operating system that you may happen to prefer to any of Microsoft’s. That’s a technical issue, and no amount of shouting “this shouldn’t happen” and suggesting that red-hot pokers should be thrust into McAfee’s collective eyes will change it.

Any honest researcher will acknowledge that there is a constant, unavoidable trickle of false positives that mostly go unnoticed. Unfortunately, every so often a false positive will cause enough damage to cause a PR disaster. Most of us have been there, and those who haven’t surely will.

This does not mean at all that I aim to trivialize the impact of an event like this on the customers who are affected by it. But the measure of a vendor’s worth isn’t whether it generates a false positive, or whether it offers a convincing auto-da-fé before being burned at the stake on a fire fed by its own product packaging, but what positive act of remediation it responds with.

There is plenty of comment around demonstrating the impact of this FP on McAfee customers, and while I suspect that some of it will be seized on with the intention of proving that the AV industry is staffed with incompetents and worse – it isn’t (in general)! – that doesn’t mean that the community at large doesn’t have a right to know what happened.

What I’m not seeing is acknowledgement that McAfee have made strenuous attempts to offer help to people and companies affected by this issue, and pointers to those attempts. The company did what any responsible company would do: it withdrew the update as soon as it became aware of the problem, and generated an amended update as quickly as possible. I don’t see corporate spin here: I see a company concerned with limiting the damage to its customers, not just to its own reputation.

So here are a couple of pointers and some relevant extracts.

http://us.mcafee.com/en-us/landingpages/npdatupdate.asp?cid=77151 offers a quick guide to remediation for consumers.

http://siblog.mcafee.com/support/mcafee-response-on-current-false-positive-issue/

Corporate Customers
– These entries in our virus information library and the knowledge base provide workarounds for this issue for corporate customers
– Customers are discussing the issue in our online support community

Consumers
– This support page provides information for impacted consumers
– Consumers are also discussing the topic in the online community

http://siblog.mcafee.com/support/a-long-day-at-mcafee/

“If you are an enterprise/corporate account, and you have an issue, these entries in our virus information library and the knowledge base provide workarounds for this issue. If you are a consumer and have an issue, this support page provides information for impacted consumers, or call +1 866 622 3911. We have teams of people standing by to help. (To contact McAfee by phone in your region, go to the “Contact Us” page on our Web site and select your country for the correct number.)”

The essential steps are:

  • checking that you don’t have the defective DAT
  • if you do, and you have the looping boot problem, safebooting to remove the defective DAT and de-quarantining or replacing svchost.exe

The McAfee knowledgebase article at https://kc.mcafee.com/corporate/index?page=content&id=KB68780 also refers.

David Harley FBCS CITP CISSP
AVIEN Chief Operations Officer
Mac Virus
Small Blue-Green World
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/blog
http://macvirus.com/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://chainmailcheck.wordpress.com
http://amtso.wordpress.com