Security organizations are in a constant battle with malware authors, trying to protect end users from being infected by "bad stuff". As we have discussed numerous times, the volume of malware increases exponentially, and new techniques for spreading malware evolve all the time. This of course makes the security organizations' task increasingly difficult.
As we shall see in this week's security article, some undesirable side effects unfortunately occur from time to time.
Google is one of the most visited web sites on the entire Internet. One of the search engine's features is that search results pointing to web sites with potentially malicious content are flagged with a warning. This is of course a nice feature, which protects surfers from inadvertently visiting malicious web sites.
However, on 31 January this year a minor programming error in Google's system resulted in every web site in the search results being marked with "This site may harm your computer". The situation was resolved in less than one hour and probably did not have very serious consequences, though some may have occurred:
This incident may be seen as a special case of a so-called "false positive incident", a term which is not uncommon in other parts of the computer security industry.
In the antivirus industry, the term false positive is used for the situation when the antivirus program reports that a particular file/program is malicious even when it is not.
All major antivirus companies have incidents in their history where their product reported a false positive on a program. In most cases this is not serious, as the file mistakenly reported as malicious is not a critical system file. The vendor of the antivirus product will also do its utmost to fix the problem as soon as possible with a new, corrected malware signature update.
Unfortunately, the antivirus product will sometimes report a false positive on a critical system file or another critical file. This may lead to situations with severe effects for affected customers: computers may not start after rebooting, vital tasks cannot be completed, etc. Even after the antivirus vendor has released a corrected update, it can be cumbersome for affected customers to restore their systems to a working state.
Similar situations can occur with other security programs, such as intrusion detection/prevention systems. The problem here is that some action a program performs legitimately, but in an unusual manner, may be perceived by the security system as malicious and blocked.
Such situations are of course among the worst incidents for a vendor, since it has caused major problems for its customers. The customers are irritated (for good reason), and the media coverage can be harmful for the vendor.
Unfortunately, a complete safeguard against this does not exist with current technology. The combination of ever higher malware volume and the need for more frequent malware signature releases is a threat to the quality assurance process, and makes it close to impossible to guard completely against false alerts on legitimate software. The fact that Norman's current virus detection files contain more than 2.6 million unique signatures gives a hint of the magnitude involved.
The potential for false positives increases with the number of signatures, and also with the use of technology that finds malware based on, for example, suspicious behavior.
What the security industry must do, and does, is to keep building better systems for testing its detection files, so as to avoid false positive detections, in particular on critical files. This means the security vendors have to maintain huge databases of, for example, operating system files in all languages, for all service packs and for all security patches, and these databases must be updated immediately when a software vendor releases a new version of any of these components. Building sufficient testing systems is in itself a task that requires a lot of resources. The testing is also time-consuming, which can be a serious handicap when one needs to issue new files for a particular new threat.
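An added illustration of the pre-release check described above: a release gate that runs a candidate signature set against a corpus of known-good files and refuses to ship if any signature hits a critical clean file, plus a hash allowlist the scanner consults before quarantining. This is example code written for this article, not Norman's own system; the file names, file contents and signature names are constructed.

```python
import hashlib

# Constructed stand-in for a vendor's database of known-good files, keyed by
# file/language/service pack. Contents and names are made up for this example.
CLEAN_CORPUS = {
    "kernel32.dll/en/sp3": b"MZ\x90\x00\x03PE\x00\x00LoadLibraryA\x00GetProcAddress\x00",
    "kernel32.dll/de/sp2": b"MZ\x90\x00\x03PE\x00\x00LoadLibraryA\x00GetProcAddress\x00\x01",
    "notepad.exe/en/sp3": b"MZ\x90\x00\x03PE\x00\x00Untitled - Notepad\x00",
}
# Files whose removal would stop the machine from booting: a hit here blocks release.
CRITICAL = {"kernel32.dll/en/sp3", "kernel32.dll/de/sp2"}

# Constructed candidate signature release (byte patterns); names are hypothetical.
CANDIDATE_SIGNATURES = {
    "Trojan.Sample.A": b"\xeb\xfe\x90\x90\xcc",            # specific, no clean hit expected
    "Worm.Sample.B": b"LoadLibraryA\x00GetProcAddress",    # too generic, hits clean DLLs
    "Adware.Sample.C": b"Untitled - Notepad",              # hits a non-critical clean file
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def find_false_positives(signatures, corpus):
    """Return {signature: [clean files it matches]} for every signature hitting
    at least one known-good file."""
    hits = {}
    for name, pattern in signatures.items():
        matched = sorted(f for f, data in corpus.items() if pattern in data)
        if matched:
            hits[name] = matched
    return hits

def release_gate(signatures, corpus, critical):
    """QA gate run before publishing a signature update: block on any hit against
    a critical clean file, report other clean hits as warnings for human review."""
    fps = find_false_positives(signatures, corpus)
    blocking = {n: [f for f in files if f in critical]
                for n, files in fps.items() if any(f in critical for f in files)}
    warnings = {n: files for n, files in fps.items() if n not in blocking}
    return {"release_ok": not blocking, "blocking": blocking, "warnings": warnings}

def build_allowlist(corpus):
    """SHA-256 allowlist shipped with the signatures: a later signature error
    then cannot quarantine these files on customer machines."""
    return {sha256_hex(data): name for name, data in corpus.items()}

def should_quarantine(data, signatures, allowlist):
    """Scanner decision: allowlisted files are never quarantined; otherwise
    return the name of the first matching signature, or None."""
    if sha256_hex(data) in allowlist:
        return None
    return next((n for n, p in signatures.items() if p in data), None)
```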
As usual there is a conflict between the need for fast and precise releases of signatures and detection technology, and the need for testing to avoid undesired consequences for customers if errors occur.
This is also a part of the battle against malware!