I have been reading the debate about smtp-rejection/bouncing/whatever
with much interest, and I just wanted to mention a few thoughts on false
positives.
False positives are statistically very unlikely, but they are still worth
worrying about for *any* virus scanner, because they are perhaps not
quite as improbable as they might seem.
I found a false positive once in McAfee VirusScan 4.x. I had written a
small simple file-replication utility and deployed it on all the Windows
98 computers on our network. One morning I got a bunch of phone calls.
It seems that everybody had viruses! I was greatly dismayed by this
because I had been keeping our McAfee up-to-date with automated updates
(and this was before the virus-storms that drove the auto-update
mentality into us all, so at that time auto-updating was off by default
on that version of McAfee). Anyway. When I examined the affected
computers, I discovered that it was reporting my file-replication
utility as a virus (a specific one, not a heuristically-probable virus;
unfortunately I don't remember the specific name). At first I thought it
was a file-infector virus, but when I compared the infected binary to my
master copy, straight out of my Delphi 4.0 compiler, it was the same
byte-for-byte. Well, I knew for darn sure that *I* didn't write a virus,
so I forwarded a copy of it to McAfee, and the next day they wrote back
saying that it was a false positive, and that they had already fixed it
in the next set of updates.
But that is just an example of me being wildly randomly unlucky, right?
Not necessarily. McAfee didn't give me the wonderful level of
transparency and developer feedback that ClamAV gives me, so I really
don't know exactly what the details were of that false positive, but I
can speculate.
Virus scanners keep a database of signatures that they match files
against, right? And if you think of these signatures as random, being
matched against random data, and you work out the probability of a false
positive that way, the risk is astronomically low... but signatures are
not really random, and the data in scanned files is not even remotely
random. My false positive was on a program I had written in Delphi, a
language for which one can find a large number of freely available
re-usable packages. Suppose that a virus author writes a virus in Delphi
using some re-usable components, the very same ones that I use in my
program. When the virus is detected, the virus signature is created on
what seems to be a unique sequence within the virus exe... but maybe the
signature is created against the code that was generated when the
re-usable component was compiled-- the very same block of code that
exists in my own program.
How, when creating a signature against a virus, can you be sure that
your signature actually matches the viral portion of the virus and not a
generic "library code" portion of the virus which might also appear in
other benign programs?
Anyway. Although I worry about false positives, that fear is not enough
to make me v-spam a bunch of innocent header-forging-victims, so I
leave remote notification turned off. What I do instead, is to filter
all my administrator warnings into a folder of my postmaster account, so
I can check occasionally and see what is getting blocked. Catching a
false positive after-the-fact is better than not catching it at all. I
recently wrote a little shell-script to be run as a cron job to show the
names of all the viruses that I have blocked recently.
#!/bin/sh
# Count the virus names in the postmaster's quarantine-warning folder.
cd ~postmaster/Maildir/.virus-warning || exit 1
for I in cur/* new/* ; do
# The name sits two lines below the "reported to be" line; keep only that line.
grep -A2 "^The virus was reported to be" "${I}" | tail -1
done | sort | uniq -c | sort -gr
This script generates output that looks something like this:
190 Worm.SomeFool.X
43 Worm.SomeFool.Gen-1
28 Worm.SomeFool.P
24 Worm.SomeFool.I
10 Worm.SomeFool.Q
9 Worm.SomeFool.Gen-2
3 Worm.SomeFool.AB
3 Worm.Bagle.Z
3 Worm.Bagle.Gen-zippwd
2 Worm.Bagle.N
1 Worm.Bagle.Gen-vbs
Which is exactly what I would expect to see. A whole mess of SomeFool
and Bagle variants. However, if I saw, for example, a single copy of an
obscure trojan, or a single copy of a macro virus I have never heard of,
I would be suspicious (and curious) and would investigate my quarantine
files further. If the chances of a harmless file being a false positive
are low, the chances of a false positive for the prolific virus-du-jour
are even lower.
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
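The speculation above, that a signature lifted from shared library code in a virus will also hit every benign program built with the same components, can be shown with a few constructed byte strings, and so can the check a signature author would run before shipping a pattern: match every candidate window against a corpus of known-clean files and reject any that hits. This is an added example, not code from the original post or from any scanner; the "runtime stub", the two "binaries", the clean corpus and the name Worm.Constructed.A are all made up for illustration.

```python
"""Why a byte-pattern signature taken from the wrong part of a virus hits
benign programs, and the clean-corpus check that catches it before release.

Every binary below is a constructed stand-in, not real malware or real
compiler output.
"""

# Constructed stand-in for compiler/runtime code that every program built
# with the same toolchain and reusable components carries verbatim.
RUNTIME_STUB = b"DELPHI-RTL-STUB:" + bytes(range(64)) * 2

# Constructed "binaries": the benign replication tool and the virus share
# the stub byte-for-byte and differ only in the code that follows it.
BENIGN_PROGRAM = RUNTIME_STUB + b"copy files to every host on the LAN; exit"
VIRUS_SAMPLE = RUNTIME_STUB + b"append self to every .exe found; mail self"

# Constructed known-clean corpus the signature author vets candidates against.
CLEAN_CORPUS = {
    "replicator.exe": BENIGN_PROGRAM,
    "hello.exe": RUNTIME_STUB + b"print greeting; exit",
}

SIG_LEN = 24


def naive_signature(sample: bytes, offset: int = 0, length: int = SIG_LEN) -> bytes:
    """Take a fixed window from the sample without asking whether that window
    is unique to it: the mistake the post speculates about."""
    return sample[offset:offset + length]


def scan(signatures: dict, files: dict) -> dict:
    """Minimal substring scanner: file name -> list of signature names that hit."""
    return {
        fname: [name for name, sig in signatures.items() if sig in data]
        for fname, data in files.items()
    }


def vetted_signature(sample: bytes, clean_corpus: dict, length: int = SIG_LEN):
    """Slide a window over the sample and return the first (offset, bytes)
    that matches no file in the clean corpus. Returns None when every window
    is shared, i.e. the sample is nothing but library code or the corpus is
    too small to tell."""
    for off in range(len(sample) - length + 1):
        cand = sample[off:off + length]
        if not any(cand in clean for clean in clean_corpus.values()):
            return off, cand
    return None


if __name__ == "__main__":
    naive = {"Worm.Constructed.A": naive_signature(VIRUS_SAMPLE)}
    print("naive signature hits:", scan(naive, CLEAN_CORPUS))
    off, sig = vetted_signature(VIRUS_SAMPLE, CLEAN_CORPUS)
    print(f"vetted signature taken at offset {off}; stub is {len(RUNTIME_STUB)} bytes")
    print("vetted signature hits:", scan({"Worm.Constructed.A": sig}, CLEAN_CORPUS))
```

The naive window starts at offset 0, lands entirely inside the shared stub, and so flags both clean files; the vetted search has to walk past the whole stub before it finds bytes that belong to the virus alone. A zero hit count on the clean corpus is evidence, not proof: the corpus only protects programs that resemble what is in it, so it needs the popular component libraries of the platform the sample was built on.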
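The quarantine triage the post describes, counting blocked names and then looking harder at a lone unfamiliar one, as an added example that is not part of the original post or of qmail-scanner. The warning bodies are constructed, and the layout is an assumption: the name is taken to sit two lines below the "The virus was reported to be" line, which is what the post's grep -A2 | tail -1 pipeline relies on; the name Trojan.Example.A is made up to play the part of the obscure singleton.

```python
"""Triage of a postmaster quarantine folder: count blocked virus names the
way the post's shell pipeline does, then pull out anything that does not
belong to the families expected to be flooding in, since a lone unfamiliar
name is the most likely false positive.

The warning bodies are constructed; the real notice is assumed to carry the
name two lines below MARKER. Adjust MARKER if your template differs.
"""
import os
from collections import Counter

MARKER = "The virus was reported to be"

# Families the post expects to see in bulk; anything else is worth a look.
EXPECTED_FAMILIES = ("Worm.SomeFool", "Worm.Bagle")


def constructed_warning(name: str) -> str:
    """Build a warning body in the assumed layout (sample data, not a real notice)."""
    return (
        "Subject: quarantined message\n\n"
        f"{MARKER}:\n\n"
        f"   {name}\n\n"
        "The message was quarantined.\n"
    )


SAMPLE_WARNINGS = [constructed_warning(n) for n in (
    ["Worm.SomeFool.X"] * 3 + ["Worm.Bagle.Z"] * 2
    + ["Worm.SomeFool.Gen-1", "Trojan.Example.A"]   # last name is made up
)]


def virus_name(text: str):
    """Same extraction as 'grep -A2 MARKER | tail -1': the second line after
    the marker, or the last line available if the message is cut short."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(MARKER):
            return lines[min(i + 2, len(lines) - 1)].strip()
    return None


def tally(texts) -> Counter:
    """Virus name -> number of quarantined messages; bodies with no marker are skipped."""
    return Counter(n for n in map(virus_name, texts) if n)


def flag_for_review(counts: Counter, families=EXPECTED_FAMILIES):
    """Names outside the expected families, rarest first: the candidates the
    post says it would open the quarantine files for."""
    odd = [(name, n) for name, n in counts.items() if not name.startswith(families)]
    return sorted(odd, key=lambda item: (item[1], item[0]))


def read_maildir(folder: str):
    """Read every message in a Maildir's cur/ and new/, the set the post's loop walks."""
    texts = []
    for sub in ("cur", "new"):
        path = os.path.join(folder, sub)
        if not os.path.isdir(path):
            continue
        for fname in sorted(os.listdir(path)):
            with open(os.path.join(path, fname), encoding="utf-8", errors="replace") as fh:
                texts.append(fh.read())
    return texts


if __name__ == "__main__":
    # Swap SAMPLE_WARNINGS for read_maildir("/home/postmaster/Maildir/.virus-warning")
    # (an assumed path) to run it against a real folder from cron.
    counts = tally(SAMPLE_WARNINGS)
    for name, n in counts.most_common():
        print(f"{n:7d} {name}")
    for name, n in flag_for_review(counts):
        print(f"REVIEW: {name} seen {n}x, not an expected family")
```

The family list is the judgement call: a name that is new and seen once gets surfaced, whereas a single new variant of a family already arriving by the hundred does not, which matches the post's reasoning that the prolific virus-du-jour is the least likely false positive.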