Monday, March 9 2009, 16:32
More anti-virus fail...
If you are a regular follower of this blog, you’ll probably remember my couple of rather recent entries regarding the current state of anti-virus technology and whether this kind of product is still as useful in today’s world as it was in the past. I’ve been going to great lengths regarding their weak points and how they tend to lag behind the operating systems more and more every year due to missed infections and delays in signature updates, which make their protection far from being bullet-proof. What’s worse than everything, though, is when a system isn’t infected but the anti-virus thinks it is… and has identified an important system file as an offender…
This morning, I received several e-mail notifications from our anti-virus system (Eset’s NOD32) indicating a virus intrusion on several of our servers, namely by the Win32/Kryptik.JX trojan in the file msdtc.exe (I won’t translate what the dtc acronym means in French, but it could have been an appropriate name, had I not known that it actually stands for Distributed Transaction Coordinator)... This was rather surprising, as none of our servers but one (the Application/Terminal server) is used by users. They just sit there and do what servers usually do: handle databases, store files, run scheduled tasks, etc… Needless to say, they are all behind the corporate firewall and none of them is directly exposed to the Internet, except the e-mail one. It basically meant that the chances of this infection coming from the outside were quite low.
msdtc.exe detected as Kryptik.JX variant? O RLY?
I then immediately suspected a false positive, as I already knew the name of the MS DTC technology, but it wouldn’t have been the first time a virus had taken a seemingly legitimate name to remain unnoticed for as long as possible on the infected system. I then searched the Internet for the terms NOD32 msdtc and, quickly enough, I landed on this official web page confirming the false positive theory and explaining how to recover the files.
On our systems, the file wasn’t deleted, just detected and blocked from being accessed, but on a number of systems across the world, this file was erased. In either scenario, any software service relying on MS DTC might have stopped working. However, that isn’t the worst-case situation, and it is actually not that uncommon for anti-virus vendors to screw up when releasing signature files. A big name of the anti-virus industry, Trend Micro, pushed incorrect signature files twice (in 2005 and 2008), which had the very undesirable effect of flagging system files of the Windows operating system as viruses and moving them to the quarantine, which would obviously cause big problems on the next restart and leave the user with an un-bootable machine and a totally crippled system. Experienced and computer-literate users might find a way around this rather quickly, but typical home users would more than likely have a much harder time, especially since they won’t know what happened and what the cause was. The last thing they would probably suspect is their anti-virus being the culprit. After all, would you suspect your trusted (and expensive) bodyguard of shooting you in the head? Probably not. In a large corporate network, having hundreds if not thousands of machines crippled that way can quickly turn out to be the worst nightmare ever for the IT staff and make the company lose hundreds of thousands of dollars in wasted productivity and lost man-hours.
However, this kind of incident is bound to happen considering the pressure the anti-virus companies and their researchers are under: hundreds of new viruses appear every day, most of the time variants of already existing ones, and adding detection schemes for them to the anti-virus database as quickly as possible is bound to cause some collisions with legitimate files some day and, in the worst case, with system files. One difference between anti-virus software and many other kinds of software is that updates to the latter are usually thoroughly tested before being released. Granted, a virus signature database might not be an executable, but it is these signature files which determine most of the behavior of the anti-virus during its scan activities, and the fact is that they don’t receive as much testing as they should, simply because at a rate of 3 updates a day for the best-known anti-virus products, bulletproof testing simply is impossible.
In the previous paragraph, I seem to be rather understanding, not to say forgiving: after all, we accept the existence of bugs in a lot of other software that is equally (if not more) important as a fact of software engineering, so why not accept their existence in anti-virus signature files as well? However, the bottom line for users and administrators is that, given the licensing cost (machine-based, for most vendors), their lack of efficiency in detecting a lot of threats, their lack of technological innovation, the risk that they could be affected by security vulnerabilities themselves and, last, the risk of vital system files being detected as malware, anti-virus products tend to appear to create more problems than they actually solve… Who would continue investing in a system that protects you only most of the time, and which could actually reveal itself to be a rather unexpected time-bomb that could damage your system much more than most viruses nowadays do? My conclusion is not going to be different this time again: Anti-virus vendors and engineers need to get their act together and innovate until they get squashed by more secure operating systems and the weight of their very own mistakes.