Saturday, July 12, 2008

False Positive

When I ran my regular virus scan this morning I was stunned by the report that several files were infected (Exploit.PHP.Userpic.a), one of them in the installation zip of the popular Enigma Sim, available as a download on my website. The same file was also infected in the source code folder as well as in my own installation folder!

Not taking any risk, and since the software is downloaded many times each day, I immediately created a new installation and zip. As it turned out later, that was a lot of work for nothing. I already found it strange that even old CDs, which cannot be overwritten, were also infected. After contacting F-Secure I received confirmation that it was a false positive and that the error was fixed in the new anti-virus update. After checking some forums it seems Kaspersky AV had the same problem.

Nice to know that my carefully scanned and published software is clean, but it does your credibility no good if someone downloads from your website and runs into a wrong virus alert. I can imagine that some commercial firms aren't too happy about being wrongly 'accused' of downloading viruses onto your computer. It's a bit like being wrongly accused, jailed and then set free. The damage is done.

I must say that my e-mail to F-Secure was answered within 15 minutes, apologies included, and indeed, about one hour later the new AV database update no longer reported my precious files as infected. So, no complaints here. But this shows how vulnerable our modern Internet society has become, not only to viruses, but also to these false positive alerts and the consequences that can follow.

This cost me about one and a half hours of recompiling the code, creating installs, uploading, adding apologies to the web page concerned, changing those apologies again, etc. All for nothing! Fortunately it's freeware, so I'll be just as poor as I was before. But I can imagine some people lose customers thanks to a virus that doesn't exist.

Visitors on my website will all know by now that I regularly scan my stuff and make sure nothing gets infected. They can download without fear, as before!

I noticed that many visitors landed on my weblog searching for information about "Exploit.PHP.Userpic.a". To all people affected by this nasty thing, one piece of advice: contact your AV provider and send them the infected file (zipped). I have no idea how many and which types of files are false positives and which are actually infected, but I'm sure the exploit exists (otherwise people wouldn't be searching for it), so never assume it's always a false alarm.

Update: I added SHA-256 hash values for all downloads on my website. This way, everyone can verify the downloaded files and be sure that they are not corrupted.
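Verifying a published hash in practice, as an added example that is not code from the original post or from the author's site: the script below assumes the hashes are published in the common `sha256sum` text format (one `<64 hex chars>  <filename>` line per file); the file names, the hash list and the sample archives are constructed here for the demonstration. It streams each file in chunks, refuses to silently skip a malformed hash line, and reports three outcomes per listed file: OK, FAILED (the bytes on disk differ from the published value, for example a truncated download) and MISSING. One caveat a practitioner should keep in mind: a hash published on the same page as the download proves the file arrived intact and unmodified in transit, but not that the server itself was never tampered with, since an attacker who can replace the zip can usually replace the hash next to it; for that you need a signature or a hash obtained out of band. It also does nothing about an AV false positive, but it does let a downloader confirm that the file they hold is byte-for-byte the one the author scanned.

```python
"""Check downloaded files against published SHA-256 values.

Added example, not code from the original post or the author's website.
Assumes the published list uses the `sha256sum` text format:
    <64 hex chars>  <filename>
Sample files and names below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large zips need not fit in memory


def sha256_of_file(path):
    """Return the lowercase hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sum(text):
    """Parse sha256sum-style lines into {filename: hexdigest}.

    Blank lines and '#' comments are ignored. A malformed line raises
    ValueError instead of being skipped: a hash list that is quietly
    half-read gives false confidence.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: expected '<hash>  <file>'" % lineno)
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with '*'
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("line %d: not a SHA-256 hex digest" % lineno)
        expected[name] = digest
    return expected


def verify_downloads(directory, sha256sum_text):
    """Compare every listed file against the bytes on disk.

    Returns {filename: "OK" | "FAILED" | "MISSING"}. hmac.compare_digest is
    overkill for a local check but is the right habit for any code that may
    later run server-side, where a short-circuiting comparison leaks timing.
    """
    results = {}
    for name, digest in parse_sha256sum(sha256sum_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = sha256_of_file(path)
        results[name] = "OK" if hmac.compare_digest(actual, digest) else "FAILED"
    return results


def demo():
    """Build constructed sample files in a temp dir and verify them.

    One file is intact, one is truncated after its hash was published
    (a broken download), and one listed file is absent. File names are
    illustrative only, not the real download names on the author's site.
    """
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "EnigmaSim.zip")
        bad = os.path.join(d, "OtherTool.zip")
        with open(good, "wb") as f:
            f.write(b"PK\x03\x04" + b"intact archive contents" * 1000)
        with open(bad, "wb") as f:
            f.write(b"PK\x03\x04" + b"complete archive contents" * 1000)
        listing = "\n".join([
            "# constructed hash list in sha256sum format",
            "%s  EnigmaSim.zip" % sha256_of_file(good),
            "%s  OtherTool.zip" % sha256_of_file(bad),
            "%s  Missing.zip" % ("0" * 64),
        ])
        with open(bad, "r+b") as f:  # simulate a truncated download
            f.truncate(100)
        return verify_downloads(d, listing)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-16s %s" % (name, status))
```

On a Unix box the same check is one command, `sha256sum -c hashes.txt`, but the script shows what that command is doing and makes the failure modes explicit, which is what you want when you wire verification into an installer or a download mirror.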

4 comments:

Blaarp said...

It's very good that it was a false positive ;)

Dirk Rijmenants said...

Yes, better a false positive than a positive false. But still, it has cost me lots of work and time for nothing :-)

Blaarp said...

Just a suggestion for your website, if I may dare be so bold ..

Despite the fact that you note the date of last update, in the plethora of "New" and "Updated" tags new stuff isn't really easy to find, so how about adding an "Update history" page ? ;)

Dirk Rijmenants said...

Hi Winamp,

Your will is my command :-) A website history is now available on the site.