One problem with automating antivirus signature creation is that once a few AV vendors start detecting a file as malicious, even on heuristics alone, other vendors soon "automagically" follow without checking whether the file is actually malicious, often going as far as having their automated systems generate a specific signature for it.
An example of this kind of False Positive (FP) caused by automatic signature creation is the case of Fenomen Games (aka Gamecentersolution), by Legacy Interactive. Fenomen is a company that creates and distributes games. It does so through a set of "Game Downloaders", small programs that let users choose and download different games on the fly. The problem is that these Game Downloaders share many characteristics with known Trojan Downloaders, such as runtime packing and their behaviour (connect to the Internet, download something, execute it, then exit), so they naturally light up heuristic alarms like a Christmas tree.
After manual analysis, the only thing I found truly suspicious about them is that we have over 200,000 unique Fenomen "Game Downloaders" in our Collective Intelligence database. The ones I checked are not malicious in any way, nor do they do anything other than what they advertise (if you have evidence to the contrary, please let me know). Fenomen seems very active from a partner/affiliate perspective, which could explain the multitude of unique MD5s.
So let's look at detections by different AV engines. Most of the 200,000 Fenomen Game Downloaders we have checked are detected by anywhere from 4 to almost 20 different AV engines.
The problem with these detections is not the heuristic detections but the signature detections. Traditionally, a signature detection meant a "100% known malicious" program. In today's world, however, where signatures are created automatically based on other criteria (including other engines' verdicts), false positives are amplified and rolled over from one engine to the next.
Some statistics of detections per engine, based on the 200,000 Fenomen Games Downloader samples we have (names have been omitted to protect the "innocent"):
Scanner A: 137,465 detections
Scanner B: 101,061 detections
Scanner C: 96,472 detections
Scanner D: 68,264 detections
Scanner E: 45,602 detections
Scanner F: 38,027 detections
Scanner G: 31,603 detections
Scanner H: 28,152 detections
And so on...
These figures include both heuristic and signature detections. All of the latter are false positives, by very well-known AV engines!
The other problem created by FPs generated by automated signature systems is that, once a sample is considered malicious, it gets included in the regular "collection sharing packages" exchanged between AV labs and, more importantly, independent research and testing organizations. Organizations of this type, which rely on multi-scanners to classify their test sets, should take good care not to fall into the same trap. So the next time you see detection rates based on AV signatures published in a magazine or on a website, ask yourself what is truly being tested.
All in all, lab automation is an absolute must for any AV vendor that wants to keep up with the large volume of incoming malware. But it is critical that these systems are well supervised, fine-tuned and backed by engineers who review the automatically generated signatures, to avoid creating "fenomenal" false positive problems.
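The two points above (a multi-scanner should not be trusted blindly to build a test set, and an automated signature system needs a gate that engineers control) can be turned into a small triage policy. The following is an added example written for this post, not Panda's own lab tooling: it splits scanner verdicts into heuristic/generic hits and specific signature hits, and refuses to turn other engines' verdicts into a new signature unless the lab has evidence of its own. The scanner names, detection strings, the heuristic-name patterns and the `own_evidence` fields are all constructed for the example.

```python
"""Triage of multi-scanner verdicts before automated signature creation.

Added example, not Panda's own tooling. It separates heuristic or generic
hits from specific signature hits and never lets other engines' verdicts
alone become a new signature.
"""
import re

# Substrings that, in this example, mark a heuristic or generic verdict.
# Assumption: real engines use their own naming schemes; adapt per engine.
HEURISTIC_MARKERS = re.compile(
    r"heur|generic|suspicious|packed|packer|unknown|probably|\.gen\b",
    re.IGNORECASE,
)


def is_heuristic(name):
    """True when a detection name looks heuristic/generic rather than a
    specific family signature."""
    return bool(HEURISTIC_MARKERS.search(name))


def summarise(verdicts):
    """verdicts maps scanner -> detection name, or None if the scanner
    reported the file clean. Returns which scanners fired heuristically
    and which fired on a specific signature."""
    heuristic = sorted(s for s, n in verdicts.items() if n and is_heuristic(n))
    signature = sorted(s for s, n in verdicts.items() if n and not is_heuristic(n))
    return {"heuristic": heuristic, "signature": signature,
            "total": len(heuristic) + len(signature)}


def triage(verdicts, own_evidence):
    """Decide what an automated signature system may do with a sample.

    own_evidence holds the lab's independent findings (constructed fields):
      sandbox_malicious      bool  our own dynamic analysis saw malicious behaviour
      clean_publisher_match  bool  file matches a vetted clean publisher/allowlist
    Returns (action, reason), action being 'auto_sign', 'analyst' or 'no_action'.
    Rule: detections by other engines are never sufficient on their own.
    """
    s = summarise(verdicts)
    if own_evidence.get("clean_publisher_match"):
        # Many external hits do not override a vetted clean source; a human
        # must look, and an exclusion may be the right outcome.
        return "analyst", f"{s['total']} external hits on a vetted clean publisher"
    if own_evidence.get("sandbox_malicious"):
        return "auto_sign", "independent dynamic evidence confirms external hits"
    if s["signature"]:
        # Specific names elsewhere but nothing of our own: these may be
        # rolled-over signatures, so queue for analysis instead of copying.
        return "analyst", f"{len(s['signature'])} signature hits without own evidence"
    if s["heuristic"]:
        return "no_action", f"{len(s['heuristic'])} heuristic-only hits; keep monitoring"
    return "no_action", "no detections"


# Constructed sample: a game downloader that looks like a trojan downloader
# (runtime-packed, downloads and runs an installer). Scanner names and
# detection strings are made up for this example.
GAME_DOWNLOADER = {
    "Scanner A": "Trojan-Downloader.Generic!heur",
    "Scanner B": "Packed.Suspicious",
    "Scanner C": "Downloader.Fenomen",        # specific name, rolled over
    "Scanner D": "Win32/Downloader.Fenomen",
    "Scanner E": None,
    "Scanner F": "Heuristic.Unknown",
    "Scanner G": None,
    "Scanner H": None,
}
GAME_DOWNLOADER_EVIDENCE = {"sandbox_malicious": False,
                            "clean_publisher_match": True}

if __name__ == "__main__":
    print(summarise(GAME_DOWNLOADER))
    print(triage(GAME_DOWNLOADER, GAME_DOWNLOADER_EVIDENCE))
```

For the constructed downloader, five of eight engines fire, two of them with specific names, yet the sample is routed to an analyst rather than signed, because the lab's own sandbox saw nothing malicious and the file matches a vetted publisher. A testing organization can apply the same split to its test set: count how many of its "malware" samples are carried only by heuristic or rolled-over signature hits before publishing detection rates.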
15 comments
LOL you're right, even published in encyclopedias:
http://vil.nai.com/vil/content/v_144505.htm
http://www.sophos.com/security/analyses/adware-and-puas/fenomengamedownl_jW6NG0O5.html
http://www.avira.de/en/threats/section/details/id_vir/4116/game_dldr.fenomen.gen.html
Hi guys, I know Panda Antivirus is a worldwide popular software, but its compatibility is not so good as the frame. Such is an example: Thunder (http://{block}.sandai.net/Thunder5.7.12.493.exe) is a nice downloader, which couldn't work properly with Panda Firewall installed.
Anyway, I love your product, but the flaw should be fixed instantly.
I almost forgot that Sandboxie (www.sandboxie.com) also can't work properly with Panda.
Nones, feel free to submit false positive problems you may experience to virussamples@pandasecurity.com. However in these cases you can probably create custom firewall rules to deal with this downloader.
I am also curious about FPs.
What you said suggests that FPs happen consequentially and not by carelessness, doesn't it?
FPs have traditionally happened for other reasons (too generic signatures, poor QA, etc.). What I suggest on this post is a more recent method by which FPs appear because of “automated” signature generation systems.
OK, I agree with what you said.
It makes sense to an extent.
If it is possible, I want to communicate with you further about this issue.
Traditionally, how many reasons can cause FPs to happen?
Currently, are there any new reasons, besides the "automated" one here?
Yes quding there are other reasons that cause FPs other than automated systems. But I believe these FPs that are generated automatically can have a significant effect as the volume of FPs can grow very rapidly and affect users negatively unless more controls are added to these automated systems.
And what's more, "Fenomen(al)" is the title here; you constructed it with the suffix "al", does it mean to be an adjective?
I mean, you predicated of the word that it is a class and not only a single one, didn't you?
In other words, in conclusion, not only Panda's but also other vendors' automation will show this type of FP?
Hi, I'm using IS08, and very pleased with the performance. Regarding the FP problems, I'm just setting it in the firewall. The smartest brain is the human's brain, not the computer's brain.
Yes of course quding, FPs happen to every vendor. That's why it's extremely important to invest in resources to control these FPs on a daily basis, more so with more automation involved in adding signatures.
Hi, my last Panda update deleted my Swish flash editor [www.swishzone.com] due to a false positive; the same issue happened with Norton AV in May, as you can see on the Swish forums at http://forums.swishzone.com/index.php?showtopic=58210&hl= ; fortunately it was solved immediately by Symantec.
I wrote to local Panda support and the Panda support staff told me I need to contact the program vendor (Prodigy, an internet provider). So I called Prodigy support, and Ms Beatriz Contreras simply told me "disable antivirus". What kind of support is this?
I want to know if this problem will be solved soon or if I need to get new antivirus software.
Thanks
Thanks for the heads-up Norberto. We’ll take a look at it and fix it.
Nobody at Panda has answered me in the year since I asked about SwishMax2, a very nice flash web designer program I can't use anymore.
Why?
Simply! Panda IS 2008 always tells me that there is a Malicious Packer inside!
CRAZY!
Meanwhile I'm losing money with my clients due to Panda's stupid interpretation of this packer...
There is no way to tell Panda IS to skip file analysis of this folder and/or the file.exe of SwishMax.
Look, various forums are talking about that!
It seems that SwishMax2 is using multiple layers of runtime packing and/or a packer that is used by known malware.
We can add this to the exclusion list on the signature, but you might want to tell the SwishMax2 developers to not use malicious runtime packers. I see that other AV engines also detect this as malicious because of the same reason.