Sophos 1 : Symantec and McAfee 0

Sophos says:

"Sophos has reassured its customers that Sophos Anti-Virus will offer full protection against malware threats on Vista, and suggests that some security vendors may not have given sufficient thought to the new operating system when developing their products. ... We are building our technology by making use of supported Microsoft interfaces rather than by trying to subvert them. That's why we're ready for 64-bit Vista, and others aren't."

Cite: http://www.sophos.com/pressoffice/news/articles/2006/10/vista-admins.html

I've got to agree with this; if McAfee and Symantec did a little more coding and a little less bitching, they might get somewhere.

Other commentary on McAfee and Symantec's complaints:

McAfee and Symantec get vocal about Vista - but do they *really* have our best interests at heart?
http://msmvps.com/blogs/spywaresucks/archive/2006/10/05/155347.aspx

Technical whitepaper about x64 and kernel protection:
http://www.microsoft.com/downloads/details.aspx?FamilyID=802e48a3-c79a-4530-b41b-808c43f806e6&DisplayLang=en

Reality is that antivirus companies cannot be trusted to 'get things right'. False positives abound (just do a Google search for "antivirus false positive" and you'll see what I mean), and these false positives are not affecting obscure little programmes. We're seeing products, services and files that are standard on Windows machines, and programmes that are used by millions of people, being hit.

Not only are there false positives, there are also vulnerabilities. Example: a brand new vulnerability in Symantec drivers, just one more reason why allowing access to the kernel is a *bad thing*:
http://securityresponse.symantec.com/avcenter/security/Content/2006.10.23.html

Who remembers this?

"NAI/McAfee today released pattern version 4716 only hours after 4715 had come out. Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products.  Good for you if you have your AV configured to "quarantine" bad files and not to delete them outright, this makes restoring the chewed up files after a false positive considerably faster. Nevertheless, things like this can get messy pretty quickly if the AV scanner starts to quarantine vital components of your environment."

Want to know what some of the 'quite prominent third party products' are?  We're looking at excel.exe, graph.exe, adobeupdatemanager.exe...
http://news.com.com/2100-1002_3-6048709.html

Or this:

Norton Update blocks AOL users from the Internet
http://news.zdnet.com/2100-1009_22-6050786.html

Or this by Trend:

"Shortly after midnight a definition update was released (599) that flagged C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE as Troj_Generic.

The false positive was fixed by update 601 pushed out at 02:43am.

Thankfully, no damage was done (apart from Trend filling my inbox with 391 alarm-bell emails, and my Trend Console logs with close to 1500 virus alarms).  Trend was unable to delete WINVNC4.EXE - if the programme had succeeded in deleting the file I would have been real grumpy."

Trend also nuked the Windows Genuine Advantage Tool at one stage.

Or this by AdAware:

"Definitions 112 detect the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG" as W32.Trojan.Downloader.

According to Walter Clayton the key is related to the Windows Firewall."

Or this by Sophos:

"The results of the false positives are, in some cases, disastrous... Many of our campus computers have lost access to their Microsoft and Adobe products. We're having trouble reinstalling them because they immediately get re-infected. ... Sophos' AntiVirus software is generating false positives for the "OSX/Inqtana.B worm", invoking users to delete critical application and system files and causing serious issues...it destroys office 2004... even with a reinstall, office doesn't work"

Published Mon, Oct 23 2006 21:54 by sandi