Complete Transcript of Interview – Randy Abrams - ESET
Let’s Talk Computers Radio Talk Show
Host Alan Ashendorf
September 20, 2008
Alan: If you yell, “Fire!” in a crowded theater and there is no fire, you can see for yourself the disastrous effects that this makes, but what if your anti-threat software pops up a box on the screen and says, “You have a virus,” and there is none? What happens then? Our guest today is Randy Abrams, Director of Technical Education with ESET. Welcome back to Let’s Talk Computers, Randy.
Randy: Thank you, Alan. It’s always a pleasure to be here.
Alan: Randy, in the virus industry, this is known as a “false positive,” and they can really be a major problem. Why?
Randy: There are a couple of different scenarios where it can be a major problem. For an individual user, a little education can help out quite a bit. It’s a matter of understanding what it is that your anti-virus software is telling you and what it’s verifying, because nothing in this world is perfect.
For a corporation, it becomes a really big problem, because then you’ve got a bunch of individuals who may not know much about the subject, but are clamoring at the same time and that is kind of where that “crowded theater” analogy really comes into play.
Alan: I know if I get a pop-up warning saying that such and such threat has been caught, there are two thoughts that go through my mind very quickly. 1) I’m so glad that our software caught this virus or this malware threat and 2) It’s like the wasp that gets into the house – I’m constantly looking around to see what else is maybe on my machine. I know that something is there; I’m just not sure where it is or what it is and now I’m going to run all kinds of tests on the computer to see if maybe something is there that I didn’t catch. That takes a lot of time and a lot of effort and a lot of downtime, doesn’t it?
Randy: Yes, it can - definitely. One of the things I recommend is that if your anti-virus software says that it caught some threat, do a quick Google search on it. There are a couple of reasons for it. 1) If it’s a false positive, these things don’t just happen to one person. If it’s a false positive, it’s probably a known problem and you can quickly verify that other people are saying the same thing.
People who know a bit more than you might, perhaps, have already determined that and might say, “No, this is a problem with a signature and if you wait a few minutes there will be something that fixes the false positive,” – although the file might be gone. This is why I recommend that you quarantine, not just delete. If it’s a false positive, you can restore the file from quarantine.
The other thing is context. If the indication is for a virus that only comes in email and you haven’t been using email recently, the odds are pretty high that it’s a mistake, a false positive. When I say that the odds are pretty high – the false positive rates for most anti-virus products are pretty low, overall, so it isn’t a high likelihood that you’re going to encounter this with them.
Alan: On Virus Bulletin, which you know we subscribe to, we see a lot of major Anti-Virus/Anti-Threat companies that are constantly getting false positives for their software. I know that ESET gets hardly any false positives. As a matter of fact, you’ve been rated as getting the 100% Award more than any other company out there.
Randy: A lot of that has to do with testing. But even ESET, from time to time, will have a false positive and it’s extremely difficult. I mean, our justice system isn’t perfect; we have false positives where innocent people get convicted and that’s a lot worse than a file getting convicted.
There are a few reasons for it. One of them has to do with trying to detect unknown threats, “something that you have never seen before.” All of the anti-virus products today have to do that to some extent. In order to catch the most unknown threats possible, there is going to be a trade-off in sometimes saying that something that isn’t a threat, is.
It’s a very difficult thing to teach a computer how to think. We are just in the infancy of artificial intelligence and so there are going to be mistakes that happen. The important thing comes back to education, which is a common theme throughout computers and even life. You have to educate yourself in order to understand what’s going on.
Alan: In some cases, you know, while surfing the Web you will get a pop-up that will say, “Your computer has been infected with such and such virus and if you want to remove this virus you need to click - yes to scan your machine or no – don’t scan your machine.”
However, in reality that whole message is one huge button that basically says, “Yes, install malware,” - isn’t it?
Randy: Oh, absolutely. When you are just surfing the Web and you get a pop-up from something that isn’t your installed anti-virus product, it’s a scam. Someone is trying to steal from you! If you didn’t allow it, they are not scanning your computer.
And in fact, in most places it would be illegal for them to scan your computer without your permission in the first place. That’s a bit different from a false positive; that’s actually deliberate and malicious lying. When you see those pop-ups, like, get the heck out of Dodge!
Alan: But, how do you do that? We had one person who said, “I clicked on the ‘no’ button and then later on I got all these pop-up messages, wanting me to join this club and wanting me to go to this website. My whole machine just had a life of its own and I said, ‘no.’”
I was trying to tell him that what you really did was you had a message on the screen that says, “Click anywhere on the screen to install malware.” And you did!
Randy: In cases like that, I recommend control-alt-delete and then open up the Task Manager and kill the browser, whether it is Firefox or Internet Explorer. Just kill the browser. That will get rid of the problem; you won’t have to click “yes” or “no”, it is just really “yes” or “yes.” Those things can be pretty difficult to get rid of because virtually anything you click, it will continue installing. If you open up Task Manager and kill the browser process altogether, you will get rid of it without it installing.
Alan: And sometimes if you are down to the bottom tray and right click on the Explorer, you can kill it, there. That belongs to your computer; that doesn’t belong to the Web.
Randy: Yes, sometimes you can kill it that way. However, I’ve seen cases where it didn’t appear to work. Yes, sometimes you can just right click on the Task Bar on the browser icon and say, “close.” That will get rid of it, too. The last thing you want to do is click on anything on the screen.
Alan: Well, I know false positives can really interrupt your day because I know that once when a little, bitty blue skink got into our house. Sandra was petrified of that and all day long, she was trying to get me with “Where is that thing? Where is that thing? Did you get it out of the house?” Well, I couldn’t find the thing, so finally I just told her, “Yes, we found it and put it out of the house.” Otherwise, she wasn’t going to sit down; she wasn’t going to walk into a new room; she wasn’t going to open up a door.
That’s the same thing with a false positive with a virus. After a while, you get gun-shy, don’t you?
Randy: You definitely can. One of my favorite false positives wasn’t the anti-virus product that was saying it; it was back in the days of the mass mailers. What they would do in some cases is scour websites for email addresses and then send copies of themselves, forging the “primary address” and the “to address.”
I’m on the Board of Directors for AVAR, which is the Association of Anti-virus Asia Researchers, so my email address is up on the website. Well, someone got infected and it then sent a copy of the virus, saying that it came from me and it sent to another anti-virus researcher. He didn’t take a look at what the characteristics of that virus were and he then sent me an email saying, “Oops!” He thought that I had sent it. Well, the first thing that I did of course, was to pull the network cable from my computer because I didn’t want to be sending out mass mailing viruses and started looking around.
What I discovered was that my computer actually had none of the symptoms of that specific virus. There were specific registry keys that virus would create; there were specific files that would be found on an infected computer – and I found that virus was known to forge “to” and “from” addresses, based on information from the website. It didn’t actually come from me, but I got an email from a researcher, saying, “I think you are infected,” - and I wasn’t.
Alan: So, you know you have all these false positives pop on your screen and you really don’t know where they are coming from. Then one of the side effects is you kind of turn it off. It’s like the story of “The boy that cried wolf,” and we all know how that ended. If we turn off our anti-threat software we can be in that same boat, can’t we?
Randy: Yes, you can. That is a really sub-optimal way to deal with the situation. Even in medicine, it’s not uncommon for people to get a “second opinion,” because there are false positives in medicine. That doesn’t mean that you stop seeing doctors, altogether; it means you verify. The false positive - for the person with the right mindset, can actually be a very good learning opportunity to help them understand better what things can happen and how to effectively deal with them. It’s really a good life skill to not just quit and give up. It’s always a lot better to take a negative situation and learn from it and improve your skills.
Alan: One of the reasons why we see a lot of other companies showing us false positives is that they depend totally on virus definitions, and if any other piece of software looks and acts like that virus definition or has the same signature, that becomes a false positive. Is that why ESET, in using their heuristics, doesn’t get those?
Randy: The reason that you get them from signatures is that the signatures don’t look for the whole virus. They don’t look for the entire virus. They look for just enough of it to uniquely identify it. And in the training presentation I give, I use an example where we are searching for a very rude elephant named Rudy, but we can’t remember Rudy’s name.
If you Google the word, “elephant,” you get 83,000,000 hits. Now, you are looking for just 1 elephant, so that’s about 83,000,000 false positives. If you Google, “rude elephants,” you are down to under 1,000 hits, which is much better than 83,000,000, but it’s still pretty close to 1,000 false positives. But, if you Google “very rude elephants,” you will find Rudy. And Rudy lives in the textbook to teach kids how to deal with bullies.
Now, it would be really inefficient if you had to type in the entire textbook or even a chapter of the textbook, but by making a narrow enough search pattern, you can find exactly what you are looking for. But, if it isn’t narrow enough then you will find the other stuff, which are false positives. So, with signatures, part of the reason you get a false positive is that the signature was not quite specific enough.
With heuristics, the problem you run into is you are looking at behaviors and there is no single behavior that a virus or a trojan could perform that a legitimate program cannot also perform. So, you see combinations of behavior that look very suspicious and now and then there is a legitimate program that does exactly that same thing, but isn’t malicious.
Alan: But your heuristics go even further, because if you are just using pattern matching or looking at different ways that a particular program is working, you would have a lot of false positives, but ESET’s Smart Security and NOD32, with your heuristics engine, catch all those.
Randy: It’s a really difficult thing to do heuristics well, because it’s not just a matter of looking at behaviors. When you look at these behaviors, you have to do two things - one, you have to assess if there is a degree of risk and the other is how much risk. So, you have rules and you have weights and it’s a combination of how much weight you give to each rule, even combined with other rules, until you decide that this is a bad program. It’s a very tricky thing to assess which rules get more weight than other rules.
Viruses will frequently write to the Registry, but what program doesn’t write to the Registry, nowadays? So, just writing to the Registry isn’t enough to convict the program. There are hundreds, if not thousands, of different behaviors that have to be accounted for.
You can put together some pretty intelligent combinations and, based upon what you know, you can say that this combination is enough to say it’s probably a problem, but I’m not confident enough yet to say it definitely is, and then narrow things down to the point where you can come up with some highly effective rules that yield very low false positive rates.
Alan: Well, let me just put you on the spot for a minute. What words of wisdom would you give our listeners on how to protect their computer system from say, false positives; from the virus; from the malware – what is the first thing that they need to do?
Randy: What you can do is educate yourself so that you better understand them and understand how to react to the false positives. You definitely need to keep your system patched – that’s one of the fundamentals, like breathing air is to staying alive. You need to use high quality security software.
Education is a tool and smart people that have really good tools are better able to build wonderful things. If you want to build a wonderful computing experience, use good tools that software provides; but use education so you know how to use those tools properly.
Alan: Randy, if someone would like more information, where would they go?
Randy: They can come to http://www.eset.com and click on the link for the Threat Center. They can also email me at askeset@eset.com
Alan: Randy, as always, it’s our pleasure to have you as our guest here on Let’s Talk Computers, educating us on viruses and malware and how to prevent all these nasties from getting into our computer system. We look forward to having you back on the air again, real soon.
Randy: Thank you, Alan. It’s always a pleasure to be here.