29 What are "false positives" and "false negatives"? (Computer virus)

This article is from the Computer Viruses FAQ, by Nick FitzGerald n.fitzgerald@csc.canterbury.ac.nz with numerous contributions by others.

A FALSE POSITIVE (or Type-I) error is one in which antivirus software
claims that a given object is infected by a virus when, in reality, the
object is clean. This is a failure of *detection* (see B15). A FALSE
NEGATIVE (or Type-II) error is one in which the software fails to
indicate that an infected object is infected. Clearly false negatives
are more serious than false positives, although both are undesirable.

Following from some of Fred Cohen's work, it has been proven that every
virus detector must have an infinite number of false positives, false
negatives, or both. This is expressed by saying that detection of
viruses, either by appearance or behavior, is UNDECIDABLE. The
interpretation and practical significance of this depends upon the
interpretation of the terms used, and as with Fred's definition of the
term "computer virus", there is some debate over this.

In the case of virus scanners, false positives are rare, but they can
arise if the scan string chosen for a given virus is also present in
some benign objects because the string was not well chosen. In modern
scanners, most false positives probably occur because some virus
encryption engines produce very "normal looking" code and scanners that
only try to decide if a piece of code could have been generated by a
known virus encryption procedure will occasionally detect "innocent"
code as "suspicious". False negatives are more common with virus
scanners because scanners will miss completely new or heavily modified
viruses.

One other serious problem could occur: A positive that is misdiagnosed.
As an example, imagine a scanner faced with the Empire virus in a boot
record that reports it as the Stoned virus. In this case, use of a
Stoned-specific "cure" to recover from an Empire infection could result
in an unreadable disk or loss of extended partitions. Similarly,
sometimes "generic" disinfection (see D1) can result in unusable files,
unless a check is made (e.g. by comparing checksums) that the recovered
file is identical to the original file. The better generic disinfection
products all store information about the original files to allow
verification of recovery processes.
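As an added illustration (not part of the FAQ) of the two points above, the following Python simulates a naive scan-string scanner over a handful of constructed sample files, counts its Type-I and Type-II errors against known ground truth, and shows the checksum comparison that a generic disinfector should make before trusting a recovered file. All byte patterns, file names and the scan strings are made up for the example.

```python
import hashlib

# Constructed sample "objects": name -> (contents, truly infected?).
# The "GHOSTSIG" marker stands in for a virus body; \xb8\x00\x4c\xcd\x21 is the
# ordinary DOS program-exit sequence (mov ax,4C00h / int 21h) that benign
# programs contain too. None of this is real virus code.
SAMPLES = {
    "infected_a.com": (b"\xb8\x00\x4c\xcd\x21GHOSTSIG\x90\x90", True),
    "infected_b.com": (b"\x90\x90GHOSTSIG\xcd\x21", True),
    "benign_1.com":   (b"\xb8\x00\x4c\xcd\x21", False),
    "benign_2.com":   (b"hello world", False),
    "modified.com":   (b"\x90\x90GHOSTSIX\xcd\x21", True),  # heavily modified variant
}


def scan(objects, scan_string):
    """Naive signature scanner: an object is flagged if the scan string occurs in it."""
    return {name: scan_string in data for name, (data, _) in objects.items()}


def confusion(objects, scan_string):
    """Return (false positives, false negatives) of scan() against ground truth.

    A false positive (Type-I) is a clean object that was flagged; a false
    negative (Type-II) is an infected object that was not flagged.
    """
    flagged = scan(objects, scan_string)
    false_pos = [n for n, (_, infected) in objects.items() if flagged[n] and not infected]
    false_neg = [n for n, (_, infected) in objects.items() if not flagged[n] and infected]
    return sorted(false_pos), sorted(false_neg)


def fingerprint(data):
    """Checksum stored for a file before it is infected or disinfected."""
    return hashlib.sha256(data).hexdigest()


def verify_recovery(original_digest, recovered):
    """Generic-disinfection check: accept the recovered file only if it hashes
    to the stored checksum of the original, i.e. it is byte-for-byte identical."""
    return fingerprint(recovered) == original_digest


if __name__ == "__main__":
    # A well-chosen string misses only the modified variant (a false negative);
    # a badly chosen one (the common DOS exit sequence) also flags a clean file.
    print(confusion(SAMPLES, b"GHOSTSIG"))
    print(confusion(SAMPLES, b"\xcd\x21"))
    clean = b"\xb8\x00\x4c\xcd\x21"
    print(verify_recovery(fingerprint(clean), clean))
    print(verify_recovery(fingerprint(clean), clean + b"\x90"))  # remnant left behind
```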

A particular type of false positive, where (part of) an *inactive* virus
is detected, is known as a GHOST POSITIVE. Ghost positives usually
occur in one of four situations (the first two of which are examples of
antivirus programs "upsetting" each other):

1. Ghost positives can be caused when the disinfection routine of an
antivirus program "unhooks" a virus from its target (be it a file or
boot sector) but does so in such a way that part of the virus code is
left intact (though that code will never be executed). Another
antivirus program might see this code and report it as an infection. In
this case the second antivirus program is seeing a "ghost"--part of a
virus that was once there.

2. A scanner may "see" the unencoded scan strings of another scanner, left
in memory after the first has run or held in memory by a resident
scanner, and report these "ghosts" as active viruses (see C6 and C8).

3. As explained elsewhere (see E10), a copy of an infected diskette boot
sector, sitting in the disk buffers, may be detected and reported as an
active virus.

4. Disinfection procedures can result in virus "remnants" being left in
"slack space" (disk space allocated to files but not actually occupied).
As in the case of copies of infected diskette boot sectors being held in
disk buffers, these remnants can be detected and incorrectly reported as
being active. Ghost positives of this nature should disappear after
running disk defragmentation or "optimization" programs with the option
to "clean" slack space. Occasionally running a defragmenter (like
MS-DOS 6's DEFRAG) after a full data backup (see D10) is a good idea
anyway--especially before installing new software. Unfortunately, DOS's
DEFRAG does not have a "clean slack space" option, though some
third-party defragmenters do. There are also utilities that clean
unallocated and slack space, and these should remove ghost positives
caused by "remnants".
