McAfee is not the first to suffer a false positive
Rail at McAfee for this week’s mis-identification of the Windows XP svchost.exe system file as malware, but at least be fair. McAfee is far from the first antivirus vendor to have screwed up in this way.False positives by antivirus software...
False positives by antivirus software are a common issue, and ones involving Windows system files are certainly not unknown, as daft as that might sound.
The best example is probably the 2008 incident when AVG’s antivirus software took against the user32.dll file, a fairly important part of XP. The effect of that was much the same as has been described by users of McAfee, with systems going into a reboot loop requiring, at worst, a system reinstall.
The argument, then as now, was how many people had been affected.
A less serious example of the same false positive phenomenon was last year’s glitch in Computer Associates’ antivirus suite which saw malware in innocent files, including, bizarrely, its own. Earlier in the same year, Microsoft Forefront took against Skype, claiming it was in fact a piece of malware called Vundo.
Further back in time, we come to Symantec’s branding of AOL traffic as suspicious, which allegedly caused the application to close Internet connections.
I could go on back in time, pointing to a small but consistent clutch of such incidents, but let’s not embarrass any more companies.
The notoriety of McAfee’s problem is first and foremost that it is McAfee, one of the two most widely-used antivirus programs out there. It also appears to have affected some business users, a group not known for their forbearance when it comes to unnecessary work on otherwise functioning PCs.
Rather than blame McAfee, perhaps we should be blaming the incredible complexity of the current antivirus software model that relies on signatures - digital fingerprints if you will - as its first line of defence against bad files. This model is failing us, not because it gives false positives, which are pretty rare on the whole, but because it simply doesn’t spot all the malware out there.
Will alternatives such as cloud antivirus be any better? As far as detection goes, in principle they should. But the odd false positive looks inevitable to me unless we adopt a whitelisting approach to apps that would of course be extremely constricting for most PC users.