Antivirus and IDSs are all prone to false positives - AVG, Dragon and Snort

Wednesday, October 15, 2008

Today one of my machines running AVG Antivirus started to flash popups in quick succession, telling me that a few threats had been detected while they were trying to execute. The "threat" was the Zone Alarm firewall starting up during Windows boot.

I knew there should be an update to fix it, so I updated my AVG signatures immediately. The popups stopped and Zone Alarm started, so that machine was protected again. But I didn't like a few things that happened: AVG completely stopped Zone Alarm from running, so during the time the updated AV signatures were being downloaded and installed my machine was unprotected. Ideally the firewall should have priority over the antivirus, but the opposite happened. More importantly, when AVG is not allowing Zone Alarm to start it should cut off the internet, though that is overkill.

More False Positives in IDS's

Writing about antivirus false positives reminds me of IDSs, which are one of the biggest sources of false positives. There is a larger problem with IDS regarding false positives: I have worked on multiple IDS and SIM products and it is all the same, everything is full of false positives. For example, Dragon IDS detects "uname" as a potential attack even when it is running against a Windows machine. In fact, in one instance a user was visiting wayn.com and orkut.com, and just because the developers of these websites used "uname" as the username parameter in the HTML downloaded when a user visits those two sites, Dragon started to flash attack alerts all over the place, when it was just browsing activity.
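The "uname" case above is a classic bare-substring signature problem: the content match has no idea whether "uname" is a form field name or a shell command. The following is an added example, not code from the post or from any IDS vendor, that runs a naive substring rule and a context-aware rule over a handful of constructed request lines (hosts, OS labels and URLs are all made up for the example) and shows how the tuned rule keeps the real command-injection pattern while ignoring the "uname=alice" login parameter. It also demonstrates the second tuning knob the author mentions, target OS: rather than dropping the alert for Windows hosts, which would hide probing, it lowers the priority.

```python
"""Naive vs context-aware matching for a 'uname' IDS signature.

Added example: sample traffic, host names and OS labels below are constructed
for illustration; none of it is real captured data.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed samples: (destination host, destination OS, HTTP request line).
SAMPLE_REQUESTS = [
    ("www.wayn.example", "windows", "GET /login?uname=alice&pass=secret HTTP/1.1"),
    ("www.orkut.example", "linux", "POST /Login.aspx?uname=bob HTTP/1.1"),
    ("intranet.example", "linux", "GET /cgi-bin/test.cgi?cmd=;uname%20-a HTTP/1.1"),
    ("intranet.example", "windows", "GET /cgi-bin/test.cgi?cmd=;uname%20-a HTTP/1.1"),
    ("files.example", "linux", "GET /docs/uname-manual.html HTTP/1.1"),
]

# 'uname' only counts when it stands alone as a command token: preceded by the
# start of the value or a shell separator, optionally followed by flags, and
# then the end of the value or another separator. Shell commands are
# case-sensitive on Unix, so the match is case-sensitive too.
SHELL_UNAME = re.compile(r"(?:^|[;|&`(\s])\s*uname(?:\s+-\w+)*\s*(?:$|[;|&`)\s])")

UNIX_LIKE = {"linux", "unix", "bsd", "solaris"}


def naive_rule(request_line: str) -> bool:
    """The untuned signature: fires on any request containing 'uname'."""
    return "uname" in request_line.lower()


def _param_values(query: str):
    """Yield the decoded *values* of a query string, skipping parameter names.

    Splitting by hand (rather than parse_qsl) keeps ';' inside a value, so
    'cmd=;uname -a' is seen as one value on every Python version.
    """
    for pair in query.split("&"):
        if not pair:
            continue
        _name, _sep, value = pair.partition("=")
        yield unquote_plus(value)


def context_rule(request_line: str) -> bool:
    """Tuned signature: 'uname' must look like a shell command inside a decoded
    parameter value. Parameter names and path words never trigger it."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False  # not a well-formed request line
    query = urlsplit(target).query
    return any(SHELL_UNAME.search(value) for value in _param_values(query))


def evaluate(host: str, target_os: str, request_line: str):
    """Return the priority the tuned rule assigns to a request, or None.

    A Unix command aimed at a Windows box is still probing worth recording,
    so it is downgraded rather than suppressed outright.
    """
    if not context_rule(request_line):
        return None
    return "high" if target_os in UNIX_LIKE else "low"


def compare(samples):
    """Count alerts from each rule over the samples: (naive_hits, tuned_hits)."""
    naive = sum(naive_rule(req) for _host, _os, req in samples)
    tuned = sum(context_rule(req) for _host, _os, req in samples)
    return naive, tuned


if __name__ == "__main__":
    for host, target_os, req in SAMPLE_REQUESTS:
        print(f"{host:20} {target_os:8} naive={naive_rule(req)!s:5} "
              f"tuned={evaluate(host, target_os, req)}  {req}")
    print("alerts (naive, tuned):", compare(SAMPLE_REQUESTS))
```

The naive rule alerts on all five requests; the tuned rule alerts only on the two that carry an actual `;uname -a` in a parameter value, and of those the one aimed at a Windows host comes out at low priority. The same approach generalises to any "command name as substring" signature: match the token in decoded values with shell-separator context, and use asset knowledge to set severity instead of silencing the rule.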

I have worked on multiple IDSs and Dragon is the one IDS I never want to work with again; there is so much tweaking to be done to suppress false positives. Enterasys Dragon needs to improve a lot. Until then you can try open-source Snort, or better still Sourcefire, which has the cool RNA and Defense Center.

Cheers,

2 comments:

Ravi said...

I am having the same problem, AVG is blocking my Checkpoint Zone firewall from running. What to do?

Ani said...

Ravi,

You should immediately update your AVG installation as they have issued an update for the mistake.

Once the AV signature is updated, AVG will stop flagging the Zone Alarm firewall as a threat.

Anish
