9 November 2007 01:24 GMT
What NOT to detect
As someone who runs anti-virus software, you have certain expectations of it. One such expectation would be that it try to detect malware wherever possible. Until recently, I had not come across one interesting exception to this seemingly logical rule. That changed, however, when I encountered other anti-virus vendors’ quarantine files.
Anti-virus products often quarantine suspicious files to prevent them from being run by users: the file is moved out of its original location and altered (for example, wrapped in a vendor-specific container) so that it can no longer execute, but can still be restored or submitted for analysis. These quarantined files pose a bit of a problem. Detecting malware within the quarantine is feasible, but it can cause trouble when a user has more than one vendor’s anti-malware product installed, because one product then alerts on, or tries to remove, files that another product has already neutralized.
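To make the situation concrete, here is a small added example (not Sophos code, and not any real product’s quarantine format) that models both halves of the problem: a hypothetical quarantine container that neutralizes a file by prefixing a magic header and XOR-obfuscating the payload, and a signature scanner that has to decide what to do when it meets such a container. The signature used is the EICAR test string, the industry-standard harmless detection target; the `QRNT` magic, the fixed XOR key and the file layout are assumptions made up for the illustration.

```python
"""Toy quarantine container plus a signature scanner (constructed example).

Hypothetical container layout, not a real vendor format:
    b"QRNT" | 2-byte big-endian name length | original name | XOR-obfuscated payload
The obfuscation is what "modifies the file so it cannot execute": the bytes
on disk are no longer the original program and no longer match any signature.
"""
import struct
from typing import List, Optional, Tuple

MAGIC = b"QRNT"   # assumed container magic
XOR_KEY = 0xAA    # assumed fixed key; a real product would use a per-install key

# EICAR test string: harmless, and detected by every mainstream scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}


def quarantine(name: bytes, payload: bytes) -> bytes:
    """Wrap a suspicious file in the hypothetical container format."""
    obfuscated = bytes(b ^ XOR_KEY for b in payload)
    return MAGIC + struct.pack(">H", len(name)) + name + obfuscated


def is_quarantine_container(data: bytes) -> bool:
    """A well-formed container starts with the magic and a name-length field."""
    return data.startswith(MAGIC) and len(data) >= len(MAGIC) + 2


def unpack_quarantine(data: bytes) -> Tuple[bytes, bytes]:
    """Inverse of quarantine(): recover the original name and payload."""
    if not is_quarantine_container(data):
        raise ValueError("not a quarantine container")
    (name_len,) = struct.unpack(">H", data[4:6])
    name = data[6:6 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated container")
    payload = bytes(b ^ XOR_KEY for b in data[6 + name_len:])
    return name, payload


def match_signatures(data: bytes) -> List[str]:
    """Plain substring signatures, enough to show the policy question."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan(data: bytes, look_inside_quarantine: bool = False) -> Tuple[str, Optional[List[str]]]:
    """Return a (verdict, matches) pair for one file image.

    With look_inside_quarantine=False (the policy argued for in the post) a
    recognised container is skipped outright. With True the scanner unpacks
    it and reports what it finds, but with a verdict that says the file is
    already neutralised, rather than treating it as a live infection.
    """
    if is_quarantine_container(data):
        if not look_inside_quarantine:
            return ("skipped-quarantine", None)
        _, payload = unpack_quarantine(data)
        hits = match_signatures(payload)
        return ("quarantined-malware", hits) if hits else ("quarantined-clean", [])
    hits = match_signatures(data)
    return ("infected", hits) if hits else ("clean", [])


if __name__ == "__main__":
    container = quarantine(b"eicar.com", EICAR)
    print("raw file:      ", scan(EICAR))
    print("container:     ", scan(container))
    print("look inside:   ", scan(container, look_inside_quarantine=True))
```

Note that the obfuscated container does not match the signature at all when scanned as an opaque blob; a scanner that does not recognise the container format would simply report it clean. The policy question in the post only arises once the scanner knows the format well enough to unpack it, which is exactly the point at which it can also choose to stay out.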
To further complicate matters, it seems that many other vendors do attempt to detect malware in each other’s quarantines, so if we do not detect these files, we are the odd one out. The same issue can arise in comparative testing of products. In such cases, is a failure to detect considered a false negative, or is a detection considered a false positive? Contact me via sophosblog@sophos.com if you’d like to share your opinion on the matter.
My personal feelings are that detection should be avoided if a vendor has clearly quarantined a file and modified it in a way that prevents its execution. Doing otherwise feels a lot like running into a hospital and alerting everyone that there are sick people about.
mjc, SophosLabs Canada
