Re: READ THIS BEFORE POSTING - answers to frequently asked questions

From: Alun Jones (alun_at_texis.com)
Date: 05/01/03


Date: Thu, 01 May 2003 19:13:13 GMT


In article <3eb741d5.611384824@news.easynews.com>,
jcochran.nospam@naplesgov.com (Jeff Cochran) wrote:
>On Thu, 1 May 2003 09:34:28 +0100, "Kerry" <kliteuser@home.com> wrote:
>>"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
>>news:e6iInb4DDHA.1616@TK2MSFTNGP11.phx.gbl...
>>> http://securityadmin.info/faq.htm
>>>
>>When I click that link my Norton Personal Firewall icon starts flashing with
>>a security alert about a nimda_propagation and blocks the page, strange
>>behaviour from something called securityadmin.
>
>Actually, strange behavior from a product that's supposed to be a
>firewall... :)
>
>It's a classic Norton false positive. Really.

To put it in really simple language, if the page has text on it that says
something along the lines of "all infected machines will have a page with
'Drogna Rangdo' on it", then a scanner that looks for that as a sign of
infection will declare the page to be infected.

It's an occasional problem with anything that uses inactive signatures,
rather than active monitoring of activity, to determine what's virus / worm,
and what's not. A half-dozen years ago, I had a similar problem with a
"Trojan scanner" claiming that my software was a Trojan, because it
contained the same sequence of bytes as a worm - this wasn't as professional
an outfit as Norton, mind you, so when I complained to them and asked them
to let their customers know, they didn't bother replying, just released a
new version.

So, now, I take it upon myself to remind people every now and again that
security tools will generally return false positives, and let through false
negatives. Relying on a tool alone is no good security. It is aided by the
agile thought of a human mind to perceive an unusual pattern that hasn't
been anticipated by the programmer of the tool.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@texis.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
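
Added example, not part of the original post: a minimal static-signature scanner run over three constructed pages, showing the false positive described above (a page that merely quotes the marker) and a false negative (a page whose text differs slightly from the signature). The marker string is the post's own hypothetical; the signature name, sample pages and function names are assumptions made for the illustration.

```python
# Added illustration; signature name, samples and helpers are constructed.
from dataclasses import dataclass

# Hypothetical static signature: bytes "known" to appear on infected pages.
SIGNATURES = {"example_worm_marker": b"Drogna Rangdo"}

@dataclass
class Hit:
    signature: str
    offset: int
    context: str  # bytes around the match, for a human reviewer to judge

def scan(data: bytes, window: int = 30) -> list[Hit]:
    """Report every signature occurrence together with its surrounding bytes."""
    hits = []
    for name, pattern in SIGNATURES.items():
        start = data.find(pattern)
        while start != -1:
            lo = max(0, start - window)
            hi = min(len(data), start + len(pattern) + window)
            hits.append(Hit(name, start, data[lo:hi].decode("latin-1")))
            start = data.find(pattern, start + 1)
    return hits

# Constructed samples: a page carrying the marker, a page that only describes
# the marker, and a page whose marker text is not byte-identical.
DEFACED = b"<html><body><h1>Drogna Rangdo</h1></body></html>"
ADVISORY = (b"<p>All infected machines will have a page with "
            b"'Drogna Rangdo' on it.</p>")
VARIANT = b"<html><body><h1>Drogna  Rangdo!</h1></body></html>"

def verdicts() -> dict[str, bool]:
    """True means the scanner would raise an alert for that sample."""
    samples = {"defaced": DEFACED, "advisory": ADVISORY, "variant": VARIANT}
    return {label: bool(scan(data)) for label, data in samples.items()}

if __name__ == "__main__":
    for label, flagged in verdicts().items():
        print(f"{label:9} flagged={flagged}")
    # The context is what lets a person see the advisory hit is only a quotation.
    for hit in scan(ADVISORY):
        print(f"review: {hit.signature} @ {hit.offset}: {hit.context!r}")
```

The scanner alerts on the advisory exactly as it does on the defaced page, and stays silent on the variant; only the printed context distinguishes a quotation from the real thing.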

