Symantec triggers on World of Warcraft update

Published: 2010-05-16
Last Updated: 2010-05-17 03:41:37 UTC
by Rick Wanner (Version: 1)
10 comment(s)

We have had a couple of reports over the last 24 hour of users experiencing issues with Symantec anti-virus products triggering on scan.dll.new which is a component of World of Warcraft.

Judging by the traffic on this topic in the WoW forums it would appear these are not isolated reports.

The detailed version of the alert is:

Severity = High
Activity = Auto-Protect has detected Infostealer
Date & Time = 15/05/2010 (various times from 9:00 to now)
Status = Blocked
Recomended Action = Resolved no action

Risk Catagory = Virus
Definitions Version 2010.05.14.048
Severity = High
Component = Auto-Protect
Status = Blocked
File Name = c:userspublicworld of warcraftscan.dll.new

What I find interesting in this case is not that we have another anti-virus false positive, but that Symantec is listing scan.dll.new  as an InfoStealer and that it appears this false positive has happened on past World of Warcraft patches/updates that created a file called scan.dll.new. What exactly are they triggering on?  Is this an old signature from a previous issue? 

I have been interested for a while in the accuracy of Anti-Virus products in the modern computing world.  The Anti-Virus paradigm we have used since the 80's  is seriously flawed, and in my opinion is slowly unraveling. The rash of false positives in recent months is just one symptom of that.

I have been watching with great interest the attempts to develop a new paradigm that fits better in the modern computing reality.  Most of these are attempts at more heuristic or behavior based products that rely less on signatures. It seems to me that since these attempts require a little more "fuzzy" approach to anti-virus won't these sorts of false positives likely become more common, not less?

Are we getting to the point where software providers are going to have to start testing their updates against common anti-virus products before release?

As usual I am interested in your opinions.  You can submit them either via our comment mechanism at the bottom of this diary, or via our contact page.

 

-- Rick Wanner - rwanner at isc dot sans dot org

 

P.S.  If any anti-virus companies have any documentation on futuristic anti-malware research directions that they can let me read I would be fascinated to have it.

10 comment(s)

Comments

One thing I am massively annoyed by is antiVIRUS vendors that insist on purposely flagging NON-harmful files as harmful. Such flaggings range from sometimes-shady cracks and keygens, to legitimately useful utilities like CMDow.

Yes, sometimes such things can be used in hacking/virus toolkits, or ortherwise come with malware payloads added by a third party... but that is not how or why such files are getting flagged; in their original and -verifiably non-harmful state, these files are still marked as threats by a disturbingly high percentage of vendors, with such dodgy labels as "hacktool" or "suspicious" or even that the executables are "packed" (compressed, a common practice).

It is obvious that such files are detected via hashes and not any detected signature, all the while it is easy to detect that these files will not do ANY harm to a system without added code or payloads. I do not understand why this practice persists, or why customers put up with it. False positives do not help anyone, whatsoever.

At one point when looking for an anti-virus solution, I contacted Eset, maker of NOD32. I asked how their engine would handle a legitimate/working crack or keygen for their products, files which were ENTIRELY not a threat to a system. They openly admitted that their engine would claim such files to be a threat, and gave some limp reason about how running cracked versions of software is unsafe.

We don't pay Antivirus vendors to be ethics police, and false positives, ESPECIALLY ones that are done on purpose such as I have noted above, harm the vendors' credibilities all around.
Personally, I would take the extra time (12-24 hours?) to add scanning my new release of software to see if it triggers any of the major AV software as a false positive. I would much rather spend that extra time in development than have my customers inconvenienced, even if the problem is caused by another piece of software...

now as for the comment from Vision. Really?! if you're pirating software please just don't complain ok? thanks.
It is a continual source of amazement to me that the various legitimate security products do not detect the dubious and even fake antivirus/security products out there. Nor does the government seem to be doing anything about them either other than a useless information message from the FBI late last year.

And if "Vision" is correct that they do detect some illegally hacked software one must wonder why they detect that but not the fake AV software that is much more of a danger? I would certainly be interested in not losing loyal customers to products of dubious worth.
Personally, I'm happy to have the AV products detecting the greyware... I don't want it on my network, since it comes from dubious sources, has very little legitimate purpose, and may even open up my company to legal action. Every AV product I've ever worked with has the ability to exclude items-exclude it if you want to have it. Since I work in security, I have a lot of programs on my computer that AV would normally kill.

FakeAV: I really wish someone would do something about this, and it isn't the AV companies... they are doing a fairly good job (if you have a HIPS component of your AV product!) The bad guys are turning out different versions daily at least of these things. The place to hit it is at the source, or as close to the source as possible.
Vision,
Running cracked versions of software IS unsafe. Many software developers / publishers will not update their software if it's been cracked. And what is the primary reason for a majority of software updates....anyone....that's right Vision...vulnerabilities.
So I wouldn't call that a limp excuse, I consider it a completely legitimate reason.
That being said, I do agree it's annoying when SAV or SEP flags AngryIP as a hacktool...but I do like knowing when users on my network decide to download an IP scanner.
So I'll live with it.

But as info sec professionals we should never advocate for software piracy.
Vision,
Running cracked versions of software IS unsafe. Many software developers / publishers will not update their software if it's been cracked. And what is the primary reason for a majority of software updates....anyone....that's right Vision...vulnerabilities.
So I wouldn't call that a limp excuse, I consider it a completely legitimate reason.
That being said, I do agree it's annoying when SAV or SEP flags AngryIP as a hacktool...but I do like knowing when users on my network decide to download an IP scanner.
So I'll live with it.

But as info sec professionals we should never advocate for software piracy.
I think the issue is whether or not the anti-virus companies SHOULD be in the business of policing ethics.

Particularly since they seem to have done such a bad job of it with the Sony rootkit fiasco.
Most AV software (enterprise) contains a "PUP" grouping of detections and/or options. Usually these hacktool/ip scanners/etc show up in these detections which is everything any admin can ask for.

I'd love to say this is not, and should not be, an ethics battle but the "Sony rootkit" issue really bothers me. Common sense says, don't butt heads with Sony Legal, but ethical sense says (to me at least) that the Sony DRM crud really ranks worse than an IP scanner in my opinion.

As to the main story though, AV vendors SHOULD be testing their systems against common configurations. McAfee got a lot of egg on their face for not testing their DAT against a very common, and standard, XP SP3 configuration and you'd think other vendors would take note. I know it is not apples-to-apples, as WoW is a lot less common than Windows XP, but it really wouldn't take much effort for someone that size to build a testing sandbox that will run their updates (at LEAST definitions and detections) and check for snags.

Apparently, gone are the days to where a vendor tests anything in the common real-world situations...And also many other internal IT departments (whoops)!
Medication time...

What other options are there to signature or behavior based scanning? I'm hearing plenty of the "cloud" AV "model" but that really isn't something new... In the end it's sending a potential threat to an AV analyzer (automated analysis or human), churning out a signature and sending the signature through Q&A. Once through Q&A it gets posted, downloaded and sent to the end point. The AV engine gets the updated sig (in a day or so [supposedly] after Q&A is complete) and does it's signature based scan. Granted, the speed of the submission is increased, but it's still the same analysis/deployment process. If the process is further automated, there's also a potential for mass exploitation of that system.

Signature based scanning is done because it's quick. Behavior based (heuristics) is done to catch the rest. What else is there...

...Perhaps have a tcpdump type window open to show all traffic, but would the general population really be able to make a determination of what is going on?

Some AV vendors do have a service that you can submit a copy of your build and they will run their sigs against your build. It might be difficult keeping that build current though.

I agree that I prefer to have the option to detect the gray apps and make a determination on those. If you're the admin, perhaps consider an excluded folder and put your tools in there.

I'd like the blue pill please.
I had this happen to my system on the 16th, and immediately started reading around as to what it was and if it was legitimate from wow, or if something had happened to my system. After asking around to some guildies online and googling it was a "Legitimate" file from / for WoW, to collect processor usage, and other system information.

I actually am glad Symantec caught this, because it is a info stealer. And it is not necessary to use and play WoW.

I would rather have a "Opt in" approach to giving these kind of metrics and running such a file for legitimate reasons. More so just knowing its there and what it can do then let me decide to keep it or remove it.

Intent is the only difference between Legitimate and illegitimate, and the scanner.dll doesn't know the difference.

Diary Archives