AV firms caught copying each others' work

Harmless files found flagged up as malware in various anti-virus products due to lack of verification.

Sources claim AV firms were asleep at the wheel
Sources claim AV firms were asleep at the wheel

Anti-virus firms were caught flagging up harmless files as malware without checking them first. 

The news comes after anti-virus firm Kaspersky was alleged to have mislabelled sample files in a bid to derail rivals' anti-virus efforts, a claim Kaspersky strenuously denies.

According to a report by Krebs On Security, Dr.Web CEO Boris Sharov said that his firm sent out modified but harmless files to anti-virus testing labs as an experiment.

“We went to the [antivirus] testing laboratories and said, ‘We are sending you clean files, but a little bit modified. Could you please check what your system says about that?'” he told the publication.

Within days, half of Dr. Web's rivals' antivirus products were detecting these modified yet harmless files as malware. Sharov said that he reiterated that the files were completely harmless although modified, but the problem continued. He added that the experiment highlighted that a lot of anti-virus firms were simply copying others' work without testing the files themselves.

The incident took place around three years ago but has only recently come to light. In 2010, Kaspersky highlighted a similar experiment where anti-virus firms had been caught by a clean file falsely detected as malware as part of an investigation by a German computer magazine. Recent claims by an anonymous source said the Kaspersky had been alleged to have faked malware in a bid to harm rivals. Eugene Kaspersky was moved to post a blog denying the story.

Sharov said that firms that carried out their own analysis of files would not be caught out like this.

“Some products prefer just to look at what others are doing, and they are quite successful in the market, much more successful than we are,” he said, adding that he was upset by this but such activity would harm consumers.

David Flower, managing director EMEA for Bit9 + Carbon Black, told SCMagazineUK.com that it is hard to say whether or not it is right for security firms to call out rivals who are not doing their job properly.

“While on the one hand, it is important that organisations are informed about potential gaps in their security and have information to hand. On the other, no defence system is bullet proof. This is why taking a layered approach is so vital,” he said.

Flower added that it would be a real shame if the incident led to less cooperation between companies.

“Information sharing is becoming an increasingly important part of security – the more data and information we have, the stronger the defences we can build. More open APIs and specific integrations enable you to use your endpoint data any way you want – integrate and correlate it with network security products, analytics and SIEMs, and even your own home-grown tools. This requires integration, cooperation and a degree of trust between key players in the market, which makes competition bashing a bit counter-productive to the mood in the industry at present,” he said.

Gavin Reid, vice president of threat intelligence at Lancope, told SC that the incident “could easily lead to groups of vendors sharing in a closed circles”.

“This could impact end users that use free services that depend a lot on external samples,” he said.

Reid said that this could add to the myths around anti-virus companies and shady business practices.

“The first well known, but less proven, myth was that vendors would release viruses that only their company could detect. This will add credence to the rumblings that some vendors don't want to fix the problem but instead only continue to profit,” he said.

Szilard Stange, director at OPSWAT, told SC that as thousands of new malware samples are created every day, to properly process this amount of samples, complex automated processing systems and huge amounts of human resources are needed.

“It was hard to follow the amount of new malware for smaller AV companies even ten years ago. These smaller AV companies sometimes are trusting more on third-party results than they should, which could lead to situations like this. It is not a new thing. This has happened several times in the AV industry, but it's hard to measure and test issues like this. There is no single reference collection that contains almost all but double-checked malware samples only. Creating such a collection is not realistic so we should trust independent test organisations or we can get second opinion from systems using many anti-malware engines to mitigate missing detections and false positives,” he said.

We approached Kaspersky for comment on this article but none has been forthcoming at the time of publication.