Monday, October 20, 2008

Antivirus and IDSs are all prone to false positives - AVG, Dragon and Snort

Today one of my machines with AVG Antivirus started to flash popups
in quick succession, telling me that a few threats had been detected
while they were trying to execute. It was the Zone Alarm firewall
starting up during the Windows boot.

I knew there should be an update to fix it, so I updated my AVG
signatures immediately; the popups stopped and Zone Alarm started, so
that machine was protected again. But I didn't like a few of the things
that happened. AVG completely stopped ZoneAlarm from running, so during
the time the updated AV signatures were being downloaded and installed
my machine was unprotected. Ideally the firewall should have priority
over the antivirus, but the other way round is what happened. And, very
importantly, when AVG is not allowing ZoneAlarm to start it should stop
the internet, but that's an overkill.

More False Positives in IDS's

Thinking about antivirus false positives reminds me of IDSs, which are
one of the biggest sources of false positives. There is a larger problem
with IDSs regarding false positives: I have worked on multiple IDS and
SIM products and it is all the same, everything is full of false
positives. For example, Dragon IDS detects "uname" as a potential attack
even when it is run against a Windows machine. In fact, in one instance
a user was visiting and and, just because the developers of these
websites used "uname" as the username parameter in the HTML that was
downloaded when a user visits these two websites, Dragon started to
flash attacks all over the place, though it was just browsing activity.
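The false positive described above comes down to a bare substring rule. The following is an added example, not code from the original post or from any Dragon signature: it contrasts a naive "uname" match with a rule that only fires when the token sits in a shell-command position and the target is not a Windows host, run over constructed sample payloads (a login form whose username field is called "uname", the matching POST body, and a command-injection attempt).

```python
import re
from urllib.parse import unquote

# Constructed sample HTTP payloads (not from the original post). The first two
# mimic the benign login form the post describes, which names its username
# field "uname"; the third is the kind of command injection a "uname" rule is
# meant to catch.
SAMPLES = {
    "login_form": '<form method="post"><input type="text" name="uname">'
                  '<input type="password" name="pass"></form>',
    "login_post": "uname=alice&pass=secret",
    "cmd_injection": "/cgi-bin/test.cgi?file=foo.txt;uname%20-a",
}

# Naive rule: a bare substring match, roughly how the signature in the post behaved.
def naive_match(payload: str) -> bool:
    return "uname" in payload.lower()

# "uname" only counts when it sits where a shell would read it as a command:
# at the start of the (URL-decoded) data or right after a command separator,
# and followed by whitespace, the end of the data or another separator.
CMD_CONTEXT = re.compile(r"(?:^|[;|&`\s])\s*uname(?=\s|$|[;|&`])", re.IGNORECASE)

def contextual_match(payload: str, target_os: str = "unknown") -> bool:
    # uname is not a Windows command, so a hit against a Windows host is noise
    # regardless of content; real deployments key this off asset inventory.
    if target_os.lower() == "windows":
        return False
    decoded = unquote(payload)  # catch uname%20-a as well as "uname -a"
    return CMD_CONTEXT.search(decoded) is not None

def evaluate(samples=SAMPLES, target_os: str = "unknown") -> dict:
    """Return, per sample, which rules fire so the two can be compared."""
    return {
        name: {"naive": naive_match(p), "contextual": contextual_match(p, target_os)}
        for name, p in samples.items()
    }

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:14s} naive={hits['naive']!s:5s} contextual={hits['contextual']}")
```

The naive rule fires on all three samples, while the contextual rule fires only on the injection attempt and stays quiet for the login page traffic.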

I have worked on multiple IDSs, and Dragon is one IDS I never want to
work with; there is so much tweaking to be done to suppress false
positives. Enterasys Dragon needs to improve a lot. Maybe until then you
can try open-source Snort, or better still Sourcefire, which has the cool
RNA and Defense Center.


