Monday, October 20, 2008

Antivirus and IDSs are all prone to False Positives - AVG, Dragon and Snort

Today one of my machines with AVG Antivirus started to flash popups in quick succession, telling me that a few threats had been detected while they were trying to execute. It was the Zone Alarm firewall starting up during Windows boot.

I knew there should be an update to fix it, so I updated my AVG signatures immediately; the popups stopped and Zone Alarm started, so that machine was protected again. But I didn't like a few things that happened: AVG completely stopped Zone Alarm from running, so during the time the updated AV signatures were being downloaded and installed my machine was unprotected. Ideally the firewall should have priority over the antivirus, but the other way round is what is happening. And very importantly, when AVG is not allowing Zone Alarm to start it should stop internet access, but that's overkill.

More False Positives in IDSs

Writing about antivirus false positives reminds me of IDSs, which are one of the biggest sources of false positives. There is a larger problem with IDS regarding false positives: I have worked on multiple IDS and SIM products and it is all the same, everything is full of false positives. For example, Dragon IDS detects "uname" as a potential attack even when it is running against a Windows machine. In fact, at one instance one of the users was visiting wayn.com and orkut.com, and just because the developers of these websites used "uname" as the username parameter in the HTML that was downloaded when a user visited these two websites, Dragon started to flash attacks all over the place, but it was just browsing activity.
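To make the tuning problem concrete, here is a small added example of my own (constructed for this post; it is not Dragon's, Snort's or Sourcefire's rule logic): a naive "match the string uname anywhere" signature beside a tuned one that URL-decodes first, only looks at client-to-server requests, requires shell-command context around "uname", and consults a hypothetical asset table to downgrade hits against Windows hosts. The addresses, asset table and traffic samples are all made up.

```python
"""Toy illustration of tuning a string-match IDS signature to cut false positives.

Constructed example, not any vendor's actual rule logic. The asset table,
host addresses and traffic samples are made up for the demonstration.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Hypothetical asset inventory: destination address -> operating system.
ASSET_OS = {
    "10.0.0.5": "windows",
    "10.0.0.7": "linux",
}


@dataclass
class Event:
    dst_ip: str       # server the traffic is going to (or coming from)
    direction: str    # "request" (client -> server) or "response" (server -> client)
    payload: str      # HTTP payload as seen on the wire (may be URL-encoded)


# Constructed traffic samples. Every one of them contains the string "uname".
SAMPLE_EVENTS = [
    # 1. Login form posted to a Linux web server: "uname" is just the username field.
    Event("10.0.0.7", "request",
          "POST /login HTTP/1.1\r\nHost: site.test\r\n\r\nuname=alice&pass=secret"),
    # 2. HTML page downloaded while browsing (the wayn.com / orkut.com situation).
    Event("10.0.0.5", "response",
          '<form action="/login"><input type="text" name="uname"></form>'),
    # 3. Command injection attempt against the Linux server.
    Event("10.0.0.7", "request",
          "GET /cgi-bin/ping?host=127.0.0.1%3Buname%20-a HTTP/1.1"),
    # 4. The same attempt aimed at a Windows server, where "uname" does not exist.
    Event("10.0.0.5", "request",
          "GET /cgi-bin/ping?host=127.0.0.1%3Buname%20-a HTTP/1.1"),
    # 5. JavaScript served to the browser that uses "uname" as a variable name.
    Event("10.0.0.7", "response",
          'var uname = document.getElementById("uname").value;'),
]

# Naive signature: fire whenever the bytes "uname" appear anywhere in the payload.
NAIVE_RE = re.compile(r"uname", re.IGNORECASE)

# Tuned signature: "uname" must sit where a shell would execute it, i.e. right after
# a command separator (; | && ` $( ) and be followed by whitespace, an argument or
# the end of the token. "uname=alice" and name="uname" never match this.
COMMAND_CONTEXT_RE = re.compile(
    r"(?:[;|`]|&&|\$\()\s*uname(?=\s|$|[;|&`)])",
    re.IGNORECASE,
)


def naive_rule(ev: Event) -> bool:
    return NAIVE_RE.search(ev.payload) is not None


def tuned_rule(ev: Event) -> str:
    """Return a verdict instead of a bare boolean so tuning decisions stay visible.

    Verdicts: "no-match", "response", "parameter-name", "low", "high".
    """
    text = unquote(ev.payload)           # normalise %3B, %20 ... before matching
    if NAIVE_RE.search(text) is None:
        return "no-match"
    if ev.direction == "response":
        # A command has to travel towards the server to be executed there;
        # "uname" in a page sent to the browser is content, not an attack.
        return "response"
    if COMMAND_CONTEXT_RE.search(text) is None:
        # The only occurrences are field names like uname=... or name="uname".
        return "parameter-name"
    if ASSET_OS.get(ev.dst_ip) == "windows":
        # uname is a Unix command; keep the alert on record but do not page anyone.
        return "low"
    return "high"


def compare(events=SAMPLE_EVENTS):
    """Run both rules over the samples; returns (naive_hit_count, tuned_verdicts)."""
    naive_hits = sum(1 for ev in events if naive_rule(ev))
    tuned = [tuned_rule(ev) for ev in events]
    return naive_hits, tuned


if __name__ == "__main__":
    hits, verdicts = compare()
    print(f"naive rule alerted on {hits} of {len(SAMPLE_EVENTS)} events")
    for ev, v in zip(SAMPLE_EVENTS, verdicts):
        print(f"{ev.direction:8} -> {ev.dst_ip:9} {v}")
```

The naive rule alerts on all five samples, exactly the "attacks all over the place" behaviour described above; the tuned rule raises one high-severity alert (the injection attempt against the Linux host), one low-severity one (the same attempt against the Windows host, kept for the record rather than dropped), and ignores the login form and the two pages served to the browser. Decoding the payload before matching matters too, since an attacker-controlled `%3B` would otherwise slip past the separator check.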

I have worked on multiple IDSs, and Dragon is one IDS which I never want to work with: there is so much tweaking to be done to suppress false positives. Enterasys Dragon needs to improve a lot. Maybe until then you can try open-source Snort, or better still Sourcefire, which has the cool RNA and Defense Center.

-Abhiz


2 comments:

Anonymous said...

Pretty interesting blog you've got here. Thanx for it. I like such themes and everything connected to them. I definitely want to read more soon.

Anonymous said...

My friend and I were recently discussing technology, and how integrated it has become in our daily lives. Reading this post makes me think back to that discussion we had, and just how inseparable from electronics we have all become.


I don't mean this in a bad way, of course! Ethical concerns aside... I just hope that as the price of memory falls, the possibility of downloading our memories onto a digital medium becomes a true reality. It's a fantasy that I daydream about every once in a while.


(Posted on Nintendo DS running [url=http://kwstar88.zoomshare.com/2.shtml]R4 SDHC[/url] DS FFOpera)