Heuristic detection. The ability to detect unknown viruses. Notable pursuits on the part of any antivirus vendor. Now taken to new lows by McAfee VirusScan. Rather than attempting to detect viruses based on behavior, a valid signature string, or even file type, McAfee has resorted to calling anything a virus that contains certain text, including emails, legitimate virus warnings, even websites like this that merely describe a particular virus.
For example, if I were to include the words VBSWG and homepage.HTML.vbs in the same article (there, I just did), certain versions of McAfee would trigger on it as being viral. Reputable antivirus vendor Sophos was just the latest to get slandered by this method of detection. Sophos promptly issued a press release, alerting users to the false positive being generated, providing useful information on the cause and providing a link for users to update the offending McAfee .DAT file. In short, doing McAfee's PR work for them. When interviewed by The Register, Jack Clark, European Product Manager for McAfee, defended McAfee's brute force method, asserting that "Sophos is only criticising the technology because they don't have it themselves."
Sort of the grown up version of "you're just jealous!" (foot stomp)
In fact, it's not just Sophos who has to deal with McAfee's false accusations. It stems back at least as far as DAT file 4123, when McAfee tripped over text details of the Anna Kournikova worm, alerting on newsletters, media articles, and the like. At least then, there was a support article on their site detailing the problem and recommending an update of the .DAT files. That article can no longer be found on their support site, and nothing about this latest faux pas appears either. Judging by Clark's response, it appears McAfee has decided not to consider this a false positive, but rather a feature (which other antivirus vendors should covet - NOT!).
Thankfully, affected users can look to Sophos for helpful information. Complete details, including affected .DAT files and links for updating can be found on the Sophos website at http://www.sophos.com/virusinfo/articles/homepage.html. Thanks, Sophos!
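To make the false-positive mechanism described at the top of this article concrete, here is an added example (not McAfee's code, and not from Sophos or the original article) comparing a rule that fires on the two strings alone with one that also checks file type and script structure. The structural markers, function names and sample files are assumptions constructed for illustration.

```python
import re

# The two strings named in the article. Matching on them is a simplified model
# of the behaviour described, not McAfee's actual signature.
KEYWORDS = (b"vbswg", b"homepage.html.vbs")

# Assumed structural markers: VBScript statements that appear in runnable
# script, not in prose that merely mentions the worm.
SCRIPT_MARKERS = [
    re.compile(rb"(?im)^\s*on\s+error\s+resume\s+next\b"),
    re.compile(rb'(?i)\bcreateobject\s*\(\s*"'),
    re.compile(rb"(?im)^\s*(?:set|dim)\s+\w+"),
]

def naive_text_match(data: bytes) -> bool:
    """Flag any content that mentions both strings, whatever it is."""
    low = data.lower()
    return all(k in low for k in KEYWORDS)

def context_aware_match(name: str, data: bytes) -> bool:
    """Require the strings plus evidence that the file is executable script."""
    if not naive_text_match(data):
        return False
    is_script = name.lower().endswith((".vbs", ".vbe"))
    hits = sum(1 for m in SCRIPT_MARKERS if m.search(data))
    return is_script and hits >= 2

# Constructed samples: two text documents and one inert script stub.
SAMPLES = {
    "advisory.txt": b"Advisory: a VBSWG-generated worm arrives as homepage.HTML.vbs.\n"
                    b"Update your .DAT files.\n",
    "newsletter.eml": b"Subject: weekly news\n\nNothing about worms this week.\n",
    "stub.vbs": b"On Error Resume Next\nDim fso\n"
                b'Set fso = CreateObject("Scripting.FileSystemObject")\n'
                b"' VBSWG homepage.HTML.vbs (marker strings only, no payload)\n",
}

def scan_all(samples=SAMPLES):
    """Return {name: (naive_verdict, context_aware_verdict)}."""
    return {n: (naive_text_match(d), context_aware_match(n, d))
            for n, d in samples.items()}

if __name__ == "__main__":
    for name, verdicts in scan_all().items():
        print(f"{name:15} naive={verdicts[0]!s:5} context={verdicts[1]}")
```

The text-only rule flags the advisory exactly as it flags the script stub, which is the behaviour that caught newsletters and vendor write-ups; the second rule separates the two.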