W32.Nimda.enc(dr)
Maybe. Maybe Not.
InstallShield, the company whose installer standardized software setup on hundreds of millions of Windows® PCs, became the most recent victim of a Norton AntiVirus false positive. Norton virus definition files released on 11/09/2001 and 11/11/2001 mistakenly identified the InstallShield Professional 6.31 script engine (ikernel.exe) as infected with the Nimda virus. Since InstallShield is the installation software used by the majority of software vendors worldwide, one can only imagine the support burden this created for those companies: any program using that version of InstallShield for its setup routine was flagged by Norton AntiVirus as carrying Nimda.

When Norton "detects" the non-existent Nimda infection in iKernel.exe, it first attempts to repair the file. That attempt necessarily fails (there is nothing to repair), and Norton then offers to quarantine or delete the file. Either way the result is a setup program that no longer runs. Symantec does publish instructions for restoring quarantined files, but restoring the quarantined copy only helps where iKernel.exe exists as a separate file on disk. For self-installing programs, where the engine is unpacked from inside the setup package at run time, the flagged file was never part of the original distribution, and the program itself has to be obtained again.

Symantec released new definition files on 11/12/01 that stop reporting W32.Nimda.enc(dr) in iKernel.ex_ and iKernel.exe.

The problem of false positives is not unique to Norton. In May 2001, the antivirus vendor Sophos was itself the victim of a false positive raised by McAfee VirusScan. The detection triggered on nothing more than the name of a virus, in plain text, inside an alert Sophos had sent to its customers. Jack Clark, European Product Manager for McAfee, defended McAfee's false alert, asserting that "Sophos is only criticising the technology because they don't have it themselves." Apparently McAfee also decided that particular technology was best abandoned, as it quickly released a definition update that no longer triggered on plain text.
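To make the plain-text problem concrete, here is an added example (not code from the article, nor from Symantec, McAfee, Sophos or InstallShield) contrasting a signature keyed on a virus name with one that requires the pattern to sit inside a real PE executable. All sample "files" are constructed byte strings: the MZ/PE header is a minimal stub, the code pattern is a placeholder and not a real Nimda signature, and the hash allowlist stands in for the vendor-verified digests an AV vendor would use to exempt a known-good file such as a legitimate ikernel.exe.

```python
"""Name-in-text signature vs. PE-anchored signature (added example).

Every byte string below is constructed for this example. The PE stub is
not a runnable executable and CODE_SIGNATURE is a placeholder pattern.
"""
import hashlib
import struct
from typing import Set

# Signature keyed on the virus *name*: fires on any file that mentions it,
# which is the failure mode described for the May 2001 McAfee alert.
NAME_SIGNATURE = b"W32/Nimda"

# Placeholder code-level pattern (call $+5 / pop ebp prologue plus a marker).
# Constructed for this example; not derived from any real malware.
CODE_SIGNATURE = b"\xe8\x00\x00\x00\x00\x5d\x81\xed" + b"<EXAMPLE-MARKER>"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file image, used for the allowlist."""
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def naive_scan(data: bytes) -> bool:
    """Fires on the name anywhere, in any file type: the false-positive path."""
    return NAME_SIGNATURE in data


def code_scan(data: bytes) -> bool:
    """Fires only when the code pattern appears after the PE header of a PE image."""
    if not is_pe(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return CODE_SIGNATURE in data[e_lfanew + 4:]


def verdict(data: bytes, known_good: Set[str]) -> str:
    """Code signature plus an allowlist of hashes verified against vendor digests.

    The allowlist is consulted first so a vendor-published hash can override a
    detection; it must only ever contain digests checked against the vendor's
    own published values.
    """
    if sha256_hex(data) in known_good:
        return "clean (allowlisted)"
    return "infected" if code_scan(data) else "clean"


def make_pe(payload: bytes) -> bytes:
    """Minimal MZ header + e_lfanew=0x40 + 'PE\\0\\0' + payload (constructed stub)."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + payload


# Constructed samples
ALERT_EMAIL = b"Subject: virus alert\n\nW32/Nimda is spreading; apply patches now.\n"
CLEAN_INSTALLER = make_pe(b"InstallShield engine stub; log text mentions W32/Nimda only")
INFECTED_EXE = make_pe(b"...code..." + CODE_SIGNATURE + b"...more code...")

if __name__ == "__main__":
    for name, blob in [("alert e-mail", ALERT_EMAIL),
                       ("clean installer", CLEAN_INSTALLER),
                       ("infected exe", INFECTED_EXE)]:
        print(f"{name:16} name-signature={naive_scan(blob)!s:5} "
              f"code-signature={code_scan(blob)!s:5} verdict={verdict(blob, set())}")
```

The name signature fires on the text-only alert and on the clean installer that merely logs the name; the PE-anchored signature fires only on the constructed "infected" image. The allowlist shows the other half of false-positive handling: once a vendor has verified a file's digest, that digest short-circuits the detection rather than leaving the user to repair, quarantine or delete a good file.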

InstallShield, the latest victim of an antivirus vendor's false positive, responded quickly. Alert pop-ups greeted visitors to its website, explaining the false positive and linking to further assistance. Symantec, unfortunately, did not follow suit: it simply released new definition files with no explanation of what had gone wrong.
