OSX/Inqtana False Positive

It’s old news that Sophos briefly took their corporate eye off the ball and released an IDE (virus identity file) that incorrectly detected Inqtana.B in some application files on OS X Macs. While the incident seriously inconvenienced some users and sites by necessitating reinstallation of some misdiagnosed programs, the vendor did replace the offending file very quickly, apologised, and put in place measures to avoid a recurrence.

Worryingly, however, some have seen this incident as an argument for jettisoning commercial anti-virus in favour of an open source solution. Is there a place for volunteer AV in the workplace, though? As a supplement, sure, as long as the organization and the end-user realise the limitations of the genre. I don’t doubt the motives of the public-spirited purveyors of AV freeware. The AV commercial vendors are not whiter than white, and of course they have a commercial agenda, but they have to meet standards of functionality and support in order to stay in the market place. Perhaps now, when malware authors seem to have rediscovered the Mac platform, is not the best time to put all your worm-free Apples in one basket, or entrust the corporate crown jewels to software that doesn’t detect all known malware on that platform, offers no guarantees of freedom from future FPs, and doesn’t offer professional levels of service and technical support?

  • http://www.utdallas.edu Paul Schmehl

    We tested McAfee’s uvscan, clamav and Sophos’ sophie side by side at our mail gateway for three months. (We run Postfix and amavisd on Solaris 9.) Amavisd fed each incoming email to each of the three scanners. The results of our tests showed that clamav was as good as McAfee and better than Sophos.

    Granted, it’s anecdotal evidence, not controlled testing, but it was live, real world results, and we were impressed.

    We don’t see clamav as replacing our existing solutions but complementing our coverage. Clamav is now our primary scanner at the gateway and mcafee is the backup. If clamav doesn’t catch it, uvscan will.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    There are greater factors than profit motive, IMO. The only problem with community solutions is that they depend upon the dedication of the community members supporting them. There’s no profit motive.

    While profit motive is more consistent, it can sometimes be a little weaker than pride in one’s own project.

    Open projects like ClamAV with a respected history shouldn’t necessarily be discounted just because they’re community-driven.

    I do agree, however, that people should be careful about putting their faith in a community AV. However, I don’t believe you should necessarily put your faith in any one product, community or commercial — no matter what the guarantees are, there’s still a chance it will miss something. Or, in the case of Inqtana, the chance it will royally hose you if you rely on it.

  • David Harley

    I did try not to focus on a single community product: I’m trying to highlight a general principle here. I certainly wouldn’t want to say that there isn’t a place for ClamAV in the savvy admin’s toolkit, or that not being in the mainstream industry indicates a lack of competence.

    I think the profit motive vs. pride in one’s project argument is a little simplistic. Being a professional doesn’t preclude pride in one’s work, or contributing on a pro bono basis. One of the things I miss about alt.comp.virus (Hi, Robert!) is the no-strings input of the AV research community. I’m not saying the AV industry is entirely staffed by angels, only that community spirit isn’t the exclusive property of the security non-professional.

    The question is, can you afford to place all your trust in a community project? The answer is going to be highly variable, according to what sort of ship you run, your self-sufficiency, and your own understanding of the risks.

  • http://www.BeyondSecurity.com aviram

    Our experience is very similar to Paul’s – ClamAV seems to be at least as good as any commercial AV.

    Maybe the question should not be Clam vs. a commercial solution, but relying on a single AV versus combining two solutions from different vendors.
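One way to tally the kind of side-by-side gateway comparison Paul describes, and to put numbers on aviram's one-vendor-versus-two question, as added example code that is not from the post or any commenter; the scanner names are the three from the thread, while the message ids and detection names are constructed sample data:

```python
from itertools import combinations
from typing import Dict, Optional, Set, Tuple

Verdicts = Dict[str, Dict[str, Optional[str]]]

# Constructed sample: for each message, the detection name each scanner
# returned, or None when it reported the message clean.
SAMPLE_VERDICTS: Verdicts = {
    "msg-001": {"clamav": "Worm.A", "uvscan": "W32/A", "sophie": "W32/A-Gen"},
    "msg-002": {"clamav": "Worm.B", "uvscan": "W32/B", "sophie": None},
    "msg-003": {"clamav": None, "uvscan": "W32/C", "sophie": None},
    "msg-004": {"clamav": "Worm.D", "uvscan": None, "sophie": None},
    "msg-005": {"clamav": None, "uvscan": None, "sophie": None},
    "msg-006": {"clamav": "Eicar-Test-Signature", "uvscan": "EICAR test file",
                "sophie": "EICAR-AV-Test"},
}


def caught_by(verdicts: Verdicts) -> Dict[str, Set[str]]:
    """Map each scanner to the set of message ids it flagged."""
    out: Dict[str, Set[str]] = {}
    for msg_id, by_scanner in verdicts.items():
        for scanner, name in by_scanner.items():
            out.setdefault(scanner, set())
            if name is not None:
                out[scanner].add(msg_id)
    return out


def flagged_by_any(verdicts: Verdicts) -> Set[str]:
    """With no ground truth on a live stream, the union of all scanners' hits
    is the best available reference set for 'known bad'."""
    return set().union(*caught_by(verdicts).values())


def coverage_report(verdicts: Verdicts) -> Dict[str, Tuple[int, int, Set[str]]]:
    """Per scanner: (hits, reference-set size, ids only this scanner caught)."""
    hits, reference, report = caught_by(verdicts), flagged_by_any(verdicts), {}
    for scanner, ids in hits.items():
        others = set().union(*(v for s, v in hits.items() if s != scanner))
        report[scanner] = (len(ids), len(reference), ids - others)
    return report


def best_pair(verdicts: Verdicts) -> Tuple[Tuple[str, str], int]:
    """The two scanners whose combined hits cover most of the reference set."""
    hits = caught_by(verdicts)
    scored = {p: len(hits[p[0]] | hits[p[1]]) for p in combinations(sorted(hits), 2)}
    pair = min(scored, key=lambda p: (-scored[p], p))  # most hits, then by name
    return pair, scored[pair]


def layered_verdict(by_scanner, order=("clamav", "uvscan")) -> Optional[Tuple[str, str]]:
    """Primary-then-backup policy: the first scanner in order that hits decides."""
    for scanner in order:
        if by_scanner.get(scanner) is not None:
            return scanner, by_scanner[scanner]
    return None
```

On the sample, clamav and uvscan each miss one message the other catches, so the pair covers every flagged message while any single scanner does not.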