Feb 20, 2013

Data collection software can be deployed in many different environments and each environment is setup to promote business activity.  The use of anti-virus software has become a big part of IT infrastructure with the desire of minimizing business interruptions.

Computer users depend on anti-virus products to detect and remove threats … but leave legitimate software alone.  When anti-virus products find potential threats they automatically quarantine files or prompt the user to choose an action.  Typically detections are categorized as viruses, Trojans, or potentially unwanted programs (PUPs).

Unfortunately not all anti-virus software products work equally well.  As some are provided free of charge, and others are not, differing amounts of care are taken to ensure that the level of threat posed by a file is accurate.

Anti-virus Software Companies

There are over 50 anti-virus software companies operating around the world today, most offering users multiple options for choosing the level of security or scrutiny to apply.  The higher the level the more threat detections generated.  Levels that are too high result in legitimate software being flagged as a threat.

All anti-virus software will from time-to-time incorrectly determine that virus-free files are a threat.  Detections such as these are referred to as ‘false positives’ and occur most often during or shortly after installation or when software applications upgrade.  They can also occur without warning since anti-virus companies release updates daily.

To prevent a ‘false positive’ from occurring, when permissible configure the anti-virus product to exclude legitimate software files from anti-virus scans by adding the software’s directory and/or key files to the anti-virus product’s exclude from scans / trusted files listing.  If the customers are reluctant to do so explain the software’s importance and that at some future date their anti-virus product could mistakenly stop the software.

To determine if a ‘false positive’ has affected meter collection operations, examine the meter collection software’s directory to see if any key files are missing, especially executable files.  If so, examine the anti-virus programs quarantined file listing or history log and look for meter collection software files.

To remedy ‘False Positives’

• Restore the quarantined file either from the anti-virus software’s user interface or by reinstalling the meter collection software (over the top / without uninstalling)
• Add the previously quarantined file or it’s associated directory to the anti-virus programs exclude from scans / trusted files listing
• Confirm the meter collection software is functioning again.
• If time permits submit a false positive report to the anti-virus software company.
• Notify the meter collection software company so they can contact the anti-virus software company. If possible provide:
  • Name and version of the ant-virus product
  • Name of the file found to be a threat
  • Date the file was quarantined
  • Threat description
  • If feasible include screenshots

When collection software companies are notified of false positives, they often notify the anti-virus software provider of the issue and request that they resolve the problem by fixing their virus definitions or software.  Some anti-virus software providers are very responsive, others are not.

Challenges

• Customer contacts
  • May not have access to anti-virus product’s settings
  • May not know how to make the appropriate  changes to the anti-virus product
  • May not want to make changes to the anti-virus product’s settings.
• Anti-virus companies
  • May offer several products that utilize different threat detection methods.  A file found safe by one of their anti-virus products, may be identified as a threat by another.
  • May evaluate each new version of a file without regards to the vendor’s history or digital signature.  Meaning the new version of a file that last month was safe is now a threat.
  • Offer varied levels of cooperation.  Many do not offer white-list programs.  Some do not process false positive reports in a timely manner or provide a disposition.
  • May have different false positive reporting requirements for each product.
  • May make it difficult to find details on how to submit false positives reports
  • May ignore reports that
    • Do not come directly from a licensed user of the anti-virus product
    • Do not include every one of a long list of details
    • Require details that the average user may not how to gather
    • Require submission of one or more file attachments in specific formats
  • May not automatically add restored files to the exclude from scans / trusted files list.
  • Do not offer a means to automatically restore quarantined files if the file is later re-classified ‘safe’.  Instead user intervention is required at each affected location.

… In Summary

Software providers do not control the environments in which their software is or will be deployed.  Although most collection software companies take steps to prevent deletion by anti-virus software, onsite IT people have the responsibility to maintain the integrity of their network environments.  If the anti-virus software they have chosen to deploy is deleting files, whether they are Microsoft files, collection software files, or other downloadable files, that anti-virus software is working against their business goal and is acting as a virus in itself.

Onsite IT people that have deployed anti-virus software have a contractual agreement with the anti-virus software provider and need to contact the anti-virus software company to resolve the problem.  Otherwise, the only alternative left to the customer is to deploy a different anti-virus solution.