[Esa-l] false positives on VirusProtection

John D. Hardin jhardin at impsec.org
Wed May 23 06:30:43 PDT 2001

On Wed, 23 May 2001, Chris Edsall wrote:

> We appear to be getting quite a few MS Word .doc files rejected
> with high scores because they get 99 points from the string
> VirusProtection. If we save these out and open them on a machine
> with Norton AntiVirus and current definitions, NAV doesn't
> complain and there don't appear to be any malicious macros.

Take a look at the file in a text editor (e.g. vi).

It has been my experience that AV tools simply mangle the macros into
submission and leave them in the document. The scanner doesn't know a
whit about the structure of Office documents, so it doesn't know to
scan just valid macros, so it can generate hits off the bits of the
virus that remain.

You may want to suggest that they save the document as RTF and reload
it in order to strip all remaining bits of the virus out.

You can also decide to rely on your desktop antivirus tool and disable
the macro scanner.

> Are we safe to comment that line out, or will it leave us open to
> some other (extremely, judging from the score) nasty files?

Doing so reduces the capability of the scanner to detect infected
documents. Whether or not you do this is your decision.

 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  An entitlement beneficiary is a person or special interest group
  who didn't earn your money, but demands the right to take your
  money because they *want* it.
                                  -- John McKay, _The Welfare State:
                                     No Mercy for the Middle Class_
   1259 days until the Presidential Election
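The "look at the file in a text editor" check John suggests can be scripted so an administrator can see exactly where a signature string sits in a rejected .doc and whether it is surrounded by live macro text or by the nulled-out residue an AV tool leaves behind. The following is an added example, not code from the original thread or from the scanner being discussed: it takes the string VirusProtection and the 99-point score named in Chris's report, checks for the OLE2 magic bytes that mark a binary Word document, and reports every occurrence of a scored string with a hex-and-printable dump of the surrounding bytes. The sample document, the one-entry scoring table and the 16-byte context width are constructed assumptions for illustration.

```python
# Locate scored signature strings inside a binary Word document and show
# the bytes around each hit, so a hit on mangled macro residue can be told
# apart from a hit inside an intact macro. Added example; not the
# scanner's own code.

# Magic bytes at the start of an OLE2 compound file (binary .doc, .xls ...).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Assumed scoring table: the string and score quoted in the original report.
SIGNATURE_SCORES = {b"VirusProtection": 99}

# Constructed sample: OLE2 header, some document text, and a macro fragment
# whose keywords an AV tool has "mangled into submission" with NUL bytes,
# leaving the VirusProtection string behind.
SAMPLE_DOC = (
    OLE2_MAGIC + b"\x00" * 24
    + b"Quarterly report, final draft. "
    + b"\x00\x00Sub Doc\x00umen\x00t_Open()\x00"
    + b" Options.VirusProtection = False\x00"
    + b"End S\x00ub\x00" + b"\x00" * 16
)

# Constructed sample of a document with no scored strings at all.
CLEAN_DOC = OLE2_MAGIC + b"\x00" * 24 + b"Quarterly report, final draft."


def is_ole2(data):
    """True if the buffer starts with the OLE2 compound-file magic."""
    return data.startswith(OLE2_MAGIC)


def printable(chunk):
    """Render bytes like a text editor would: printable ASCII or '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)


def find_signature_hits(data, signature, context=16):
    """Return every occurrence of `signature` with surrounding context.

    Each hit is a dict with the byte offset, a hex dump and a printable
    rendering of `context` bytes on either side of the match.
    """
    hits = []
    start = 0
    while True:
        idx = data.find(signature, start)
        if idx < 0:
            break
        lo = max(0, idx - context)
        hi = min(len(data), idx + len(signature) + context)
        window = data[lo:hi]
        hits.append({
            "offset": idx,
            "hex": window.hex(" "),
            "printable": printable(window),
        })
        start = idx + 1
    return hits


def score_document(data, table=SIGNATURE_SCORES):
    """Sum the score of each scored string once per occurrence, as a
    string-matching scanner with no knowledge of document structure would."""
    total = 0
    for signature, points in table.items():
        total += points * len(find_signature_hits(data, signature))
    return total


def report(data, table=SIGNATURE_SCORES):
    """Print a human-readable summary for one document buffer."""
    print("OLE2 container:", "yes" if is_ole2(data) else "no")
    print("score:", score_document(data, table))
    for signature in table:
        for hit in find_signature_hits(data, signature):
            print(f"  {signature.decode()!r} at offset {hit['offset']}")
            print("    hex :", hit["hex"])
            print("    text:", hit["printable"])


if __name__ == "__main__":
    report(SAMPLE_DOC)
    report(CLEAN_DOC)
```

In the printable column of a hit, a run of dots and broken keywords around the match (as in the constructed sample) is the signature of residue left after an AV tool disabled the macro in place; an intact `Sub ... End Sub` body around it deserves a closer look before the document is released. This only reproduces the string-matching behaviour the thread describes; it does not parse the OLE2 stream structure, so it cannot tell whether a hit lies inside a valid macro storage.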
