Symantec triggers on World of Warcraft update, (Sun, May 16th)

We have had a couple of reports over the last 24 hours of users experiencing issues with Symantec anti-virus products triggering on scan.dll.new, which is a component of World of Warcraft.
Judging by the traffic on this topic in the WoW forums, it would appear these are not isolated reports.
The detailed version of the alert is:

Severity = High
Activity = Auto-Protect has detected Infostealer
Date Time = 15/05/2010 (various times from 9:00 to now)
Status = Blocked
Recommended Action = Resolved no action
Risk Category = Virus
Definitions Version 2010.05.14.048
Severity = High
Component = Auto-Protect
Status = Blocked
File Name = c:\users\public\world of warcraft\scan.dll.new

What I find interesting in this case is not that we have another anti-virus false positive, but that Symantec is listing scan.dll.new as an InfoStealer and that it appears this false positive has happened on past World of Warcraft patches/updates that created a file called scan.dll.new. What exactly are they triggering on? The filename? Shouldn't there be a secondary trigger? Is this an old signature from a previous issue?
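The question above (is the signature firing on the filename alone?) is exactly what a responder has to settle before closing an alert like this as a false positive. The following is an added example, not code from the diary or from Symantec: it parses a "Key = Value" alert record like the one quoted above (including the "Definitions Version" line, which carries no "="), pulls out the file path and threat name, and then decides the verdict on the file's hash rather than its name. The allowlist, the "known good" bytes and the SAMPLE_ALERT text are constructed for the example; in real use the expected hash would come from the vendor's release and be verified out of band.

```python
"""Triage helper for Symantec-style 'Key = Value' alert records.

Added example, not part of the ISC diary. It parses an alert like the one
quoted in the diary, extracts what a responder needs (file path, threat
name, definitions version), and grades the alert by comparing the detected
file's SHA-256 against a known-good value, so that a filename match alone
is never treated as proof of a false positive.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Constructed copy of the diary's alert (backslashes restored, one time value).
SAMPLE_ALERT = """\
Severity = High
Activity = Auto-Protect has detected Infostealer
Date Time = 15/05/2010
Status = Blocked
Recommended Action = Resolved no action
Risk Category = Virus
Definitions Version 2010.05.14.048
Severity = High
Component = Auto-Protect
Status = Blocked
File Name = c:\\users\\public\\world of warcraft\\scan.dll.new
"""

KV_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")
# Keys the log writer emits without an '=' (seen in the diary's record).
BARE_KEYS = ("Definitions Version",)


def parse_alert(text):
    """Parse a record into {'fields': {...}, 'conflicts': {...}}.

    A key that appears twice with the same value (Severity, Status in the
    diary) is fine; a key that appears twice with different values is
    recorded under 'conflicts' so a merged or corrupted record is noticed.
    """
    fields, conflicts = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m.group("key"), m.group("value")
        else:
            for bare in BARE_KEYS:
                if line.startswith(bare + " "):
                    key, value = bare, line[len(bare):].strip()
                    break
            else:
                continue  # unrecognised line: skip rather than guess
        if key in fields and fields[key] != value:
            conflicts.setdefault(key, [fields[key]]).append(value)
        else:
            fields.setdefault(key, value)
    return {"fields": fields, "conflicts": conflicts}


def threat_name(alert):
    """Return the threat name from 'Auto-Protect has detected <name>'."""
    m = re.search(r"has detected\s+(.+)$", alert["fields"].get("Activity", ""))
    return m.group(1).strip() if m else None


def normalise(path_str):
    """Canonical, case-insensitive form of a Windows path (works on any OS)."""
    return str(PureWindowsPath(path_str)).lower()


# Constructed stand-in for the vendor's file; a real allowlist would hold
# the hash of the bytes actually shipped in the patch.
KNOWN_GOOD_BYTES = b"constructed stand-in for scan.dll.new"
ALLOWLIST = {
    normalise(r"c:\users\public\world of warcraft\scan.dll.new"):
        hashlib.sha256(KNOWN_GOOD_BYTES).hexdigest(),
}


def triage(alert_text, allowlist, file_bytes=None):
    """Grade an alert: the path selects the expected hash, the hash decides."""
    alert = parse_alert(alert_text)
    path = normalise(alert["fields"].get("File Name", ""))
    result = {
        "threat": threat_name(alert),
        "path": path,
        "definitions": alert["fields"].get("Definitions Version"),
        "conflicts": alert["conflicts"],
    }
    expected = allowlist.get(path)
    if expected is None:
        result["verdict"] = "investigate"               # unknown file: treat as real
    elif file_bytes is None:
        result["verdict"] = "suspected_false_positive"  # known path, hash unchecked
    elif hashlib.sha256(file_bytes).hexdigest() == expected:
        result["verdict"] = "false_positive"            # bytes match the vendor file
    else:
        result["verdict"] = "real_detection"            # known path, unexpected contents
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_ALERT, ALLOWLIST, file_bytes=KNOWN_GOOD_BYTES))
```

The design choice worth noting is that a known path only upgrades the alert to "suspected"; a file at the expected location whose hash does not match the vendor's is graded as a real detection, which is the case a name-only signature (or a name-only allowlist) would get wrong in the opposite direction.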
I have been interested for a while in the accuracy of anti-virus products in the modern computing world. The anti-virus paradigm we have used since the 80s is seriously flawed, and in my opinion is slowly unraveling. The rash of false positives in recent months is just one symptom of that.
I have been watching with great interest the attempts to develop a new paradigm that fits better in the modern computing reality. Most of these are attempts at more heuristic or behavior-based products that rely less on signatures. It seems to me that since these attempts require a somewhat fuzzier approach to anti-virus, won't these sorts of false positives likely become more common, not less?
Are we getting to the point where software providers are going to have to start testing their updates against common anti-virus products before release?
As usual, I am interested in your opinions. You can submit them either via our comment mechanism at the bottom of this diary, or via our contact page.

-- Rick Wanner - rwanner at isc dot sans dot org

P.S. If any anti-virus companies have any documentation on futuristic anti-malware research directions that they can let me read, I would be fascinated to have it.

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
