Your Anti Virus Program is a Virus

I had a couple of reports over the last few days that the Lookout install was infected with some sort of trojan or virus. This is very alarming, of course! So we looked into it seriously.

What we found is a bug in Symantec. On Aug 9th, the corporate edition of their anti-virus software published a new definition file of viruses, which incorrectly diagnosed the Lookout installer as containing a virus. This has apparently been fixed in their Aug 10, rev 23 update of that file.

The particular file that was declared a virus was “nsisdl.dll”. It’s a part of the NSIS installer, which is used by Lookout, but was written by the WinAmp team. From reading around the net, you can see that their product (as well as all other products that use NSIS) was suddenly hit by the antivirus product.

What the antivirus product does is to delete the files which contain “bad stuff” – and they do it automatically. And the definition of “bad stuff” is auto-updated behind your back. I sure hope they don’t make mistakes like this very often. What would happen if your trusted anti virus folks made a more serious blunder? What would happen if some hacker figured out how to edit that file (it’s probably signed to avoid tampering)? Shoot – with this powerful antivirus software running on your system, who needs a virus program? If I were a hacker, I’d spend all my time dissecting the virus definition file from Symantec, and trying to change it on their site. It would be hard work, but if you were successful, it would be the worst nightmare ever. Symantec has taken care of the distribution problem for you – just flip a couple of bits and that “anti” virus becomes the virus itself.

But you know, I’m paranoid. I guess false positives are part of the world we live in. Sucks.