I’ve been writing a lot about the flaws in the commercial security software business lately. Today, Joe Wilcox at Microsoft Monitor inadvertently provided an excellent illustration of why this industry is so fundamentally flawed. Joe had an experience with a Symantec software package today that made him think Symantec is doing a great job of protecting him. Based on his post today, I think he came to exactly the wrong conclusion. He wrote:
A few minutes ago, Norton AntiVirus 2005 warned that it had detected and blocked an attempted intrusion into my computer. Huh? I quickly clicked on the pop-up warning before it retracted into the Windows toolbar. My wireless router has a built-in firewall, Outlook wasn’t retrieving e-mail and the Web browser was closed, so I wondered from where the intrusion could come. According to NAV 2005: MSN Messenger 7 Beta.
NAV 2005 identified the virus as the “Master Paradise Trojan,” which is by no means new. If my flu-drugged memory is accurate, the virus is circa late 1990s. So, why am I seeing it now? That’s a question I’ll seek to answer later today.
But the attempted intrusion, assuming NAV 2005 correctly identified the virus, is reminder the many ways a virus can infect a Windows operating system–in this case through instant messaging. [emphasis added]
That’s a big assumption. I read Symantec’s write-up on the MasterParadise Trojan horse program, and I also read F-Secure’s description. This program runs on Windows 95, 98, and NT 4.0, none of which Joe is running. The remote user can configure it to use any port to make a connection. Symantec says, “There have not been any reports of this program breaking through a firewall.”
So what happened? I believe Joe got a false positive from a firewall. Now, I get annoyed when I get a false positive. I consider it a failure on the part of the security vendor. Missing a real threat is much worse, of course, but a false positive is still a failure and can lead to unpleasant consequences if it convinces you to delete a perfectly innocent file or remove a program that’s perfectly safe. At a minimum, a security program should give me the technical details of what it discovered so I can troubleshoot for myself.
Here’s what I think really happened. Any application installed on your computer can attempt to create an outgoing connection. When it does so, it uses the well-known port number for the remote service and assigns an arbitrary port number to listen on. You can see this very easily for yourself by running netstat from a command prompt. Each line shows a local (incoming) port number and the port used for the outgoing connection. In this case, it sounds like one connection from the Messenger beta used the arbitrary port number 3129, which turned out to be the same as the default port used by this ancient Trojan.
This recent post from a Java newsgroup quotes the following response from Symantec to a nearly identical issue:
I understand from your message that you are receiving the following
alert from the Norton AntiVirus (NAV):“Default Block Master Paradise Trojan horse” blocked communication.
Kenneth, this alert message does not indicate the presence of the
Master Paradise Trojan horse on your system. This issue can happen if
javaw.exe is using the local port 3129 on your system. This port is
usually used by Master Paradise Trojan horse program.Please note that there is a block rule for Master Paradise Trojan horse
under Trojan Rules section in Internet Worm Protection. This rule
monitors activities and communications through the local port 3129.
When it finds a communication through the local port 3129, it will
display this alert message.
Carl Siechert and I warn about this potentially confusing issue in Windows Security Inside Out:
Trojan horse programs often use port numbers that are also used by legitimate programs and system components. Do not assume that a system has been infected simply because you see a program listening on a port number that is known to be used by a particular Trojan horse. For example, the “Sockets de Trois” Trojan often uses port 5000, but so does the legitimate Simple Service Discovery Protocol (SSDP) Discovery Service. In addition, your computer assigns incoming ports using arbitrary numbers beginning with 1024. One of these dynamic port numbers might match a number that’s also used by a Trojan horse program; be sure to look at the port number on the destination computer before concluding that your computer has been compromised.
But that’s not what Joe did. Instead, he concludes (incorrectly, I believe) that he dodged a cyber-bullet:
NAV 2005 detected and quashed the attempted intrusion on my HP Pavilion zd8000 notebook. HP did right by shipping the portable preloaded with the security software and providing a colorful eight-page pamphlet, “Get Secure: Protecting Your Computer.” If not for NAV 2005’s instant-messaging monitoring, looks like the Master Paradise Trojan would have infected my test computer. So, I’m feeling quite charitable to both HP and Symantec. Perhaps the best marketing is the consumer’s good experience, and one no vendor should ignore.
This conclusion is misguided, in my opinion. And it illustrates everything that is wrong with the commercial security software business. Joe feels good because the software told him it had protected him, even though the likelihood that this was an actual attack is microscopic. The lesson that Joe is unwittingly sending to the vendors in question is, “Give me more false positives, because the more times you tell me you’ve protected me from something, the more I’ll feel like I’ve gotten my money’s worth from your software.” If he had a better security program, it would have realized that this outgoing connection was just fine and would not have given him any warning at all.
That is just wrong. On a healthy computer with multiple layers of security, most threats should be blocked or neutralized before the user ever sees them. Getting lots of warnings is a sign that one of those layers isn’t working as well as it should. But that’s exactly the opposite of what motivates developers of security software today.
Ed Bott 
Superb post Ed! This is difficult stuff to explain and you did a tremendous job. When Joe comes out of his TheraFlu coma, I’m sure he’ll agree.
Not to pick on NAV, but one of the reasons I gave up on it long ago was the serious false alarms it kept throwing at me.
I have a serious layered defense set up on my Tablet and I get no false alarms, successful intrusions, or spyware or virus infections… ever.
But you’re right – this is a problem that needs to be addressed at an architectural level… by Microsoft.
Excellent article!
I am using ZoneAlarm Pro firewall in which I can set it to be very sensitive to attempted intrusions. I sometimes do this just to see what some questionable sites may be trying to do. But, yes, constant messages of attempted intrusions can be very annoying. Thank goodness I can desensitize ZoneAlarm to go about its business of protecting me without the annoyance of seeing all the things it is doing in the background. In the less sensitive mode, if I want to know what happened, it keeps a nice log which I can go back and review.
Good job, users should feel good with “reporters” like you telling us the whole story. For me, I just wanted to know the “skinny” re: whether to use NSW2005 on my new Dell or TrendMicro’s PC-cillin, or some other? Read bad account5s on both. What to believe and which to use? Your reply would be greatly needed! Thanks! B.
Brooks,
I have personally experienced problems with Norton AntiVirus and especially with Norton Internet Security. As a result, I no longer recommend either one. I have used Trend Micro’s PC-Cillin for several years, and have no complaints at all with its core functionality. Good antivirus protection, good firewall. I don’t recommend the PC-Cillin anti-spyware module, however.