Hexagon Geospatial

Developers Knowledge Base

ERDAS IMAGINE, the world’s leading geospatial data authoring system, supplies tools for all your Remote Sensing and Photogrammetry needs.

Antivirus False Positives on ERDAS IMAGINE

by Technical Evangelist on ‎12-16-2015 02:14 AM - edited on ‎03-24-2016 11:28 AM by cheryl.brantley (659 Views)

An extensive study was done on virus alerts raised by different vendors on ERDAS IMAGINE software. We scanned ERDAS IMAGINE using VirusTotal (a free service), and a Trojan malware threat was reported by only Avira out of the 57 antivirus vendors. The prominent players, namely Kaspersky, McAfee, Microsoft, Symantec, TrendMicro and many others, did not report this issue.

 

The problem is that these prominent vendors within the anti-virus industry flag far higher numbers of lower-severity false positives as virus threats. It is also largely accepted across the software industry that false positives are inevitable. The detection techniques employed by anti-virus vendors are signature-based detection, heuristics-based detection, behavioural detection, cloud-based detection and non-heuristic technology. It is always possible that an antivirus program will occasionally say a file is a virus when it is a completely safe file. There is no way to avoid false positives completely, but we can try to limit them and their impact by taking some precautionary measures during the development stage.

 

The official anti-virus engine that we use in the HYD office is Trend Micro. After upgrading TrendMicro OfficeScan to version 11, the software started identifying one of the executables (eWkspace.exe) in ERDAS IMAGINE as malware. We immediately followed up with Trend and tried to understand from them the possible reasons for this alarm. Although we are an official vendor to TrendMicro, they did not disclose the reason why the executable was reported as a threat. The response we received (in their own words) is:

“The file was actually tested in-house by our Malware team. I cannot provide details on how they check it as they have their own parameters to consider to verify if file is malicious or not. Also as per our Malware team, they will add this application on whitelist globally to make sure that it will never be detected again in the future. But since if ever there will be upgrade on the file, I believe there's a possibility that this can be detected again since there will be changes like its hashes although it is already added on whitelisting globally. One of the parameters Trend use to make sure that a file is a legitimate one, is that if it is being signed digitally. So I suggest to make sure that the file you use will never be detected again, make sure that it has digital signature, proof that it is from your company and it is a legitimate one.”

 

When we asked for their suggestion on how to avoid this in future, the response we received was:

“This is because of the aggressive pattern added on Behavioural Monitoring to address the Ransomware issue which is the most challenging malware that every AV has today. I believe all known applications which are digitally signed are whitelisted globally so as recommended, please make sure that the file/application has digital signature to avoid false detections.”

 

The key takeaways are:

  • Malware authors are aggressive, and the Virus Scanning industry must respond aggressively
  • Ransomware is the latest challenge affecting everybody, and the industry’s response has greatly increased the instances where legitimate software is misidentified as malware (i.e. a “false positive”)
  • We review every software release against an industry-leading Anti-Virus engine, to ensure our software is malware-free
  • Whenever a report is made, we cross-check that report against other engines.  Avira is the only vendor out of 57 antivirus vendors reporting such a problem
  • Malware continues to evolve.  We cannot prevent all false positive reports, but we will continue to work to assure our software remains malware-free, and minimize such reports where possible
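
The vendor's advice above is that hash-based whitelisting stops matching after an upgrade, while a digital signature carries over. The following pre-release check is an added example, not Hexagon's or Trend Micro's code: it reads the PE header of each `.exe`/`.dll` in a build directory and lists those with no embedded Authenticode certificate table. The function names and the constructed sample files are assumptions made for the illustration.

```python
import struct
from pathlib import Path

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def certificate_table(data: bytes):
    """Return (file_offset, size) of the embedded signature blob, or None."""
    try:
        if data[:2] != b"MZ":
            return None
        (pe,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        opt = pe + 24                                     # skip signature + COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]       # PE32 / PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= SECURITY_DIR:
            return None
        off, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except (struct.error, KeyError):
        return None
    # Unlike the other directories, this entry holds a file offset, not an RVA.
    if off == 0 or size == 0 or off + size > len(data):
        return None
    return off, size

def unsigned_binaries(build_dir):
    """List .exe/.dll files under build_dir that carry no embedded signature."""
    hits = []
    for path in sorted(Path(build_dir).rglob("*")):
        if path.suffix.lower() in {".exe", ".dll"} and path.is_file():
            if certificate_table(path.read_bytes()) is None:
                hits.append(path.name)
    return hits

def sample_pe(signed: bool) -> bytes:
    """Constructed PE32+ headers for the demo (not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 8, 0x0200, 0x0002)     # bare WIN_CERTIFICATE header
        struct.pack_into("<II", opt, 144, 328, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert
```

A present certificate table only shows that a signature is embedded; whether it is valid and chains to a trusted publisher still has to be confirmed on Windows, for example with `Get-AuthenticodeSignature` or `signtool verify`.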
Comments
by ParthaR.
on ‎06-09-2016 07:19 AM
The user may need to disable their antivirus in order to install and use ERDAS Foundation and IMAGINE. This is because some antivirus software deletes those executable files, causing improper functioning of the software.