Anti-virus software can sometimes cause major headaches for developers trying to play with a new technology. Over time, we heard about many ways anti-virus software can interfere with Couchbase. This blog explains the commonly seen issues, the precautionary steps that Couchbase has taken to make sure that the downloads are deemed safe, and the best practices you can follow.

How can your anti-virus software interfere with Couchbase?

Here are some things we are aware of –

  1. Blocking Couchbase installation – In some cases, we have seen that anti-virus software’s can completely block Couchbase installations on Windows. In these extreme cases, we recommend temporarily disabling the antivirus software prior to starting the installation, and enabling the anti-virus software when installation is complete.
  2. Blocking known ports – Couchbase is a distributed NoSQL document database and communication across nodes and across clusters happens over network ports. We have seen scenarios where sometimes anti-virus software can block these well known ports used by Couchbase causing failures.
  3. Mistakenly flagging some code as malware / viruses – New generic analyzers, aggressive heuristics, and even older virus definition files in the anti-virus scanner can often mistakenly cause the anti-virus software to flag something as a malware or a virus. Now, this is not something new, but it’s history repeating again. Sometimes good and useful software can also be flagged under the Potentially Unwanted Application (PUA) category.

Steps taken by Couchbase

We take security seriously. Couchbase Server binaries are scanned with popular antivirus scanners to verify that the bits are virus/malware free before they are available.

Are you receiving an anti-virus detection with Couchbase Server ?

We’re not saying our software is immune to infection, but some anti-virus or malware scanners may sometimes mistakenly flag our software as malicious, or under the “potentially unwanted” programs category.  Security vendors do not explain what is, or what is not in the “potentially unwanted” category. Inevitably, sometimes well-known software gets put in this category for one reason or the other, creating further confusion.

If you seriously believe that your software is potentially infected, please try multiple scanners first to ensure that it is not a false positive.

Multiple results are generally a good indicator, as a high number of detections from vendors may reveal an infection, whereas a low number suggests a false positive. If this doesn’t help, you can also report your findings through our security response plan.

We also strongly encourage you to consider submitting a “false positive” report to your antivirus software vendor.  Typically, the anti-virus software allows submission of the detected samples along with gathered information for review and it gets added to the whitelist in the next virus definition updates. We will continue to work directly with anti-virus software vendors to add Couchbase to the software safe-list.

My personal favorite tool for scanning web sites is VirusTotal, a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.

Occasionally you will see one of those 22 programs produce a “false positive” report while the other 21 will report “no virus.” In these cases, go with the majority vote. In most cases, if you return a few days later and perform the same test again on the same file, all 22 will report “no virus.” That’s because the one program has recently had its anti-virus definitions updated.

Final thoughts

  1. Make sure you verify the md5 checksum of the binary of the download to make sure package integrity is maintained
  2. Make sure that the antivirus software does not block the known ports required for Couchbase operations
  3. Make sure you read through Couchbase security best practices

Stay safe !

Author

Posted by Don Pinto, Principal Product Manager, Couchbase

Don Pinto is a Principal Product Manager at Couchbase and is currently focused on advancing the capabilities of Couchbase Server. He is extremely passionate about data technology, and in the past has authored several articles on Couchbase Server including technical blogs and white papers. Prior to joining Couchbase, Don spent several years at IBM where he maintained the role of software developer in the DB2 information management group and most recently as a program manager on the SQL Server team at Microsoft. Don holds a master's degree in computer science and a bachelor's in computer engineering from the University of Toronto, Canada.

Leave a reply