Why Should I Use Multi-Scanning in Release Management?

No matter what development model you use, release management is critical to ensuring quality and consistency in your product. Whether you ship a single large release each year or use continuous delivery with many releases each quarter, the same basic strategies apply to the test and release cycle. The number of available tests is overwhelming, so you must assess carefully which ones matter for your release management process. One aspect that is often overlooked, however, is malware scanning: quickly checking the new code base and its build artifacts to determine whether anything malicious has been incorporated.

Why should you add malware scanning to your release management process? You might be thinking, "I'm not a malicious developer, and I trust the developers on my team, so why would I need to scan my own files for malware?"

Two key reasons:

  1. Insurance
  2. False positives

Insurance

Using a malware scanner you can check your executable build artifacts as well as the third-party libraries that go into your project. Most of the time all it will do is confirm that your code is clean. On the rare occasion that malware is detected, treat the detection as a release blocker: eradicate the malicious code, then investigate how it was introduced in the first place. You have just avoided a potentially disastrous incident.

Be assured that this threat affects industry leaders and startups alike. Even Microsoft once shipped a virus along with its software. No one is immune. Scanning with a single malware engine provides some protection, but to catch a broader array of malware, including new threats that only some vendors have signatures or heuristics for yet, you should scan with multiple antivirus engines. No scanner reliably catches a true zero-day, but more engines narrow the window in which a known threat slips through.

False positives

False positives, where your code is detected as malicious even though it is not, can occur with any malware scanner and can bring operations to a halt. This type of error can cost you time, money, and the trust of your user base. Just imagine having to explain to all of your customers why your newly updated application is now flagged as malware by their security software!

To further complicate the issue, false positives are often raised by only one or a few antivirus vendors at a time, and they are not necessarily consistent or reproducible from one scan to the next. Each antivirus vendor implements its own heuristics, and while this variation is valuable for catching threats that other products miss, a given heuristic can also mistakenly classify a new build as malicious.

Because there is rarely a clear or consistent cause for a given vendor's false positive, there is no reliable way to guarantee that your code will never be detected as malicious. What you can do, before release, is scan each new build with a multi-scanning platform that runs multiple antivirus products, so you learn whether any vendor's current definitions flag your code before your customers do.

What do I do if a false positive is detected in my code?

There are several options, including:

  1. Compare the code changes against your previous build, looking for likely triggers (a newly added packer or obfuscation step is a common one)
  2. Rescan the previous build to see whether it is now detected as well; antivirus engine definitions are updated frequently and may have changed since your last release, in which case the trigger is the definition update rather than your code changes
  3. Submit a false-positive report to the antivirus software vendor and ask to have your application whitelisted

How do I scan my code for malware prior to release?

The simplest way is to scan your artifacts manually, but this is time consuming and impractical for anything but the slowest release cycle. A better method is to write a simple script and run it as part of your build process, failing the build whenever any engine reports a detection. Here are a few examples you can implement, or use to inspire your own solution:

  1. Triplecheck Reporter
    • An open source project for source code analysis that also integrates Metascan Online to scan components for malware.
  2. PHP Metascan Online Checker
    • This is a script we use internally as the last step in our TeamCity builds.
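The following is an added example of such a build-step script, written for this post rather than taken from it or from the Metascan Online or Triplecheck projects. It covers both the release gate described in this section (any detection fails the build) and the false-positive triage steps listed earlier (compare the new build's detections with a rescan of the previous build under today's definitions). The report schema, engine names, artifact names and threat names are all constructed for the example; map your scanner's real output into the same {engine: verdict} shape in `verdicts()` and the rest applies unchanged.

```python
"""Release gate over multi-engine scan results.

Added example for this post, not code from the original page or from
OPSWAT/Metascan Online. The report schema below is a hypothetical one
constructed for the example; adapt `verdicts()` to your scanner's output.
"""
import json
import sys

# Constructed sample: the current build, flagged by one engine out of eight.
CURRENT_BUILD_REPORT = json.loads("""
{"artifact": "app-2.4.0.exe", "engines": [
  {"engine": "EngineA", "result": "clean"},
  {"engine": "EngineB", "result": "clean"},
  {"engine": "EngineC", "result": "clean"},
  {"engine": "EngineD", "result": "Gen:Heur.Packed.1"},
  {"engine": "EngineE", "result": "clean"},
  {"engine": "EngineF", "result": "clean"},
  {"engine": "EngineG", "result": "clean"},
  {"engine": "EngineH", "result": "clean"}
]}""")

# Constructed sample: the previous release, rescanned today with current
# definitions. EngineD flags it too, so the trigger is a definition update
# on the vendor's side rather than anything new in this build.
PREVIOUS_BUILD_RESCAN = json.loads("""
{"artifact": "app-2.3.1.exe", "engines": [
  {"engine": "EngineA", "result": "clean"},
  {"engine": "EngineB", "result": "clean"},
  {"engine": "EngineC", "result": "clean"},
  {"engine": "EngineD", "result": "Gen:Heur.Packed.1"},
  {"engine": "EngineE", "result": "clean"},
  {"engine": "EngineF", "result": "clean"},
  {"engine": "EngineG", "result": "clean"},
  {"engine": "EngineH", "result": "clean"}
]}""")


def verdicts(report):
    """Normalise a report to {engine: "clean" | threat name}."""
    return {e["engine"]: e["result"] for e in report["engines"]}


def classify(report, consensus_ratio=0.25):
    """Return (decision, flagged_engines).

    'clean'   : no engine flagged the artifact
    'malware' : at least consensus_ratio of engines agree, treat as real
    'suspect' : a small minority flags it, likely a false positive, but
                still a release blocker until it has been explained
    """
    v = verdicts(report)
    flagged = {e: r for e, r in v.items() if r != "clean"}
    if not flagged:
        return "clean", flagged
    if len(flagged) / len(v) >= consensus_ratio:
        return "malware", flagged
    return "suspect", flagged


def attribute_detections(current_report, previous_rescan):
    """For each engine flagging the current build, say whether it also flags
    the previous build under today's definitions. If it does, the change is
    on the vendor's side; if not, start with this build's code changes."""
    cur, prev = verdicts(current_report), verdicts(previous_rescan)
    return {
        engine: ("definitions_changed" if prev.get(engine, "clean") != "clean"
                 else "introduced_by_this_build")
        for engine, result in cur.items() if result != "clean"
    }


def release_gate(current_report, previous_rescan=None):
    """CI entry point. Returns (exit_code, summary): 0 only when every engine
    reports clean. Any detection blocks the release, and the summary tells
    the engineer on call where to start the investigation."""
    decision, flagged = classify(current_report)
    if decision == "clean":
        return 0, {"decision": "clean"}
    summary = {"decision": decision, "flagged": flagged}
    if decision == "suspect" and previous_rescan is not None:
        summary["attribution"] = attribute_detections(current_report, previous_rescan)
    return 1, summary


if __name__ == "__main__":
    code, summary = release_gate(CURRENT_BUILD_REPORT, PREVIOUS_BUILD_RESCAN)
    print(json.dumps(summary, indent=2))
    sys.exit(code)
```

Run as the last step of the build and let the non-zero exit code fail the pipeline. The 25% consensus threshold is an assumption chosen for the example, not a rule from the post; tune it to the number of engines you scan with, and note that even a single-engine detection still fails the build, because the point is to find out about the false positive before your users do.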