false positives a question of taste or is it?


larryb52
October 20th, 2008, 11:46 AM
I ran a couple of different AVs yesterday as it's coming down to just using Norton or renewing some other licenses. I was interested in some findings as some (I will NOT use names) AVs had significantly more FPs than others. I will say that scanning speeds for what I use (Norton09, nod3, kaspersky, F-Secure, Avast) seem to all be the same, however what each called or didn't call a problem was a different matter. My question is, is it better to have an AV suspect something and call it suspect (FP) or skip it & leave you open to possible infection? I have always, to be honest, fallen into the 2nd category but I am now seeing merits to believing that perhaps it's better to err on the side of caution. I would also note that this "IS NOT" for inexperienced users, this is more for those that know what processes belong & what doesn't & what can be & what shouldn't be deleted or moved... I'm curious how folks feel. Remember no comparisons! or this will be shut as all who visit here know...

gery
October 20th, 2008, 11:57 AM
One has to think about the harm of the infection and the time needed to recover from it, so it would be better to have a FP than a system reformat.

Ed_H
October 20th, 2008, 11:59 AM
Assuming the FP's are not excessive, I would prefer to have the AV pick up something questionable and let me check it out. That is why I usually run the AV on max settings.

djohn
October 20th, 2008, 12:09 PM
It's better to have some false positives, providing it's not excessive FP. There is always submission for further analysis, but you cannot submit what's not detected.

thathagat
October 20th, 2008, 12:45 PM
My question is: in spite of using massive whitelisting, why are common programmes still being flagged?

Arup
October 20th, 2008, 12:59 PM
I for one would rather be a bit paranoid than complacent and pay for it. Of course using common sense and personal judgement based on experience is the key here.

emperordarius
October 20th, 2008, 01:03 PM
Better a false positive than a false...negative.;D

Zeena
October 20th, 2008, 01:43 PM
Hi :)

I Don't Know! :-\

I'm nowhere near as experienced as some of you guys.
If I had a False Positive ... I know I'd - Panic! :argh:
After All...
I wouldn't know it was a FP :-[


If My AV / AS Ever Found Something - I'd Either...

1/ Presume it was real Malware :o
And end up with my computer in a real mess.

2/ Presume it was a FP ... And set it Free ::)
It would most likely.. End Up Being - Real!
And Again... I'd end up with my computer in a real mess :'(


I Don't think False Positives have anything Positive about them at all :(
I think they just cause confusion.
Is It Real ... OR ... Is It A False Positive :doubt:

Also!
Just because an AV / As might come up with a FP from time to time...
That doesn't mean it's any better at catching the - Real Thing! :(

I would never bother using an AV / AS that was prone to giving me False Positives :thumbd:

larryb52
October 20th, 2008, 01:47 PM
But I guess my question is what is excess, 5-10-15-20... if you ran a scan by a top notch AV & it gave 14 files that were good processes, is that good or bad, & if it called Excel a piece of malware where does that fall?

emperordarius
October 20th, 2008, 01:53 PM
-{ Quote: "But I guess my question is what is excess, 5-10-15-20... if you ran a scan by a top notch AV & it gave 14 files that were good processes, is that good or bad, & if it called Excel a piece of malware where does that fall?" }-

If it detected so many files which are normally legit, first of all I'd take a look at the detection name. For example, if it's a Virut or another file infector I would clean the infected files. If the detections are about different viruses, or if they were heuristic detections, I guess I'd change AV.

Zeena
October 20th, 2008, 01:54 PM
Hi larryb52 :)

You Said...
-{ Quote: "if it called excel a piece of malware where does that fall?" }-

I Say... In The Bin! :thumbd:

Coz..
That's where I'd put any AV / As that was going to cause me nothing but -Worry & Confusion >:(
And Maybe Even... Damage To My Computer :'(

lodore
October 20th, 2008, 02:01 PM
Everything messes up at some point. It's how fast the issue is fixed that is the real key.

GES/POR
October 20th, 2008, 03:11 PM
There was a case where a legit program caused massive problems and I was glad my AV mistakenly took care of it.

doktornotor
October 20th, 2008, 03:34 PM
Eh; I can live with FPs as long as

- they are not excessive (unlike certain AV starting with "I" or similar)
- they are fixed fast by the vendor

Generally, I'd say FPs are more acceptable in a corporate environment which is generally centrally managed; they are pretty annoying on your home desktop box.

lodore
October 20th, 2008, 03:36 PM
-{ Quote: "Eh; I can live with FPs as long as

- they are not excessive (unlike certain AV starting with "I" or similar)
- they are fixed fast by the vendor

Generally, I'd say FPs are more acceptable in a corporate environment which is generally centrally managed; they are pretty annoying on your home desktop box." }-
Depends where the FP is, tbh. If it deletes an important document by mistake then that's bad. But if it deletes a program by mistake you can just restore an image. Hopefully you have a backup of documents as well, just in case.

doktornotor
October 20th, 2008, 03:39 PM
-{ Quote: "Depends where the FP is, tbh. If it deletes an important document by mistake then that's bad. But if it deletes a program by mistake you can just restore an image. Hopefully you have a backup of documents as well, just in case." }-

Well, I guess this needs a clarification - I never let any AV delete allegedly infected files. They go to quarantine. (If an AV doesn't offer such setting, it's unusable for me.)

lodore
October 20th, 2008, 03:49 PM
-{ Quote: "Well, I guess this needs a clarification - I never let any AV delete allegedly infected files. They go to quarantine. (If an AV doesn't offer such setting, it's unusable for me.)" }-
My AV sends the file to quarantine and deletes the file so I can restore it if I need to.

doktornotor
October 20th, 2008, 04:04 PM
-{ Quote: "My AV sends the file to quarantine and deletes the file so I can restore it if I need to." }-

Uhm... move to quarantine != delete. By delete, I mean a real delete. ;)

lodore
October 20th, 2008, 04:08 PM
-{ Quote: "Uhm... move to quarantine != delete. By delete, I mean a real delete. ;)" }-
Oh, I wouldn't let it delete without a backup, lol.

farmerlee
October 20th, 2008, 08:01 PM
I find it quite annoying that more often than not AVs flag legit programs as malware. As a result I usually always turn heuristics off or onto low; it's probably not the safest option for the average user but works best for me.

Osaban
October 20th, 2008, 08:28 PM
-{ Quote: "Well, I guess this needs a clarification - I never let any AV delete allegedly infected files. They go to quarantine. (If an AV doesn't offer such setting, it's unusable for me.)" }-

This seems to be the best way to deal with the FP problem.
In 4 years of monitoring my system with several top notch scanners I have never had 1 -one- single FP performing an overall scan. I've had some situations downloading stuff and browsing, but the FP detection was so obvious that it wasn't even worth the trouble investigating it. I personally prefer an AV which has some FPs to one too lax as a result of trying to be accurate all the time.

thathagat
October 20th, 2008, 11:45 PM
IMO
1. FPs are direct consequences of heuristics.
2. Sadly more and more AV vendors, in order to play safe... cover all the bases lest they miss a trojan or virus and slide in certification ratings, are catching more legitimate apps.
3. Do I mind it... yes, for tomorrow my AV might commit hara-kiri or kill my OS, then who would need a malware to cause harm?
4. Tomorrow a smart-ass malware writer may create a piece which could trigger multiple FPs and a vigilant AV set on automatic would kill the good, the bad and the ugly..... result... kaput... finito... history... BSOD... dangerous scenario... na!

C.S.J
October 21st, 2008, 12:58 AM
While many do believe that, I however see more FPs from signature detections, across the field, rather than heuristics.

I definitely see it as a problem, one that people shouldn't sugar coat for the developers.

Most need to work on it, period.

Zombini
October 21st, 2008, 01:48 AM
It's only the people that have been hit with a really bad FP, one that deals with an OS file, that have a real appreciation for products with low FPs. All the rest couldn't be bothered until they join the club.

For me, low FPs are a must. It really speaks to the quality of the security vendor that you are buying a product from. Because after all, it's a lot easier to design an AV product with 100% detection and 100% FPs (just call all PE files bad) than it is to design one with 100% (or near) detection and almost ZERO FPs. Looking at all the test results, there is only one product that comes close to the latter.

mvdu
October 21st, 2008, 02:06 AM
I don't agree with Zombini. I am happily using AntiVir with few FPs of late.

Judge Dee
October 21st, 2008, 10:57 AM
I've never admitted this to anyone, especially my wife. :-[ Several years ago I was using f-prot for dos with a switch that created extra strong heuristics. It flagged explorer.exe as a trojan. Without thinking at all, I had f-prot delete it.
Man was I upset at myself!:wacko:
I learned the hard way to pay attention.

PS. I still haven't told my wife.

TonyW
October 21st, 2008, 11:39 AM
-{ Quote: "you cannot submit what's not detected." }-You should be able to submit a file if you think it's suspicious. I submitted a file to KL a few days ago as it had a double extension, i.e. .doc.exe with a long space between the .doc and .exe. Scanning it at the highest settings yielded no alerts, but I was wary of that file so I sent it for analysis. It turned out to be malware and KL added detection for it to their database.
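Two points in this thread lend themselves to a worked illustration: Zombini's remark that a scanner which simply calls every PE file bad gets 100% detection at the cost of 100% false positives, and TonyW's padded double-extension file (a `.doc` followed by a run of spaces and then `.exe`) that scanners missed. The Python below is an added example written for this page, not code from any of the products discussed. It implements a small naming heuristic for that double-extension pattern, a naive "flag every executable" baseline, and a scorer that reports each one's detection rate and false-positive rate over a constructed, labelled file list. The file names, labels and extension sets are all made up for the example.

```python
# Constructed sample set for this example: (filename, is_malicious). The labels
# are made up to illustrate the metrics, not taken from any real scan.
SAMPLES = [
    ("quarterly_report.doc", False),
    ("invoice.pdf", False),
    ("setup.exe", False),
    ("explorer.exe", False),      # a legitimate OS binary of the kind an aggressive FP can hit
    ("notes.txt", False),
    ("invoice.doc                        .exe", True),  # whitespace-padded double extension
    ("photo.jpg.scr", True),
    ("resume.pdf.exe", True),
    ("update.exe", True),         # malicious, but nothing in the name gives it away
]

# Assumed extension sets for the heuristic (not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "pdf", "jpg", "txt"}


def double_extension_alert(name):
    """Heuristic: the final extension runs as code while the previous segment
    claims to be a document, optionally padded with spaces so the real
    extension is pushed out of view.  Returns a reason string, or None."""
    parts = name.lower().split(".")
    if len(parts) < 3:
        return None
    real_ext = parts[-1].strip()
    claimed = parts[-2]
    if real_ext not in EXECUTABLE_EXTS or claimed.strip() not in DOCUMENT_EXTS:
        return None
    padding = len(claimed) - len(claimed.strip())
    return f"claims .{claimed.strip()} but runs as .{real_ext} ({padding} padding chars)"


def flag_all_executables(name):
    """Naive baseline from Zombini's point: call every executable bad.
    It catches every malicious sample and also flags every legitimate program."""
    real_ext = name.lower().rsplit(".", 1)[-1].strip()
    return "executable extension" if real_ext in EXECUTABLE_EXTS else None


def evaluate(classifier, samples=SAMPLES):
    """Detection rate (share of malicious samples flagged) and false-positive
    rate (share of benign samples flagged) of a classifier over labelled files."""
    tp = fp = malicious = benign = 0
    for name, is_bad in samples:
        flagged = classifier(name) is not None
        if is_bad:
            malicious += 1
            tp += flagged
        else:
            benign += 1
            fp += flagged
    return {"detection_rate": tp / malicious, "fp_rate": fp / benign}


if __name__ == "__main__":
    for name, _ in SAMPLES:
        reason = double_extension_alert(name)
        print(f"{name!r:45} -> {reason or 'clean'}")
    for clf in (double_extension_alert, flag_all_executables):
        print(clf.__name__, evaluate(clf))
```

On this sample the naming heuristic flags three of the four malicious files with no false positives but misses `update.exe`, which has no naming tell; the baseline catches all four and also flags `setup.exe` and `explorer.exe`. That is the trade-off the thread is arguing about in miniature: every gain in detection from a looser rule has to be paid for in legitimate files sent to quarantine, which is why quarantine rather than deletion (as doktornotor insists on) matters so much.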

lodore
October 21st, 2008, 11:50 AM
FPs should be minimized as much as possible since most users won't be able to tell and just follow the recommendation of their AV.

Zombini
October 22nd, 2008, 01:21 AM
-{ Quote: "I've never admitted this to anyone, especially my wife. :-[ Several years ago I was using f-prot for dos with a switch that created extra strong heuristics. It flagged explorer.exe as a trojan. Without thinking at all, I had f-prot delete it.
Man was I upset at myself!:wacko:
I learned the hard way to pay attention.

PS. I still haven't told my wife." }-

That's exactly what I was referring to. As soon as you get hit with a really bad FP, you then start questioning using any products that have lots of FPs.

Zombini
October 22nd, 2008, 01:25 AM
Here is one example of how easy it is for a product to be "trigger happy" and cause customers issues:

http://forum.kaspersky.com/index.php?showtopic=88904

Macstorm
October 22nd, 2008, 03:17 AM
-{ Quote: "Here is one example of how easy it is for a product to be "trigger happy" and cause customers issues:

http://forum.kaspersky.com/index.php?showtopic=88904" }-
Here's another:
http://www.pcworld.com/article/132050/millions_of_chinese_hit_by_symantec_foulup.html
http://www.liquidmatrix.org/blog/2007/07/17/symantec-false-positives-again/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019958

;D

larryb52
October 22nd, 2008, 09:05 AM
I'm starting to change my mind here as I use Nod32v3 & of course extremely low FPs but my machines have been hit hard & clean up is timely. Granted FPs for the untrained eye is NOT good & those that are inexperienced using 'say' kaspersky will not be 'techie' enough to know their exes & processes & create a nightmare for their machines. I have become a convert to kaspersky but I'd like to think I know my stuff. NO I'm not all intelligent but I will say I respect the fact the kaspersky forum is there & answers come quickly. In these trying times of new malware you can't be too careful & I'm starting to see the value of an ounce of caution (FP) is worth a pound of cure (or time & effort)...

gery
October 22nd, 2008, 10:22 AM
AVG gave me some hard time today so I finally ditched it. It finds Bitdefender's files as spyware (some installation files of BD free) and I checked it then with some other AV and it was a false alarm. Recently I had 6 false alarms. Back to Trend Micro.

djohn
October 22nd, 2008, 10:32 AM
-{ Quote: "You should be able to submit a file if you think it's suspicious. I submitted a file to KL a few days ago as it had a double extension, i.e. .doc.exe with a long space between the .doc and .exe. Scanning it at the highest settings yielded no alerts, but I was wary of that file so I sent it for analysis. It turned out to be malware and KL added detection for it to their database." }-
Yes, absolutely agree. I am just referring to if one does not see a suspicious file or the antivirus does not see it either.

djohn
October 22nd, 2008, 10:51 AM
-{ Quote: "I've never admitted this to anyone, especially my wife. :-[ Several years ago I was using f-prot for dos with a switch that created extra strong heuristics. It flagged explorer.exe as a trojan. Without thinking at all, I had f-prot delete it.
Man was I upset at myself!:wacko:
I learned the hard way to pay attention.

PS. I still haven't told my wife." }-

Hey, do not feel bad. When I first started computing, I went trigger-happy deleting stuff that should not have been deleted. OOPS :blink: what a mess. If we do not make mistakes then what's there to learn? Once my friend and I took a car engine apart to replace a cam shaft, the valves and lifters and some other things. We put a 3/4 race cam in and performanced the engine; when we were done it started up ;D but we had a few extra bolts we discovered laying around :blink: Needless to say the car ran for years without problems, at least that we knew about.

TonyW
October 23rd, 2008, 03:56 AM
-{ Quote: "the antivirus does not see it either." }-My point was the AV didn't see it initially, but I was clued up enough to submit the file to be checked just in case.

risl
October 24th, 2008, 12:03 PM
As a more "experienced" user I like to have aggressive heuristics and then decide myself if a file is malicious or not. Therefore I have no problem using Dr.Web that is somewhat known to produce false positives. Had a few during my time with it and all were quickly fixed.

djohn
October 24th, 2008, 12:36 PM
-{ Quote: "My point was the AV didn't see it initially, but I was clued up enough to submit the file to be checked just in case." }-
I understand what you're saying, but keep in mind that you have the knowledge to spot something of a suspicious nature or a file that may not look right; even if you're uncertain it's infected you were aware of something, but not everyone has this knowledge.

Ed_H
October 24th, 2008, 01:32 PM
-{ Quote: "I'm starting to change my mind here as I use Nod32v3 & of course extremely low FPs but my machines have been hit hard & clean up is timely. Granted FPs for the untrained eye is NOT good & those that are inexperienced using 'say' kaspersky will not be 'techie' enough to know their exes & processes & create a nightmare for their machines. I have become a convert to kaspersky but I'd like to think I know my stuff. NO I'm not all intelligent but I will say I respect the fact the kaspersky forum is there & answers come quickly. In these trying times of new malware you can't be too careful & I'm starting to see the value of an ounce of caution (FP) is worth a pound of cure (or time & effort)..." }-

I had the same experience with NOD32 V3. Way too much time spent cleaning up or restoring images. My machines now either have Avira or Kaspersky and I get occasional FPs but no infections. So, I don't mind researching an alert once in a while. That's a good trade off to me.