View Full Version : Automated False Positives
IBK
June 2nd, 2010, 03:03 AM
http://research.pandasecurity.com/automated-false-positives/
AvinashR
June 2nd, 2010, 03:20 AM
Thanks for the link...BTW very informative article.:)
OlegSych
June 2nd, 2010, 03:48 AM
It means that all vendors (including KAV) use an analysing method like "scan at VT" (often - local scan system) :thumb:
I think it's OK. The main reason is comparatives (test centres and users). All AVs need (!) to detect all files detected by other AVs, users call it.
shadek
June 2nd, 2010, 04:23 AM
I didn't see Avira on that list. :) So they're basically the only AV-company handling their business properly. :p
OlegSych
June 2nd, 2010, 04:37 AM
-{ Quote: "I didn't see Avira on that list. :) So they're basically the only AV-company handling their business properly. :p" }-
Or its AVLab's reaction is too slow ;D
3GUSER
June 2nd, 2010, 04:43 AM
Important is that vendors known to care about false positives didn't make this false positive, no matter if it is an automatic system or human mistake.
ESET, Microsoft, Symantec are very cautious when releasing updates to their clients and they never made a signature about this.
From the European vendors, AVG is "known to steal signatures" (at least I have read somewhere that they try to steal from Avast, ESET, Kaspersky, perhaps others, too).
McAfee's cloud made this mistake because of high sensitivity. All other vendors mentioned in the blog article don't care much about FP alarms and, except for Kaspersky, are too small vendors.
Symantec's detection at first has now gone because the file has gained good reputation:
CiX
June 2nd, 2010, 04:49 AM
-{ Quote: "From the European vendors, AVG is "known to steal signatures" (at least I have read somewhere that they try to steal from Avast, ESET, Kaspersky, perhaps others, too)." }-
What!! Are you sure??:o :o
3GUSER
June 2nd, 2010, 04:51 AM
-{ Quote: "What!! Are you sure??:o :o" }-
I wrote I have seen it somewhere on the net. Since I don't work at AVG's virus lab I can never be 100% sure BUT still there is much evidence that they copy detections from other vendors.
Anyway, back on topic, please :)
Sputnik
June 2nd, 2010, 06:13 AM
@3GUSER
Please don't spread such vague rumors. Consider that most AVs have detection ratios of 92%+ on huge testbeds; files detected as malicious by other vendors will have top attention by vendors which don't recognize it as malicious...
Watching each other's detections is something way different than copying other vendors' signatures, which can be defined as reverse-engineering.
yaslaw
June 2nd, 2010, 10:26 AM
-{ Quote: "I didn't see Avira on that list. :) So they're basically the only AV-company handling their business properly. :p" }-
Avast also isn't on that list :D
regards
y.
Ibrad
June 2nd, 2010, 10:31 AM
Well, Trend Micro House Call is no longer detecting it and AVG is no longer detecting it either. Symantec no longer says it's suspicious.
pabrate
June 2nd, 2010, 10:41 AM
ZoneAlarm Extreme Security (Kaspersky engine) is detecting it as Backdoor.Win32.Bredolab.djl
ESS474
June 2nd, 2010, 10:53 AM
Here is a heuristic detection of ESET...
fax
June 2nd, 2010, 01:10 PM
-{ Quote: "ZoneAlarm Extreme Security (Kaspersky engine) is detecting it as Backdoor.Win32.Bredolab.djl" }-
Will soon be detected as:
PandaCloudTestFile.exe - not-a-virus:Garbage.Win32.Panda-test-file.a
;D ;) :lurking:
Ibrad
June 2nd, 2010, 08:41 PM
PC Tools will have this fixed in an update shortly: http://www.pctools.com/forum/showpost.php?p=230508&postcount=2
I am too lazy to sign up for any more forums so please if you have some time submit this to the other vendors that are detecting this :P
Well I guess since the Nod32 forum is here I can go report it to them....I forget they are hosted here ::)
Update: Kaspersky is no longer detecting it
pabrate
June 2nd, 2010, 08:58 PM
-{ Quote: "Update: Kaspersky is no longer detecting it" }-
I can confirm that with ZoneAlarm, it's not detecting it anymore :shifty:
Miyagi
June 2nd, 2010, 09:06 PM
Thank you Andreas. Great wake up call! 8)
3GUSER
June 2nd, 2010, 11:00 PM
-{ Quote: "PC Tools will have this fixed in an update shortly: http://www.pctools.com/forum/showpost.php?p=230508&postcount=2
I am too lazy to sign up for any more forums so please if you have some time submit this to the other vendors that are detecting this :P
Well I guess since the Nod32 forum is here I can go report it to them....I forget they are hosted here ::)
Update: Kaspersky is no longer detecting it" }-
It is not about fixing this manually (a.k.a. whitelisting the file) - the problem Andreas (IBK) and in this case Panda present is about "the speed" a non-malicious file is being added as detection by some vendors
Kees1958
June 3rd, 2010, 06:00 AM
;D good to see my freeware AV is lacking automated FP generation, on second thought I would not pay for such a feature ;D
ESS474
June 3rd, 2010, 09:22 AM
ESET is not detecting now :P
Ibrad
June 3rd, 2010, 10:12 AM
Thanks for confirming that ;D
Ibrad
June 4th, 2010, 09:24 PM
As fast as I am reporting this FP to vendors, other vendors are detecting it. Now Avast! is detecting it; for every one who fixes it, three more detect it ::)
dawgg
June 4th, 2010, 09:53 PM
-{ Quote: "It's mean, that all vendors (including KAV) use analysing method like "scan at VT" (often - local scan system) :thumb: " }-
Wrong conclusion. This is not necessarily the case. It can be a false-positive by analysts or malware analysis robots.