Anti-Virus Scanners and False Positives.

It's not really a question, it's more a proposal and it concerns all scanners, not just AV scanners.

As far as I know scanners use two methods to detect viruses/adwares/spywares/... based on
1. Fingerprints, which are safe as detection method
2. Heuristics, which are usually safe, but sometimes result in FALSE POSITIVES.

Knowledgeable users will normally report the false positive and the company will fix the false positive.
I assume that fixing ONE false positive, doesn't mean that all false positives are fixed. That would be too easy.
Less-knowledgeable users will remove these false positives as well, because they trust the scanner.

Would it be a help, when there was some kind of indication for each detected malware, that it was detected by
the fingerprint method OR the heuristic method. IMO the program should be able to do this.
Malwares detected by the fingerprint method are always safe to remove.
Malwares detected by the heuristic method need to be removed more carefully.

For instance :
Malwares detected by the fingerprint method in color GREEN or marked with "F", whatever.
Malwares detected by the heuristic method in color ORANGE or marked with "H", whatever.
The less-knowledgeable user would at least be warned, that an ORANGE malware could be a false positive,
which is always better than telling nothing.
Personally I think that even knowledgeable users would like to know this : fingerprint or heuristic ?
What do you think ?

 

Some programs already says if the detection is by signature or heuristics based, but even some programs that only use signatures have false positives, so you can't say that all the detections can be safely removed...

 

Even signatures give false positives, that's new to me.
This means that some malware signatures appear in legal softwares too, that's great. Pfff.
These scanners are even more unsafe, than I thought.
In that case, my proposal is useless for less-knowledgeable users. I give up.
I still have to meet the first security software, that makes me happy.

 

You can see the example of avast! that sometimes have false positives and it doesn't have heuristics...

 

No disrespect intended Eric but if False positives make you un-happy....the only way to solve that would be to program your own software. All scanners are going to have False positves from time to time but that does not make them useless as tissles on a boar hog IMHO.

 

Yes, I believe you. It doesn't matter anymore, at least not for less-knowledgeable users.
Both methods have false positives and that's the end of my proposal and thanks. I learned something new today, but it didn't make me happier

 

As you can see in my signature, I run these scanners myself and I have to live with these occasional false positives myself like anybody else, but that doesn't mean I like them.
I guess the only solution right now is to REPORT these false positives to the companies and fix them.

IMO, definition/Heuristic-based scanners/shields don't have a future :

1. There is absolutely no control over malwares, because they turn up from nowhere and need to be discovered first by researchers.
So what they collect in definition-databases is always INCOMPLETE, often too late and the bad guys won't stop creating new ones.

I would never collect malware objects, because they come from an unknown, inexhaustible, unpredictable and uncontrollable source (the bad guys) and not only that, you have to FIND these malware objects first somewhere on the internet.
That is a bad strategy and a solution, that is doomed to fail from the start.
Each time one of these scanners tells me I'm malware-free, I think "What about the malwares, you didn't find ?".
That's why I format my harddisk twice a year, to get rid of the malwares, that weren't removed by my scanners.

IF and I repeat IF I had to collect something, I would collect the objects of legitimate softwares, because these objects are well-known, controllable and created by the GOOD guys.

2. Due to competition all these scanners have a different definition-database in quantity and identity, which means you need more than one scanner for AV, AS, AT, AK, ..., let's say 10-12 scanners in total.
The security industry seems to forget that hardworking users, don't have the time to maintain and run so many scanners.
These scanners detect/remove grosso modo the SAME malware-definitions, but the companies refuse to combine all these definition database in ONE database, because that would be the end of the competition.
The only one that suffers is the hardworking user.

3. In the end these scanners will contain so many malware-definitions, that the total scan time isn't practical anymore.
Some scanners have already more than 200,000 definitions, what will it be next year 300,000 and after that 400,000 or 600,000 ?
So all these scanners will kill eachother in the very end and if the technical limits won't kill them, the angry users will kill them for sure, because they are not going to be happy with the TOTAL scan time.

Definition/Heuristic-based scanners/shield are just not good enough.
The security industry has to find other ways to protect computers.
They just took the most obvious, easy and unfortunately wrong solution without looking for better alternatives and without thinking about the consequences for the users.
I'm glad that some companies are trying something NEW, than just creating the n'th malware scanner.