Avoiding False Positives?

Fellow Creatures,
Recently there have been some rather heated debates on false positives, which have done harm to the user's systems. It would appear that some, unless I have misunderstood, default settings on many AVs are set to delete without user decision, which is understandable because the average user would not know how to decide. I remember one I was using that was set to: if can not clean then delete, can not remember which one.

My question is do the AV producers run their signatures through any testings on real systems before releasing them for download to their customers. I would think yes, but am not sure. This could and would also be the same for ATs too. Or any malware program. But AVs are so must have. I'm really restricting the question some what. Certainly we all agree that there are false positives, but how do the companies avoid them. What makes one AV company have fewer then another? You would think extra care would be taken to avoid a release that would cause system damage no matter how rare an event, because the damage to the AV's reputation would be worse then missing a nasty or being a little later then your nearest competitor with you signature release? Of course an occassional software conflict due to a signature release is understandable. Also some are quicker then others to fix. Of course deciding which are legitimate and which are false reportings from ones customer base in and of itself would be a real task I would think.

I would like to know these things as I just do not know.

And this issue most certainly would effect my decision on AV purchase.

 

The av companies certainly do test their virus signatures. They try very hard not to release them until they are pretty sure they are all right. and as far as the hot discussion you mentioned it is very possible that it is a hardware or software specific problem on just this one computer. The AV in question is a quality product that has never given this particular computer any problems before. Several files will be sent to the AV company to be analyzed to see if the specific reason for the problem can be found. until then life goes on.

 

Understood. But I was just wondering how they do these things. Do they have banks of computers with various other products running with their AV product on them, all with various configurations. And then make various changes to the AV as needed including and especially signature data base additions and then wait to see the reactions. Burn testing in a fashion. And then after a certain amount of time, they say the signature detections work with no conflicts or ill effects on system. This is good for release load it on the servers.

It would appear to me the care,man and machine power dedicated in this effort may make the difference.

And of course then there are those like you BigC and others who turn in specific problems. I would think this would be of tremendous help.

The KAV debate you reference was one example and indeed it was on my mind but not the only one, it is one of several that have taken place over the years.

Please do not misunderstand me I am not attempting to start something. I see Avs getting closer and closer to a commodity yet some are clearly better then others. All have their strengths and weaknesses. I am just attempting to figure out what really makes one AV better then the other. The best way in my mind is to learn what they are doing in the lab.

Thanks for your reply.

 

Im pretty sure that there are a lot of testing machines available.

I work in a web development team of 5 people. We have 2 test machines for testing products we purchase and playing with them, 2 machines for development of the products I write, then 2 for testing them, plus we have 2 local live servers, plus various remote servers... similar story for the other companies Ive worked for in the past 5 years (and the others i have visited or my friends work for). Basically any serious development company will invest a decent chunk of the project time/money into testing, this is especially important where there are on going projects with customers who have contracts with support and updates, where version bug fix and updates have to be made on a continous basis.

Ta Nick

 

Here we go! Thanks NICK. That is the type of nuts and bolts, on the ground, in the lab reply I am looking for. Hope to see some more stories like this one.

 

False positives are indeed a SERIOUS problem in many softwares and they shouldn't exist at all.
The consequences of deleting a false positive can be even worse, than malware.
Security softwares are supposed to fix problems, not to create problems.

Security experts and knowledgeable users already know the difference between false positives and real malware, they don't really need safe security softwares.

Ignorant users (the majority) need safe security softwares without false positives.
So the security industry has to work very hard on that problem.

I sincerely hope that nobody will ever consider false positives as a necessary evil, because that kind of attitude is totally wrong.

 

Well put Erik Albert !!

HR