Does high detection rate mean more false positives

Discussion in 'other anti-virus software' started by steve161, Dec 20, 2007.

Thread Status:
Not open for further replies.
  1. steve161

    steve161 Registered Member

    Nov 22, 2006
    New York
    Much has been made of comparative detection rates among antivirus programs. Logically, an av with a higher detection rate would include more false positives, in theory at least. There has been at least one member who frequently makes an issue of the problems relating to FPs, so my question to all my Wilders brothers and sisters (hey, it's the holidays) is:

    Which would you consider more problematic for a newbie: an av with lower detection rates or an av that might erroneously alert the user to an important program or system file?
  2. sasa843

    sasa843 Registered Member

    Feb 1, 2007
    Serbia, Europe

    According to my findings I would propose AV with lower detection rate + one good antispyware tool + user education about main security issues and how to protect from them.
  3. dNor

    dNor Registered Member

    Oct 3, 2007
    Irvine, CA, USA
    If the false positive is something critical like an important system file then that'd have the potential to be pretty disastrous for an inexperienced user. For that reason I'd say it'd be the more problematic of the two.

    Education is more important, in my opinion, than choice of protection. If they have no idea what they're doing and get scared with a triggered alert and click Delete on a system file false positive or don't update their software and run scheduled scans then there's a chance of a big headache down the road. Even the best software can be rendered useless if it isn't used properly.
  4. Bob D

    Bob D Registered Member

    Apr 18, 2005
    Mass., USA
    ay, there's the rub!
    My suggestion would be to run a full system scan (with whatever AV you install) under the supervision / guidance of a reasonably experienced user, that hopefully will spot any potentially problematic FPs.
    Thereafter, if the AV falsely flags/quarantines an innocuous file, hopefully it is not a critical loss.
    I would prefer to err on the side of caution.
    For example, on the kid's puter here, I take a conservative approach w/ heuristics @ maximum.
    Infected: Cure, Action fails: Delete
    Suspicious: Block, Action fails: Delete
    Not concerned w/ FPs in that his DLs are not mission critical (i.e.: I don't care if one of his DL'd screensavers got falsely flagged/deleted).
  5. BlueZannetti

    BlueZannetti Administrator

    Oct 19, 2003
    Actually, the premise depends on how the detections are achieved (signature vs. generic signatures vs. "malware preferred" packer vs. heuristics). Some are much more prone to false positives than others.
    It really depends on how that user reacts to things. Some jump to full blown panic mode at the slightest alert. Others will actually take some time to read the alert message. The calculus that I generally use presumes that - despite the claims here - most folks receive very few alerts over the course of years while a false positive often impacts a large population all at once - i.e. presumes a widely circulated program - so I'd tend to focus on false positives as an issue since:
    • it will likely be the first alert that many people see and
    • many folks have their AV's configured (or the default is) auto delete/cure, so they'll not get a chance to decline the "fix"
    Ironically, although lots of users here tend to update their AV's very frequently (say hourly or shorter), this actually renders them more likely to fall victim to a false positive. As mother said - do things in moderation - ask the user for any action and update every few hours (or use the default automatic mode if available).

  6. Diver

    Diver Registered Member

    Feb 6, 2005
    Deep Underwater
    The best AV's have a high detection rate and low false positives. The bad AV's have a mediocre detection rate and many false positives. Consult av-comparatives, one of the few testing labs that does a meaningful job testing for false positives on its proactive detection test.
  7. C.S.J

    C.S.J Massive Poster

    Oct 16, 2006
    this forum is biased!
  8. dawgg

    dawgg Registered Member

    Jun 18, 2006
    +1... Well said :)