False Positives

I use Symantec Corporate Anti-Virus 8.0, which I get for free from work (employer has long-term license with them).

This did not use to happen, but in the last year or so, it has quarantined an increasing number of false positives, files that I know are not malware, that I have to restore from the quarantine. It's getting to be a pain in the neck.

I figure, this is probably true for most AV programs. As they compete with each other, to get a higher detection rate score on tests by computer magazines, etc., the trade-off for higher detection rate seems to be more false positives.

The amount of false positives should be considered, in choosing an AV app, not just detection rate. For instance, if an app is flagging a lot of false positives, it is like the fable about the "boy who cried wolf", after a while you don't believe the app's warnings, and one could ignore a real threat.

Could anyone recommend an AV program with less false positives than the others, that still provides decent security?

 

Im afraid this type of thread is not allowed here due to ppl screaming their heads off promoting their favorite av over and over however you will not find an av that doesnt have false positives as you just proved yourself even those known to have few or none (nod32,macafee,norton) false positives in tests (AVC.etc.) do turn up plenty of fp's for some users. It might be better to just take a wild leap n pick 1 at random how silly that even may sound

 

IMHO, it's all about luck. All AVs have increasing false positives. I think it is showing the limitation of signature based protection. The database is now so big, that inevitably, common code can be found more easily than in the past.

Unless you are REALLY annoyed , i don't think it's a valid reason to change, because i don't think that the others are so much better than Norton...

Look at my PC. In the last days:

- Twister's on demand scan, flagged under Heuristics, as "suspicious" 2 files from Comodo (i suspect are part of Comodo's antivirus signatures).

- Dr. Web CureIT, flags as trojans, DTaskManager and a file from Twister antivirus!

http://img355.imageshack.us/img355/2200/46128126ya6.png

- Threatfire, then flagged DrWeb's file as threat!
http://img187.imageshack.us/img187/7144/61467279dd2.png

- Also Threatfire's on demand scanner, flags Universal Extractor as trojan.

http://img101.imageshack.us/img101/5884/36493846it4.png


It's RIDICULOUS, but this will be an increasing phenomenon in the future IMHO.

EDIT: The latest! Extra, extra! I had Twister disabled to scan with Cureit. As soon as i re-enabled it, FDD kicked in and killed DrWeb's process because it was "hidden" (same alert as Threatfire):

http://img185.imageshack.us/img185/6475/59989206ma1.png

 

Symantec shouldn't be prone to false positives much. At least for now they always kept FP's at a very low level.

 

Indeed.It would be useful if the OP would tell us if it's more on a special category of programs that FP's happen.Games? Developing applictions?
Except Asquared which happened once to detect one of it's files as malware (it's funny couldn't resist ),i don't know any other known product with such behaviours on mainstream software ,and i tried most of AV Comparatives products.

 

Your using V8. The current version is v10.2

v8 is outdated by a couple of years. Signature updates may no longer be issued.

Norton has historically had "few" FPs, however that was the consumer version.

As for me, I never encountered a FP ... maybe a few False Negatives .. yes.

 

Sorry I have to correct you, but the most current version is 11.0.4000.2295. Even version 10.2 is about 1 1/2 years old. Version 8 is about 4 years old.


Cheers

 

No wonder.

"Symantec Antivirus 8.0 reached its End of Support Life as of November 30, 2005 and Symantec Antivirus 8.1 reached its End of Support Life as of January 31, 2007, as defined in the Symantec Enterprise Technical Support Policy. Therefore virus definition updates are no longer supported for this product."

W/o update defs, the detection and FPs will constantly rise, until detection hits 0% and FPs go through the roof and you can't boot your computer.

It's been years since 8.0 has been issued an update. Surprised your system survived up to now.

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce

 

When I click on "About", in the "Symantec Anti-Virus Corporate Edition" main window (in the Help menu), it lists the version as 8.1.0.825. That is probably the version my employer purchased from Symantec.

Yet, there are new virus definitions for it to download and install every day. Sometimes Live Update will download and install more than a definition update, such as virus engine update, etc.

My employer, by the way, is the Los Angeles Unified School District, one of the largest organizations in the country. All the computers of the district, including the IT department, etc., are all running that same version. I don't think they would leave their computers unsafe.

They probably purchased a long-term license that includes definition and engine updates, but not version updates.

Anyhow, I hope that clears that sidetrack up, and we can cease discussing what version of SAV I have, and get back to the main issue, which is false positives--a major problem IMO, which could cause one not to trust real detections by the app either.

Regarding the comments that SAV is less prone to FPs than others---I have been using SAV for years, and for most of that time, did not have this problem. In the last year, however, the problem has been increasing exponentially, with new definitions.

Can someone tell me, with the current definition sets, which AV apps flag less FPs than others?

The AV companies should really try to deal with this problem better. Not just to be concerned with having higher "detection rates" on tests, even if that means many more false positives. IMO, it is a real problem!

 

Norton historically has few FPs. Version 8.1 has not been issued updates since mid-2007. SAV has been replaced by Symantec Endpoint Security 11.1.

You can ask your employer if you can upgrade for free.

You can also switch AVs.

As for you continuing to receive updates, it may be the last set of updates released for v8.1.