Closed FP thread

I wish the False positives / Missing detections thread could have remained open. I get the feeling that if members had used it strictly for what it was meant for, rather than for discussion, it might still be open. I think it was a tremendous benefit when used in the manner in which it was intended.

 

well page, chalk it up to "Marketing."

 

I agree, but because it generally only takes a minute or so to fix an FP, we feel the usefulness of the thread is diminished, especially when most of the posts require us to just get a scan log from the user anyway.

We may end up changing this but currently it seems like the thread largely outlived its usefulness.

Of course, this won't negatively impact our reaction times at all - quite the contrary as it will improve them by us being able to have more "hands on deck" to analyze each file as it comes in.

We're definitely interested in any feedback on this, so feel free to comment further!

 

As moderator, can't you delete all the superfluous stuff and keep it on topic?

 

Somewhat yes, but it would be like having every piece of software hold each bugfix ever made in the changelog for the user to read - its unnecessary and obscures what the user actually gains from the software. They would end up looking at it and think: "My, there are a lot of bugs in this software" but they would never see that behind those bugs there are thousands/hundreds of thousands of new pieces of functionality/lines of code.

Once a FP is fixed, it won't be "unfixed" so as soon as it is corrected, it is history and irrelevant moving forward.

 

I don't think that a comment like this is accurate, nor fair -->

and I wonder if it influenced Joe's decision to shutter the FP thread?

 

We still can make new threads if we have any problems if they are FP's or not so I feel that Joe did the right thing as the old saying goes no product is perfect and always check the file before you do any cleanings or deletions!

TH

 

It did - being that we don't have a voice enough to be able to post every newly found threat every day (and I'm fairly sure Wilders would run away from us quickly as we'd be sucking up their bandwidth out of control ), the voices of Prevx having "too many FPs" fall to the negative side very quickly, which is why I suspect most AVs do not have these threads (and because of the redundancy involved being that there are many other submission methods).

Honestly, I feel it is a waste of everyone's time to have to rejustify our highly infrequent misdetections on a near-daily basis. If you look through the last posts in the FP thread, you'll see that, trjam's and mhob's FPs (2 in total) were the only FPs today, there were none yesterday, 1 on the 30th, none on the 29th, 2 on the 28th, none on the 27th, none on the 26th... all falling inline with 1-2 FPs per day (less on average actually).

Across a community of 6+ million users, seeing more than 250,000 brand new programs each day, automatically determining more than 30,000 of these new programs as malicious every day (not to mention detecting the millions which we already know as bad historically), I'd say if we were to have less than 2 FPs per day we would have a problem

 

Before anyone wants to run me through the grinder, which is ok as I have no motive in all of this but to protect the consumer. Joe you just said none on the 26th,

26th, 26th

 

I think the FP thread was allright.

Joe, my girlfriend is in e-mail contact with you cause the default.sfx (winrar) FP is not fixed yet but your research says it is. It is not very comfortable to do those discussion in a very unpersonal enviroment like e-mail with unknown persons. I often would like to have some background view on some detections or misdetections cause PrevX's methods are like a secret.

So i see following problems:

PrevX doesnt say clearly how it works. You say this and that but never came out with real informations. That is not a big problem if the prog is working fine. But if the user gets into trouble (FP) the user wants to know why. He paid for.

The User has to trust a prog he is using especially he has to trust his av prog. So how can we trust an AV without further information about how it works? See Norton has a very large knowledge base where nearly every information can be found. Avast has a good forum where even detailed informations are shared. And i could go on.
That is why users trust those programms.

I trust PrevX and i think it's detection rate is great but i do have to say that the number of FPs is higher than in every other product i used before. And i used a lot.
That is not a big problem for me as long as i can talk to You gathering more information and a fix fast.

But without the thread, reporting each FP by e-mail (taking quiet a long time) FPs are a problem for me. Especially if the problem isn't fixed.

 

Are they due in large to high heuristics settings?

I've grown accustomed to false positives with other vendors taking at least four hours to fix, and often times maybe a day or two. But I agree with Habakuck, having the ability to connect with Joe here at Wilders is better than support emails or tickets or whatever the other options are.

 

We have fixed the default.sfx FP (I responded to it) and instructed her to right click and select "Report as a false positive". After that, we haven't heard anything back yet. Let me know if something hasn't worked with that, however

Other AVs also do not say clearly how they work. It is a matter of heavily proprietary technology used in the AV/security industry which is why there isn't a lot of transparency about the technology. We do have some 3rd party white papers being released in the coming weeks, however, which should help with some clarity on the technical side of Prevx

We have our help file here: http://info.prevx.com/edgehelp.asp which, granted, doesn't get into too much technical information but it gives an overview. 99.9+ of users don't care/know/want to know about anything on the more technical end - they just want it to work. However, as mentioned, we will be soon adding more whitepapers/documentation about Prevx for the < 0.1%

I've now set it up so that the notification I would receive by email would come exactly the same way as the FP notification I would have received from Wilders so I don't think there would be any added delay. The problem which your girlfriend had is a strange one and we don't have a real answer for that yet but indeed the file is clean/good/trusted in our database but was not showing clean on her PC (which is why we recommended reporting it as a false positive locally which will correct it from there).

 

Fair enough, I'm also working on ~3 hours of sleep and its midnight here There was 1 FP reported on the 26th (the other, heuristic FPs are on the 25th from my timezone).

 

no problem, just asking for honesty and you are a busy dude. Get some sleep, just trying to debate what I see and if I am wrong, I will always be the first to apologize.

 

Ok, he missed a couple, but it's only a couple more. Not the multitude that's being implied.

What we seem to be forgetting is that being here on Wilders is kinda niche. It's Wilders members who may or may not report missed detections or FPs here, and judging by the stats relating to the users here, not that many are reporting FPs really.

I'm actually surprised you let Prevx clean your system if you knew the iebrshim.dll file was a FP. I wouldn't have let it do the cleanup; I'd have checked it out first in a number of ways. Having said that, there'll be some users out there who would have gone ahead and let Prevx clean their system of the said file if they had got that alert. It's just that you'd expect guys like you and me that post here to be a bit more savvy in this regard.

 

Let's be honest... the fact that you jump around from one security application to another, alternating on any given day (or any given minute) between high praise and then fault-finding, may not necessarily lend itself to any particular motive, but to dress it all up as protecting the consumer is a bit of a stretch for me.

 

well Joe, you do have your friends.

Page, let me explain, again, I have 3 computers 2 with FD-ISR so I have 21 snaphots of different software combos that I have purchased. Purchased is the key. I find that interesting and the quickest way to make a change to a combo on the fly to see what happens. I dont know alot about this stuff, never claimed I did. I have learned by listening to others.

Avatars and changes to, are nothing more then a game to me. It doesnt from my standpoint mean that I am so devoted to that product that I will never change. I do have a list of about 10 softwares that I respect and feel are very good. Protecting the consumer? Yeah, maybe a stretch, but if you really, really knew me, as some do here, then you would know that I do care more for members here then you are ever going to be entitled to know. And I will leave it at that because it is a private matter.

I respect Joe, and closing that thread was the right thing to do. I do know Prevx has a FP issue and I do know that with subsequent versions it will be corrected. So, like me or not, I am who I am and with my age, dont plan on changing anytime soon.

 

It is his prerogative to do so, but it does worry me a bit. No one security application is the best, and they all have their pros/cons. They all miss something at any given time, and some report FPs, some more than others, and yet by the same token, there are many users who report no FPs with their AV/AM program of choice at all. I personally think that a lot of that is down to demographics and what users are doing with their computers as well as what they have installed on them.

 

I think we are staying on topic pretty good here, trjam. I am not denying you the right to use as many security apps as you wish... not at all. This thread is about the closure of a FP thread, and that closure seemed to occur immediately after you took issue with Joe about your perceived high number of FPs happening with Prevx. So we are not discussing you here, but your assertions are part of what is being discussed. If you can keep the two separate, then we all are good, the way I see it. I still view you as a friend here at Wilders, but I simply take exception to you saying that you are harping on the false positives because you want to protect the consumer.

 

well then, just who do FPs respectfully hurt?

 

They only "hurt" the user if they intentionally go ahead and clean their system after getting the alert. That may, of course, cause a problem with the affected program if it malfunctions after that or doesn't work at all. If a user knows such and such a file is a FP, they shouldn't be cleaning it off the system anyway.

I thought most AV/AM programs now have features to quarantine/halt/override these detections until they are confirmed as genuine or not. If they are deemed to be malware, then yes, go ahead and remove it, but not if it's determined to be a FP. Prevx itself has the option to right-click the detected file and report it as a FP as well as reporting through email channels, which is the preferred method.

However, I think the real issue here is the belief there is a high level of FPs with Prevx; the question has to be asked: to whom does this apply, and at what level of protection are they using Prevx at i.e. low, medium, high etc.?

 

They don't hurt me, especially when I have a place readily available at my fingertips to converse with a company representative who is doing everything he possibly can (including starting a thread specifically for reporting false positives). But when people use that very thread creation against the company by saying things like, "The very fact that there is a thread specifically devoted to Prevx users self-reporting FPs indicates a problem", then that does impact me. I love the accessibility of this company and I take exception to the people here who, whether by design and intent or not, drag down those efforts.

 

I stand by my statement. And for users or consumers I am not talking so much about members, but folks who get one, and dont know what to do. I have been there. And as far as dragging Prevx down, I think even Joe knows my assistance here. Again, all we have done is create a continuation of the thread he chose to close and that isnt right either. Now is it?

 

Actually, Joe seems to want input...

 

I do And I welcome this exchange and think it is necessary.

This is very true - and all FPs reported here are niche FPs. Our systems are designed to undeniably prevent a false positive from existing that could affect more than ~50 users. When we create a new signature or rule for detection, we are given a screen which will show us exactly what will be detected by that rule - down to every single file/component that will be marked as Good or Bad. This is what sets Prevx apart from other security products: we know exactly what our detection is and where the FPs lie.

Granted, no one in Prevx is psychic so sometimes new programs are caught by old signatures and sometimes new signatures do catch fringe programs - we can only be "so" accurate: many signatures literally catch 500,000+ malicious signatures in a single signature and if we see that it isn't creating any FPs that would affect more than a very small number of users.

Frankly, every FP we encounter is a headache - we have to issue refunds or walk users through the "Undo Cleanup" feature and they always generate support costs/complaints/hurt our product image. But we are not alone in this: every AV/AM/HIPS/etc. which is able to detect files has FPs. There is absolutely no signature type which will prevent all FPs. Even 1-to-1 signatures can produce false positives or false negatives (granted they would be mathematically very rare but still very possible). It is rare to find a company these days that hasn't had a public disaster of a wide-reaching FP that affected thousands/millions of users - we haven't and will never have this because of our preventative systems in place.