Antiviruses facts

Discussion in 'other anti-virus software' started by chaos16, Aug 14, 2005.

Thread Status:
Not open for further replies.
  1. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
No, that's not the same.
False positive is a legit program (or perfectly clean file) tagged as malware.
Damaged sample could be picked up as part of generic detection, but it's not a working one. Some AVs even tag them as MalwareName.dam, but that's pretty rare.
Also non-working stuff doesn't necessarily mean it's damaged. It can assemble itself to a final state with parts in some other file or something similar.
     
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    I know IBK knows what he's talking about, but I fail to see it.
Any AV detecting a broken or a garbage file is an F/P, right?

It's not a real virus, so it's a false one - the scanner detects it as a positive.
    You do the math :)
     
    Last edited: Aug 16, 2005
  3. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Not exactly. Look...

False positive is a PERFECTLY clean file that has nothing to do with the named malware.

Damaged samples are basically correctly identified, but they are just not functional because some parts are corrupted.
Now we can't talk about a false positive here, because the file indeed does contain parts of malware and the thing was never clean (in the case of non-parasitic malware). Proper tagging of such samples is not a false positive, but simply a damaged sample.

Positive match = correctly identified malware
False positive = perfectly clean file identified as malware
Damaged sample = sample that is indeed malware, but it's in a non-working state, i.e. damaged
     
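The three outcomes listed above can be made concrete with a small scanner model. The following is an added example, not code from the thread or from any AV vendor: it defines a constructed toy container format (magic, declared body length, body, CRC32) so that "intact" versus "damaged" can be decided mechanically, matches hypothetical generic byte signatures against constructed sample bytes, and separates what the scanner can report on its own (a hit, a hit on a structurally broken file, or clean) from the verdict an analyst assigns once the file's true nature is known. Every file, signature and name here is constructed for illustration; the "damaged sample gets a .dam suffix" convention is the one mentioned in the thread.

```python
import struct
import zlib

MAGIC = b"TOY1"  # constructed toy container format, not a real file type

# Hypothetical generic signature: name -> byte pattern. Constructed for the example.
SIGNATURES = {"Toy.Dropper.Gen": b"DROP:\x90\x90"}


def build_toy_file(body: bytes) -> bytes:
    """Assemble a well-formed toy file: magic, body length, body, CRC32 of body."""
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return MAGIC + struct.pack("<I", len(body)) + body + struct.pack("<I", crc)


def structural_state(blob: bytes) -> str:
    """Return 'intact' when header, length and checksum agree, else 'damaged'."""
    if len(blob) < 12 or blob[:4] != MAGIC:
        return "damaged"
    (length,) = struct.unpack("<I", blob[4:8])
    body = blob[8:8 + length]
    if len(body) != length or len(blob) < 12 + length:
        return "damaged"  # truncated body or missing trailer
    (crc,) = struct.unpack("<I", blob[8 + length:12 + length])
    return "intact" if crc == (zlib.crc32(body) & 0xFFFFFFFF) else "damaged"


def scan(blob: bytes, sigs=SIGNATURES) -> list:
    """Generic detection: every signature whose pattern occurs anywhere in the file."""
    return [name for name, pattern in sigs.items() if pattern in blob]


def scanner_verdict(blob: bytes, sigs=SIGNATURES) -> str:
    """What the scanner alone can say: 'clean', 'Name', or 'Name.dam' for a broken file."""
    hits = scan(blob, sigs)
    if not hits:
        return "clean"
    name = hits[0]
    return name if structural_state(blob) == "intact" else name + ".dam"


def triage(verdict: str, analyst_confirmed_clean: bool) -> str:
    """Map a scanner verdict plus the analyst's ground truth onto the thread's categories."""
    if verdict == "clean":
        return "negative"
    if analyst_confirmed_clean:
        return "false positive"      # clean file, yet the signature fired
    if verdict.endswith(".dam"):
        return "damaged sample"      # real malware bytes, but not a working file
    return "positive match"


# --- constructed inputs -------------------------------------------------------
MALICIOUS_BODY = b"stage0 DROP:\x90\x90 payload bytes that make the sample work"
INTACT_SAMPLE = build_toy_file(MALICIOUS_BODY)
DAMAGED_SAMPLE = INTACT_SAMPLE[:-7]            # trailer and tail of body lost
CLEAN_FILE = build_toy_file(b"a perfectly ordinary installer body")

# A legitimate file that happens to contain two NOP bytes as padding, plus an
# over-broad two-byte signature: the classic way a false positive arises.
LEGIT_WITH_PADDING = build_toy_file(b"legit code\x90\x90more legit code")
OVERBROAD_SIGS = {"Toy.Loose": b"\x90\x90"}


def demo() -> dict:
    """Run all four cases and return the scanner verdict and triage for each."""
    cases = {
        "intact sample":  (scanner_verdict(INTACT_SAMPLE), False),
        "damaged sample": (scanner_verdict(DAMAGED_SAMPLE), False),
        "clean file":     (scanner_verdict(CLEAN_FILE), True),
        "legit + loose sig": (scanner_verdict(LEGIT_WITH_PADDING, OVERBROAD_SIGS), True),
    }
    return {k: (v, triage(v, clean)) for k, (v, clean) in cases.items()}


if __name__ == "__main__":
    for case, (verdict, category) in demo().items():
        print(f"{case:18} scanner={verdict:22} triage={category}")
```

The point the code makes is the one RejZoR makes: the scanner's hit on the truncated file is correct, because the malware bytes really are there; whether the result is called a positive match or a damaged sample depends on the file's integrity, while "false positive" is reserved for the case where the file was clean all along (here, the over-broad two-byte signature firing on ordinary padding).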
  4. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Ah! I'm just too slow today :cool:
     
  5. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Hmmm .. one wonders why VirusTotal is still using an *old* version {8.0} for Symantec? This is why, in your lower screenshot, Symantec is detecting the Trojan.ByteVerify {which is in its regular sigs} but in your upper screenshot is not detecting Win32/TrojanDownloader.1stBar {which is spyware, an expanded threat, not in its regular sigs}.

    The current version for Symantec {home edition anyway} is 11.0.11.4 {see my screenshot}. Expanded threats, although in the database but not part of the regular sigs, are detected only by engines for NAV 2004 {version 10.0} and higher. Unless they are using corporate engine {whose version numbering is a little different}, that is a very old engine being used. Even with corporate, I think only 9.0 and higher will detect expanded threats.

    This is no implied criticism of you FF, you do a good job, but I might point out that sometimes those who post that NAV is missing things don't get their facts straight, are using an old engine, are talking about spyware, etc. Just a subtle point I wanted to bring to everyone's attention here.

    As for NOD32, my impression is that its signature detection is continuing to improve, and it still has by far the better heuristic compared to Kaspersky {or to most other AVs except possibly McAfee, BitDefender, or Dr.Web}. I do not think one can go wrong with either NOD32 or KAV.

    Also note, regarding CoolWebSearch, that is a real nasty, the worst of the spywares, and just because an AV can *detect* it doesn't mean it can *clean* it. Cleaning CWS oftentimes requires HJT analysis and help from experts. BOClean, btw, is very good with spyware prevention and cleaning .. HTH .. ;)
     

  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    That's correct. While trojans or viruses may be cleaned at least to some extent, cleaning spyware is a much more difficult job.
     
  7. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Maybe the definition of spy-/adware versus other trojan-like nasties might be quite a different thing with AV vendors after all. DrWeb is detecting the whole "Trojan.IsBar" family, as they named these, by the common bases only, not by using those beta "risky or nasty" bases at all.

    Best regards,
    Firefighter!
     