False Alerts: Do AVs become less reliable?

Discussion in 'other anti-virus software' started by comma dor dash, Jul 2, 2006.

Thread Status:
Not open for further replies.
  1. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    1.
    Are you aware of any independent tests showing that the increased use of heuristics has also increased the number of false alerts?

    Example: FastStone Image Viewer ( http://fileforum.betanews.com/detail/FastStone_Image_Viewer/1106292852/1 )

    "Eager beaver" AntiVir believes that the program's uninstaller installs the zlob Trojan. Can you confirm that this is a false alert and, if yes, does anyone know whether this alert results from the use of heuristic signatures?

    Also Ikarus produces an alert.

    http://img56.imageshack.us/img56/3750/avr1sp.png

    2.
    Are you aware of any independent tests showing that second- or third-rate scanners produce more false alerts than the cream of the crop?

    3.
    Are you aware of any independent tests demonstrating the impact of the types of signatures used (i.e., code-based, string-based, etc.) on false alerts?
     
    Last edited: Jul 2, 2006
  2. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    False positives are and will always be present. And they are certainly not limited to heuristics only. If you say it was detected as Zlob, then it's most probably a signature-based FP. Most AVs give you a clear hint on how it was detected. AntiVir tags such detections as Heuristic/MALWARE_NAME or lately HEUR/MALWARE_NAME.

    Oh, above file is false positive for sure.
     
  3. Suggers

    Suggers Guest

    In my experience, AVG is the worst, by far, out of all I have used for false positives. And according to recent results on proactive/retrospective tests they also have the least heuristics:
    http://www.av-comparatives.org/

    When using NOD32 I have never had a single false positive, and it has the best heuristics. So I personally don't think heuristics have too much of an effect on false positives.
    Regards
     
    Last edited by a moderator: Jul 2, 2006
  4. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    As you mentioned, it seems to depend on the AV. Further, actual scan settings are also important.

    In the recent av-comparatives test, Avira AntiVir, VBA32 and Dr Web had in general a lot more false positives than other AVs (25-73), using the "best possible detection settings".

    As shown in this test, there was generally a positive correlation between the number of FP's and the proactive detection rates.

    However, IME, using default heuristic settings, these 3 AV's have given me very few FP's.
     
  5. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    As regards AntiVir, I have looked into this issue.

    I have created a simple .txt file containing the following data:

    http://rapidshare.de/files/24720339/dumbsigtest.txt.html

    AntiVir detects it as Zlob. This is because AntiVir (i) interprets any file beginning with "MZ" as an executable and (ii) looks whether huge monster signatures are contained somewhere in a file.

    This is probably because its scan engine does not (because it can't?) scan for a signature at a specific offset. Generally, I would say this is a rather antique & dumb scanning method. An exception might apply to specific signatures (e.g., string-based signatures). In such a case, it might be a good idea to look for the sig at any location in the file.
     
  6. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Lol? You don't know much about antiviruses right?
     
  7. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    Maybe. But other scanners like Kaspersky, BOClean or Ewido scan at a specific offset. And they do not need to use monster sigs.

    I thought this single-point scanning method is used in order to improve the speed of the scanner and to reduce false alerts.

    Can you please further explain your comment and educate me?
     
    Last edited: Jul 2, 2006
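    As an added illustration (not code from this thread or from any of the products named in it), the following Python contrasts the two matching strategies debated in posts 5 and 7: a naive check that treats any file beginning with "MZ" as an executable and looks for the signature bytes at any offset, versus a check anchored to a parsed PE section offset. The signature bytes, the text decoy and the minimal PE-shaped blob are all constructed for the example; only the anchored variant refuses the text file.

```python
import struct

# Constructed stand-in for a detection string; not a real AV signature.
SIGNATURE = b"\x55\x8b\xec\x83\xec\x10ZLOBTEST\x90\x90"


def scan_anywhere(data: bytes) -> bool:
    # Behaviour described in the thread: "MZ" at the start plus the
    # signature bytes at any offset is enough for a hit.
    return data.startswith(b"MZ") and SIGNATURE in data


def first_section_offset(data: bytes):
    # Return PointerToRawData of the first section if `data` parses as a PE
    # image (MZ stub, e_lfanew, "PE\0\0", at least one section), else None.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # IMAGE_SECTION_HEADER array
    if num_sections == 0 or table + 40 > len(data):
        return None
    return struct.unpack_from("<I", data, table + 20)[0]  # PointerToRawData


def scan_anchored(data: bytes) -> bool:
    # Anchored variant: the file must parse as PE and the signature must sit
    # exactly at the start of the first section's raw data.
    off = first_section_offset(data)
    if off is None or off + len(SIGNATURE) > len(data):
        return False
    return data[off:off + len(SIGNATURE)] == SIGNATURE


def text_decoy() -> bytes:
    # Constructed analogue of dumbsigtest.txt: text starting with "MZ".
    return b"MZ just a text file\n" + SIGNATURE + b"\nnothing executable here\n"


def minimal_pe() -> bytes:
    # Constructed PE-shaped blob: DOS stub, COFF header, zeroed optional
    # header, one section whose raw data starts with the signature.
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt_size = 0xE0
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    section = bytearray(40)
    section[:5] = b".text"
    raw_ptr = 0x40 + 24 + opt_size + 40
    struct.pack_into("<II", section, 16, len(SIGNATURE), raw_ptr)
    return bytes(dos) + coff + bytes(opt_size) + bytes(section) + SIGNATURE
```

    The same kind of structural check is what lets a scanner refuse a signature hit inside a plain text file without dropping the signature itself.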
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    NOD32 seems to do well in both on-demand and heuristic detection with few false alerts. But I wonder how well Kaspersky will do in heuristic detection with its new engine when it comes out?
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    So as to assure the thread remains useful at a future time....dumbsigtest txt file uploaded locally....given the fact RapidShare deletes Free files "30 days after no download!"
     
  10. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Bubba Hmm...I would say this comes very close to software piracy :D
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    How did you come to that conclusion :doubt:
     
  12. ASpace

    ASpace Guest


    Same here ! :D
     
  13. ASpace

    ASpace Guest


    Hi ,.-
    I would send this file to a company for real analysis. Kaspersky Labs are really fast in this. Attach it and send it to newvirus@kaspersky.com
    Let us know if it is not a virus or what. Then, you can do good if you submit it to AntiVir and Ikarus with Subject "False Positive".

    https://www.wilderssecurity.com/showthread.php?t=132843


    Let us know how it goes :)
     
    Last edited by a moderator: Jul 2, 2006
  14. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Bubba

    You wrote me a PM and asked me not to discuss this issue in this particular topic. Have you changed your mind?

    @HiTech

    Good idea. Have you already sent the FastStone program (see the above link) to the developers? This program bundle includes the uninstaller flagged as a virus by AntiVir and Ikarus. I do not want to submit the same file twice.
     
  15. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Isn't it somehow ridiculous that you join all other threads in the other antivirus forum promoting in almost every single thread your choice of resold product, and if it comes to something "special" that you recommend especially Kaspersky for analysing an "unknown" file (it's a false positive anyway) with the comment that they are very fast?
     
  16. ASpace

    ASpace Guest


    No, I haven't, but there will be no problem if we send it twice :D
     
  17. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    First and foremost I did write you a PM but I never asked you "not to discuss this issue in this particular topic". I sent you an initial PM that said...."Instead of taking the thread off topic to ask....Please explain"....nothing more nothing less.

    As for your question...."Have you changed your mind?"....I wouldn't necessarily call it changing my mind....I simply now feel it is appropriate to this thread that you share with us and for all that use rapidshare webhosting of files your reasoning for the accusation you made of "software piracy" by downloading this dumbsigtest.txt file you have made available for download on rapidshare :doubt:

    edit
    I have edited to add that I do take Private Messages between individuals seriously but I have relented this one time to place a portion of a PM in public.
     
    Last edited: Jul 2, 2006
  18. ASpace

    ASpace Guest

    Well, it definitely seems ridiculous, but it is true that they are fast in analyzing samples. It is well known that the resold company I have chosen doesn't reply at all for something suspicious sent. There is no need of blaming them for something good they do :D
     
  19. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Bubba

    Please feel free to post my PMs. As always, there is nothing to hide. I took your PM as a clear hint not to discuss this issue here. And because it is very important to me not to violate the TOS or get into conflict with mods or admins in this particular forum I did not comment any further on this topic until you posted again :shifty:

    But I am glad that we can continue.

    1.
    I did not accuse you of software piracy. Instead I said that it comes "close" to software piracy to drag external content into this forum. (In addition, I posted a smiley and, moreover, I gave you the permission (if required at all) for the local upload via PM. You did not mention that.)

    2.
    In my opinion, it is an interesting question what kind of content you are allowed to locally upload. I think it goes too far to assume that any files uploaded to rapidshare can be locally uploaded. Perhaps the author of such a file does not want to share this file for more than 30 days or wants to retain control over such a file with the help of the rapidshare "delete file" option. (You can compare this with software available for download at the developer's website. You cannot simply assume that you can also host such software on your own site.) Therefore, it is important to determine whether locally uploaded content is protected by a copyright or not. It goes without saying that software, photographs, lyrics, articles etc. are protected. It is not so clear whether, for instance, VirusTotal screenshots or my dumbsigtest.txt file are protected. I could imagine that they are not protected because they do not contain a clear individual expression. But there is no bright-line test. For instance, if I also included the expression "Signature Test File Powered by Nautilus. Bow wow!" in the dumbsigtest.txt file it would probably be protected by an intellectual property right. Consequently, I would be rather careful to drag external content into this forum.
     
  20. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Could we please stop this wussy sissy talk style about a silly rapid share file?
    I mean, if Word crashed and the crash-dump file contained the text of a new rock song created randomly via strange CPU register values, whose copyright would that be? Microsoft's, because Word crashed? The Rapid Share file serves no purpose at all. It's something like copyrighting a "Hello world" text file created with Notepad.
     
  21. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Gladi LOL.
     
  22. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    As I stated above in my post edit....I view PM's as private messages but relented that one time for that one quote.
    Unfortunately we all assume wrongly sometimes.

    "Close" only Counts in Hand Grenades and Horseshoes but I'll go with your word and believe you did not infer I was a software pirate.

    Correct you are concerning "via PM. You did not mention that" and the reason being, I mentioned above concerning my views on private messages. However....without quoting or paraphrasing what I said in the PM I'll simply state here concerning your above mention of "permission" that I did not need your permission to upload the file locally as far as I am concerned if for no other reason than I assumed it was not copyright or you wouldn't have uploaded it to rapidshare.

    I think it's wrong of you to assume that if you make a file available on a webhosting site and then provide said link in a Security Forum, or any forum for that matter, for the availability of download, that said file can then not be uploaded locally :blink:

    Bottom line....I am definitely not interested in, nor am I qualified to discuss, the subject of copyright in general or as it relates to this file you made available on rapidshare. About all I can do is claim ignorance when it comes to copyright issues such as this. I also stand by the belief that if this file was copyrighted then you erred IMHO in uploading it to rapidshare, where it clearly states one is not to upload copyrighted files to be shared.

    http://rapidshare.de/en/faq.html
    Of course....with my ignorance of copyright law I'll let rapidshare and you discuss your position if you have one on that matter and whether or not you feel there are holes in their position concerning their "UPLOAD-RULES".

    Regards,
    Bubba
     
  23. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Bubba They mean files being subject to someone else's copyright. Of course, you may upload, for instance, your own pictures to rapidshare.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have downloaded the file and my AntiVir does not detect anything in it, neither in real time nor on-demand.
    Can anybody confirm this?
     
  25. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    The important thing is to use AV products that allow you to choose the action to be taken and not silently modify/delete anything.
     