False Alerts: Do AVs become less reliable?

Discussion in 'other anti-virus software' started by comma dor dash, Jul 2, 2006.

Thread Status:
Not open for further replies.
  1. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    1.
    Are you aware of any independent tests showing that the increased use of heuristics has also increased the number of false alerts?

    Example: FastStone Image Viewer ( http://fileforum.betanews.com/detail/FastStone_Image_Viewer/1106292852/1 )

    "Eager beaver" AntiVir believes that the program's uninstaller installs the zlob Trojan. Can you confirm that this is a false alert and, if yes, does anyone know whether this alert results from the use of heuristic signatures?

    Also Ikarus produces an alert.

    http://img56.imageshack.us/img56/3750/avr1sp.png

    2.
    Are you aware of any independent tests showing that second- or third-rate scanners produce more false alerts than the cream of the crop?

    3.
    Are you aware of any independent tests demonstrating the impact of the types of signatures used (i.e., code-based, string-based, etc.) on false alerts?
     
    Last edited: Jul 2, 2006
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    False positives are and will always be present. And are certanly not limited to heuristics only. If you say it was detected as Zlob, then it's most probably a signature based FP. Most of AVs give you a clear hint on how it was detected. AntiVir tags such detections as Heuristic/MALWARE_NAME or lately HEUR/MALWARE_NAME

    Oh, above file is false positive for sure.
     
  3. Suggers

    Suggers Guest

    In my experience, AVG is the worst, by far, out of all I have used for false positives - And according to recent results on proactive/retrospective they also have the least heuristics:
    http://www.av-comparatives.org/

    When using nod32 I have never had a single false positive, and it has the best heuristic. So I personally dont think heuristics have too much of an effect on false positives.
    Regards
     
    Last edited by a moderator: Jul 2, 2006
  4. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    As you mentioned, it seems to depends on the AV. Further, actual scan settings are also important.

    In the recent av-comparatives test, Avira AntiVir, VBA32 and Dr Web had in general a lot more false positives than other AV's (25-73), using the " best possible detection settings".

    As shown in this test, there was generally a positive correlation between the number of FP's and the proactive detection rates.

    However, IME, using default heuristic settings, these 3 AV's have given me very few FP's.
     
  5. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    As regards, AntiVir I have looked into this issue.

    I have created a simple .txt file containing the following data:

    http://rapidshare.de/files/24720339/dumbsigtest.txt.html

    AntiVir detects it as zlob. This is because AntiVir (i) interprets any file beginning with "MZ" as an executable and (ii) AntiVir looks whether huge monster signatures are somewhere contained in a file.

    This is probably because it's scan engine does not (because it can't ?) scan for a signature at a specific offset. Generally, I would say this is a rather antique & dumb scanning method. An exception might apply to specific signatures (e.g., string-based signatures). In such case, it might be a good idea to look for the sig at any location in the file.
     
  6. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Lol? You don't know much about antiviruses right?
     
  7. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    Maybe. But other scanners like Kaspersky, BOClean or Ewido scan at a specific offset. And they do not need to use monster sigs.

    I thought this single-point scanning method is used in order to improve the speed of the scanner and to reduce false alerts.

    Can you please further explain your comment and educate me?
     
    Last edited: Jul 2, 2006
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    nod32 seems to do well in both on demand and heristic dectection with few false alerts. but i wonder how well kaeprsky will do in the heristic dectection with its new engine when it comes out?
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    So as to assure the thread remains useful at a future time....dumbsigtest txt file uploaded locally....given the fact RapidShare deletes Free files "30 days after no download!"
     

    Attached Files:

  10. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Bubba Hmm...I would say this comes very close to software piracy :D
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    How did you come to that conclusion :doubt:
     
  12. ASpace

    ASpace Guest


    Same here ! :D
     
  13. ASpace

    ASpace Guest


    Hi ,.-
    Would send this file to a company for real analyze . Kaspersky Labs are really fast in this . Attach it and send it to newvirus@kaspersky.com
    Let us know if it is not a virus or what . Then , you ca do good if you submit it to AntiVir and Ikarus with Subject False Positive

    https://www.wilderssecurity.com/showthread.php?t=132843


    Let us know how it goes :)
     
    Last edited by a moderator: Jul 2, 2006
  14. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Bubba

    You wrote me a PM and asked me not to discuss this issue in this particular topic. Have you changed your mind?

    @HiTech

    Good idea. Have you already sent the FastStone program (see the above link) to the developers? This program bundle includes the uninstaller flagged as a virus by AntiVir and Ikarus. I do not want to submit the same file twice.
     
  15. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Isn't it somehow ridiculous that you join all other threads in the other antivirus forum promoting in almost every single thread your choice of reselled product and if it comes to something "special" that you recommend especially kaspersky for analysing a "unknown" file (it's a false positive anyway) with the comment that they are very fast?
     
  16. ASpace

    ASpace Guest


    No , I haven't but there will be no problem if we send it twice :D
     
  17. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    First and foremost I did write you a PM but I never asked you "not to discuss this issue in this particular topic". I sent you an initial PM that said...."Instead of taking the thread off topic to ask....Please explain"....nothing more nothing less.

    As for your question...."Have you changed your mind?"....I wouldn't necessarily call it changing my mind....I simply now feel it is appropriate to this thread that you share with us and for all that use rapidshare webhosting of files your reasoning for the accusation you made of "software piracy" by downloading this dumbsigtest.txt file you have made available for download on rapidshare :doubt:

    edit
    I have edited to add that I do take Private Messages between individuals seriously but I have relented this one time to place a portion of a PM in public.
     
    Last edited: Jul 2, 2006
  18. ASpace

    ASpace Guest

    Well , it definitely seems ridiculous but it is true that they are fast in analyzing samples .It is well-known the reselled company I have chosen doesn't reply at all for something suspicious sent . There is no need of blaming for something good they do :D
     
  19. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Bubba

    Please feel free to post my PMs. As always, there is nothing to hide. I took your PM as a clear hint not to discuss this issue here. And because it is very important to me not to violate the TOS or get into conflict with mods or admins in this particular forum I did not comment any further on this topic until you posted again :shifty:

    But I am glad that we can continue.

    1.
    I did not accuse you of software piracy. Instead I said that it comes "close" to software piracy to drag external content into this forum. (In addition, I posted a smily and, moreover, I gave you the permission (if required at all) for the local upload via PM. You did not mention that.)

    2.
    In my opinion, it is an interesting question what kind of content you are allowed to locally upload. I think it goes too far to assume that any files uploaded to rapidshare can be locally uploaded. Perhaps the author of such file does not want to share this file for more than 30 days or wants to retain the control over such file with the help of the rapidshare "delete file" option. (You can compare this with software available for download at the developers website. You cannot simply assume that you can also host such software on your own site.) Therefore, it is important to determine whether locally uploaded content is protected by a copyright or not. It goes without saying that software, photographs, lyrics, articles etc. are protected. It is not so clear whether, for instance, VirusTotal screenshots or my dumbsigtest.txt file are protected. I could imagine that they are not protected because they do not contain a clear individual expression. But there is no bright line test. For instance, if I also included the expression "Signature Test File Powered by Nautilus. Bow wow!" into the dumbsigtest.txt file it would probably be protected by an intellectual property right. Consequently, I would be rather careful to drag external content into this forum.
     
  20. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Could we please stop this wussy sissy talk style about a silly rapid share file?
    I mean, if word would crash and the crash-dump-file contains the text of a new rock song created randomly via strange CPU Register Values whose copyright would that be? Microsoft's because word crashed? The Rapid Share File serves no purpose at all. It's something like copyrighting a "Hello world" text file created with notepad.
     
  21. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Gladi LOL.
     
  22. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    As I stated above in my post edit....I view PM's as private messages but relented that one time for that one quote.
    Unfortunately we all assume wrongly sometimes.

    "Close" only Counts in Hand Grenades and Horseshoes but I'll go with your word and believe you did not infer I was a software pirate.

    Correct you are concerning "via PM. You did not mention that" and the reason being, I mentioned above concerning my views on private messages. However....without quoting or paraphrasing what I said in the PM I'll simply state here concerning your above mention of "permission" that I did not need your permission to upload the file locally as far as I am concerned if for no other reason than I assumed it was not copyright or you wouldn't have uploaded it to rapidshare.

    I think it's wrong of you to assume that if you make a file available on a webhosting site and then provide said link in a Security Forum or any forum for that matter for the avaiability of download that said file can then not be uploaded locally :blink:

    Bottom line....I am definetly not interested in nor am I qualified to discuss the subject of copyright in general or as it relates to this file you made available on rapidshare. About all I can do is claim ignorance when it comes to copyright issues such as this. I also stand by the belief that if this file was copyright then you erred IMHO of uploading it to rapidshare where it clearly states one is not to upload copyrighted files to be shared.

    http://rapidshare.de/en/faq.html
    Of course....with my ignorance of copyright law I'll let rapidshare and you discuss your position if you have one on that matter and whether or not you feel there are holes in their position concerning their "UPLOAD-RULES".

    Regards,
    Bubba
     
  23. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    @Bubba They mean files being subject to someone else's copyright. Of course, you may upload, for instance, your own pictures to rapidshare.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have downloaded the file and my Antivir does not detect anything in it, neither in real time nor on-demand.
    Can any body confirm this?
     
  25. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    The important thing is to use AV products that allow you to choose the action to be taken and not silently modify/delete anything.
     
Loading...
Thread Status:
Not open for further replies.