false positives a question of taste or is it?

Discussion in 'other anti-virus software' started by larryb52, Oct 20, 2008.

Thread Status:
Not open for further replies.
  1. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,126
    I ran a couple different AV's yesterday as it's coming down to just using Norton or renewing some other licenses. I was interested in some findings as some (I will NOT use names) AV's had significantly more FP's than others. I will say that scanning speeds for what I use (Norton09, nod3, kaspersky, F-Secure, Avast) seem to all be the same, however what each called or didn't call a problem was a different matter. My question is, is it better to have an AV suspect something and call it suspect (FP) or skip it & leave you open to possible infection? I have always to be honest fallen into the 2nd category but I am now seeing merits to believing that perhaps it's better to err on the side of caution. I would also note that this 'IS NOT' for inexperienced users, this is more for those that know what processes belong & what doesn't & what can be & what shouldn't be deleted or moved... I'm curious how folks feel. Remember no comparisons! or this will be shut as all who visit here know...
     
  2. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    1,785
    One has to think about the harm of the infection and the time that is needed to recover from it, so it would be better to have a FP than a system reformation.
     
  3. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL
    Assuming the FP's are not excessive, I would prefer to have the AV pick up something questionable and let me check it out. That is why I usually run the AV on max settings.
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    It's better to have some false positives, providing it's not excessive FPs. There is always submit for further analysis, but you cannot submit what's not detected.
     
  5. thathagat

    thathagat Guest

    my question is that in spite of using a massive white listing why common programmes are still being flagged..?
     
  6. Arup

    Arup Guest

    I for one would rather be a bit paranoid than complacent and pay for it. Of course using common sense and personal judgement based on experience is the key here.
     
  7. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Better a false positive than a false...negative.:D
     
  8. Zeena

    Zeena Registered Member

    Joined:
    Apr 25, 2008
    Posts:
    409
    Location:
    UK
    Hi :)

    I Don't Know! :doubt:

    I'm nowhere near as experienced, as some of you guys.
    If I had a False Positive ... I know I'd - Panic! :argh:
    After All...
    I wouldn't know it was a FP :oops:


    If My AV / AS Ever Found Something - I'd Either...

    1/ Presume it was real Malware :eek:
    And end up with my computer in a real mess.

    2/ Presume it was a FP ... And set it Free :rolleyes:
    It would most likely.. End Up Being - Real!
    And Again... I'd end up with my computer in a real mess :'(


    I Don't think False Positives have anything Positive about them at all :(
    I think they just cause confusion.
    Is It Real ... OR ... Is It A False Positive :doubt:

    Also!
    Just because an AV / AS might come up with a FP from time to time...
    That doesn't mean it's any better at catching the - Real Thing! :(

    I would never bother using an AV / AS that was prone to giving me False Positives :thumbd:
     
  9. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,126
    but I guess my question is what is excess, 5-10-15-20... if you ran a scan by a top notch AV & it gave 14 files that were good processes is that good or bad & if it called excel a piece of malware where does that fall?
     
  10. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    If it detected so many files which are normally legit, first of all I'd take a look at the detection name. For example, if it's a Virut or another File Infector I would clean the infected files. If the detections are about different viruses, or if they were heuristic detections, I guess I'd change av.
     
  11. Zeena

    Zeena Registered Member

    Joined:
    Apr 25, 2008
    Posts:
    409
    Location:
    UK
    Hi larryb52 :)

    You Said...
    I Say... In The Bin! :thumbd:

    Coz..
    That's where I'd put any AV / AS that was going to cause me nothing but - Worry & Confusion :mad:
    And Maybe Even... Damage To My Computer :'(
     
  12. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    everything messes up at some point. it's how fast the issue is fixed that is the real key.
     
  13. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    There was a case where a legit program caused massive problems and was glad my av mistakenly took care of it.
     
  14. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Eh; I can live with FPs as long as

    - they are not excessive (unlike certain AV starting with "I" or similar)
    - they are fixed fast by the vendor

    Generally, I'd say FPs are more acceptable in a corporate environment which is generally centrally managed, they are pretty annoying on your home desktop box.
     
  15. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    depends where the fp is tbh. if it deletes an important document by mistake then that's bad. but if it deletes a program by mistake you can just restore an image. hopefully you have a backup of documents as well just in case.
     
  16. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, I guess this needs a clarification - I never let any AV delete allegedly infected files. They go to quarantine. (If an AV doesn't offer such setting, it's unusable for me.)
     
  17. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    my av sends the file to quarantine and deletes the file so I can restore it if I need to.
     
  18. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Uhm... move to quarantine != delete. By delete, I mean a real delete. ;)
     
  19. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    oh I wouldn't let it delete without a backup lol
     
  20. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I find it quite annoying that more often than not av's flag legit programs as malware. As a result I usually always turn heuristics off or onto low, it's probably not the safest option for the average user but works best for me.
     
  21. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,212
    This seems to be the best way to deal with the FP problem.
    In 4 years of monitoring my system with several top notch scanners I have never had 1 -one- single FP performing an overall scan. I've had some situations downloading stuff and browsing, but the FP detection was so obvious that it wasn't even worth the trouble investigating it. I personally prefer an AV which has some FPs than one too lax as a result from trying to be accurate all the time.
     
  22. thathagat

    thathagat Guest

    IMO
    1. fp's are direct consequences of heuristics
    2. sadly more and more av vendors, in order to play safe...cover all the bases lest should they miss a trojan or virus and slide in certification ratings, are catching more legitimate apps.
    3. do i mind it...yes for tomorrow my av might commit hara-kiri or kill my OS then who would need a malware to cause harm
    4. tomorrow a smart ass malware writer may create a piece which could trigger multiple fp's and a vigilant av set on automatic would kill the good the bad and the ugly.....result...kaput...finito..history...BSOD..dangerous scenario...na!
     
  23. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    While many do believe that, I however see more fp's from signature detections, across the field, rather than heuristics.

    I definitely see it as a problem, one that people shouldn't sugar coat for the developers.

    Most need to work on it, period.
     
  24. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    It's only the people that have been hit with a really bad FP that deals an OS file that have a real appreciation for products with low FPs. All the rest couldn't be bothered until they join the club.

    For me, low FPs are a must. It really speaks to the quality of the security vendor that you are buying a product from. Because after all, it's a lot easier to design an AV product with 100% detection and 100% FPs (just call all PE files bad), than it is to design one with 100% (or near) detection and almost ZERO FPs. Looking at all the test results, there is only one product that comes close to the latter.
     
  25. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    I don't agree with Zombini. I am happily using AntiVir with few FPs of late.
     