
December 2011 False Positives


siketa


  • Staff

Hi,

If you don't mind, can you only post the FPs where you are certain they are FPs? Because the fact that the major vendors don't detect them, but we do, doesn't mean that it is an FP. We don't mind double-checking them again, but we would rather spend our time analysing the load of actual malware samples we receive daily, so detection for these can be delivered faster.

Thanks


For example:

If you would have a file that only MBAM and one or two less-known vendors detect, what would you think about it?

Take first file in this submission.

It is detected by MBAM and Kingsoft.

BTW, Kingsoft is known to have lots of FPs.

Well... is it an FP or not?


I hope you do bother to add detection for older files. Malware is malware. It doesn't have to be downloaded from a web page. It can silently sit on my removable drive, CD or NAS.

And I want my antimalware product to detect it, no matter how old it is.

In the same way, FPs should be fixed.


I hope you do bother to add detection for older files. Malware is malware.

This simply is not true and this notion is the result of corrupt AV testing over the years. What the AVs won't tell you is that a huge chunk of their DBs never hit anything at all other than samples in the corrupt tests.

The truth is that a legit malware sample will have real world statistical hits. If there are no hits IRL then the samples are not valid.

We remove definitions all the time that have no IRL hits for several years.


Ok... to make a long story short...

I will send you files considered to be possible FPs.

I'm not interested in guessing why other vendors detect something or not.

I have chosen you and your paid product.

And I just want to improve it and contribute as much as I can.

I did the same thing with Avira and Comodo.

You can re-analyze them if you want to or not.

It is up to you, guys.


So, you are saying that a downloaded and stored malicious file cannot harm your system if you execute it after one or two years?

Millions of scans around the world are done every day. If none of those scans see something for 2 years it is dead and defining it does not help our users.

You will notice that many of the largest security apps perform poorly against current malware. This is because they subscribe to the idea of defining everything forever. Their poor performance IRL against current malware confirms that this is a useless endeavor.


You can re-analyze them if you want to or not.

You do not understand how this works. A detected file does not mean that it was ever analyzed to begin with. For example, if someone uses a cryptor to build their game trainer and that same cryptor is used to build loads of malware, the trainer may be detected even though it was never the intended target. Poor choices when it comes to building an executable are the cause of most FPs. In reality it is common for 1 def to hit millions of malware samples, 99% of which we won't ever see in our actual lab.

In reality a lot of these will be analyzed for the first time and we may be able to make adjustments for these, but it won't be at the cost of real world detection of real malware.

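The two mechanisms described in this thread, a single generic definition written against a cryptor stub hitting every file built with that cryptor (including a benign game trainer), and definitions being retired when telemetry shows no real-world hits for two years, can be made concrete with a toy scanner. The block below is an added illustration, not code from the forum posters or from Malwarebytes; the byte patterns, file names, detection names and hit log are all constructed stand-ins, not real signatures or samples.

```python
"""
Toy signature scanner illustrating two points from the thread:
1. one generic definition written against a packer/cryptor stub matches every
   file built with that stub, so a benign trainer becomes a false positive;
2. a definition with no telemetry hits inside a time window is a candidate
   for retirement.
Everything here is constructed for illustration (hypothetical names/bytes).
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for a cryptor's decryption stub (not a real signature).
STUB = b"\x60\xe8\x00\x00\x00\x00\x5d\x81\xed"
# Constructed stand-in for a payload-specific artifact only the malware carries.
PAYLOAD_MARKER = b"HYPOTHETICAL-CHECKIN-STRING"

# Constructed file contents: two malware builds, a benign trainer built with
# the same cryptor, and an unrelated unpacked program.
SAMPLES = {
    "malware_a.exe": STUB + b"junk-1" + PAYLOAD_MARKER,
    "malware_b.exe": STUB + b"junk-2" + PAYLOAD_MARKER,
    "game_trainer.exe": STUB + b"press F1 for infinite ammo",
    "notepad_clone.exe": b"MZ plain unpacked program",
}
KNOWN_GOOD = ("game_trainer.exe", "notepad_clone.exe")


@dataclass(frozen=True)
class Definition:
    name: str
    required: tuple  # every byte pattern in this tuple must be present

    def matches(self, data: bytes) -> bool:
        return all(pattern in data for pattern in self.required)


# Generic def: only the cryptor stub. Hits the trainer as well as the malware.
GENERIC = Definition("Cryptor.Stub.Generic", (STUB,))
# Refined def: stub AND a payload artifact. Still hits both malware builds.
REFINED = Definition("Trojan.Cryptor.Payload", (STUB, PAYLOAD_MARKER))


def scan(definition: Definition, samples=SAMPLES) -> list:
    """Names of samples the definition fires on, sorted for stable output."""
    return sorted(name for name, data in samples.items() if definition.matches(data))


def false_positives(definition: Definition, known_good=KNOWN_GOOD) -> list:
    """Hits on files we already know are clean."""
    return [name for name in scan(definition) if name in known_good]


def stale_definitions(hit_log: dict, today: date, window_days: int = 730) -> list:
    """Definitions whose most recent telemetry hit is older than the window
    (or that never hit at all); these are retirement candidates."""
    cutoff = today - timedelta(days=window_days)
    return sorted(name for name, last_hit in hit_log.items()
                  if last_hit is None or last_hit < cutoff)


# Constructed telemetry: last date each definition fired across all scans.
HIT_LOG = {
    "Cryptor.Stub.Generic": date(2011, 12, 1),
    "Trojan.Cryptor.Payload": date(2011, 11, 20),
    "Worm.Ancient.2008": date(2009, 3, 14),
    "Trojan.TestSetOnly": None,  # only ever seen in a test corpus
}

if __name__ == "__main__":
    for d in (GENERIC, REFINED):
        print(d.name, "hits:", scan(d), "FPs:", false_positives(d))
    print("retire:", stale_definitions(HIT_LOG, date(2011, 12, 15)))
```

The generic definition is the situation the staff reply describes: it fires on both malware builds and on the trainer, because the only thing it keys on is the cryptor stub. Requiring a second, payload-specific artifact keeps the hits on the malware and drops the trainer, which is the kind of adjustment a lab can make once the FP is actually analysed. The retirement check is a plain interpretation of "no hits for two years": it ranks definitions by last observed hit rather than by whether a sample ever existed.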
