DonationCoder.com Forum

Main Area and Open Discussion => General Software Discussion => Topic started by: mouser on December 01, 2009, 10:55 AM

Title: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 01, 2009, 10:55 AM

In this (https://www.donationcoder.com/forum/index.php?topic=20667.0) thread, one of many on the DonationCoder forum where we are all screaming about the harm that lazy antivirus companies are doing with their false positives, I suggested that maybe we need to do something productive to encourage these companies to be more responsible about the alerts they show.

So today I want to begin that process by asking for your help in coming up with a short and clear list of requirements that would be worthy of our recognition for a new antivirus/anti-malware standard that is focused not on the number of virus detections, but on how users are told about alerts which may be false positives, and how well they deal with false positives.

Once we've got something I'd like to make an official web page about this, and then try to contact the antivirus companies and maybe get some other websites that want to join us in this movement.  And hopefully one day in the near future we will be able to give this award out to a company and lavish them with praise, recommendations, reviews, etc.

Let me start out with my first draft of requirements for what i'll call the DonationCoder "Superior Antivirus" Award/Certification:

When a suspected malware is found, the user must be presented with a dialog that clearly describes:

• The complete file path of the suspected file.
• A description of the suspected malware (not just some cryptic name), with an easy link to search the web for more info about this virus and the file found.
• A clear indication of the date that the antivirus signature matching the file was added, with a clear statement about the possibility that this may be a false positive, and telling the user some information about the confidence that the file is indeed a real malware vs a false positive.  this should be a statement like "this is a generic rule of thumb pattern that was recently added, so the chance that this is in fact a false alarm and not a virus is quite high."
• In the alert there should be a url to take the person to the antivirus company's forum where they can talk to others about whether the problem is real or not.
• The user must be given an opportunity to not delete the file.
• The user must be given an alternative to go to a page where they can report a suspected false positive
• The user must be given the alternative to upload the file to an online site like virustotal for a second opinion.

Thoughts? What am i missing? Anything here that is asking too much?

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: scancode on December 01, 2009, 11:03 AM

Win32.Gen/DOCOVIR/PACK: A "detected threat"
[Heuristic] Application Packed with DoCoPack: Nothing to be worried about.

Which one do you think looks better in the stats?

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mwb1100 on December 01, 2009, 01:48 PM

Let me start out with my first draft of requirements for what i'll call the DonationCoder "Superior Antivirus" Award/Certification:

-mouser (December 01, 2009, 10:55 AM)

That's a great list!  I hope this initiative gains some traction.

Off the top of my head, what I'd like to add (I hope this isn't taking the discussion off-topic) is that firewalls should use a similar set of guidelines for when they detect something fishy.  Often I get an IP address and port number and little else. I need the following information to have a hope of understanding whether I should be concerned or not.  I understand that not all of this information might not be easily (or even possibly) determined, but to the extent possible, I'd like to see:

• the process that's involved (including the full path of the .exe)
• the DLL(s) involved (again, including path)
• whether (and by whom) the binaries involved are signed
• a reverse DNS on the IP address - if there is no reverse DNS name available, some "whois" information on the subnet block the IP is in might be nice
• information on the port if it's a well-known (or commonly used for a particular purpose) port number
• links to web information and/or a user forum that discusses the program and the communication (if appropriate)
• a link to virustotal (or similar) for the binaries involved would also be nice

   
Of course, not all of this data needs to be in the initial notification, but it should be made available at the click of a 'more information...' button.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: f0dder on December 01, 2009, 06:22 PM

Good idea, but it's never going to happen - for exactly the reason that scancode is hinting at (sorry to be a cynic, but that's the way the world works).

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 01, 2009, 06:26 PM

I'm as pessimistic about these things having any effect as anyone, if not more so.  But I also view these things from a pragmatic cost-benefit analysis standpoint.  It costs us little more than a few hours of our time to set something like this up, and a promise that any antivirus company that lives up to the standard will receive some publicity and praise from us.  Surely worth a try.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: f0dder on December 01, 2009, 06:32 PM

Well, it is worth a try - and after all, AnandTech got OCZ to do The Right Thing^TM and optimize their Vertex SSD firmware for random access at the cost of the (pretty irrelevant) sustained transfer rates... something marketing probably didn't like :)

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 01, 2009, 06:33 PM

anyone want to try to make a nice fancy professional looking graphic logo for the page?

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: JavaJones on December 01, 2009, 06:53 PM

I too like this idea a lot and would be glad to contribute anything I can. I think your list is pretty good as-is. The idea is to provide as many resources as possible for people to find more info, which of course they don't have to use, they can still just trust the program. I don't know how possible it would be, but some kind of "certainty rating", with a little graphic, on a 1-5 or 1-10 scale, or perhaps a percentage, would be great. E.g. "Win32.Gen/DOCOVIR/PACK has been detected as a threat. Avast is 35% certain that this is a genuine security threat." which would be based, at least in part, on similarity to predicted malicious behavior and code, for example.

- Oshyan

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 01, 2009, 07:02 PM

i think the rating idea is a good one -- but i'm trying not to "require" any details in this list that we don't feel are mandatory.  so we might say that the program needs to report SOME estimate of certainty in some form.  this is not going to be easy to put into a numerical form.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: JavaJones on December 01, 2009, 07:31 PM

Fair point.

- Oshyan

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: scancode on December 02, 2009, 01:49 AM

"Win32.Gen/DOCOVIR/PACK has been detected as a threat. Avast is 35% certain that this is a genuine security threat."

-JavaJones (December 01, 2009, 06:53 PM)

Then "detects 100% of on-the-wild threats" becomes "detects 100% of what it thinks could be on-the-wild threats".
Doesn't look good on product pages :)

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 02, 2009, 06:30 AM

yeah how does this sound on the marketing page:

"We are the only antivirus program to meet the stringent requirements of the 'Superior/Honest Antivirus' certification -- which establishes the highest standards for reporting possible threats to users. read more.."

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: app103 on December 02, 2009, 09:19 AM

While false positives are frustrating to those that are having their work flagged, it can be more frustrating to the user when the messages they get from their antivirus leave them confused as to whether or not they should delete it or keep it. Anything that confuses the user more will raise the potential of a real threat slipping through, due to user ignorance.

Anything that could make a real threat seem not so threatening, potentially will lead to the user making the wrong choice.

So, while I understand and share your frustration, it has to be balanced with the need for the security product to effectively do it's job on both the computers of the more savvy power user, as well as the complete newbie, and everyone in between.

The more text, info, and options you give the user at the time of detection, the more they will be confused, the more will go wrong, and the more infected people there will be.

Any alert from an antivirus no matter how simple is likely to put the user in a state of panic, in which they potentially will not think clearly. Yes, this info may help them but more likely the panic will make them unable to mentally process that info at the time it is given.

Now I am not saying this info should not be available to the user. It would be great if it was, but not at the time of detection or bothering the average user. If it were included in an "advanced mode" then I could agree with it and would even welcome it.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 02, 2009, 09:27 AM

one of the rare times i have to disagree with you app, about this being only for an advanced mode.
i could agree to an alert box with a very simple message and then a button to click for this more full info.

but my reasoning is based on agreeing with your statement:

Any alert from an antivirus no matter how simple is likely to put the user in a state of panic, in which they potentially will not think clearly.

these virus alerts scare the hell out of people.
and it is my impression that most of the time they are false alerts.

it is imperative that these bright red scare-the-death into you alert boxes tell people the concise information they need to know to make an intelligent decision.

the false positives are like the story of the boy who cried wolf -- you can't keep showing false positives and expect people to take you seriously when you really do find something wrong.

so the alert box, in default mode, has to help the user understand the real nature of the thread and HELP THEM make a decision about what to do.

the purpose of these guidelines are to establish a standard for information that needs to be available to users when an alert comes up.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: Carol Haynes on December 02, 2009, 09:45 AM

I would like to add that any warning should be accompanied by the method of identification of the risk. For example if heuristic checking is responsible for the alert it should be made clear with a message like "No actual threat has been detected but some behaviours of this software suggest the possibility of unwanted activity" then all the other information you suggested.

Further if they are using pattern matching I think there should be a score on how many elements of the pattern match the found issue.

I have spent hours tracking down 'viruses' and 'trojans' only to discover that of all the possible indicators of malware presence there was only one possible marker - which turned out to be legitimate.

I am not saying that viruses and trojans exist but in the last few years I have not come across a single genuine attack on any of my computers (other than the odd spam with bad attachments which have almost entirely been removed by googlemail before they got to me). I have had plenty of false positives though and almost always involving dodgy heurisitics.

I have to say I haven't had any false positives with free AVAST!


Personally I think there is a bit of psychology going on here - if expensive secuity apps don't appear to be doing something useful customers will decamp to free solutions consequently almost all of the companies trying to cash in on cyberfear have to promote that fear in faulty heuristics. Maybe I am too cynical but the only people that gain anything from the general public by false alarms are the companies producing those alarms.

In recent months I have been to quite a few clients with viruses. Most are running one of the most popular solution (N or M) and can't understand why there was no warning and they got infected - generally these are the ones that are infected. A large number however have received warnings and been scared and generally these are the clients that have experienced false positive syndrome.

PS: Why don't we just set up a new website called starvethegreedybastards.com and have it is a gereral rant site for this sort of behaviour. Would fit in well with the donation ethos.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: Carol Haynes on December 02, 2009, 08:24 PM

Oooo err ... its all my fault mother. A few hours after I posted the message above AVAST updated automatically (free and Pro versions) and promptly went into meltdown.

Since VPS/091203-0/3.12.2009 was automatically installed this evening apparently every user of Avast is now manically fighting false positives on their computers. So much so that the suipport section on Avast's website is impossible to get onto because of massive traffic.

The symptoms are that just about everything is classed as Win32:Delf-MZG [Trj] and the prompts come so thick and fast that you can't get to the icon to turn the AV off. The only solution I have found is to disable the software as soon as the icon appears in the system tray (not easy if it is usually hidden!).

I'm sure there will be a fix in the morning but it is a bit ironic that I had only just waxed lyrical about the reliability of Avast.

I suspect my phone will be ringing off the hook in the morning with customers complaining they have a mass of viruses - if I was unscrupulous I could make my fortune ;)

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: biox on December 03, 2009, 01:04 AM

Oooo err ... its all my fault mother.

-Carol Haynes (December 02, 2009, 08:24 PM)

Thanks for the info....I knew it was your fault  :D

Avast provided me with some much needed exercise this morning by having me jump between rooms. 'The-one-that-has-to-be-obeyed' sits in another room with XP pro and Avast pro only to scream every 2 seconds. Even the FW update is a virus.

When a suspected malware is found, the user must be presented with a dialog that clearly describes:

• A clear indication of the date that the antivirus signature matching the file was added,

-mouser (December 01, 2009, 10:55 AM)

that applies for FWs as well, anyway please tell me when it got there NOT when you found it because I know when, after all I'm sitting right in front of the computer.[/list]

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: cmpm on December 03, 2009, 02:46 AM

So can we offer products up on this thread, and see/dissect if any of these expectations are met by any AV/security software?

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 03, 2009, 08:39 AM

A write-up about the avast freakout:
http://www.downloadsquad.com/2009/12/03/avast-has-a-freak-out-goes-on-a-false-positive-spree/

cmpm let's leave this post for working out the details of the award -- i dont think any antivirus company meets these requirements at this time.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: cmpm on December 03, 2009, 09:51 AM

Ok, sounds good to me.
All these points are good ones if any 1 can achieve them all, I would be surprised.
I think it would have to a combination of more then one product.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: nudone on December 03, 2009, 10:10 AM

would be nice of an open source project managed to complete the task.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: barney on December 03, 2009, 10:31 AM

Just ran across this thread.  Interesting concept.

'Fraid it would be useless to some of the folk I know, though, for purely physical reasons.  They are touch typists.

Problem I've had with every AV I've used is that a warning window with a default action pops up and steals focus when the AV thinks it's found something.  If I happen to be typing notes I've made into an editor, or perhaps copying a bit of PHP out of a book, I'm not looking at the screen.  Even with an audible alert, I'll probably hit a hotkey or enter before I can stop typing & check the monitor to see what just beeped.  Even if I am looking at the monitor, I may not be able to stop typing before I've dismissed the warning.

When that happens, I've just initiated whatever default action the AV uses upon I know not what file.  [Sidebar.  Have you ever quarantined/deleted a kernel file?  It's fun.]

So, as long as the AV steals focus, any information it provides is frequently going to be useless.  That said, the information would indeed be useful during, say, an intentional scan, or maybe during boot-up.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 03, 2009, 10:49 AM

barney, i think thats a really good point -- maybe we can add to the list that the alert cannot be accidentally triggered by a keyboard press.
there should be no way to accidentally hit a key to have some action take place.  maybe a time delay before it responds.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: barney on December 03, 2009, 11:11 AM

Actually, that one's pretty simple. 

Make certain no button has focus or can be triggered with a single key press, i.e., Quarantine would be Alt-Q, not just Q.  Alternatively, make the default button perform no action, let it be a dummy. 

The alternative is chancy, since the keyboard folk will wanna be able to tab to the button of their choice, so inadvertent action is still a possibility.

Don't think time delay would work unless there's some way to circumvent if the wrong action is taken.

There was something I used in Linux, don't remember what, that would pop up a window on top of all others, but did not steal focus from whatever was being done.  It got your attention when you looked at the screen, but let you keep doing what you had been doing ... kinda weird, looking at a top-level window, but still typing into the window below it.

Maybe that could be done ... not that I'd expect the AV folk to buy it, but, still ...

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mwb1100 on December 03, 2009, 12:17 PM

The focus-stealing problem can be solved by having the notification take the form of 'toast' popups (I'm not sure what the official name of this UI element is).  The notification is visible, and I can interact with  it if I like, but it doesn't steal focus from what I'm currently working on.

Outpost Firewall notifications do this for me today.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: superboyac on December 03, 2009, 01:06 PM

anyone want to try to make a nice fancy professional looking graphic logo for the page?

-mouser (December 01, 2009, 06:33 PM)

I can make a logo.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: superboyac on December 03, 2009, 01:48 PM

How's this?

[ You are not allowed to view attachments ]

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 03, 2009, 01:56 PM

Thanks AC! but i think we may need something a little more polished and slick and unique looking in order to make the pr people at these companies drooling to have the award image on their page.. this is one of those cases where the award image really has to be something crave-worthy.  no offense meant, just this might be one of those things that few people can really pull off perfectly outside Nick Pearson and a few of the top designers who hang out at DC.  Well at least if we're going to make a real go of this.  In the same vein, we should probably de-emphasize the "DonationCoder" part -- we're not trying to advertise ourselves here, but rather make something that anti-malware companies would want to put on their pages.  Also i might add that my title for the award may be a bit lame.. i wonder if we can't come up with something more appealing "Honest Antivirus Award" maybe? but it lacks punch.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: JavaJones on December 03, 2009, 02:11 PM

The focus stealing issue is an excellent one. Far too many apps do that, and with AV apps it's all the more critical to not accidentally confirm a default action without reviewing it first.

- Oshyan

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: superboyac on December 03, 2009, 03:41 PM

Thanks AC! but i think we may need something a little more polished and slick and unique looking in order to make the pr people at these companies drooling to have the award image on their page.. this is one of those cases where the award image really has to be something crave-worthy.  no offense meant, just this might be one of those things that few people can really pull off perfectly outside Nick Pearson and a few of the top designers who hang out at DC.  Well at least if we're going to make a real go of this.  In the same vein, we should probably de-emphasize the "DonationCoder" part -- we're not trying to advertise ourselves here, but rather make something that anti-malware companies would want to put on their pages.  Also i might add that my title for the award may be a bit lame.. i wonder if we can't come up with something more appealing "Honest Antivirus Award" maybe? but it lacks punch.

-mouser (December 03, 2009, 01:56 PM)

I still might be able to pull it off.  If you want, let me know what it is you're looking for, and I'll try to do it.  The reason why i attempted it is because I've been learning Illustrator and doing a lot of art lately.  So just let me know.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 04, 2009, 06:20 AM

Let's come up with the right name for this award/certification ("Superior Antivirus Award" or "Honest Antivirus Award"? must be something better!) then we can create a standalone website for it and focus on creating a nice logo.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: SKA on December 04, 2009, 07:18 AM

DC Hall of Fame Antimalware Award

DC Best Antimalware Design Award

SKA

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 04, 2009, 07:33 AM

i dont want to make this about DC -- it should be something that other sites can get behind and support.
i think it should convey a kind of Certification, rather than just another meaningless web site award.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: Carol Haynes on December 04, 2009, 07:57 AM

Clear Speaking (or Info) Security Award

Then it could be broadened to suites, firewalls etc. You could have subclasses for the different app classes

How about a Crystal mark  (Crystal clear security) - see http://www.plainenglish.co.uk/

The Plain English campaign really came alive when they started issuing Crystal marks. The whole point is to remove legalese and obfuscation especially in official documents.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: cmpm on December 04, 2009, 12:41 PM

"Secure Security Points Aware"

Or something that you can check the points it will do or not do, listed here in this thread. Like checking a box that 'Yes' or 'No' is covered.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 05, 2009, 03:21 PM

I think another feature that all antivirus/antimalware programs should support is the ability to install them alongside other antivirus programs and use them only in an ondemand scanning capacity.  Most antivirus programs may already do this, though most warn you not to install them in combination with other such tools.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: Josh on December 05, 2009, 03:27 PM

Why install more than one AV? That is just asking for problems. I laughed when my security+ instructor told me he used 3 A/Vs on his PC at one time and then later in the class complained about how slow his system was.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 05, 2009, 03:33 PM

That's sort of getting at my point -- installing an antivirus and being able to configure it ONLY for ondemand scanning should be doable without leaving any resident processes running, without causing any slow down at all.

The value of it is being able to get second opinions about possible threats, without slowing down your system.

But the problem is, as you described -- that even when antivirus programs have an option to disable background scanning, they often seem to eat up resources and conflict with other background scanners.

So i am proposing that a high quality antivirus program should be configurable to install without any background processes running and without any impact on the system when not being asked to scan.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: JavaJones on December 05, 2009, 04:03 PM

I like the idea of that Mouser, but I don't think it should be a requirement or anything. Maybe a separate award or just a check list item that isn't necessarily scored on.

- Oshyan

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 05, 2009, 04:16 PM

fair enough -- it is sort of outside the scope of the other requirements.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: Stoic Joker on December 06, 2009, 01:29 PM

fair enough -- it is sort of outside the scope of the other requirements.

-mouser (December 05, 2009, 04:16 PM)

I'm not so sure...as it falls heavily into the user friendliness category. Many installs/updates require or at least strongly suggest that the AV software be temporarily disabled while they are running. If the AV software can not be disabled (uninstalling doesn't count here), then the AV software is basically begging-for-a-fight with what ever may innocently need its draconian iron glove out of the way for a moment. Who suffers? ...The user.

Proactive vs. reactive scanning mode availability is directly related to that central (key) point.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: JavaJones on December 06, 2009, 03:13 PM

Most AV apps I've ever seen or worked with can be temporarily disabled. That's different than being explicitly friendly to co-existing with other AV apps or having a mode where they're easily installed but have all "active" scanning disabled, and only available for "on-demand".

Something I forgot to mention also is that an increasing number of AV vendors now have scan-only (i.e. "on demand") solutions in the form of web-based (though in many cases not really web-based) on-demand scanners. BitDefender, Kaspersky, TrendMicro, Panda, NOD32, and more. So maybe these are the solution?

- Oshyan

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: longrun on December 10, 2009, 06:47 AM

I think this discussion misses the point to some extent: the goal is to eliminate false positives, not explain them. Given a choice between product A, which produces almost no false positives but offers no explanation, and product B, which produces reams of them but explains them perfectly, I'd choose A.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 10, 2009, 07:55 AM

I think this discussion misses the point to some extent: the goal is to eliminate false positives, not explain them.

Well sure, but the problem is that it's hard to think of concrete "regulations" or guidelines that would reduce false positives.  In addition the antivirus companies are scored based on number of detections and rarely if ever on the number of false positives so they have little motivation to reduce them.

So I think this award is a recognition that we can't get rid of "false positives" but instea is an attempt to make sure that when an antivirus does alert, it is honest with the user about the assessment of the situation.

In my opinion, I would rather have an antivirus pop up an alert to me saying that it found something that *might* be problematic, and give me enough information to decide if it is, than to keep quiet or scream that the house is on fire.

EDIT: One thing that would reduce the number of false positives is if antivirus benchmarking sites evaluated and scored and reported on the number of false positives in antivirus products.  I'm not sure how our award could address that though.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: DocSavage on December 10, 2009, 08:26 AM

RANT!
probably off the true topic, but I often wish for an AV UI that is understandable to non-experts. (me). i wish there were some agreed on naming convention. What in the world is "Resident Shield" anyway & do I need a "Network Shield, P2P Shield, Standard Shield or Web Shield" also? Am I going up in smoke without a "Link Scanner" or a "RootKit" warning? Is "Defender" enough? Do I need "MS Security Essentials" also? Or will all these guys fight each other & send my machine up in smoke?
Oh Well. I guess I have stumbled on a good mix since I don't seem to get Virus or Trojan infections. (that I know of!?) :huh:
dk

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: longrun on December 10, 2009, 08:53 AM

One thing that would reduce the number of false positives is if antivirus benchmarking sites evaluated and scored and reported on the number of false positives in antivirus products.  I'm not sure how our award could address that though.

-mouser (December 10, 2009, 07:55 AM)

AV Comparatives AV-Comparatives (http://www.av-comparatives.org) prominently displays a false positives rating which seems accurate, based on my limited experience.[ You are not allowed to view attachments ]

I agree with the goal of the certification, but it can result in recommending an otherwise lousy product, particularly one that produces lots of fully explained false positives.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: JavaJones on December 10, 2009, 04:33 PM

Certainly this "certification" would be just one of the criteria a program is rated on. I would never make a recommendation to anyone *solely* on this factor. But it is a useful idea not yet handled well by most AV soft I've seen.

- Oshyan

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: RedPillow on December 19, 2009, 05:33 PM

I have used F-secure for couple of years now, I like it because it has this "File could not be removed, file renamed" function, which is really REALLY great.

Maybe you should add something like that to it?

Also, scanning at startup-function is very good too.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: sciagent on December 19, 2009, 06:21 PM

During the recent years I used F-Secure Internet Security. Mainly because it was reliable (one should check this from time to time as it is seen now) - it uses few databases from different suppliers including Kaspersky.

That continued till last spring when I got a free copy of Advanced System Protector Pro, which found plenty of threats in my PC running F-Secure.

A bit later I came through this info:
http://www.finjan.com/MCRCblog.aspx?EntryId=2237 (http://www.finjan.com/MCRCblog.aspx?EntryId=2237)
and gave a careful look to AVG free. First run after installation - ant it found many more threats - just on a PC running both, F-Secure, and Protector Pro. F-Secure has even "informed" me of some viruses as soon as AVG located them - but after that. Why not before?

Now I use AVG free on all my Windows-based PCs and do not have any problems as it is seen from occasional tests with different AVs or that kind of software.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: housetier on December 20, 2009, 12:06 AM

The award could only go to a company that does not try to sell "security". They should be honest about what their product really does: attempt to lessen the likelihood of catching a worm, virus, or whatever. When they "guarantee 100% security" they are making fools of their customers.

But if they do educate their customers and try to raise their awareness about those "dangers" without resorting to panicking them, I think that should have a positive impact on the uhm awardiness(?).

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: Stoic Joker on December 20, 2009, 11:33 AM

The award could only go to a company that does not try to sell "security". They should be honest about what their product really does: attempt to lessen the likelihood of catching a worm, virus, or whatever. When they "guarantee 100% security" they are making fools of their customers.

But if they do educate their customers and try to raise their awareness about those "dangers" without resorting to panicking them, I think that should have a positive impact on the uhm awardiness(?).

-housetier (December 20, 2009, 12:06 AM)

110% agreed ... The various AV companies seem to pit their marketing & legal departments against each other ... Granted they never really flat-out say 100% effective. But, most seem to use the cleverest forms of word play to get as close to the razor edge as po$$ible without causing anybody in legal to have a seizure.

Truth-in-Advertising should most definitely be considered, and weigh heavily on any award(s) given.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 20, 2009, 11:39 AM

regarding the suggestions that companies not be evil in terms of trying to trick people into a false sense of security, all well and good -- but for this award i think we want it to avoid any kind of subjective judgement.

there's plenty of room for full reviews written by lots of sites to tell us a more detailed description of what's good and bad about a particular antivirus and the company.

but what i have in mind for this particular thing is a kind of certification/award that describes a very clear and concise set of objective and strict requirements that a company can decide that they want to meet in order to get this certificate, and have it mean something important.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: Stoic Joker on December 20, 2009, 03:41 PM

regarding the suggestions that companies not be evil in terms of trying to trick people into a false sense of security, all well and good -- but for this award i think we want it to avoid any kind of subjective judgement.

-mouser (December 20, 2009, 11:39 AM)

Understood, but I really don't think it would hurt the awards veracity if there was some mention of how well (acurately...) their product was presented. Are the features (/claims) Touchy-Feely (new-bestest-friend-forever) ...or pragmatic (Meat & Potatoes) fact. There should be some way to quantify (Reality Check) how straight they are with the products presentation.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: f0dder on December 20, 2009, 03:49 PM

Stoic Joker: make the award too hard to achieve and not many companies would want to participate, though... I'm not for yet another meaningless "this'll look good on an awards page" kind of thing, but I do believe it should be something attainable with a product aimed at end-users and not "geekboy powerheads" like the participants on this forum.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: Stoic Joker on December 20, 2009, 05:04 PM

Stoic Joker: make the award too hard to achieve and not many companies would want to participate,

-f0dder (December 20, 2009, 03:49 PM)

So... you're saying honesty is too much to ask for? ...Mind you given the marketing environment today I'm inclined to agree with you. I just don't know that is best to ignore the hideous monster and take-it lying down (in a comfortable position).

though... I'm not for yet another meaningless "this'll look good on an awards page" kind of thing, but I do believe it should be something attainable with a product aimed at end-users and not "geekboy powerheads" like the participants on this forum.

Right... and explaining just how paper thin a given (advertising) claim is, is something I could easily do to my mother (who is neither powerful, geeky, or a boy).

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on December 20, 2009, 07:16 PM

From my standpoint, i dont think we should try to make this award tell you everything you know to decide if an antivirus program is for you.. it's not meant to evaluate the # hits and misses, or the cpu load, etc.. I think those are things that are better saved for a detailed review.

What i'm interested in is motivating these companies to stop the deceptive alerting that scares people like the boy who cried wolf, is harmful for developers because of all the false positives, and currently is without incentive to correct.

By providing a meaningful award that focuses on the issues i suggested, i'm hoping that we might be able to get some antivirus companies to take this certification seriously, and see the benefit of having it.

Think of it as an effort to establish a new BARE MINIMUM standard that all good anti-malware programs will need to live up to if they are to be viewed as serious contenders.  Initially no product meets these standards, but the first one that does will be able to honestly say, this is a real reason to choose us over the others.

And for our part we can help by promising to review and draw positive attention to any anti-malware that meets this standard.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: Stoic Joker on December 20, 2009, 09:22 PM

What i'm interested in is motivating these companies to stop the deceptive alerting that scares people like the boy who cried wolf, is harmful for developers because of all the false positives, and currently is without incentive to correct.

-mouser (December 20, 2009, 07:16 PM)

Hm... So, you're shooting for kinder gentler heuristics. (or rather...) If the AV companies are forced to (justify) clarify exactly what they're on about and why, they'll start being a bit more careful about flipping (erroneous) messages on the screen (to avoid looking foolish) and much of the other stuff will get ironed out in the resulting ripple effect.

I still think it would be more fun to storm the castle...  :-\ ...but your way has a better chance at a lasting (positive) effect.  :(

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: JavaJones on December 20, 2009, 10:57 PM

There's nothing stopping the creation of 2 awards either. The thread started with a good idea which I'd really like to see implemented, but honest advertising is also very worthwhile to encourage. It's not unique to AV soft though. And, as you said, is a much harder battle. ;)

- Oshyan

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: iphigenie on December 22, 2009, 09:12 AM

What i'm interested in is motivating these companies to stop the deceptive alerting that scares people like the boy who cried wolf, is harmful for developers because of all the false positives, and currently is without incentive to correct.

-mouser (December 20, 2009, 07:16 PM)

Hm... So, you're shooting for kinder gentler heuristics. (or rather...) If the AV companies are forced to (justify) clarify exactly what they're on about and why, they'll start being a bit more careful about flipping (erroneous) messages on the screen (to avoid looking foolish) and much of the other stuff will get ironed out in the resulting ripple effect.

-Stoic Joker (December 20, 2009, 09:22 PM)

It doesnt even need gentler heuristics as much as qualified heuristics - heuristics with a confidence rating perhaps showing simple scales showing a)how active the suspected menace is at the moment, how precise (large) the matched signature is (i.e. could it be a fluke) leading to a rating going from "this is very serious even if you trust the program the file came from be very very paranoid" to "if you know and trust the program in question then you might ignore this warning"

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: mouser on April 27, 2010, 11:23 AM

Article today about the sad state of antivirus:
http://arstechnica.com/software/news/2010/04/problems-caused-by-anti-virus-software-not-going-away.ars

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: 40hz on April 28, 2010, 10:38 AM

Is it even worth attempting to bring some light to the topic of antivirus software when the companies that are creating the AV products are taking such pains to cloud the issue?

Maybe it would be a better idea to just recommend one (or two) 'best of breed' products ala Gizmo (with the rationale for their selection) and let it go at that?

There's so many bogus and misappropriated award badges out there that I seriously wonder if an "award" means all that much any more - no matter who is conferring one.

Title: Re: The DonationCoder "Superior Antivirus" Award/Certification
Post by: superboyac on April 28, 2010, 11:02 AM

40hz hits on a good point.  That's why I found it so hard to say this is the best, or that's the best.  When I was making my recommended software list on my website, I found the most practical way to keep it up was to just loosely talk about my favorite software and leave it at that.  I don't bother with a consistent article format, or meticulously going through each feature, comparing it with the alternatives, benchmarks, etc.  I found it was too much work and impossible to keep up without making it a full time job.  So I just talk about why I like it, tell a couple of hopefully entertaining stories, maybe point out a favorite feature.  My intent is to get the user to think, "hmm, that looks pretty good, I'll try it out."  And hopefully, they have enough trust to believe that if I like it, there must be something to it.

Anyway, I know that's a little off topic.  but whenever I see people talking about badges and reviews and comparisons, it gets me thinking about this.  There are a lot of review sites and forums out there.  But many of them are unreliable to me.  That's why I liked Zaine's old list, before he went Linux.  I trusted him, so I knew i could look for something on that list, and it was probably a safe bet that I would like it.