Main Area and Open Discussion > General Software Discussion

The DonationCoder "Superior Antivirus" Award/Certification

(1/13) > >>

mouser:
In this thread, one of many on the DonationCoder forum where we are all screaming about the harm that lazy antivirus companies are doing with their false positives, I suggested that maybe we need to do something productive to encourage these companies to be more responsible about the alerts they show.

So today I want to begin that process by asking for your help in coming up with a short and clear list of requirements that would be worthy of our recognition for a new antivirus/anti-malware standard that is focused not on the number of virus detections, but on how users are told about alerts which may be false positives, and how well they deal with false positives.

Once we've got something I'd like to make an official web page about this, and then try to contact the antivirus companies and maybe get some other websites that want to join us in this movement.  And hopefully one day in the near future we will be able to give this award out to a company and lavish them with praise, recommendations, reviews, etc.

Let me start out with my first draft of requirements for what i'll call the DonationCoder "Superior Antivirus" Award/Certification:

When a suspected malware is found, the user must be presented with a dialog that clearly describes:

* The complete file path of the suspected file.
* A description of the suspected malware (not just some cryptic name), with an easy link to search the web for more info about this virus and the file found.
* A clear indication of the date that the antivirus signature matching the file was added, with a clear statement about the possibility that this may be a false positive, and telling the user some information about the confidence that the file is indeed a real malware vs a false positive.  this should be a statement like "this is a generic rule of thumb pattern that was recently added, so the chance that this is in fact a false alarm and not a virus is quite high."
* In the alert there should be a url to take the person to the antivirus company's forum where they can talk to others about whether the problem is real or not.
* The user must be given an opportunity to not delete the file.
* The user must be given an alternative to go to a page where they can report a suspected false positive
* The user must be given the alternative to upload the file to an online site like virustotal for a second opinion.
Thoughts? What am i missing? Anything here that is asking too much?

scancode:
Win32.Gen/DOCOVIR/PACK: A "detected threat"
[Heuristic] Application Packed with DoCoPack: Nothing to be worried about.

Which one do you think looks better in the stats?

mwb1100:
Let me start out with my first draft of requirements for what i'll call the DonationCoder "Superior Antivirus" Award/Certification:
-mouser (December 01, 2009, 10:55 AM)
--- End quote ---

That's a great list!  I hope this initiative gains some traction.

Off the top of my head, what I'd like to add (I hope this isn't taking the discussion off-topic) is that firewalls should use a similar set of guidelines for when they detect something fishy.  Often I get an IP address and port number and little else. I need the following information to have a hope of understanding whether I should be concerned or not.  I understand that not all of this information might not be easily (or even possibly) determined, but to the extent possible, I'd like to see:


* the process that's involved (including the full path of the .exe)
* the DLL(s) involved (again, including path)
* whether (and by whom) the binaries involved are signed
* a reverse DNS on the IP address - if there is no reverse DNS name available, some "whois" information on the subnet block the IP is in might be nice
* information on the port if it's a well-known (or commonly used for a particular purpose) port number
* links to web information and/or a user forum that discusses the program and the communication (if appropriate)
* a link to virustotal (or similar) for the binaries involved would also be nice   
Of course, not all of this data needs to be in the initial notification, but it should be made available at the click of a 'more information...' button.

f0dder:
Good idea, but it's never going to happen - for exactly the reason that scancode is hinting at (sorry to be a cynic, but that's the way the world works).

mouser:
I'm as pessimistic about these things having any effect as anyone, if not more so.  But I also view these things from a pragmatic cost-benefit analysis standpoint.  It costs us little more than a few hours of our time to set something like this up, and a promise that any antivirus company that lives up to the standard will receive some publicity and praise from us.  Surely worth a try.

Navigation

[0] Message Index

[#] Next page