The False Positive and Improperly Rated Site Epidemic

[db90h]

I have been a member of a malware working group at the IEEE of which almost ALL security vendors participate. I've therefore been in a position to create and propose this new Forum: http://falsepositivereport.com . This is only hours old, but one security vendor has agreed to take part. As the others wake, we'll see who will voluntarily take part in it. As long as Software Vendors take part, security vendors will eventually be forced to take part in order to respond.

OFFICIAL SITE:  http://falsepositivereport.com

I would like to congratulate Microsoft as the one company who takes the conservative approach, making their false positive rate the lowest in the industry. Kudos to them. All security companies should act that way! Causing collateral damage to innocent businesses/families is simply unacceptable. It will sometimes accidentally occur, but clearly not enough is being done to prevent this problem, as it has only gotten worse.

---------------------------------

Accountability. Transparency. Communication. Prevention.
Helping to prevent false positives and mis-rating of web sites, instead of merely retroactively addressing them

This is a new effort to help slow (and expose) the plague of false positives and mis-rated web sites that are destroying hundreds or thousands of small businesses every year. Some security companies do better than others, but never before has there been a place where false positives and mis-rated sites can be publicly reported. The security companies can then respond, fix the issue, then determine why it happened and work with the vendor to avoid it in the future. After all, once a false positive happens, the damage is already done. Some security companies will not even respond to reports of false positives and mis-rated sites, much less work to avoid them in the future. Other companies DO act much more responsibly.

This is NOT about crucifying security companies. They do have a terribly hard job. Still, many of them can and should do better. This site is about showing which companies are doing the best to avoid collateral damage. It is also intended to facilitate the mitigation of collateral damage when it occurs, and, through communication, help prevent collateral damage (FPs) from recurring. For instance, why did the FP or misrating occur? What can be done to avoid it in the future?

Ironically, malware authors are hardly affected by these aggressive tactics. After all, if these tactics really worked, why would there be so many malware infestations?

Also remember, public transparency and accountability will let consumers know which security companies care about the collateral damage they inflict. Is this not important in your purchasing decision? If not, it should be . By choosing carefully with whom you spend your money, YOU can force companies to start behaving ethically.

As always, the power is in the hands of the consumer. Choose carefully who you spend your money with and you can force these corporations to act ethically and responsibly.

At this site you can:

1. Report false positives and mis-rated sites in REAL TIME to a CENTRAL LOCATION. At this central location, companies will know where to find false positives and mis-rated sites, if they care to look.
2. You can then see which companies care to fix these issues, and how fast. You can also see which companies are interested in AVOIDING them in the future.
3. Communicate with security companies to fix these issues, and help avoid these problems from recurring.
4. Provide historical stories about damage inflicted to your innocent business and/or family.
5. Communicate with other software vendors with similar concerns and troubles.

http://falsepositivereport.com

[Renegade]

AMEN~!

I bought a few domain names a number of years ago because I wanted to try to draw attention to this problem, but never got around to it. (false-positive.com, scareware.net/org)

It's a tough job to detect real malware, but like you said:

Causing collateral damage to innocent businesses/families is simply unacceptable. It will sometimes accidentally occur, but clearly not enough is being done to prevent this problem, as it has only gotten worse.

I sort of see it like being hired to cut the grass in the park, but also mowing down the children. Y'know... Like who cares if a few patches of grass are red?

[db90h]

Thank you for your support .

[Renegade]

If you're an ASP member, post it there -- also -- post it in the JoS forums too.

There are more software forums like those (I've kind of stopped reading/visiting them as so many tech people there just seem to be looking for a fight) -- if anyone can remember some of those, post them as well -- it might help. I know a lot of people have been burned by false positives. Actually, thinking about it, if you've been around for long, it's almost impossible that you haven't... Just about everyone complains about it.

[db90h]

Good idea! I'm not a member of the ASP anymore, I quit years ago and never joined back. However, since I author developer tools, I know a lot of vendors personally, so will start contacting them. Please do spread the word. It is important. We must make a stand. The major security companies will be waking up in a few hours and reading this, so let's show them how much interest there is ASAP.

My personal story of FPs and misratings you wouldn't believe.. and I do NOT compress my software or use any protector. That is why I got so fed up. I finally was able to fix problems only through my direct contacts, because so many of these companies simply don't respond to their false positive or mis-rating reporting systems. They just ignore you, its absurd. Some others DO respond well, but the damage is done, and they don't make an effort to PREVENT it from happening in the future.

Let's change the world!

[Renegade]

Yeah... It can take MAJOR effort to get a false positive removed. I've done it before, but I also know other people that have major fights with the AV vendors trying to get their software delisted.

It's not just the damage, but the additional damage of also having to take out all that time and effort from real productivity and funnel it into what shouldn't be an issue in the first place.

FWIW - MS is pretty good, but they do have some false positives as well... Even with their own partners... But that's typical MS - the left hand doesn't know what the right hand is doing.

[db90h]

I did not make it clear.. if you want your comments to be seen by people who MATTER, then please post them at the thread I linked above. They will be waking soon, and visiting that thread. If it is just me, I look like a crazy person. If there is some user support, they realize users are fed up.

I have a real fear now that users, in general, don't care (not you guys, but others.. the average user).

[tomos]

I did not make it clear.. if you want your comments to be seen by people who MATTER, then please post them at the thread I linked above. They will be waking soon, and visiting that thread. If it is just me, I look like a crazy person. If there is some user support, they realize users are fed up.

I have a real fear now that users, in general, don't care (not you guys, but others.. the average user).

-db90h (September 23, 2011, 06:38 AM)

I'm not fully clear - you want false positives posted there.
Do you want "dissatisfaction with the way thing are in general" posted there as well?

[db90h]

Sorry for the confusion ... Just in the Sticky Topic, to get the ball rolling... I just want them to understand that USERS CARE ... that helps to then get the ball rolling on the whole project. If they realize their CUSTOMERS care, then they care 10x more. Sorry

EDIT: A big part of this is USER TRANSPARENCY, so users know what is happening to small businesses, and which security vendors are causing the most harm (like donationcoder, though it isn't a traditional business, it is still a form of business).

I would not be surprised to suddenly find my web site rated RED/DANGEROUS and all my software false positive'd on .. as paranoid as that sounds. To challenge some of the corporations is, risky...

[db90h]

What I meant was... if you have anything to say, now is your chance. Rarely do users get a chance to have their comments read by anyone who matters at these giant corps (sadly). I guess that was clear though. Oh well. I just get enthused, and hope for change. Apathy will kill us all.

[mouser]

It's great to see you moving on this front db -- the software world needs something like this badly.

We've discussed on this forum the abysmal and almost-criminal behavior of antivirus companies when it comes to false positives.

And i've made my own proposal for what I think would help move things forward here -- namely a set of standards to live up to and a kind of award/certification that would give security companies a positive incentive to do better -- which i think they crucially lack right now.

If you can make some progress in this effort you'd be doing us all a great service.  Go for it!

[db90h]

I will add that link to the forum post now, thanks mouser

[mouser]

I just want to reiterate what I think is an essential point: Fixing the incentive structure for the security companies.

There is huge competition in the security/antivirus world to build the best and most popular scanner.  These companies have very skilled coders working day in and day out, 365 days a year to improve their software.

Why then is every company doing such a horrible job with false positives and how they present alert information to the user?

Laziness, yes -- but at its core I believe the reason is simply that their does not exist an meaningful incentive for them to do better.

When comparisons of antivirus software is written -- no review puts much emphasis or effort into discussing false positives or the way heuristic/false alerts are presented and explained to the user.

And users don't seem to be aware of how important this issue is when choosing an antivirus engine.

So to me, the absolutely key part of reforming/rehabilitating the antivirus software industry in this respect is by creating both positive and negative incentives around this issue -- a carrot and stick approach.

The stick is the traditional one -- bring attention to the bad actors and provide a site where people can learn to avoid them.  The fear of damage to their reputation will cause them to do better.

But this is also a case where a VERY attractive positive incentive can be created to encourage the good companies -- allowing them an opportunity to set themselves ahead of the pack.  By creating a kind of certification/award that people recognize as the gold standard in security software.

Such a thing, if it could come to be seen as having some weight behind it, would be welcomed by the good security software vendors as a way for them to set themselves apart from their competitors -- and a way for them to get attention for their efforts at doing things the right way.  It would be a way to reward the good guys and help build the reputations of the companies that are doing the right thing.  And such an effort -- if done right, would be welcomed by the better antivirus companies as a way to separate the serious companies from the unserious ones.

[Renegade]

I did not make it clear.. if you want your comments to be seen by people who MATTER, then please post them at the thread I linked above. They will be waking soon, and visiting that thread. If it is just me, I look like a crazy person. If there is some user support, they realize users are fed up.

I have a real fear now that users, in general, don't care (not you guys, but others.. the average user).

-db90h (September 23, 2011, 06:38 AM)

Side note: If you could turn the CAPTCHA level down a bit, it would be much easier to post. I had to try 3 times.

[tomos]

I did not make it clear.. if you want your comments to be seen by people who MATTER, then please post them at the thread I linked above. They will be waking soon, and visiting that thread. If it is just me, I look like a crazy person. If there is some user support, they realize users are fed up.

I have a real fear now that users, in general, don't care (not you guys, but others.. the average user).

-db90h (September 23, 2011, 06:38 AM)

Side note: If you could turn the CAPTCHA level down a bit, it would be much easier to post. I had to try 3 times.

-Renegade (September 23, 2011, 08:10 AM)

+1 (well twice here)

[KynloStephen66515]

A couple of handy links for reporting False-Positives:

(More will be added when I find them )

Symantec	https://submit.syman....com/false_positive/
Microsoft Anti-Malware	http://www.microsoft...rtal/isv/fpform.aspx
Bit Defender	http://forum.bitdefe...ex.php?showforum=138
AVG	http://forums.avg.co...;act=show&id=395
Kaspersky	http://forum.kaspers....php?showtopic=13881
McAfee	https://community.mcafee.com/thread/2016
Comodo	http://www.comodo.co...-security/submit.php

[Renegade]

NICE~!

Let me add 1 there to your table:

Symantec	https://submit.syman....com/false_positive/
Microsoft Anti-Malware	http://www.microsoft...rtal/isv/fpform.aspx
Bit Defender	http://forum.bitdefe...ex.php?showforum=138
AVG	http://forums.avg.co...;act=show&id=395
Kaspersky	http://forum.kaspers....php?showtopic=13881
McAfee	https://community.mcafee.com/thread/2016
Comodo	http://www.comodo.co...-security/submit.php
NOD32	http://kb.eset.com/e...ntent&id=SOLN141

I got hit with a NOD32 false positive. Not very happy with that.

[KynloStephen66515]

Forgot about NOD32 tbh - The bigger we can get this list, the better!

[db90h]

Remember, it is about showing how bad the problem is - reporting them AFTER they occur directly to the company is fine, but we must also PUBLICLY report them in a CENTRALIZED location. We must remove their vested interest in generating FPs to start with, by embarrassing them, and showing which companies care about determining WHY it happened, and avoiding it in the future...and which do not.

The forum must be moved to a dedicated site soon. I also don't know if I have the time to maintain it (nor if I can stand being angry all the time).

[db90h]

@Renegade: CAPTCHA turned down, thanks for letting me know .. I had 'upped' it just the other day because I got sick of those 'SEO' (yea right) people ... ;o.

[JavaJones]

It's great to see someone finally tackling this. I hope the effort is successful. It sounds like you have some connections that will help. I'll do what I can to spread the word, though my networks are not necessarily large.

I also wanted to mention that I still think mouser's idea of a test and badge system rewarding good (low false positive) software/software publishers has a lot of potential. I think a combination of shaming the bad and rewarding the good could be most effective. Hopefully this effort can develop toward that long-term. But you have a good place to start.

- Oshyan

[db90h]

I also wanted to mention that I still think mouser's idea of a test and badge system rewarding good (low false positive) software/software publishers has a lot of potential. I think a combination of shaming the bad and rewarding the good could be most effective. Hopefully this effort can develop toward that long-term. But you have a good place to start.

-JavaJones (September 23, 2011, 04:03 PM)

I agree, and we should include that as well (already I linked to his post about it). One thing at a time though. FIRST, we must expose the problem, then we can work on solutions.

[JavaJones]

Yes, I agree. That's why I said I hope this effort can develop toward that. This is a good way to start, getting people to post their experiences and getting pledges from devs/publishers for support of the idea.

- Oshyan

[db90h]

Thanks to all of you, and please forgive me when I repeat myself. I move at 1000 miles an hour, so sometimes it is accidental --- but other times it is purposeful. In this day and age, everyone skims, so it is important to repeat things in order to get the point across .

I am happy to say that this effort has some major supporters already and is spreading like wildfire! Thanks to those of you who have volunteered your time or other services. I may very well be taking you up on that, as I have a business to run. Not spending half my time dealing with FPs and site rating issues will sure make that job easier.

I am now trying to get security vendors to publicly commit. They are scared publicly to do so at this time, but as it grows, they will .. I believe . Some have expressed their private willingness to participate, which is a great first step!

[Curt]

I sure hope this anti-FP action will go well. 

However, already been told that the thread will move to another domain, I am not inclined to register at Bitsum's, in order to upload a post or two. I think more people than me may have had a similar thought.