

Nirsoft's Antivirus Hall of Shame


mouser:
Martin over at ghacks writes today about a recent essay posted on the Nirsoft site, discussing the issue of false positives, and ranking antivirus tools.

False positives are when an antivirus tool flags a program as being a possible malware when it really isn't.   They can be a huge pain for small developers, creating unnecessary fear among users.  And some antivirus companies are outrageously irresponsible about these kinds of detections, not explaining to the user the difference between a known malware and a complete half-assed guess about something they don't understand.

We've talked a LOT about this issue on the DonationCoder forum over the last 10 years, and have been bit by these lazy antivirus coders on more than one occasion.

Anyway, the nirsoft post goes into some detail ranking antivirus tools according to their false positives.

Full Nirsoft essay: http://blog.nirsoft.net/2015/10/18/antivirus-statistics-and-scores-according-to-false-positives-of-nirsoft-tools/

(see also the ghacks summary: http://www.ghacks.net/2015/10/19/nirsoft-publishes-antivirus-list-of-shame/)



I do think it's worth repeating what I've said many times -- I don't expect the antivirus tools to be 100% right all the time -- I understand that sometimes they want to be better safe than sorry.  But the thing is, if you want to tell a user that you have found a file that you have no experience with, and it has some patterns that remind you of something similar you may have seen before which might be a malware, but might not, fine, I have no problem with that -- TELL THE USER WHAT YOU KNOW AND TELL THEM HOW TO GET MORE INFORMATION AND TELL THEM HOW TO LET YOU KNOW IF YOU ARE WRONG.

Just do not go throwing up a siren telling the user that malware was found in some program if you aren't damn sure it has been.

wraith808:
Just do not go throwing up a siren telling the user that malware was found in some program if you aren't damn sure it has been.
-mouser (October 19, 2015, 03:15 PM)
--- End quote ---

Let me preface this by saying that I totally agree with you... but to play Devil's Advocate, sometimes when new virii are released into the wild, there have been massive outbreaks because they just didn't know.  With this way, I'm sure that some have been caught that wouldn't have otherwise.  So how do you toe that line?

mouser:
Just do not go throwing up a siren telling the user that malware was found in some program if you aren't damn sure it has been.
-mouser (October 19, 2015, 03:15 PM)
--- End quote ---

Let me preface this by saying that I totally agree with you... but to play Devil's Advocate, sometimes when new virii are released into the wild, there have been massive outbreaks because they just didn't know.  With this way, I'm sure that some have been caught that wouldn't have otherwise.  So how do you toe that line?
-wraith808 (October 19, 2015, 04:18 PM)
--- End quote ---


I really don't think it's that difficult to do.  I think it's less a matter of changing the functionality than the communication with the user.

Let the user choose whether to include these highly-sensitive heuristic checks or whether not to (almost all do this already).

When such a heuristic detection is encountered, EXPLAIN TO THE USER THE HIGHLY UNRELIABLE NATURE OF SUCH HEURISTIC CHECKS.
Explain that this could very well be a false positive, and that the file analyzed could in all likelihood be completely safe.
But block access to it by default, and give them some links to help them figure out whether the file really is malicious.  Help them perform a multi-engine analysis easily (auto upload to virustotal, etc.).

And make it easier for software authors to get their non-malware false-positived software excluded if it ever does trigger a false alarm, by having staff that can verify and whitelist software quickly.
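As an added illustration (not code from this thread, from Nirsoft, or from any antivirus vendor), here is a small Python model of the triage mouser describes above: a verdict that matches a known sample is treated differently from a heuristic guess, the default action for a heuristic hit is to hold the file, and the message handed to the user states what the engine actually knows and how to get a second opinion or report a false positive. The engine names, detection labels and the rule that heuristic labels carry tokens such as `Heur`, `Gen` or `Suspicious` are assumptions made for the example.

```python
"""Triage model for antivirus verdicts: separate a signature hit on a known
sample from a heuristic guess, and phrase the result for the user.
Added illustration; engine names, labels and naming conventions are constructed."""
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Kind(Enum):
    SIGNATURE = "signature"   # exact match on a sample the vendor has analysed
    HEURISTIC = "heuristic"   # generic resemblance to something suspicious; may be wrong
    CLEAN = "clean"


@dataclass(frozen=True)
class Verdict:
    engine: str
    kind: Kind
    label: str = ""           # vendor detection name, empty when the engine saw nothing


@dataclass
class Triage:
    action: str               # "block", "hold" (quarantine pending review) or "allow"
    confidence: str           # "high", "medium", "low" or "n/a"
    message: str              # what the user should be told
    next_steps: List[str] = field(default_factory=list)


# Assumption: generic/heuristic detections carry one of these tokens in their names.
HEURISTIC_TOKENS = {"heur", "gen", "generic", "suspicious"}


def classify_label(label: str) -> Kind:
    """Infer the detection kind from a vendor label by tokenising it."""
    if not label:
        return Kind.CLEAN
    tokens = set(re.split(r"[^a-z0-9]+", label.lower()))
    return Kind.HEURISTIC if tokens & HEURISTIC_TOKENS else Kind.SIGNATURE


def from_labels(results: Dict[str, str]) -> List[Verdict]:
    """Build verdicts from an {engine: label} mapping, e.g. a multi-engine scan summary."""
    return [Verdict(engine, classify_label(label), label) for engine, label in results.items()]


def triage(verdicts: List[Verdict], file_name: str = "the file", hold_share: float = 0.5) -> Triage:
    """Decide the default action and, above all, how to phrase it to the user."""
    flagged = [v for v in verdicts if v.kind is not Kind.CLEAN]
    if not flagged:
        return Triage("allow", "n/a", f"No engine flagged {file_name}.")

    signature_hits = [v for v in flagged if v.kind is Kind.SIGNATURE]
    names = ", ".join(f"{v.engine}: {v.label}" for v in flagged)
    share = len(flagged) / len(verdicts)

    if signature_hits:
        # A known sample: the vendor has actually seen this malware before.
        return Triage(
            "block", "high",
            f"{file_name} matches known malware ({names}).",
            ["Delete or quarantine the file."],
        )

    # Heuristic-only hits: hold the file by default but say plainly how weak the evidence is.
    steps = [
        "Check the file against several engines (e.g. VirusTotal) before deciding.",
        "If you trust the source, report the false positive to the vendor so it can be whitelisted.",
    ]
    if share >= hold_share:
        return Triage(
            "hold", "medium",
            f"{len(flagged)} of {len(verdicts)} engines flagged {file_name} on heuristics only ({names}). "
            "None matched a known sample, but the agreement is worth checking.",
            steps,
        )
    return Triage(
        "hold", "low",
        f"{file_name} was flagged by {len(flagged)} of {len(verdicts)} engines on a heuristic pattern only "
        f"({names}). This kind of detection is unreliable and may well be a false positive.",
        steps,
    )


if __name__ == "__main__":
    # Constructed scan summary: one engine's generic detection, three engines clean.
    sample = from_labels({"EngineA": "Heur.Suspicious.Packed", "EngineB": "", "EngineC": "", "EngineD": ""})
    result = triage(sample, "tool.exe")
    print(result.action, result.confidence)
    print(result.message)
    for step in result.next_steps:
        print(" -", step)
```

The confidence level is driven by what the engines know, not by how loud the alert is: a single signature match justifies a block, while heuristic-only hits are held and explained, with the share of engines agreeing (`hold_share`) only moving the wording from "low" to "medium".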

rgdot:
Devil's Advocate part deux:

That is way too much for the typical user.

Shades:
Or the typical end-user should up their game and actually grow some sense!

While that would be the best direction to go, it will never happen, because of 2 reasons:
1). More savvy end-users do not benefit the coffers from anti-virus vendors.
2). Typical end-users either have an inability to grow some sense or worse, they don't care.

Striking fear in the hearts of typical end-users will make anti-virus vendors (more) money, and common laziness from the same end-users makes sure this situation won't change soon, if at all.

Nowadays I only scan with on-demand (online) anti-virus scanners on my own systems at my convenience. The heuristics use quite a lot of real-time computational resources to get to the wrong conclusion anyway. So I don't bother anymore. This I can do as I am a reasonably competent user and I (as a non-admin user) am the only one touching my systems. Also, I don't run illegal software or games and haven't visited "Russian bride sites" that show their "intimacy" skills, while supplying you with keygens and such, for quite some time now.

In any other use case, you shouldn't. But most people here on DC already know this.
