False positive

Aspirant

False positive

The antivirus developers have not thought something through to the end: it has a lot of false positives. I do not understand why, since the antivirus is not new and can be modified. It was changed to the Avira engine, and the false positives remained as they were.

Superuser

Re: False positive

Hello,

I am only an F-Secure user too.

In my own experience, the "Capricorn" engine has fewer false positive detections (although maybe that is based on a "reduced" detection count itself). All that were known to me are gone (not a lot; just a "random" average experience).

In addition, there is something like a cloud-based design with reinterpretation of some detections (against wrong false positive detections). As a result, some false positives can be a "one time" or temporary situation (the user does not need to care about it).

In general, it is possible to use F-Secure SAS and ask F-Secure Labs:

maybe to provide some feedback or suggestions for them, and to receive their own understanding.

Anyway, what are your situations / examples (if it is possible to describe them in words)? For example, known software? A certain type of software?

In addition, what about false negatives? I think those are more important.

Thanks!

Aspirant

Re: False positive

Hey!

Independent laboratories have been confirming false positives of the anti-virus for years, and the developers will not eliminate them. BitDefender has none either, nor Avira, but Norton has the same thing, a bunch of them.

Superuser

Re: False positive


@Scorpion_1 wrote:

Hey!

Independent laboratories have been confirming false positives of the anti-virus for years, and the developers will not eliminate them. BitDefender has none either, nor Avira, but Norton has the same thing, a bunch of them.


Hello,

So, yes, false positives indeed do still exist and can occur.

However, I think that the strangest ones are mostly gone (some solutions never had any of such strange detections). Thus, usually, a detection is based on something specific and certain that can indeed be suspicious.

Of course, when an application (executable) is rare or uncommon, it will most likely be treated as a more suspicious item than others. In addition, a 'generic' detection against a broad class of malicious tricks (a type of trick) can be too generalized. As a result, a false positive is still a probable situation.

Or are your thoughts about fully eliminating "false positive detection" as a situation? Perhaps it would be good; but maybe it is only possible to reduce the count of false positives, since, in general, detection works as expected (when "signature"-based detection is discussed). Only the signature itself has room for tweaking (or even the detected item, for a "safer" design of its own).

Probably, fully eliminating false positives means detection only against known (analyzed) malicious items, which is not enough anymore.

All in all, false negatives are the more critical point. And it is good to keep a good rate against 'unknown' malicious items.

Anyway, based on the following "Lab test" article:

The F-Secure solution has a good result for "false positives" (Windows). All tests with "zero" (for some checks it is better than the industry average). But I am not sure whether it was the Capricorn engine already or not.

Thanks!

Aspirant

Re: False positive

The leading vendors of anti-virus products have reduced false positives to almost zero; their detection of viruses and encoders is several times higher than that of this product, and this product climbs due to false positives, i.e. it eliminates everything that is suspicious to it. This is not correct, because an inexperienced user will not understand why his normal program does not work, or why clean files were deleted. We need to work on these developers.

Superuser

Re: False positive


@Scorpion_1 wrote:

The leading vendors of anti-virus products have reduced false positives to almost zero; their detection of viruses and encoders is several times higher than that of this product, and this product climbs due to false positives, i.e. it eliminates everything that is suspicious to it. This is not correct, because an inexperienced user will not understand why his normal program does not work, or why clean files were deleted. We need to work on these developers.


First of all, sorry for my long replies and my English!

This is only a discussion between users about the subject. I am just interested in getting your exact point.

I am not sure about certain leading vendors; but perhaps I am able to imagine that two or three (maybe four) other companies are indeed in a much better situation with false positives and have a better detection rate (although I am not sure "how much better", since it depends on multiple points).

I think that this is based on a larger user base and the number of their laboratory analysts (and the size of the company itself too). Thus, more user feedback (samples / stories) means better signature-based detection (or its advanced variations). And an ability to fully tweak a completely own engine.

I feel that the F-Secure Capricorn engine is in a "so so" situation about false positives. I have not met any false positives yet (with my own "quiet" use). At least one organization did not encounter "false positives" during its tests. But, most likely, they can often occur.

What about things like F-Secure DeepGuard? I think this module always gets tweaks and tune-ups. Thus, there is an attempt to reduce false positives by DeepGuard, and attempts to improve the situation to only expected detections.

With DeepGuard (and cloud-based detections) there are some forms of false positives: as a detection itself, and something like an interruption.

due to false positives, i.e. it eliminates everything that is suspicious to it. This is not correct, because an inexperienced user will not understand why his normal program does not work, why deleted clean files.

This is not correct, indeed.

But is it indeed about "eliminates everything that is suspicious to it"? What is an example of this?

In addition, I am not sure about the current state of its default settings; but some detections are possible to "allow" (unblock), other ones are only quarantined (not deleted), and so on. However, if a detection is practically about "real" malware, then maybe the default action is more direct, which is good against indeed real malware. But if the experience is about a "false positive", then it is good to know a certain example of this (for discussion).

Thanks!

Aspirant

Re: False positive

As an example, I give vendors with minimal false positives and higher detection: BitDefender, Kaspersky, Avira, Emsisoft, ESET, BullGuard; one is better, another is worse. And I'm talking about the leading vendors; I personally tested each and I know what I'm talking about. For this product I will say that there are problems in the transition to a malicious site: it gives the boot files and then deletes them; the one I described above blocks the site and does not give anything to download. I also faced the fact that when testing and handling several dangerous files (more than 7) the product simply hung and refused to work; restart did not help, only reinstallation. I reported it to TP. It is also inconveniently made that from quarantine it is necessary to delete files one by one; also there is no firewall, which I personally will not like.

Superuser

Re: False positive

Hello,

Thanks for your feedback!

As an example, I give vendors with minimal false positives and higher detection: BitDefender, Kaspersky, Avira, Emsisoft, ESET, BullGuard; one is better, another is worse.

First of all, I have also tried (tried = tested / examined) most of these solutions (I am not experienced with the recent and current solutions by Emsisoft; I did not use Bitdefender, since their design and situation are clear enough for me; all other solutions I tried a lot or tried recently).

I am not able to claim them as better. But I did not check their detection abilities. Thus, I can only read the results of someone else's checks, where, usually, vendors are around one level and F-Secure is there as a leading vendor too.

Kaspersky, ESET

Perhaps indeed in a better situation in certain fields.

BitDefender, Avira, Emsisoft, BullGuard

They use an engine (or one of their engines) that F-Secure used or is using too. Thus, I am not sure whether there is a large difference between them or not (I mean detection rate / false positive count by the main engine; but also by additional engines that are usually unique for each solution). Browsing protection included.

But what about stability, reliability, and quality of the software itself? I think most things are better with F-Secure. For example, I really like the idea and design of BullGuard; but I could not use their solutions on any of the computers where I tried, because of their "bugs" or "deficiencies". But despite their overly simplified approach, some things are really relevant there.

For this product I will say that there are problems in the transition to a malicious site

Meaning that the malicious website is not blocked ("unknown" to F-Secure)?

Or, as it is based on the further description, an incomplete "overriding F-Secure's decision and allowing the website by own choice"?

it gives the boot files and then deletes them; the one I described above blocks the site and does not give anything to download

It sounds like multiple domains (or subdomains) were rated as harmful or suspicious. Thus, you need to allow all of them (or to submit the URL as a false positive).

Or, in addition to the harmful-rated website, downloaded items were rated or detected as malicious. I am not sure if there are workarounds, but maybe a temporary exclusion for the "Downloads" folder is a workaround, since the detection of the file happens there (or under the browser's "temporary" folder for downloads).

But, by the way, what was the detection name? Perhaps it was not a false positive?!

when testing and handling several dangerous files (more than 7) the product simply hung and refused to work; restart did not help, only reinstallation. I reported it to TP

Interesting. My experience was also something like that... but with hundreds of files. But probably not such a visible impact as in your description.

Is it about "launching" malicious files (where some of them are unknown / undetected)?

it is inconveniently made that from quarantine it is necessary to delete files one by one

If this point is about the inability to handle multiple quarantined items in one step (in the Quarantine user interface), yes, I do not like it either.

also there is no firewall, which I personally will not like.

Yes, only Windows Firewall (on the Windows platform).

BullGuard also switched their design (Windows Firewall is in use; of course, unless they are back to their "own" licensed third-party one). By the way, one reason for my inability to use BullGuard on a certain device was their own firewall driver (outdated / incompatible with a certain platform).

In addition, I think that if "false positives" are misleading for users, an own firewall (with requirements to tweak it and not to use the default level, which is not enough) is more dangerous. But if the "default level" is enough, why are the basic and main functionality of Windows Firewall not enough? F-Secure adds some tweaks for uncovered places.

Anyway, recently, there was a small discussion about firewall (for F-Secure):

Sorry for my replies once again. And thanks for your feedback!

Thanks!

Aspirant

Re: False positive

So I say the engines are the same, but the development is their own, and with these engines all have different triggers. What I wrote about the download of malicious files, I meant that it misses them and it is not a false positive, namely a skip. So I think the developers need something to think about; of course the settings for me are quite simple)))

Superuser

Re: False positive


@Scorpion_1 wrote:

So I say the engines are the same, but the development is their own, and with these engines all have different triggers. What I wrote about the download of malicious files, I meant that it misses them and it is not a false positive, namely a skip. So I think the developers need something to think about; of course the settings for me are quite simple)))


Oh, OK! So it was a mistake by the security solution, if I understood it well now. Of course, it is incorrect when a security solution allows opening a malicious website or even downloading a malicious item.

Probably, not only the developers need something to think about (although it is pretty good to avoid such situations by something from them), but also analysts and threat researchers (the Labs team in general).

My own opinion is that in such situations it is good to inform the company via their channels for it. For example, F-Secure SAS for F-Secure (URLs or files):

The layers against threats are pretty visible: do not allow visiting the harmful website where the malicious item is (block it); but if that fails, do not allow downloading the malicious item (detect it); but if that fails, do not allow launching it (prevent it). I think against a lot of malicious software, scripts or tricks such an approach works well.

Thanks!
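An added illustration of the three-layer idea in the reply above (block the site, detect the download, prevent the launch), written for this thread and not taken from F-Secure's products or code. The sample set, the per-layer rules and the launch-time heuristic threshold are all assumed; it shows how a "skip" at one layer is still caught at a later one, how a clean item blocked early never reaches the user, and how raising the threshold trades misses for fewer false positives.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Sample:
    name: str
    malicious: bool        # ground truth: known to us, not to the product
    url_reputation: str    # rating of the site it came from: harmful / clean / unknown
    signature_match: bool  # the file matches a known-malware signature
    behavior_score: int    # 0-100 heuristic score observed when it is launched

LAYERS = ("browsing", "download", "launch")

def stopping_layer(s: Sample, launch_threshold: int) -> Optional[str]:
    """Return the first layer that stops the sample, or None if it is allowed to run."""
    if s.url_reputation == "harmful":         # browsing protection blocks the site
        return "browsing"
    if s.signature_match:                     # on-download scan detects the file
        return "download"
    if s.behavior_score >= launch_threshold:  # launch-time heuristic (DeepGuard-like)
        return "launch"
    return None

def evaluate(samples, launch_threshold: int = 70) -> dict:
    """Per-layer true blocks and false positives, plus the malicious names that got through."""
    caught = {layer: 0 for layer in LAYERS}
    false_positives = {layer: 0 for layer in LAYERS}
    missed = []
    for s in samples:
        layer = stopping_layer(s, launch_threshold)
        if layer is None:
            if s.malicious:
                missed.append(s.name)       # false negative: every layer let it run
        elif s.malicious:
            caught[layer] += 1
        else:
            false_positives[layer] += 1     # a clean item blocked at this layer
    return {"caught": caught, "false_positives": false_positives, "missed": missed}

# Constructed samples with invented names; none of these is a real detection.
SAMPLES = [
    Sample("dropper.exe", True, "harmful", True, 90),          # stopped at the site
    Sample("trojan.exe", True, "unknown", True, 95),           # site unknown, file known
    Sample("unknown-loader.exe", True, "unknown", False, 85),  # only the launch layer sees it
    Sample("stealer.exe", True, "unknown", False, 40),         # looks quiet: a miss
    Sample("mirror-setup.exe", False, "harmful", False, 5),    # clean file on a badly rated mirror
    Sample("packed-tool.exe", False, "clean", False, 75),      # rare packed app: launch-time FP
    Sample("installer.exe", False, "clean", False, 10),        # ordinary clean software
]

if __name__ == "__main__":
    for threshold in (70, 90):   # a higher threshold: fewer launch FPs, more misses
        print(threshold, evaluate(SAMPLES, threshold))
```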