Antivirus false positives w/ packers
category: general [glöplog]
hey. great!
  
Zbynek Paulen is from Poland.
  
the true positivity on "Antivirus false positives w/ packers" - non-sceners will be stuck :D
By the way, the amount of false positives increases more and more. Perhaps one day the antivirus companies will declare opensource products as false positives. A good possibility to influence market/users. Perhaps they get percents from some companies for that. ;)
  
all calodox 4ks got ripped from my disk here by antivirus.
3615 MAVIE
Panda warned me when I used it, then sadly the license expired.
Later on I installed Avast (as in "great stuff for free"), and it wiped all Calodox with no mercy.
  
Like manko said above:
  
Quote:
I think anti-viruses are much worse than viruses.
Recently, the terrorist organization known as AVG was kidnapping a lot of 4k and 64k intros on my laptop.
The hell... ?
  
Norton beeps on Calodox intros -as stated by EviL-, and NOD beeps on Bixo's ones (many of them in both cases).
  
"By the way, the amount of false positives increases more and more."
Two reasons. First, they identify viruses by matching relatively short byte sequences, and as programs keep getting bigger and the number of sequences tagged as "malicious" goes up, so does the number of false positives (even though the space of e.g. all 10-byte sequences is quite huge; it's the same problem as with hashing: the probability of any particular hash table collision is very small, but the probability of there being at least one collision somewhere grows quite rapidly as the number of entries in the hash table grows).
Second, their heuristics get more and more paranoid, which again is quite natural. They had the obvious telltale signs down 10 years ago, but they've obviously continued working on the heuristics after that, and what you do in that case is try to get the detection rates up, which boils down to increasing the set of operations you consider "suspicious behavior". By now, using an exe packer seems to be enough to be suspicious :)
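Both effects from the post above in working code, as an added example (not something posted in this thread): a naive signature scanner, the "at least one chance match somewhere" estimate for short byte signatures, and an entropy heuristic of the kind that flags packed executables. The signature, the files, the 7.0 bits/byte threshold and the uniform-byte model are all assumptions made for the illustration.

```python
"""Toy signature scanner plus the two effects described in the post above:
chance matches of short byte signatures, and an entropy heuristic that flags
packed executables. All sample data is constructed here for the example."""
import math
import random
import zlib

# --- reason 1: short byte signatures and the "at least one collision" effect ---

def expected_spurious_hits(n_signatures, sig_len, corpus_bytes):
    """Expected number of chance matches when n_signatures random patterns of
    sig_len bytes are scanned over corpus_bytes of unrelated data, assuming
    uniformly distributed bytes (a rough model; real code is far from uniform)."""
    return n_signatures * corpus_bytes / 256 ** sig_len

def prob_at_least_one_hit(n_signatures, sig_len, corpus_bytes):
    """Probability that at least one chance match occurs somewhere (Poisson
    approximation: 1 - exp(-expected)). Each single match is unlikely, but
    the total grows linearly with both signature count and scanned data."""
    return 1.0 - math.exp(-expected_spurious_hits(n_signatures, sig_len, corpus_bytes))

def scan(data, signatures):
    """Naive signature scan: return [(offset, name)] for every occurrence of
    every signature pattern, overlapping matches included."""
    hits = []
    for pattern, name in signatures.items():
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)

# --- reason 2: a "paranoid" heuristic: packed/compressed code has high entropy ---

def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

PACKED_THRESHOLD = 7.0  # assumed cut-off; real engines use their own tuned values

def looks_packed(data, threshold=PACKED_THRESHOLD):
    """Flag data whose byte entropy is close to 8 bits/byte, which is what a
    compressed or encrypted section looks like. This is exactly the kind of
    rule that flags a packed 4k intro along with packed malware."""
    return shannon_entropy(data) >= threshold

# Constructed sample "executables": a plain text-like body and a zlib-packed copy.
_rng = random.Random(2005)
_vocab = ["".join(_rng.choices("abcdefghijklmnopqrstuvwxyz", k=_rng.randint(4, 8)))
          for _ in range(200)]
PLAIN_BODY = " ".join(_rng.choices(_vocab, k=9000)).encode()
PACKED_BODY = zlib.compress(PLAIN_BODY, 9)

# A constructed 5-byte "signature" (CALL to the next instruction, a common
# get-EIP idiom) and a clean file that happens to contain the same bytes.
SIGNATURES = {b"\xe8\x00\x00\x00\x00": "getpc-call"}
CLEAN_FILE = b"MZ" + b"\x00" * 6 + b"\xe8\x00\x00\x00\x00" + b"\x90" * 4

if __name__ == "__main__":
    print("P(>=1 chance hit), 1e6 sigs x 4 bytes over 1 TB:",
          prob_at_least_one_hit(10**6, 4, 10**12))
    print("P(>=1 chance hit), 1e6 sigs x 10 bytes over 1 TB:",
          prob_at_least_one_hit(10**6, 10, 10**12))
    print("hits in clean file:", scan(CLEAN_FILE, SIGNATURES))
    print("entropy plain / packed:", shannon_entropy(PLAIN_BODY), shannon_entropy(PACKED_BODY))
    print("packed flagged:", looks_packed(PACKED_BODY), "plain flagged:", looks_packed(PLAIN_BODY))
```

The two probability calls show the hashing analogy in numbers: with 4-byte signatures a chance hit over a terabyte of files is practically certain, while with 10-byte signatures it stays negligible, which is why vendors lengthen signatures as their databases grow. The entropy check shows why the packer heuristic cannot tell a packed intro from packed malware: both are just high-entropy bytes.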
  
If you wear a mask on your face, people may look at you with suspicion.. and if you can't prove that you're not out to cause trouble and you won't take it off for them, you might get kicked out of some places.  I think it's a similar phenomenon with exe packers.  I wish more of the anti-virus vendors would allow for convenient user intervention when a heuristic becomes suspicious for what may be no good reason.
  
Well.. I suppose what I've just said is just part of the story.  I trust anti-virus authors are generally of the philosophy that false positives are an extremely bad thing.. but new exe packers that could be used to mask malicious code do make their job more difficult.  It's unfortunate.
  
bigcheese> AV authors could also be of the philosophy that a lot of false positives makes their product look better than another one, because the user says "oh look at my resource-eater, it stops everything, it's so cool!" and BS. Don't forget they must make money, not protect you from threats at every price.
..and don't forget to come to inerciademoparty2005!!
  
Did for a change full scan with AVG today... It seems like every time there's more and more demo stuff to be deleted with every scan, this time including 2 of my own intros (not that I tend to watch that stuff anyways :).
  
whoops... that listing was short of fr-034&hjb-104: time index and kb's tinyplayer (v2 command line player). 
  
melw, did it find any real viruses?
  
nopes... just demo releases. :)
  