Tuesday, June 7, 2011

What causes Anti-Virus False Positives

False positives (FPs) from AV software can come up at any time. Some major FPs have happened (like an AV deleting an important Windows file) and some minor FPs have happened (an AV detecting a not very popular file). As nice as it would be not to have to worry about the problem, they do happen. So what causes them?

 File Behavior:

Programs that hook deep into the system (like other security software) are one of the main causes of FPs. AV programs watch the behavior of files to see what actions they take and compare them to the behavior of malware. System tools that hook deep into the system behave like malware in some ways, which is why they set off FPs.

 File Stealth:

Online gaming has grown pretty large over the past few years, with high-speed internet becoming available everywhere. However, with that rise the cheaters have come along too, trying to "hack" the games to gain advantages. I really don't get what you get out of cheating on a game; you don't earn anything of real-life value. You may get your online stats higher, but that is not worth much.

So with the rise of cheating, the game devs came out with Anti-Cheat programs. An Anti-Cheat program runs in the background as you play the game, looking for "cheats" being launched so it can kill them and the game you are playing. The game devs really try to "protect" the Anti-Cheat and add things like "randomly naming files on load" and "double packing/crypting" to keep it safe from people trying to get around it.

However, the things the Anti-Cheats do lead to many AVs detecting them as suspicious files. A lot of malware is randomly named, so when an Anti-Cheat randomly names a file it makes the file look suspicious. A lot of malware packs and repacks its file to make it harder for AV engines to scan; when the Anti-Cheat does the same, it looks like malware to the AV. Finally, most Anti-Cheats attempt to hide so they cannot simply be killed. A lot of rootkits do the same thing, and this rootkit-like behavior is one of the other things that sets off anti-malware engines.

As today's threats continue to get more complex, AV vendors continue to work on how best to prevent FPs from coming up. The cloud has allowed vendors to whitelist known-good files to prevent them from being detected. However, that has not cut out every FP that could possibly come up. Even cloud products still get FPs.

In my honest opinion every vendor is going to have FPs. Slight risks of FPs will have to be taken in order to keep detection rates up. However, I am not saying go out and take a big risk on a detection pattern that could knock out Windows machines. It all depends on what it is worth to you. Someone will not be happy either way: more heuristic patterns = more chance of people getting angry over FPs but fewer people angry over infections; fewer heuristic patterns = fewer people angry about FPs but more people angry about malware infections.
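The two points above (benign tools tripping the same indicators as malware, and the heuristic-aggressiveness trade-off) can be made concrete with a toy scorer. This is an added example, not code from the original post or from any AV vendor: the file samples, their byte contents, the indicator weights, the byte-entropy cutoff used as a stand-in for "packed", the random-name rule and the two thresholds are all constructed for illustration. The allowlist models the cloud whitelist mentioned above by short-circuiting the heuristics on a known-good hash.

```python
"""Toy AV heuristic scorer (added example; samples, weights and thresholds are constructed).

Shows why an anti-cheat or deep-hooking security tool scores like malware, how a
hash allowlist clears it, and how moving the threshold trades FPs against misses.
"""
import hashlib
import math
from dataclasses import dataclass


@dataclass
class FileSample:
    name: str            # file name on disk
    content: bytes       # file bytes (constructed stand-ins, not real binaries)
    hooks_kernel: bool   # installs deep system hooks (filter driver and the like)
    hides_process: bool  # hides itself from process listings (rootkit-like)
    is_malware: bool     # ground-truth label, used only for evaluation


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_random_name(name: str) -> bool:
    """Crude 'randomly named file' check (assumed rule): vowel-free or digit-heavy stem."""
    stem = name.rsplit(".", 1)[0].lower()
    if len(stem) < 6:
        return False
    digit_ratio = sum(ch.isdigit() for ch in stem) / len(stem)
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels == 0 or digit_ratio >= 0.4


# Constructed indicator weights; a real engine tunes these against large corpora.
WEIGHTS = {"random_name": 1, "packed": 2, "hides_process": 2, "hooks_kernel": 1}
PACKED_ENTROPY = 7.0  # constructed cutoff for "looks packed/crypted"


def indicators(s: FileSample) -> dict:
    """Which of the post's indicators a sample trips."""
    return {
        "random_name": looks_random_name(s.name),
        "packed": shannon_entropy(s.content) > PACKED_ENTROPY,
        "hides_process": s.hides_process,
        "hooks_kernel": s.hooks_kernel,
    }


def heuristic_score(s: FileSample) -> int:
    return sum(WEIGHTS[k] for k, hit in indicators(s).items() if hit)


def classify(s: FileSample, threshold: int, allowlist: frozenset = frozenset()) -> str:
    """Allowlisted content hashes (the 'cloud whitelist') bypass the heuristics entirely."""
    if hashlib.sha256(s.content).hexdigest() in allowlist:
        return "allowlisted"
    return "suspicious" if heuristic_score(s) >= threshold else "clean"


def evaluate(samples, threshold: int, allowlist: frozenset = frozenset()):
    """Return (false_positives, false_negatives) for one threshold over labelled samples."""
    fp = fn = 0
    for s in samples:
        flagged = classify(s, threshold, allowlist) == "suspicious"
        if flagged and not s.is_malware:
            fp += 1
        if not flagged and s.is_malware:
            fn += 1
    return fp, fn


# Constructed contents: repeated text is low-entropy; hash output stands in for a packed body.
PLAIN = b"This program cannot be run in DOS mode.\r\n" * 50
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

SAMPLES = [
    FileSample("notepad.exe", PLAIN, False, False, False),                    # ordinary benign file
    FileSample("xk7q2zv9p.exe", PACKED, False, True, False),                  # anti-cheat: random name, packed, hides
    FileSample("avfilter.sys", PLAIN + b"filter driver", True, False, False),  # security tool hooking deep
    FileSample("a8f3k29.exe", PACKED + b"\x90", False, False, True),          # constructed malware: random name, packed
]
AGGRESSIVE, CONSERVATIVE = 1, 4  # "more heuristic patterns" vs "fewer heuristic patterns"
ANTICHEAT_ALLOWLIST = frozenset({hashlib.sha256(SAMPLES[1].content).hexdigest()})

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.name:16} score={heuristic_score(s)} {indicators(s)}")
    for label, thr in (("aggressive", AGGRESSIVE), ("conservative", CONSERVATIVE)):
        print(label, "FP/FN:", evaluate(SAMPLES, thr),
              "with allowlist:", evaluate(SAMPLES, thr, ANTICHEAT_ALLOWLIST))
```

Running it shows the anti-cheat sample scoring higher than the constructed malware because it trips three indicators at once. The aggressive threshold catches the malware but flags both the anti-cheat and the hooking security tool (two FPs); the conservative threshold drops to one FP but misses the malware. Adding the anti-cheat's hash to the allowlist removes that FP at either threshold, which is exactly what a cloud whitelist buys, while the miss under the conservative setting remains.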
