Studies against AV false positives

[Didelphodon]

I wasn't being dismissive ... If your daily business is malware analysis it would have been somewhat obvious to you too.

So how would you call that?

The truth. If this is a "study" and you are a malware analysis type of person, you would have known from the very beginning you can't analyze a 'false positive' (or even an actual malware positive) while specifically excluding the conditional environment because it gives unreliable results when you do so.

We're not analysing false positives, we're analysing and trying to detect what leads to such in terms of Purebasic. It's the classical trial and error concept and the approach of finding some specific clues that lead to further ideas and impressions - as I said, the black box approach.

It must be really charming to work with you in a team as you obviously try to not miss one chance to treat one without any respect if she doesnt agree with your opinion.

Stop being offending, now, and please start to contribute to this topic or let it be.

Didel

[SFSxOI]

I wasn't being dismissive ... If your daily business is malware analysis it would have been somewhat obvious to you too.

So how would you call that?

The truth. If this is a "study" and you are a malware analysis type of person, you would have known from the very beginning you can't analyze a 'false positive' (or even an actual malware positive) while specifically excluding the conditional environment because it gives unreliable results when you do so.

We're not analysing false positives, we're analysing and trying to detect what leads to such in terms of Purebasic. It's the classical trial and error concept and the approach of finding some specific clues that lead to further ideas and impressions - as I said, the black box approach.

It must be really charming to work with you in a team as you obviously try to not miss one chance to treat one without any respect if she doesnt agree with your opinion.

Stop being offending, now, and please start to contribute to this topic or let it be.

Didel

My daily business is malware analysis, reverse engineering and computer forensics, so what. No need to be that dismissive!

If your daily business is malware analysis it would have already been somewhat obvious to you and you would not be "trying to detect what leads to such in terms of Purebasic" and would not need what you are calling a "classical trial and error concept" because you would have already either proven it or disproven it and you haven't and you would not have relied on Virus Total for any "study" analysis. You don't have a 'black box' problem here, if you were a malware analysis person you would have already known that.

[Little John]

Stop being offending, now, and please start to contribute to this topic or let it be.

+1

[heartbone]

{snip}If this is a "study" and you are a malware analysis person and its your daily business you would have known from the very beginning you can't analyze a 'false positive' (or even an actual malware positive) for a study while specifically excluding the conditional environment yet you specifically excluded such by using and then indirectly declairing 'Virus Total' as correct when you have no empirical proof that it is and you would have known that depending on the cosmetic results of if something is reported as or not reported as a false positive does not tell you if the cause still exists or not when in reality the cause still exists.{snip}

I'm not trying to be mean here, but come on man are you freaking shitting me?
That's not even a sentence!
Your first post in this thread was gobbledygooked enough, but come on man!

[IdeasVacuum]

Stop being offending, now, and please start to contribute to this topic or let it be.

+1

[BorisTheOld]

There is one simple solution to false positives and false negatives -- don't use an anti-virus program. Does one really know for sure that one's computer is free of evil software, just because the anti-virus program says so?

In 30 years we've never used AV programs and we've never had a problem. We compute responsibly, we never use free stuff, and we use a reputable ISP that we happily pay money to.

Oh! and one more thing. The AV industry is big business and very profitable. I wonder where those viruses keep coming from?

[skywalk]

Same here. No anti-virus or free shtuff.
I have been burned by the occasional Yahoo password spam. But that is not on my local machine.

[Little John]

Same here. No anti-virus or free shtuff.

Not using an anti-virus program (at least on Windows) is risky and generally not recommendable.
There may be an infection (virus, trojan, etc.) on your system, and you just didn't realize it.
There may be no infection on your system, but the situation can change anytime.

Using a PC without using an anti-virus program (at least on Windows) is like driving a car without using a seat belt.
I never had a traffic accident up to now (knock on wood), still I'll use the seat belt next time I'm sitting in a car.

[Liqu]

Latest Kaspersky Pure detect Purebasic as trojan generic.
Anti virus become a double edge sword now.

[skywalk]

Not using an anti-virus program (at least on Windows) is risky and generally not recommendable.
There may be an infection (virus, trojan, etc.) on your system, and you just didn't realize it.
There may be no infection on your system, but the situation can change anytime.
Using a PC without using an antivirus program (at least on Windows) is like driving a car without using a seat belt.
I never had a traffic accident up to now (knock on wood), still I'll use the seat belt next time I'm sitting in a car.

One would think so, but it is simply not the case. And in reality, modern antivirus schemes are sapping your computing power for prevention of yesterday's threats. White-listing and virtual machines are approaches I would consider for mission critical systems. But, while I work and play, I care not of anti-virus and instead choose wisely what applications are installed.
Wearing seat belts does not reward the reckless driver.
I think the better antivirus analogy is condoms for reckless computing.

[Little John]

And in reality, modern antivirus schemes are sapping your computing power for prevention of yesterday's threats.

That's an oversimplification, and I don't encounter any sapping of computer power at all.

Wearing seat belts does not reward the reckless driver.

And nobody said something like that ... It's possible to do one thing, without omitting the other one. I never said people should use an anti-virus program, and then not be careful in what they are doing. But it's naive to believe that being careful generally is sufficient. Both points are important, of course.

[skywalk]

And in reality, modern antivirus schemes are sapping your computing power for prevention of yesterday's threats.

That's an oversimplification, and I don't encounter any sapping of computer power at all.

How can it not? Are you sure you are using antivirus? I've run simple speed tests on large math simulations that were real-time scanned at execution and then every page swap was scanned again. Disabling real-time scanning shaved minutes off a 15min run. This is why I mentioned white-listing.
Tell me how an antivirus app can detect new viruses not in their database without heuristics that ultimately create false positives and chew up clock cycles? How often do you scan with a stale database? Forget this behavior and only allow apps that you trust.

[Little John]

Are you sure you are using antivirus?

Yes, I am.

[SFSxOI]

{snip}If this is a "study" and you are a malware analysis person and its your daily business you would have known from the very beginning you can't analyze a 'false positive' (or even an actual malware positive) for a study while specifically excluding the conditional environment yet you specifically excluded such by using and then indirectly declairing 'Virus Total' as correct when you have no empirical proof that it is and you would have known that depending on the cosmetic results of if something is reported as or not reported as a false positive does not tell you if the cause still exists or not when in reality the cause still exists.{snip}

I'm not trying to be mean here, but come on man are you freaking shitting me?
That's not even a sentence!
Your first post in this thread was gobbledygooked enough, but come on man!

It was actually intended for him, as was, mostly, my first post in the thread, so it wasn't really intended for the overall audience exactly. Any person whose "daily business is malware analysis" should understand it, he implies the expertise. It wasn't intended to be a sentence.

We're not analysing false positives, we're analysing and trying to detect what leads to such in terms of Purebasic. It's the classical trial and error concept and the approach of finding some specific clues that lead to further ideas and impressions - as I said, the black box approach.

My daily business is malware analysis, reverse engineering and computer forensics .....

Despite later claims, despite the first post we made being a glaring sign that any novice "daily business is malware analysis" person would have seen, despite basically giving him the answer indirectly which he should have already known if he was a knowledgeable "malware analysis" person and would have already told you about, he defends a flawed and false time wasting methodology by defending on line AV scanning packages as definitive when it is impossible for them to be definitive for analysis to determine "trying to detect what leads to such in terms of Purebasic." The only conclusion which can be reached by such is what everyone already knows overall in this thread and that is some AV packages will detect a PureBasic executable as a 'false positive' and some won't. Its the same scenario played out thousands of times daily across all sectors of software/computer usage, has been for years, and the conclusion is always the same overall - some AV packages will detect certain executables as a 'false positive' and some won't. Yet, no one, not even him, is exploring the question as to why some will report it and some will not, and not that some do report it and some do not, despite there being an actual reason why that happens that any novice "daily business is malware analysis" person, any knowledgable insighful person with an understanding of how AV detection really works, would ask in any 'study'. The exploration of that question is one path that will lead to the answer for "such in terms of Purebasic." Exploring that question would have been the first stop on the path for any person whose "daily business is malware analysis" for any study they were conducting into "trying to detect what leads to such in terms of PureBasic."

If he does this as a professional expert (he implies such which is highly doubtful and suspect), based upon his "computer forensics" I shudder to think how many would have been convicted of crimes they did not commit.

The only person who has come close to hinting at detecting "what leads to such in terms of Purebasic." , not that his specific example was the cause its self (its more of a symptom) but instead it hints at "what leads to such in terms of Purebasic." , the only person was doctorized in the 15th post in this thread.

[Little John]

Stop being offending, now, and please start to contribute to this topic or let it be.