Studies against AV false positives

idle
Always Here
Posts: 5836
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Re: Studies against AV false positives

Post by idle »

SFSxOI, wouldn't it just be easier to say why it should be obvious instead of the ...., It's getting a little close to being a diatribe
and it isn't really being constructive.

The most obvious reason could simply be that all our exes contain PB_ symbols
if it looks like a duck and it quacks like a duck, it must be a duck.
Windows 11, Manjaro, Raspberry Pi OS
sec
Enthusiast
Posts: 792
Joined: Sat Aug 09, 2003 3:13 am
Location: 90-61-92 // EU or ASIA

Re: Studies against AV false positives

Post by sec »

I think the best method to avoid false positives (FP) is to submit your clean files to the AV company. They (the AV company) will surely remove that FP.
MachineCode
Addict
Posts: 1482
Joined: Tue Feb 22, 2011 1:16 pm

Re: Studies against AV false positives

Post by MachineCode »

sec wrote:I think best method for avoid false positives (FP) is submit your clean files to AV company.
To which ones, though? There's over 30 of them out there. To each one? That's so tedious. And then someone will still get a false positive from a virus company that you've never heard of, and will think your app is infected.
Microsoft Visual Basic only lasted 7 short years: 1991 to 1998.
PureBasic: Born in 1998 and still going strong to this very day!
Little John
Addict
Posts: 4777
Joined: Thu Jun 07, 2007 3:25 pm
Location: Berlin, Germany

Re: Studies against AV false positives

Post by Little John »

idle wrote:The most obvious reason could simply be that all our exes contain PB_ symbols
if it looks like a duck and it quacks like a duck, it must be a duck.
Sorry, I don't understand what you mean.
Fortunately not all executables created with PB are erroneously flagged as a virus, and on the other hand several programs that have been created with other programming languages are also erroneously flagged as a virus. So what are the characteristics of a program which increase the risk that it is reported as a false positive by a virus scanner?
c4s
Addict
Posts: 1981
Joined: Thu Nov 01, 2007 5:37 pm
Location: Germany

Re: Studies against AV false positives

Post by c4s »

Little John wrote:[...]So what are the characteristics of a program which increase the risk that it is reported as a false positive by a virus scanner?
I guess getting a better understanding of the reasons is the goal of this thread?!
Could be the "PB_" symbols that idle mentioned, plus exe size smaller than 64kb, plus no provided information... Unfortunately only the antivirus developers themselves really know it.
If any of you native English speakers have any suggestions for the above text, please let me know (via PM). Thanks!
Little John
Addict
Posts: 4777
Joined: Thu Jun 07, 2007 3:25 pm
Location: Berlin, Germany

Re: Studies against AV false positives

Post by Little John »

c4s wrote:
Little John wrote:[...]So what are the characteristics of a program which increase the risk that it is reported as a false positive by a virus scanner?
I guess getting a better understanding of the reasons is the goal of this thread?!
I guess you are right. However, as I wrote, I didn't/don't understand what idle's message actually means in this context.
c4s wrote:Could be the "PB_" symbols that idle mentioned, plus exe size smaller than 64kb, plus no provided information...
IMHO this is not a sufficient explanation, because not all those executables are erroneously flagged as a virus. And why should the "PB_" symbol increase the risk for an executable to be flagged as a virus??
On the other hand several programs that have been created with other programming languages are also erroneously flagged as a virus.
Is the percentage of PB programs that are erroneously flagged as viruses higher than the percentage of C, C++, Java etc. programs that are erroneously flagged as viruses?
idle
Always Here
Posts: 5836
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Re: Studies against AV false positives

Post by idle »

Little John wrote:
idle wrote:The most obvious reason could simply be that all our exes contain PB_ symbols
if it looks like a duck and it quacks like a duck, it must be a duck.
Sorry, I don't understand what you mean.
Fortunately not all executables created with PB are erroneously flagged as a virus, and on the other hand several programs that have been created with other programming languages are also erroneously flagged as a virus. So what are the characteristics of a program which increase the risk that it is reported as a false positive by a virus scanner?
In a static analysis an AV will likely look at all the symbols in an exe and rank them, as well as scanning the code for signatures;
while the symbols aren't a problem in themselves, they will likely contribute to the results.

Do false positive reports indicate if the result is from a static or dynamic analysis?
Windows 11, Manjaro, Raspberry Pi OS
Didelphodon
PureBasic Expert
Posts: 450
Joined: Sat Dec 18, 2004 11:56 am
Location: Vienna - Austria

Re: Studies against AV false positives

Post by Didelphodon »

idle wrote:
Little John wrote:
idle wrote:The most obvious reason could simply be that all our exes contain PB_ symbols
if it looks like a duck and it quacks like a duck, it must be a duck.
Sorry, I don't understand what you mean.
Fortunately not all executables created with PB are erroneously flagged as a virus, and on the other hand several programs that have been created with other programming languages are also erroneously flagged as a virus. So what are the characteristics of a program which increase the risk that it is reported as a false positive by a virus scanner?
In a static analysis an AV will likely look at all the symbols in an exe and rank them, as well as scanning the code for signatures;
while the symbols aren't a problem in themselves, they will likely contribute to the results.

Do false positive reports indicate if the result is from a static or dynamic analysis?
If you mean symbols in terms of debugging information I would rather doubt that the PB compiler (by default) leaves them in the executable when making a build. But that can be easily verified - will follow up on this later as I'm currently on my way to work.
Go, tell it on the mountains.
Didelphodon
PureBasic Expert
Posts: 450
Joined: Sat Dec 18, 2004 11:56 am
Location: Vienna - Austria

Re: Studies against AV false positives

Post by Didelphodon »

Actually there are a few more things that might act as an aspect. To name just some of them:

- Do PB PE-files have an unusual entrypoint address?
- Do PB PE-files use unusual names for the sections or have any other specific differences according to their sections compared with the "average" executable?
- Do PB PE-files have any specific differences according the values in their PE header compared with the "average" executable?
- Do PB PE-files have overlays?
- Do PB PE-files have any special specifics according their imports?
- etc.

All of these questions are kinda easy to answer (statically) - again, I will follow up on this when I have time. Maybe one of you who has time at the moment can begin to verify?
Go, tell it on the mountains.
BorisTheOld
Enthusiast
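The PE-level questions in the list above (entry point, section names, overlay, imports) and idle's earlier point about symbol strings can all be answered with a static look at the file. The following is an added example, not code from this thread or from PureBasic: a small Python PE parser that reports exactly those attributes, run against a constructed minimal PE32+ image built in memory. The build_sample_pe function, its two-section layout, the KERNEL32.dll import and the PB_ strings are assumed sample data, not measurements of a real PB executable, and the output says nothing about how any particular AV weights these features; it only makes them visible so they can be compared between a flagged binary and an unflagged one.

```python
import re
import struct

FILE_ALIGN = 0x200   # file alignment used by the constructed sample
SECT_ALIGN = 0x1000  # section (memory) alignment used by the constructed sample


def _pad(b, n):
    """Zero-pad bytes b to a multiple of n."""
    return bytes(b) + b"\x00" * (-len(b) % n)


def build_sample_pe(overlay=b""):
    """Construct a minimal PE32+ image in memory (sample data, not a real PB binary).

    Layout: headers | .text (entry point + PB_-style strings) | .idata (one import) | overlay
    """
    text = b"\x90" * 16 + b"PB_Init\x00PB_ExitProcess\x00other\x00"
    idata_rva = 0x2000
    # one IMAGE_IMPORT_DESCRIPTOR (20 bytes), an all-zero terminator, then the DLL name
    descr = struct.pack("<IIIII", 0, 0, 0, idata_rva + 40, 0) + b"\x00" * 20
    idata = descr + b"KERNEL32.dll\x00"
    text_raw, idata_raw = _pad(text, FILE_ALIGN), _pad(idata, FILE_ALIGN)
    text_ptr = FILE_ALIGN                      # headers occupy the first FILE_ALIGN bytes
    idata_ptr = text_ptr + len(text_raw)

    def section(name, vsize, va, rawsize, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, ptr, 0, 0, 0, 0, flags)

    sections = (section(b".text", len(text), 0x1000, len(text_raw), text_ptr, 0x60000020)
                + section(b".idata", len(idata), idata_rva, len(idata_raw), idata_ptr, 0xC0000040))
    # IMAGE_OPTIONAL_HEADER64: standard fields, Windows-specific fields, 16 data directories
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, len(text_raw), len(idata_raw), 0,
                      0x1000, 0x1000, 0x140000000)           # AddressOfEntryPoint = 0x1000
    opt += struct.pack("<IIHHHHHHIIIIHHQQQQII", SECT_ALIGN, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0,
                       0x3000, FILE_ALIGN, 0, 2, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (idata_rva, 40)                  # data directory 1 = import table
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return _pad(dos + b"PE\x00\x00" + coff + opt + sections, FILE_ALIGN) + text_raw + idata_raw + overlay


def parse_pe(data):
    """Extract the static features discussed in the thread from a PE file image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt_off)
    entry, = struct.unpack_from("<I", data, opt_off + 16)
    dir_off = opt_off + (112 if magic == 0x20B else 96)     # PE32+ vs PE32 data directory offset
    import_rva, _ = struct.unpack_from("<II", data, dir_off + 8)

    sections = []
    for i in range(nsec):
        name, vsize, va, raw, ptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode(), "va": va,
                         "size": max(vsize, raw), "raw": raw, "ptr": ptr})

    def rva_to_off(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + s["size"]:
                return s["ptr"] + (rva - s["va"])
        return None

    def cstring(off):
        return data[off:data.index(b"\x00", off)].decode(errors="replace")

    # entry point: which section it lands in (None means it points outside every section)
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry < s["va"] + s["size"]), None)
    # overlay: bytes in the file after the last section's raw data
    end_of_sections = max((s["ptr"] + s["raw"] for s in sections), default=0)
    # imports: walk IMAGE_IMPORT_DESCRIPTORs until the all-zero terminator
    imports = []
    off = rva_to_off(import_rva) if import_rva else None
    while off is not None and off + 20 <= len(data):
        _, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and first_thunk == 0:
            break
        name_off = rva_to_off(name_rva)
        imports.append(cstring(name_off) if name_off is not None else "<bad rva>")
        off += 20
    # PB_-prefixed symbol-like strings in section data (idle's "duck" test, made explicit)
    pb_symbols = []
    for s in sections:
        body = data[s["ptr"]:s["ptr"] + s["raw"]]
        pb_symbols += [m.decode() for m in re.findall(rb"PB_[A-Za-z0-9_]+", body)]
    return {"machine": machine, "entry": entry, "entry_section": entry_section,
            "section_names": [s["name"] for s in sections],
            "overlay_bytes": len(data) - end_of_sections, "imports": imports,
            "pb_symbols": pb_symbols}


if __name__ == "__main__":
    for k, v in parse_pe(build_sample_pe(overlay=b"trailing overlay data")).items():
        print(f"{k}: {v}")
```

To use it on a real file, read the bytes with `open(path, "rb").read()` and pass them to `parse_pe`; comparing the returned dictionaries for a flagged and an unflagged build is the cheapest way to test Didelphodon's hypotheses one attribute at a time.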
Posts: 542
Joined: Tue Apr 24, 2012 5:08 pm
Location: Ontario, Canada

Re: Studies against AV false positives

Post by BorisTheOld »

Little John wrote:
c4s wrote:Could be the "PB_" symbols that idle mentioned, plus exe size smaller than 64kb, plus no provided information...
IMHO this is not a sufficient explanation, because not all those executables are erroneously flagged as a virus. And why should the "PB_" symbol increase the risk for an executable to be flagged as a virus??
On the other hand several programs that have been created with other programming languages are also erroneously flagged as a virus.
It's a waste of time fretting about what it is in PB programs that causes false positives. The same thing happens with PowerBasic programs, and for the same reason. It's the AV programs that are at fault.

Back in the 1980s, AV programs were used against specific viruses. But then the AV developers decided there was money to be made by protecting against unknown and future viruses.

Unfortunately, the AV programs are based on assumptions. And as every competent programmer knows, one should never make assumptions about the data that one's program processes. So by their very nature, AV programs are buggy - they give false positives and false negatives.

All that can be done is to submit one's program to the author of the offending AV program, and hope that in the fullness of time the AV program will be fixed. Assuming, of course, that one's program really is free of viruses.

All this excitement about false positives makes me smile. No one ever seems concerned about false negatives. The assumption seems to be that if an AV program says there is no virus, then it must be so.
For ten years Caesar ruled with an iron hand, then with a wooden foot, and finally with a piece of string.
~ Spike Milligan
MachineCode
Addict
Posts: 1482
Joined: Tue Feb 22, 2011 1:16 pm

Re: Studies against AV false positives

Post by MachineCode »

Virus apps are just a false sense of security anyway. I could release an app that is marked as "clean" by all virus scanners, but has encrypted dormant code inside just waiting for January 1 next year, whereupon it will delete the C: drive of everyone who runs it. So, do you think they still do a good job of protecting your PC? :lol:
Microsoft Visual Basic only lasted 7 short years: 1991 to 1998.
PureBasic: Born in 1998 and still going strong to this very day!
Didelphodon
PureBasic Expert
Posts: 450
Joined: Sat Dec 18, 2004 11:56 am
Location: Vienna - Austria

Re: Studies against AV false positives

Post by Didelphodon »

MachineCode wrote:Virus apps are just a false sense of security anyway. I could release an app that is marked as "clean" by all virus scanners, but has encrypted dormant code inside just waiting for January 1 next year, whereupon it will delete the C: drive of everyone who runs it. So, do you think they still do a good job of protecting your PC? :lol:
I totally agree with you and it's even common opinion in the community that signature based AV is actually dead. Imho that's why Kaspersky (and others) frequently try to catch customers way more aggressively with media hypes regarding espionage software and the like.
However, though I would never even give a damn about whether AV spots my software as potentially unwanted software or the like - in other words most obviously a false positive - if customers contact me telling me that they are actually not allowed to use software that triggers (and they always mention results at virus total) I have to deal with this issue, even though it's surely a PITA.
Another issue we actually had with Sophos was that customers using Sophos were actively kept away from our website, which is massively counterproductive in terms of what we are and what we are doing. The only reason for that misbehavior of Sophos was that someone had once thrown in one of our downloadable PB built applications that - tataaa - triggered an alert. Again I had to deal with this, though it's even more of a PITA than the scenario I mentioned before.
Go, tell it on the mountains.
sec
Enthusiast
Posts: 792
Joined: Sat Aug 09, 2003 3:13 am
Location: 90-61-92 // EU or ASIA

Re: Studies against AV false positives

Post by sec »

MachineCode wrote:
sec wrote:I think best method for av false positives (FP) is submit your clean files to AV company.
To which ones, though? There's over 30 of them out there. To each one? That's so tedious. And then someone will still get a false positive from a virus company that you've never heard of, and will think your app is infected.
That is one way.

I found two other ways:
- Submit your app to an independent AV tester (VB100, AVTest). Almost all AVs join that testing for the cert! They will fail the cert if they produce a false positive.
- Make your app popular with more and more users (like Firefox, Chrome), so the AV company will whitelist your app automatically :)