Antivirus component is not suitable for inexperienced users

BigMike · June 19, 2009, 9:18pm

Hi,
I’m sorry to have to say this, but I think the false positive rate is far too high to recommend inexperienced users to use Comodo Antivirus.

You should consider, that it’s impossible for inexperienced users, to decide, if a file is probably a false positive. And removing a false positive may also harm the systems security, but for sure it will result in an application, which isn’t working as it should.

On the one hand, it’s nice to know, that CAV has over 5,000,000 signatures in its database, but on the other hand, that’s no benefit at all, if all alerts I get are related to false positives (I’m talking really about false positive virus alerts, I’ve disabled heuristics completely).

I’m very impressed about the fast feedback you get, if you report false positives at the forums, but remember, we’re talking about inexperienced users - from my experience I can say, they probably don’t even know about false positives - most see an alert, click delete and are happy, if there are no more alerts…

Also many alerts about false positives make you less sensitive about real threats. So, if you had 10 alerts, asked 10 times an experienced friend, he said 10 times “don’t worry, you’re scanner was wrong, this file belongs to application xy and isn’t a virus, look here are the results from other scanners…” What would you do the 11th time? Right… At least you would ask yourself, why using an Antivirus software, that always alerts you about safe files…

So, please consider your strategy in adding malware signatures to the database. I don’t know, how you test them at the moment against false positives, but I think, that this procedure needs to be improved urgently in order to get a higher quality at the signatures.

Kind regards, BigMike

PhyxionNL · June 20, 2009, 6:18am

When Comodo started it did have a lot of FP’s, but since a month or 2-3 I hardly get any FP at all.

axl · June 20, 2009, 6:32am

Don’t worry about it Mike.
The false positive rate is also far too high to recommend experienced users to use Comodo Antivirus.

Whitelisting is different from blacklisting; they still need some time to work on their database.

Petit · June 20, 2009, 7:52am

I’m using Comodo IS for just 2-3 months And I’ve seen Antivirus detect a FP by heuristic more than a signature.

Now I set heuristic mode to medium for on demand scanning and turn heuristics off for realtime scanner,
I think it should decrease a number of FP.

BigMike · June 20, 2009, 11:00am

You’re right in this point - but for an experienced user, it’s only disturbing, because he can do researches on the internet, to decide, if it’s a false alert or not. The danger of deleting important files is not as high as for inexperienced users.
I gave only reasons from an inexperienced user’s point of view, because I understand the antivirus component as an additional layer of security especially designed for inexperienced users, to spare them the details of Defense+ alerts. And I see no benefit in it, if you can’t rely on the alerts.

The heuristics are even worse. It seems any packed executable triggers an alert. First I did was disabling the heuristics completely. But since a new heuristics engine was promised from beginning and it’s in the nature of heuristics to produce false positives, I don’t complain about it.
I’m just referring to the false positives coming from “bad” signatures of a malware. If there’s a signature for a malware, it should fit to this and only to this malware.

I’d like to point out, that it’s not only important to detect many threats - but also (and in my opinion even more) that you can rely on the detection.
This is a point that I miss in many antivirus comparisons: They are all talking about detection rates - false negatives, but the false positive rate is almost never mentioned.

Regards

lostcause · June 21, 2009, 10:27am

Quiet an interesting thought BigMike. I’ve never used the antivirus that comes with Comodo so I can’t say much except that when I use Avast in the event it picks up a virus that I suspect may be a false positive I normally submit it to Avast for further analysis right from the quarantined area. Does Comodo’s antivirus have a similar feature? Because in my view that would probably help both experienced and inexperienced users alike.

BigMike · June 21, 2009, 12:38pm

Comodo also offers the possibility to quarantine files and to submit them for further analysis. I don’t know how this is solved with Avast, but for Comodo, the file is simply submitted and there’s no possibility to get feedback, if it was still analyzed and if it’s dangerous or not. If you like to get feedback, you’ll have to report suspicious files via mail or the forums. This works really well - and if you know about the possibilities, you can decide yourself, which way you prefer.
I’d like to see the possibility to rescan the quarantined files after signature updates - or even better - doing this automatically and report to the user, if the status of a suspicious file changed - maybe I’ll post this in the wishlist…

In my opinion, false positive handling itself is solved in an exemplary manner. But my first thought, if I get an alert from the antivirus component is “another false positive” - where it should be “oh, #!!# - my system is infected”. For inexperienced users this must be horrible!
And doing research about suspicious files isn’t so much fun, too…

Regards

SilentMusic7 · June 24, 2009, 11:20pm

I got so many FPs with CIS’ AV (v3.9) on low heuristics that I turned off heuristics. Even so, I got more FPs with CIS in a few days than with Avira over 6 months (same files on my PC for the comparison), and this is with Avira’s heuristics set to medium.

CIS’ FPs are especially a problem for me because I am trying to set up CIS with Parental Control enabled and automatic quarantine since I share my PC with an inexperienced user. I don’t look forward to frantic calls to me when CIS blocks the user from doing safe things.

panic · June 25, 2009, 1:20am

If you add the proven FPs to the exclusion list, enable auto quarantine, disable balloon tips and enable parental controls, CIS should be almost transparent to your inexperienced co-user. This method could work on this proviso that there isn’t a high rate of install/uninstall of new applications. This is the method we are testing it under at work, but we have the luxury of a stable environment with a known range of installed applications.

Cheers,
Ewen

P.S. Before I get accused of being a fanboy - yes, the FP rate is still too high, but it is getting better. It’s not there yet, but it’s not that far off, IMHO. Under controlled circumstances (as described above) CIS is working as well, if not better than, our previous AV solution, which was installed under the same controlled environment.

edit : minor typos

OmeletGuy · June 25, 2009, 1:26am

You guys mind posting the FP in the False Positive board?
All you have to do is post the detected name, and if its Heur.Pck. just post a link to download the product.

And yes the av still has too many FP and needs work on that aspect and a cuple more.

smage · June 25, 2009, 11:53am

Hi,

I am worried that the FP will increase even more when generic signatures are included as it attempts to catch lots of malware with 1 signature.

And I do not understand why they are bugging the AV with the current heuristics when they should have implemented CIMA instead.