We have a list to exclude files and folders from the AV scan. From my godawful experience with false positives on Comodo, I think MANY of them could be avoided if we could customize WHICH types of malware to ignore. I would LOVE to be able to ignore any malware with “unknown”, “suspicious” and “heur” in its name.
+1 :-TU
I support this. :-TU
It is very annoying to get multiple Heur.Packed.Unknown@-1 detections (when I increase the heuristics level to medium/high) for programs which are not threats for sure; it is just that the AV does not have the appropriate unpacker, or the exe is protected. So the found objects should at least be split into real threats (alert level) and suspicious objects (warning or even info level).
Turning heuristics off solved a lot of my FP probs. Still get a few though.
Yep, turning that off solved the Heur. FPs. It would be nice to have that option for Unknown malware.
Only one item of my recent FP episode was due to heuristics. The others were unclassified.
@MetalShaun, pabrate:
Turning heuristics off is not a solution and this is even a silly idea, because it greatly reduces detection of suspicious code.
What do you mean ?
I’m an old school guy and I need from an AV a simple yes or no regarding malware, meaning if it’s really malware then label it with a malware name (trojan, rootkit, whatever …).
I don’t really care about 0day malware as there is no way I can catch that.
So I don’t need heuristics, besides, there are other layers of protection behind AV (sandbox, D+) so no big deal.
My only wish is that detections labeled ‘Unknown Malware’ be included in that Heuristics section so I can turn that off as well. If not in Heuristics, then maybe in some other category (PUA perhaps, as Potentially Unwanted Applications).
I think you mean unclassified malware? Those are not heuristic based, those are malware that have been identified as malware but have not been given a name yet. At least that is what I have been told.
Yes, you’re right about that, just checked and it’s “unclassified malware”.
I don’t know how CAV identifies those as malware, but believe me, those are FPs (the ones I got, anyway).
Usually they are packed executables.
I can have any Windows System executable file (or anything else, I said Windows files just as an example of safe file), pack it with one of the executable packers and that file will be identified as unknown malware.
Well, technically it is not a FP then, because you are seeing packer detection; even Kaspersky is starting packer detection. Real software does not use these underground packers.
Agreed, but Kaspersky (and other Vendors) have Packers as an option (turn detection off or on) in configuration.
And I said FP because it’s not malware. You can call it suspicious all right, but not malware.
Well, normally it is identified as Heur.Packed.Unknown or Packed.**** ; only when you see unclassified malware might it be a packer detection, because it has not been given a name yet.
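The posts above describe two different things that end up in one “detected” bucket: a signature match on known malware, and a heuristic that fires on packed code (high-entropy or packer-named sections), which legitimately protected software also trips. The following is an added example, not Comodo’s or any vendor’s code, of a toy scanner that implements that packer heuristic and reports it at a separate severity, as the earlier post proposing alert/warning levels suggests. The section tuples, the packer section-name list, the 7.2 bits/byte threshold and the signature label “Trojan.Example” are all assumptions chosen for the example, and the binaries are constructed byte strings, not real files.

```python
import math
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Section = (name, raw bytes, is_executable). This shape is assumed for the
# example; a real scanner would read it from the PE section table.
Section = Tuple[str, bytes, bool]

# Section names left behind by common packers. Illustrative list, not any
# vendor's signature set.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack", ".adata", ".petite", ".MPRESS1", ".nsp0"}

# Threshold is an assumption: compressed or encrypted code sits near 8 bits/byte,
# ordinary x86 code usually well below 7.
HIGH_ENTROPY_BITS = 7.2


@dataclass
class Finding:
    label: str   # e.g. "Heur.Packed.Unknown"
    level: str   # "alert" for a signature match, "warning" for heuristic-only


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(sections: List[Section]) -> bool:
    """Packer heuristic: a known packer section name, or a high-entropy *executable*
    section. Non-executable sections (e.g. compressed resources) are ignored on
    purpose, so ordinary installers and games with big resource blobs do not trip it."""
    for name, data, executable in sections:
        if name in PACKER_SECTION_NAMES:
            return True
        if executable and shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            return True
    return False


def scan(sections: List[Section], signature_hit: Optional[str],
         heuristics_on: bool = True) -> Optional[Finding]:
    """Signature matches are alerts; heuristic-only results are warnings. Keeping the
    two apart lets a user suppress or review the suspicious class without turning
    off detection of known malware."""
    if signature_hit:
        return Finding(signature_hit, "alert")
    if heuristics_on and looks_packed(sections):
        return Finding("Heur.Packed.Unknown", "warning")
    return None


# Constructed sample data (not real binaries).
_rng = random.Random(0)  # fixed seed so the "compressed-looking" bytes are reproducible
PLAIN_TEXT = b"\x55\x8b\xec\x83\xec\x10" * 600 + b"\x00" * 512   # repetitive code-like bytes
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))     # close to 8 bits/byte

PLAIN_EXE: List[Section] = [(".text", PLAIN_TEXT, True), (".data", b"\x00" * 1024, False)]
PACKED_EXE: List[Section] = [("UPX0", b"", True), ("UPX1", PACKED_TEXT, True),
                             (".rsrc", b"\x00" * 256, False)]
# Clean binary whose only high-entropy section is non-executable compressed resources:
RESOURCE_HEAVY_EXE: List[Section] = [(".text", PLAIN_TEXT, True), (".rsrc", PACKED_TEXT, False)]

if __name__ == "__main__":
    for label, exe in [("plain", PLAIN_EXE), ("packed", PACKED_EXE),
                       ("resource-heavy", RESOURCE_HEAVY_EXE)]:
        print(label, scan(exe, None))
    print("packed + signature", scan(PACKED_EXE, "Trojan.Example"))
    print("packed, heuristics off", scan(PACKED_EXE, None, heuristics_on=False))
```

The `heuristics_on` switch corresponds to the per-category toggle the thread asks for: with it off, the packed-but-unsigned sample produces nothing, while a signature hit on the same file is still reported as an alert. That is the difference between excluding a heuristic class and excluding a file from scanning altogether.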
It’s really not an issue with the sandbox and Defense+. The amount of FPs outweighs the amount of extra viruses you would detect with heuristics turned on. And when I run scans I leave heuristics on, just not in real time. Also, it must be about 3 years since I have actually found a virus on my computer.
Cheers
Shaun
Well, but heuristics are an additional layer of protection. You have to know that they will sometimes show false positives, but that’s how they work. Detecting malware is not a simple yes/no (unless comparing known sigs), and it never will be. For regular use I keep heur on low, mainly because of the packed exe popups; however, for manual scans I set it to high, because I want to know as much as possible.
Yes and no. Because SB and D+ are for somewhat different things (layers of protection). They do not detect. They isolate (SB) and protect from an already executed application (D+).
I never really experienced FPs with Comodo. Heck, I love heuristics for when I’m bored and throw malware at my PC. It’s fun ;D
Well… I would never open such a security hole by excluding classes of malware from scanning… never…
False positives are to be informed and corrected, not excluded from scanning.