Will the number of false positives be reduced when family signatures arrive?

Hi Guys. I am wondering once more! Will the number of false positives being reported on the forums reduce when family signatures are included within CAVS?

I say this because I understand that the number of signatures, currently around 5.5 million, will be reduced dramatically, as, say, 1 signature will be able to detect lots of variants of a malware.

This then leads me to think there will be much less margin for error and FPs within CAVS. Am I right on this or am I going off on a tangent?

Just off to do some more wondering…

Regards
Dave1234.

What caused FPs was a few things:

1) some file extensions that got added
2) heuristics

We fixed the issue with the file extensions… (e.g. some extensions that don't need to be scanned but got scanned, which produced FPs, AFAIK). This was an issue in the 3.9 launch but was fixed immediately afterwards.

Heuristics… we improved the heuristics in the latest version.

Basically the point is that our signatures are not the ones generating FPs in general; it was the above two items. So we continue to improve them both. The latest CIS version has fewer FPs than previous versions and will continue to improve. We do have some sort of family/generic sigs currently, but the new infrastructure we set up will totally extend this and add a layer of detection that wasn't available till now (thanks to our AV Labs and AI dept :slight_smile: )

thanks

Melih

Now that’s a post that I like to see more often. Professional and objective :-TU

Well, some of the unclassified malware is actually false positives. And Melih, will that class (unclassified malware) stay, or will the analysts finally give names to the malware?

The majority of those unclassified malware signatures are created by CIMA/CAMAS. So it's an automated heuristic engine on the cloud that we feed baddies to, and it churns out signatures for us. It can't name them :frowning: With the next version of CIS (out sometime at the end of June or July) the size (HD size) of the sigs will be reduced, and new technology will enable us to name more of this unclassified malware into groups and reduce FPs even further.

cheers

Melih

:-TU Thanks Melih. That's what I hoped for. The new technology and reduction in sigs in the new version in June/July will allow more unclassified malware to be named into groups and reduce the number of FPs further. Great!!!

Another happy camper!!

Regards
Dave1234.

I've seen CIMA defining malware as "variant of Virut" or similar. So maybe it would be a good thing to start naming them like:

CIMA.Generic.Beagle
CIMA.Generic.Virut
CIMA.Unclassified.Malware (this one would be used when the characteristics don't fall under a specific malware family)
etc

Depending on the characteristics found by CIMA. Then we know that they are machine generated and also what type of malware it is.

Another way would be to mark them based on what they do.

For example:
CIMA.File.Infector
CIMA.Bot
CIMA.Irc.Backdoor
CIMA.System.Eraser
etc

Good idea. IMO there are too many unclassified signatures.

very good idea

That’s good news. Always good to know what is cooking…

+1 :-TU

+1

The problem is that not all malware can be named (actually the majority can't at this stage) by CIMA…

Let's see how we can improve in the next version of CIS…

thanks
Melih

I actually don’t find this a problem, but I guess newbies do 88)

Xan

Melih, from my studies of antivirus engines I know that it is possible, and some were already doing this.
Norman SandBox is one, BitDefender HiVE another, and Kaspersky was also classifying malware based on behavior, etc.

If something is sending stuff through SMTP, it's most probably a spam bot; if it's contacting IRC servers, it's probably an IRC bot or some other form of bot; if it's monitoring for key inputs, it's probably a keylogger, etc.
CIMA is already detecting all this; you just have to assign rules on what will trigger what name.

Don't troll please… It's actually useful to know what kind of malware is detected, especially for 'experts'.

I guess CIMA/CAMAS provides a great deal of useful info.

If it were possible to include some of this info in the detected names along with a unique ID, it would be an appreciable improvement.

CAMAS provides information about the severity level and highlights different types of malicious behaviors (even in cases where an executable exhibits more than one), and thus it could be technically possible to create a hex-text behavior flag which could be decoded by means of a separate utility.

Alternatively, it would also be possible to provide the current names along with a feature to look up the related CAMAS/CIMA page(s) (e.g. on the quarantine dialog and additionally in Threatcast dialogs when applicable).
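The two ideas in this thread, behavior-to-name rules for machine-generated detections and a hex behavior flag that a separate utility can decode, can be sketched together. The following is an added example, not Comodo's, CIMA's or CAMAS's code: the bit layout, the free-text behavior labels, the sample reports and the `CIMA.<Family>/<hex>` naming format are all assumptions made for illustration.

```python
"""Behavior-based naming plus a decodable hex behavior flag (illustrative example).

Assumptions (none of this is real CAMAS/CIMA output or format):
  * a sandbox report is a list of free-text behavior labels,
  * each known behavior maps to one bit of a flag word,
  * the detection name is "<family>/<hex flags>", where the family comes from
    the first matching rule and the hex part preserves every observed behavior.
"""
from enum import IntFlag
from typing import Iterable


class Behavior(IntFlag):
    """Hypothetical bit layout for the behavior flag."""
    SMTP_TRAFFIC = 1 << 0     # outbound mail: probable spam bot
    IRC_CONNECT = 1 << 1      # contacts IRC servers: probable bot/backdoor
    KEY_MONITORING = 1 << 2   # hooks keyboard input: probable keylogger
    FILE_INFECTION = 1 << 3   # writes code into other executables
    SYSTEM_ERASE = 1 << 4     # destroys system files
    AUTORUN_PERSIST = 1 << 5  # persistence alone does not justify a family name


# Free-text labels (constructed to resemble sandbox verdicts) mapped to bits.
LABELS = {
    "sends email via smtp": Behavior.SMTP_TRAFFIC,
    "connects to irc server": Behavior.IRC_CONNECT,
    "installs keyboard hook": Behavior.KEY_MONITORING,
    "modifies other executables": Behavior.FILE_INFECTION,
    "deletes system files": Behavior.SYSTEM_ERASE,
    "creates autorun registry key": Behavior.AUTORUN_PERSIST,
}

# Naming rules, most destructive first. A sample showing several behaviors
# gets the first matching family; the hex flag still records all of them.
RULES = [
    (Behavior.FILE_INFECTION, "CIMA.File.Infector"),
    (Behavior.SYSTEM_ERASE, "CIMA.System.Eraser"),
    (Behavior.IRC_CONNECT, "CIMA.Irc.Backdoor"),
    (Behavior.SMTP_TRAFFIC, "CIMA.Spam.Bot"),
    (Behavior.KEY_MONITORING, "CIMA.Keylogger"),
]
UNCLASSIFIED = "CIMA.Unclassified.Malware"


def flags_from_report(behaviors: Iterable[str]) -> Behavior:
    """Fold the report's labels into one flag word; unknown labels are ignored."""
    flags = Behavior(0)
    for label in behaviors:
        flags |= LABELS.get(label.strip().lower(), Behavior(0))
    return flags


def encode_flags(flags: Behavior) -> str:
    """Two-digit uppercase hex, the part a separate utility would decode."""
    return f"{int(flags):02X}"


def decode_flags(hex_text: str) -> list[str]:
    """The 'separate utility': turn the hex suffix back into behavior names."""
    value = int(hex_text, 16)
    return [b.name for b in Behavior if value & b.value and b.name]


def name_sample(behaviors: Iterable[str]) -> str:
    """Build the machine-generated detection name for one report."""
    flags = flags_from_report(behaviors)
    family = next((name for bit, name in RULES if flags & bit), UNCLASSIFIED)
    return f"{family}/{encode_flags(flags)}"


# Constructed sample reports, not real sandbox results.
REPORTS = {
    "sample-a.exe": ["connects to IRC server", "installs keyboard hook"],
    "sample-b.exe": ["sends email via SMTP"],
    "sample-c.exe": ["creates autorun registry key"],
    "sample-d.exe": ["modifies other executables", "connects to IRC server",
                     "deletes system files"],
}


def classify_all(reports: dict = REPORTS) -> dict[str, str]:
    """Name every report; returned so callers (or tests) can inspect results."""
    return {sample: name_sample(labels) for sample, labels in reports.items()}


if __name__ == "__main__":
    for sample, detection in classify_all().items():
        hex_part = detection.rsplit("/", 1)[1]
        print(f"{sample:14} {detection:30} -> {', '.join(decode_flags(hex_part))}")
```

Running the script prints, for instance, `sample-d.exe CIMA.File.Infector/1A -> IRC_CONNECT, FILE_INFECTION, SYSTEM_ERASE`: the family name answers the "what is it" question at a glance, while the hex suffix keeps the full behavior set for anyone who wants to decode it. A sample whose only observed behavior is persistence falls through every rule and stays `CIMA.Unclassified.Malware`, which mirrors the thread's point that not every sample can be given a family name.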

+1