ANTI-VIRUS VS ANTI-VIRUS: FALSE POSITIVES IN AV SOFTWARE

摘要

Anti-virus tools from one company often have problems co-existing with the tools from another, especially in the area of false positives. Some of these problems could easily be avoided- the developers would only need to store their virus signatures properly encrypted in all parts of the program, the engine and the virus definition files. Not only should the virus signatures be encrypted to avoid false positives, but also to provide a form of protection against virus writers (who, having access to the easily-visible signatures can create new variants using different patterns) as well as protecting the company's intellectual property. A simple runtime-compression or encryption of the whole executable file is not a viable option, because many anti-virus tools are able to uncompress or decrypt such programs easily. Therefore they would still find the signatures that caused the false positive. In addition, the detection routines of a number of anti-virus programs should be fine-tuned so that a single short signature found in a file does not result in a virus alert at all. Last but not least, it is important for anti-virus vendors to have a copy of all competitors' programs (including the most recent updates and special cleaning tools) in a false positive test set which should be scanned before releasing a new definition update.