The antivirus industry has been trying to deal with false positive detection issues for a long, long time, and it’s not going to be fixed anytime soon. To better understand why, the physicist in me draws an analogy with Heisenberg’s Uncertainty Principle – where, in its simplest distillation, the better you know where an atom is, the less likely you’ll know its momentum (and vice versa) – aka the “observer effect”. In the malware detection world, the more positive you are that something is malware, the less likely you’ll catch other malware. And the reverse of that: the better you are at detecting a spectrum of malware, the less positive you will be that any given detection really is malware.
In physics there’s a quantity, ℏ, the reduced Planck constant, that acts a bit like the fulcrum of a teeter-totter (“seesaw” for the non-American rest of the world); it’s also a fundamental constant of our universe, like the speed of light. In the antivirus world of Uncertainty Principles the fulcrum isn’t a universal constant; instead you could probably argue that it’s a function of cash. The more money you throw at the uncertainty problem, the more gravity-defying the teeter-totter appears to become.
That may all sound a little discomforting. Yes, the more capable your antivirus detection technologies are at detecting malware, the more frequently false positives will crop up. But you should also bear in mind that, in general, the overall percentage of false positives tends to go down (if everyone is doing things properly). What does that mean in reality? If you’re rarely encountering false positives with your existing antivirus defenses, you’re almost certainly missing a whole lot of maliciousness. It would be nice to say that if you’re getting a whole lot of false positives you must, by corollary, be detecting (and stopping) a shed-load of malware — but I don’t think that’s always the case; it may be because you’re just doing it wrong. Or, as the French would say – C’est la vie.
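The teeter-totter in numbers, as an added example that is not part of the original post: a detection threshold swept over constructed scores from two hypothetical engines, showing that tightening the threshold buys certainty (precision) at the cost of missed malware (recall), and that a better-separated engine (the "cash" fulcrum) moves the whole trade-off rather than abolishing it. All scores and both detectors are made up for illustration.

```python
from dataclasses import dataclass

# Constructed sample scores (not real detector output): each entry is
# (detector_score, is_malware). Detector A is a cheaper, noisier engine;
# detector B separates the two populations better, standing in for the
# extra engineering money the post calls the fulcrum.
DETECTOR_A = [(0.95, True), (0.85, True), (0.7, True), (0.6, True), (0.5, True), (0.4, True),
              (0.1, False), (0.2, False), (0.3, False), (0.45, False), (0.55, False), (0.65, False)]
DETECTOR_B = [(0.98, True), (0.9, True), (0.85, True), (0.8, True), (0.45, True), (0.3, True),
              (0.05, False), (0.1, False), (0.2, False), (0.3, False), (0.35, False), (0.5, False)]

@dataclass(frozen=True)
class Outcome:
    threshold: float
    tp: int  # malware flagged
    fp: int  # benign flagged (the false positives)
    fn: int  # malware missed
    tn: int  # benign left alone

    @property
    def precision(self) -> float:  # how sure you are that a flag really is malware
        flagged = self.tp + self.fp
        return self.tp / flagged if flagged else 1.0

    @property
    def recall(self) -> float:  # how much of the malware you actually catch
        return self.tp / (self.tp + self.fn)

def evaluate(samples, threshold):
    """Flag everything scoring at or above the threshold and tally the result."""
    tp = sum(1 for s, mal in samples if mal and s >= threshold)
    fn = sum(1 for s, mal in samples if mal and s < threshold)
    fp = sum(1 for s, mal in samples if not mal and s >= threshold)
    tn = sum(1 for s, mal in samples if not mal and s < threshold)
    return Outcome(threshold, tp, fp, fn, tn)

def sweep(samples):
    """One Outcome per distinct score, strictest threshold first: the whole teeter-totter."""
    return [evaluate(samples, t) for t in sorted({s for s, _ in samples}, reverse=True)]

def zero_fp_recall(samples):
    """Best recall reachable while raising no false positives at all."""
    return max((o.recall for o in sweep(samples) if o.fp == 0), default=0.0)

if __name__ == "__main__":
    for name, det in (("A", DETECTOR_A), ("B", DETECTOR_B)):
        print(f"detector {name}:")
        for o in sweep(det):
            print(f"  t>={o.threshold:.2f}  precision={o.precision:.2f}  recall={o.recall:.2f}  fp={o.fp}")
        print(f"  recall with zero false positives: {zero_fp_recall(det):.2f}")
```

Detector A catches half the malware before its first false positive appears, detector B two thirds; neither reaches full recall without flagging something benign.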