FHteam
Admin
# Posted: 14 Sep 2009 17:22
The number of "False Positive" alerts from security programs is rising & user ability to recognize them for what they are is limited. This forum topic is intended to provide some basic information that applies to ALL security programs & how they work.
Simply put, your security program looks into the programming code of a file to see if it can find:
A: specific pieces of code that are KNOWN to be used by a specific infection.
If it finds anything you will get a report that names the infection precisely. It WILL NOT SAY 'generic' or 'family'. You will be able to do a Google search on the name & find numerous references & details for the infection. There will be an entry for it in your security program's virus/trojan database.
B: anything there that CAN perform a malicious action.
You may be told what the 'infection' can do (e.g. password stealer); you may get a basic 'name' for the infection; the words 'generic' or 'family' are likely to be used; a Google search might find nothing or a confusing array of widely different types of infection. If your program finds something that is simply suspicious IT DOES NOT KNOW if the action is malicious!
The 'acid test' is "did YOU choose to run a program to perform this action?!"
You need to be aware of what you expect the program to do. The code for a good password recovery program that YOU CHOOSE to run is the same as the code for a bad password stealer program that is bundled with something entirely different.
Reporting infections:
Type A infections should always be reported. Include what version of Windows you have; what security program reported the infection; the EXACT name of the infection.
Type B 'infections' should be researched carefully before reporting them. Reporting a false positive is the equivalent of crying wolf! It is also time wasting if the information is already on the author's website or, worse still, in our description!
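The two kinds of detection described in this post, as an added toy example (not code from this forum or from any real scanner): a Type A hit matches an exact byte pattern tied to a precisely named infection, while a Type B hit only matches a capability that legitimate tools also have, so it must be judged against what the user chose to run. Every signature, heuristic pattern, infection name and sample file below is constructed for illustration; none is a real indicator.

```python
"""Toy scanner illustrating 'known signature' (Type A) versus
'suspicious capability' (Type B) detections and the post's acid test.
All patterns, names and sample files are constructed for this example."""
from dataclasses import dataclass, field

# Type A: exact byte patterns tied to a precisely named infection.
# Both patterns and names are hypothetical placeholders.
KNOWN_SIGNATURES = {
    b"EXAMPLE-SIG-0001": "Trojan.Example.Stealer.A",
    b"EXAMPLE-SIG-0002": "Worm.Example.Mailer.B",
}

# Type B: capabilities that CAN be malicious but are also used by
# programs a user deliberately runs (e.g. a password recovery tool).
HEURISTIC_RULES = [
    (b"ReadStoredCredentials", "reads stored passwords"),
    (b"SendMailToAll", "mass-mails"),
    (b"DisableSecurityService", "disables security software"),
]


@dataclass
class Verdict:
    kind: str                      # "A" (known), "B" (heuristic) or "clean"
    name: str                      # precise name for A, generic label for B
    capabilities: list = field(default_factory=list)
    action: str = "none"           # what the user should do with this result


def scan(data: bytes) -> Verdict:
    """Known signatures win: they give a precise name with no guesswork.
    Only if none matches do we fall back to capability heuristics."""
    for sig, name in KNOWN_SIGNATURES.items():
        if sig in data:
            return Verdict("A", name, [],
                           "report: include Windows version, program and exact name")
    caps = [desc for pat, desc in HEURISTIC_RULES if pat in data]
    if caps:
        return Verdict("B", "Generic.Suspicious", caps,
                       "research first: did you choose to run a program that does this?")
    return Verdict("clean", "")


def triage(data: bytes, user_expects: set) -> str:
    """Apply the acid test: a Type B hit whose every flagged capability is
    something the user knowingly chose is a likely false positive; a Type B
    hit with unexpected capabilities needs investigation; Type A is reported."""
    v = scan(data)
    if v.kind == "A":
        return "report"
    if v.kind == "B":
        if set(v.capabilities) <= user_expects:
            return "likely false positive"
        return "investigate"
    return "clean"


# Constructed sample files (not real programs).
KNOWN_TROJAN = b"MZ...EXAMPLE-SIG-0001...ReadStoredCredentials"
RECOVERY_TOOL = b"MZ...PasswordRecoveryTool...ReadStoredCredentials"
BUNDLED_EXTRA = b"MZ...ScreensaverInstaller...ReadStoredCredentials...SendMailToAll"
HARMLESS = b"MZ...HelloWorld"

if __name__ == "__main__":
    for label, blob, expected in [
        ("known trojan", KNOWN_TROJAN, set()),
        ("recovery tool I ran", RECOVERY_TOOL, {"reads stored passwords"}),
        ("screensaver bundle", BUNDLED_EXTRA, set()),
        ("harmless", HARMLESS, set()),
    ]:
        v = scan(blob)
        print(f"{label:20} -> {v.kind:5} {v.name:25} {v.capabilities} "
              f"=> {triage(blob, expected)}")
```

The ordering in `scan` mirrors the post: a signature match names the infection exactly and is reported as is, while a heuristic match only lists what the code can do, and `triage` is where the user's own knowledge of what they chose to run decides whether the alert is worth reporting.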