The Register® — Biting the hand that feeds IT


False positives run amok in Vista anti-virus tests

Generic faults


The first independent tests of anti-malware products on 64-bit Windows Vista revealed a rash of false positives.

Of the 20 products submitted for testing to independent security certification body Virus Bulletin, six generated false positives when scanning a set of known clean files.

As a result, those six products failed to earn VB100 certification, a prized accolade in the anti-virus industry. The tests were the first carried out by Virus Bulletin on 64-bit Windows Vista anti-virus and anti-spyware packages.

Trend Micro submitted three of its anti-virus products, all of which falsely identified a Microsoft development tool as spyware. Other products to generate false positives were Fortinet's FortiClient, Ikarus Utilities, and VirusBuster, from the Hungarian firm of the same name.

John Hawes, technical consultant at Virus Bulletin, said: "The items added to our set of known clean files this month mostly consisted of common items taken from the 'most-popular' lists of free download sites, so it is a concern that the additions have caused such an upsurge in false detections.

"A false positive can cause as much disruption as a virus infection. False warnings often lead end-users to delete valid files in the belief that they are some form of attack and the resultant damage can be significant," he added.

Hawes blamed increased reliance on heuristic (generic) detection techniques for the rash of false alarms. "Anti-malware vendors must work hard to minimise false detections."

Other factors might also be in play.

Some anti-virus vendors complained of lack of access to the PatchGuard kernel protection system, as well as other security measures, included in the 64-bit version of Vista prior to its release. Opinions over the issue - even within the anti-virus industry - were sharply split.

Virus Bulletin reckons the poor test results of anti-malware products on 64-bit versions of Vista suggest Microsoft's efforts at locking down the operating system have made life tougher for security firms.

Microsoft's enterprise anti-malware technology Forefront put in a strong performance and was awarded VB100 status for Vista x64 in the latest tests. By contrast, OneCare, its consumer anti-virus product, received a good shoeing after flunking Virus Bulletin's tests on 32-bit Vista products earlier this year.

Testing times

Virus Bulletin's VB100 tests pit submitted anti-virus products against a test set of viruses from the WildList, a publicly available list of viruses known to be in circulation. To earn VB100 certification, products must detect 100 per cent of the malware samples contained in the WildList test set while raising no false alarms when scanning a set of clean files.

Unlike other certification schemes, Virus Bulletin tests all products free of charge and does not allow re-testing. Virus Bulletin's comparative reviews also cover other performance aspects, including detection rates against a selection of viruses never seen outside anti-virus vendors' labs, as well as scanning speeds and performance overheads of anti-malware products.

The results of the VB100 certification of products for Windows Vista x64 Business Edition can be found here (free registration required). Detailed results tables are available to Virus Bulletin subscribers. ®


Latest Comments
Anonymous Coward

"In the end" alright

Er.. "...far fewer compatibility issues"? Hell yes. Vista is far less likely to be compatible with anything. Hardware or software.

Use it, and you will feel like you've had something run into your end alright.

I am still trying to get my supplier to get an XP disk to me to replace the crap that came preinstalled on the laptop. Which, consequently, is barely compatible with the hardware it was installed on.

While I wait, I'll play with this linux thingy. I hear good stuff about it, and have so far enjoyed many crash free, malware free, problem free hours of productivity. If Vista was as good as XP, I never would've considered installing Linux on this machine. But I was desperate for a WORKING machine, so on went the Linux.


Vista and NOD32

Firstly, NOD32 is fantastic. I've used it for years. It's unobtrusive, small, uses far far fewer CPU cycles than anything else and what's more, it really, really works.

As for Vista--I remember exactly the same arguments when XP came out. To be fair, there have been far fewer compatibility issues this time around. And as with XP, you'll all be running Vista in the end...


NOD32 and other notes

Did NOD32 get the VB100 ranking with the 64-bit version of Vista? I know it's good, but the article was only speaking to the 64-bit tests.

I also like NOD32, AVG Free and Clam AV ... on XP (when I have to run it). Our Vista users can't complain enough about it.

Re: Paranoid delusions (@Mr. Moyle)

You're only paranoid if they're NOT out to get you. Your comments reflect generational MS practices where they maliciously insert code (or fail to document it) in attempts to cause competitors' products to shine less brightly than their own. Netscape comes to mind (Did anyone really believe that MSIE3-4 functioned better than Netscape on an even playing field?) (and yes, I can cite the Finding of Fact in that big ol' case).

It does bear repeating that of the 20 products submitted for testing, only 6 produced the false positives. And it's not at all surprising that MS 64-bit anti-malware product did so well ... even if its consumer-level (32-bit) product continues to be crap.

I strongly agree with those who recommend AGAINST "upgrading" to or purchasing a new system with any current version of Vista on it. Wait until the first service pack, at the very earliest, or just stick with what's working for you and ignore Vista completely. It's easy to do ...

