The difference between false positives and FALSE POSITIVES presented at Virus Bulletin 2010

by Mark Kennedy (AMTSO)

Tags: Security

URL: http://www.virusbtn.com/conference/vb2010/abstracts/R-Kennedy.xml

Summary: Many tests of security software (including all worthwhile ones) test for false positives. As security suites push more and more for zero-day or proactive protection, these are inevitable. However, the problem that arises is in how those false positives are treated. Many tests treat them all the same, offering only tallied counts. But does this best serve the customer? Is an FP on an obscure utility used by perhaps 100 people the same as an FP on, say, Excel? When looking at FPs we must look at the impact of those FPs as well. If a security suite FPs in the forest, and no one is there to hear it, does it make a sound?

This presentation will discuss the various ways FPs can be better measured to assess their customer impact. The issues involved in determining the true impact of FPs (number of people affected, severity of cleanup, etc.) will also be covered. For example, an FP that prevents a person from installing an application is different from one that breaks an existing application, and is different again from one that prevents the OS from booting.

This presentation will be made under the auspices of AMTSO.