Antivirus industry deluding itself

WinPatrol recently introduced a new product into the security arena called WinPrivacy. Having worked in the antivirus industry in the past, I knew we’d have some false positives to deal with, but I didn’t think it would be that bad. I was wrong! Dead wrong!

We throttled the release of our beta software in an effort to control feedback and keep it at a level we could manage. Because things were going so well, we made the software publicly available to anyone who wanted to purchase it at a great discount. All continued to go well for about a month, and I thought we’d dodged the false positive bullet. Shortly after that, however, the nightmarish procession of false positives from vendor after vendor after vendor began, and it has only now started to abate, more than one agonizing month later. Each time a false positive went out in an AV company’s definitions, we were inundated with emails from the customers of that product, all of them stating that WinPrivacy was broken. It took us a while to get a handle on the true problem: the combination of false positives and antivirus products that confuse and intimidate customers.

Virtually none of our customers knew the problem was due to their antivirus product falsely removing a file from their computer. Mind you, I’ve worked at an antivirus company in the past, and I know they do everything they can to avoid false positives and to alert customers when they quarantine something, just in case. However, those efforts are failing miserably. Overwhelmingly, customers didn’t know their AV product had quarantined something. In addition, they didn’t know how to look at their AV product’s quarantine and were somewhat intimidated at even trying, for fear they might break their computer. These are security-conscious customers with more computer knowledge than the average computer user. Yet, for the most part, their antivirus software is unusable for them. This unfortunate reality made the process of identifying the false positives all the more challenging.

We used VirusTotal to help us identify the AV vendor in question and the file(s) they were incorrectly classifying as malware. Regrettably, some vendors do not provide VirusTotal with the same engine they use in their products, so more than once the results at VT didn’t match what was found in the actual product. That unfortunate reality made the discovery process even more time consuming. Once we had identified the product and file, we needed to report that false positive. I found over 100 different AV companies, each of which has its own unique process for reporting FPs. Some of them have several products, each requiring its own FP submission because they use different definition files for each product. Worse yet, some AV vendors seemed to deliberately make it extremely difficult to report FPs to them. I won’t even go into how long it took some companies to respond to FP reports. The worst case was over a month. I’ve learned a lot since this saga began and have become pretty proficient at reporting FPs to the various vendors now. One tip I can give is to follow up with a phone call (if you can find a phone number).
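To make the triage step above repeatable, here is a small helper I would add (example code, not WinPatrol’s own tooling): it hashes the shipped binary, pulls the detecting engines out of a VirusTotal file report, and reconciles them against the vendors whose quarantines customers actually reported, since a VT engine can differ from the shipped product. The report below is a constructed sample in the shape of the current VirusTotal v3 file report (`last_analysis_results`); the engine names and verdicts are made up.

```python
import hashlib
import json

# Constructed sample in the shape of a VirusTotal v3 file report
# (GET /api/v3/files/{sha256}). Engine names and verdicts are invented.
SAMPLE_REPORT = json.dumps({
    "data": {"attributes": {
        "last_analysis_results": {
            "VendorA": {"category": "malicious", "result": "Gen.Suspicious.1"},
            "VendorB": {"category": "undetected", "result": None},
            "VendorC": {"category": "suspicious", "result": "Heur.Packed"},
            "VendorD": {"category": "type-unsupported", "result": None},
        }}}})


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the shipped file; this is the key used to look it up on VT."""
    return hashlib.sha256(data).hexdigest()


def flagged_engines(report_json: str) -> dict:
    """Return {engine: verdict} for every engine that flagged the file.

    Only 'malicious' and 'suspicious' count; 'undetected', 'timeout' and
    'type-unsupported' are not detections and must not trigger an FP report.
    """
    attrs = json.loads(report_json)["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    return {name: r.get("result")
            for name, r in results.items()
            if r.get("category") in ("malicious", "suspicious")}


def reconcile(vt_flagged: dict, product_vendors) -> dict:
    """Compare VT detections with vendors seen in customers' quarantines.

    'product_only' is the important bucket: a vendor whose shipped engine
    flags the file while its VT engine does not will never show up on VT,
    so the FP report has to be driven by the customer evidence instead.
    """
    vt = set(vt_flagged)
    field = set(product_vendors)
    return {"confirmed": sorted(vt & field),
            "vt_only": sorted(vt - field),
            "product_only": sorted(field - vt)}


if __name__ == "__main__":
    print(sha256_hex(b"constructed file contents"))
    hits = flagged_engines(SAMPLE_REPORT)
    print(hits)
    print(reconcile(hits, ["VendorA", "VendorE"]))  # VendorE: constructed
```

Feed `reconcile` the vendor names taken from customer quarantine screenshots or logs, and treat every name in `product_only` as a separate FP submission to chase directly with that vendor.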

I wish this process had been easier and less time consuming. This is where I hope the AV industry gets behind the “Trusted Source” project initiated by Google and Microsoft. It is time the AV industry worked together to create a common consortium where a legitimate software vendor can submit their product once and have it whitelisted in every participating vendor’s product. Working together would save the AV industry time and money, it would save software vendors time and money, and ultimately it would lead to happier customers who get a better product. It’s time for the AV industry to stop deluding itself, realize it can’t go it alone, step up to the plate and take responsibility for its actions. “Sorry” doesn’t cut it anymore when it comes to false positives.