The difference between false positives and FALSE POSITIVES

Mark Kennedy AMTSO

Many tests of security software (including all worthwhile ones) test for false positives. As security suites push more and more for zero-day or proactive protection, these are inevitable. However, the problem that arises is in how those false positives are treated. Many tests will treat them all the same, offering only tallied counts. But does this best serve the customer? Is an FP on an obscure utility used by perhaps 100 people the same as an FP on, say, Excel? When looking at FPs we must look at the impact of those FPs as well. If a security suite FPs in the forest, and no one is there to hear it, does it make a sound?

This presentation will discuss the various ways FPs can be better measured to assess their customer impact. The issues involved in determining the true impact (number of people affected, severity of cleanup, etc.) of FPs will also be covered. For example, an FP that prevents a person from installing an application is different from one that breaks an existing application, and is different again from one which prevents the OS from booting.
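As an added illustration of the point made above (example code, not part of the abstract or of any AMTSO test methodology), the following model scores each false positive by the two factors the abstract names, the estimated number of affected users and the severity of cleanup, and compares the resulting ranking of products with a plain tally. The product names, file names, user counts and severity weights are constructed for the example; the weights in particular are hypothetical and would need to be agreed by a test lab.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Iterable, List


class Severity(IntEnum):
    """Cleanup-severity classes from the abstract, with hypothetical weights.

    The ordering (install blocked < existing app broken < OS will not boot)
    follows the abstract; the numeric weights are an assumption for this example.
    """
    INSTALL_BLOCKED = 1   # the user cannot install an application
    APP_BROKEN = 5        # an already-installed application stops working
    BOOT_BLOCKED = 50     # the operating system no longer boots


@dataclass(frozen=True)
class FalsePositive:
    product: str          # security product that raised the FP
    sample: str           # clean file that was wrongly flagged
    affected_users: int   # estimated install base of that file
    severity: Severity    # what the FP does to an affected machine


def raw_count(fps: Iterable[FalsePositive], product: str) -> int:
    """The conventional metric: one point per FP, regardless of impact."""
    return sum(1 for fp in fps if fp.product == product)


def impact_score(fps: Iterable[FalsePositive], product: str) -> int:
    """Impact-weighted metric: affected users multiplied by cleanup severity."""
    return sum(fp.affected_users * int(fp.severity)
               for fp in fps if fp.product == product)


def rank_products(fps: List[FalsePositive],
                  scorer: Callable[[List[FalsePositive], str], int]) -> List[str]:
    """Products ordered from least harmful to most harmful under `scorer`."""
    products = sorted({fp.product for fp in fps})
    return sorted(products, key=lambda p: (scorer(fps, p), p))


# Constructed sample data: three fictional products and their FPs in one test run.
SAMPLE_FPS = [
    # Product A: several FPs, all on obscure tools with tiny user bases.
    FalsePositive("Product A", "obscure_backup_tool.exe", 100, Severity.INSTALL_BLOCKED),
    FalsePositive("Product A", "hobby_ftp_client.exe", 250, Severity.INSTALL_BLOCKED),
    FalsePositive("Product A", "niche_cad_plugin.dll", 80, Severity.APP_BROKEN),
    # Product B: a single FP, but on a spreadsheet application used by millions.
    FalsePositive("Product B", "spreadsheet_app.exe", 2_000_000, Severity.APP_BROKEN),
    # Product C: two FPs, one of which stops affected machines from booting.
    FalsePositive("Product C", "legacy_driver.sys", 5_000, Severity.BOOT_BLOCKED),
    FalsePositive("Product C", "small_utility.exe", 300, Severity.INSTALL_BLOCKED),
]


if __name__ == "__main__":
    for product in sorted({fp.product for fp in SAMPLE_FPS}):
        print(f"{product}: {raw_count(SAMPLE_FPS, product)} FPs, "
              f"impact {impact_score(SAMPLE_FPS, product):,}")
    print("Ranking by tally (best first):", rank_products(SAMPLE_FPS, raw_count))
    print("Ranking by impact (best first):", rank_products(SAMPLE_FPS, impact_score))
```

With this data the tally ranks Product B best and Product A worst, while the impact score reverses the order: Product A's three FPs together affect a few hundred users, whereas Product B's single FP breaks an application for two million. The absolute weights are arbitrary; what the example shows is that the ranking itself depends on whether prevalence and severity are counted at all.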

This presentation will be made under the auspices of the AMTSO.

