09-29-2011 05:55 AM - edited 09-29-2011 05:56 AM
Symantec signature sets have an advantage against false positives. When the file hash is malicious, then it's malicious. Symantec can't detect non-malicious files using a malicious file hash, because the hash is unique: it represents only one unique malicious file. A false positive can only appear while a submission to SSR is processed by the robot rather than by a human.
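As an added illustration of the hash-signature point in the post above (example code written for this page, not Symantec's or Norton's; the sample bytes are constructed placeholders, not real malware): an exact-hash signature never flags a file whose hash is not in the set, so it yields no false positives on clean files, but it also misses a one-byte variant of a known sample, which is the "no protection without the signature" side of the tradeoff.

```python
import hashlib

# Constructed sample "files" (plain bytes, not real malware): a known-bad blob,
# a one-byte variant of it, and a clean file with a PE-like header.
KNOWN_BAD = b"MALWARE-SAMPLE-ALPHA\x00\x01\x02"
VARIANT = KNOWN_BAD[:-1] + b"\x03"   # same family, one byte changed
CLEAN = b"MZ\x90\x00 hello, benign program"


def sha256(data):
    """Hex SHA-256 of a file's bytes, the identifier a hash signature matches on."""
    return hashlib.sha256(data).hexdigest()


# Signature set: exact hashes of files an analyst has confirmed malicious.
SIGNATURES = {sha256(KNOWN_BAD)}


def scan(files, signatures):
    """Return 'malicious' or 'clean' per file name by exact hash lookup."""
    return {name: ("malicious" if sha256(data) in signatures else "clean")
            for name, data in files.items()}


def evaluate(files, labels, signatures):
    """Count true positives, false positives and misses against ground truth."""
    verdicts = scan(files, signatures)
    tp = sum(1 for n in files if labels[n] == "bad" and verdicts[n] == "malicious")
    fp = sum(1 for n in files if labels[n] == "good" and verdicts[n] == "malicious")
    fn = sum(1 for n in files if labels[n] == "bad" and verdicts[n] == "clean")
    return {"tp": tp, "fp": fp, "fn": fn}


# Ground truth for the constructed samples.
SAMPLES = {"known_bad.bin": KNOWN_BAD, "variant.bin": VARIANT, "clean.exe": CLEAN}
LABELS = {"known_bad.bin": "bad", "variant.bin": "bad", "clean.exe": "good"}

if __name__ == "__main__":
    print(scan(SAMPLES, SIGNATURES))
    print(evaluate(SAMPLES, LABELS, SIGNATURES))
```

The clean file is never flagged (fp is 0), but the variant scores as a miss (fn is 1) until its own hash is added to the set.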
09-29-2011 06:53 AM - edited 09-29-2011 06:53 AM
Because it's a static scan test. Bitdefender, Avira and Kaspersky have better definitions than Norton. They cover more malware and they add definitions for new malware much faster than Norton.
Norton has other modules that offer more layers of defence, like SONAR and File Insight. These come into play in dynamic tests, and that is where Norton usually is at or near the top of the results.
09-29-2011 08:01 AM
Conversely, anyone can write a program that marks all domains and files as malware and achieves 100% detection. Not very useful. How about the possibility of a user removing a critical system file which was incorrectly marked as malware?
Do you consider that trivial?
Do tell me where I used the word trivial ....
09-29-2011 08:20 AM
There seem to be at least three different concepts of malware defense.
1. Recognize everything by signature
When it comes into the machine, get it out or stop it from running. This is heavy on the machine, because there are so many millions of definitions out there, increasing daily, that the definitions files are bigger than the O/S. It is fairly fast and accurate, but has to be updated constantly. There is no protection without the signature.
2. Everything is in the cloud
This is light on the system, fast, can have as many definitions as you want and heuristic detection is on the machine. It isn't much good if you can't reach the cloud, as mentioned by AV-comparatives.
3. This reduces the amount of definitions required and relies partially on the cloud, which is the way Symantec chose to go. There is reduced protection without the cloud, but if infected there is still some utility in the program. With the cloud, there is file recognition, heuristics, and a zillion signatures.
All antivirus programs work, to a large degree. All have strengths and weaknesses. We are suffering a crisis of faith over a difference between 95% effectiveness and 99% on a limited test. One thing to consider is that it was the false positives that lowered Symantec's rating on this test. No user is going to have all 57 items that threw FPs on the same machine, so the actual detection rate is higher. Avast free looks very, very good, but there are still Avast users on the malware removal forums getting assistance. Nothing is perfect.
09-29-2011 12:48 PM - edited 09-29-2011 12:49 PM
'Nothing is perfect' you said.
Exactly. And the others aren't perfect either...
09-29-2011 12:48 PM
There are still issues:
1. Regardless of whether an item will soon be added to the whitelist, it is still a false positive when it occurs.
2. How are other vendors able to have very few FPs?
3. Why is Norton having issues with FPs when for many years they had very few FPs?
09-29-2011 01:18 PM
Those FPs were reported to the vendor and should have been fixed by now.
However, there's another report regarding those FPs:
Here you can clearly see that Symantec's FPs are almost 99 percent cloud detection values...
09-29-2011 01:35 PM - edited 09-29-2011 01:36 PM
For what it's worth, I've only had about 4 false positives from Norton over the past 5 years. This is on a PC that has been used for more than "general use."
I was rather taken aback in that the FPs have gone up so much. But I agree that I would rather have the protection :) Honestly though, I seem to have the protection without the FPs?
You cannot expect Symantec to perform miracles though, just like you can't expect it from any other AV company. 59 FPs over what? Thousands of simulated samples and domains? I don't recall the figures, but I'm sure it's significantly more than any user would manage in "general use",
and that's the point: most users use their PCs for "general" things. Those of us who go beyond that know how to deal with FPs, and quite frankly should expect them :) Don't get me wrong, I would love nothing more than for Norton to be absolutely perfect, and I have no problem with constructive criticism. Also, I am not "siding" with anyone.
Just my 2 cents :)
09-29-2011 01:42 PM - edited 09-29-2011 01:52 PM
There are cloud based AVs that have little to no FPs.
FPs are based on a "clean set" of files. This is a different set of files than the malware set.