
If a mere name alone is enough to create a false positive and changing this is a living nightmare, why are you in the least bit surprised that customers and developers are livid at having to deal with or work around the closed and disparate world of AV?

Neither is it the least bit surprising that support personnel and developers consider the sheer number and consistency of false positives as "fear-mongering".

It would only take a further small step to then consider, what is the point of having AV at all in the first place since the best it can do is fill an increasingly small hole in prevention for ordinary user behaviour and a static role for precursor forensics (actual forensics would not need the service).

TL;DR. AV industry has a LOT to answer for, to the point where it maybe should not exist in its current form.



I think it can be justified. It's not common, it's known as being one of the more crude methods of detecting malware -- but hey -- we use what works and what fixes people's machines. That is why it is in use by some vendors today.

Here's an example:

Some companies block anything named 'svchost.exe' that isn't in system32. Create a txt doc and name it svchost.exe and drop it on your desktop and some antivirus software will detect and remove that item.

Why? Because there is no good reason for someone to have svchost.exe anywhere other than SYSTEM32 and also because svchost.exe is one of the top 10 most common names for malware. So, at risk of some FPs -- some companies have a rule that simply removes these if found anywhere else.
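The name-plus-location heuristic described in the comment above, written out as an added example (not code from the commenter or any AV vendor) so the false positive it produces is visible: a text file on the desktop named svchost.exe is flagged purely on its name, while the real binary in System32 is not. The allowlist also includes SysWOW64, the 32-bit copy on 64-bit Windows, which goes beyond what the comment names; the sample paths are constructed.

```python
import ntpath

# Directories where svchost.exe legitimately lives. The comment names System32;
# SysWOW64 (32-bit copy on 64-bit Windows) is added here as this example's own
# assumption, since a System32-only list would flag it as a false positive.
LEGITIMATE_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}


def normalize(path: str) -> str:
    """Canonicalise a Windows path so comparisons are not fooled by case,
    forward slashes or '..' segments (e.g. System32\\..\\Temp\\svchost.exe)."""
    return ntpath.normpath(path).lower()


def is_suspicious_svchost(path: str) -> bool:
    """True when the file is named svchost.exe but sits outside the allowlist.

    Only the name and directory are checked, exactly as the comment describes;
    contents and signature are ignored, which is why a renamed .txt triggers it.
    A bare relative path has an empty directory and is treated as out-of-place.
    """
    directory, name = ntpath.split(normalize(path))
    if name != "svchost.exe":
        return False
    return directory not in LEGITIMATE_DIRS


def scan(paths):
    """Return the subset of paths the heuristic would act on."""
    return [p for p in paths if is_suspicious_svchost(p)]


# Constructed sample input mixing legitimate, evasive and false-positive cases.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",          # legitimate
    r"C:\Windows\SysWOW64\svchost.exe",          # legitimate 32-bit copy
    r"C:\Users\alice\Desktop\svchost.exe",       # the comment's renamed .txt: flagged
    r"C:\Windows\System32\..\Temp\svchost.exe",  # '..' does not hide Temp: flagged
    r"C:\Windows\System32\SVCHOST.EXE",          # case differs only: legitimate
    r"C:\Users\alice\Desktop\svchost.exe.txt",   # different name: not flagged
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PATHS):
        print("out-of-place svchost.exe:", hit)
```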
