Thursday, September 09, 2004

On FPs and behavior blocking; another Malware Analysis opening

False positives (FPs) are a troublesome problem in the AV industry. Sometimes innocent products share enough behavioral characteristics with malware that we initially classify them as malware.

Mistakes like this affect your credibility and the credibility of your product, so fixing FPs is usually a very high priority. So it was interesting to see that earlier this week one of the top 3 AV vendors was having some trouble with a good-sized FP. It was something to do with ISP connection software. The detections were of course fixed quickly, but the goodwill lost with customers may not easily be repaired.

The rate of FPs is also the reason why behavior blocking (or, as it's known in the Homeland Security business, "profiling") has been so late in entering the market. Blocking someone's ISP software because it uses your modem to dial your ISP is forgivable if done by a human. After all, we all have deadlines and other pressures. If you are unable to connect to your ISP once every 2 weeks due to your computer security software, you are unlikely to be as forgiving.
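The dialer scenario above is the classic behavior-blocking trade-off: the same "uses the modem to dial out" behavior that characterizes a rogue premium-rate dialer is exactly what legitimate ISP connection software does. The following is an added example, not code from the original post or from any AV product. It implements a toy behavior scorer over constructed process profiles, measures its false-positive and false-negative counts against constructed ground truth, and then shows what a publisher allowlist does to both numbers. All rule names, weights, process names and publisher names are invented for illustration.

```python
"""Toy behavior-blocking scorer: generic behaviors vs. hard indicators.

Added example; every rule, weight, process profile and publisher below is
constructed for illustration and does not describe any real product.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class ProcessProfile:
    name: str
    publisher: Optional[str]   # signer of the binary, None if unsigned
    events: List[str]          # observed behaviors
    is_malware: bool           # ground truth, used only to measure FP/FN


# "Generic" behaviors are ones that legitimate software also exhibits;
# on their own they are weak evidence and only add up to a block in combination.
GENERIC_RULES = {"dial_modem": 3, "autostart_registry": 2, "hide_window": 2}

# "Hard" indicators are strong enough that no allowlist discounts them.
HARD_RULES = {"premium_number": 6, "overwrite_hosts_file": 6}

BLOCK_THRESHOLD = 5


def score(profile: ProcessProfile, trusted: FrozenSet[str] = frozenset()) -> int:
    """Sum rule weights; a trusted publisher zeroes the generic part only."""
    generic = sum(GENERIC_RULES.get(e, 0) for e in profile.events)
    hard = sum(HARD_RULES.get(e, 0) for e in profile.events)
    if profile.publisher in trusted:
        generic = 0
    return generic + hard


def verdict(profile: ProcessProfile, trusted: FrozenSet[str] = frozenset()) -> str:
    return "block" if score(profile, trusted) >= BLOCK_THRESHOLD else "allow"


def measure(samples: List[ProcessProfile],
            trusted: FrozenSet[str] = frozenset()) -> Tuple[int, int, List[str]]:
    """Return (false positives, false negatives, names blocked) for a sample set."""
    fp = fn = 0
    blocked = []
    for p in samples:
        if verdict(p, trusted) == "block":
            blocked.append(p.name)
            if not p.is_malware:
                fp += 1
        elif p.is_malware:
            fn += 1
    return fp, fn, blocked


# Constructed sample set (names and publishers are made up).
SAMPLES = [
    # Legitimate ISP dialer: dials the modem and starts at boot. Score 5 -> blocked.
    ProcessProfile("isp_connect.exe", "Example ISP Inc.",
                   ["dial_modem", "autostart_registry"], False),
    # Premium-rate dialer: hidden window plus a premium number. Score 11 -> blocked.
    ProcessProfile("dialer_xyz.exe", None,
                   ["dial_modem", "hide_window", "premium_number"], True),
    # Hosts-file hijacker. Score 8 -> blocked.
    ProcessProfile("hosts_hijack.exe", None,
                   ["hide_window", "overwrite_hosts_file"], True),
    # Harmless tray utility. Score 4 -> allowed.
    ProcessProfile("tray_clock.exe", None,
                   ["hide_window", "autostart_registry"], False),
    # Malware carrying a trusted publisher's signature (e.g. a misused certificate):
    # blocked by behavior alone, missed once that publisher is allowlisted.
    ProcessProfile("signed_dialer.exe", "Example ISP Inc.",
                   ["dial_modem", "hide_window", "autostart_registry"], True),
]

if __name__ == "__main__":
    print("no allowlist :", measure(SAMPLES))
    print("with allowlist:", measure(SAMPLES, frozenset({"Example ISP Inc."})))
```

Run as-is, the scorer blocks the ISP dialer (one FP, the situation the post describes). Allowlisting the ISP's publisher removes that FP, but the last sample shows the cost: any trust decision that discounts generic behaviors also creates a false-negative path for anything that manages to carry the trusted signature, so an allowlist has to be paired with hard indicators that are never discounted.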

Handling false positives usually requires human intervention. Speaking of which, there is an opening at McAfee:

Research Scientist
"Knowledge of various file formats and operating systems a plus, namely PE and ELF formats and Linux and MacOS operating systems."

ELF? ELF knowledge as a requirement for malware analysis seems to be getting more popular.

I'd think after PE, Mach-O knowledge would be more important given market share. Or even Symbian PE.
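Whichever format turns out to matter most, the first thing an analyst does with an unknown sample is work out which loader it targets, and that takes exactly the header knowledge the posting asks for. The following is an added example, not from the post or from McAfee: a minimal identifier that distinguishes PE, ELF and Mach-O by parsing the real header fields (the DOS stub's e_lfanew pointer and the "PE\0\0" signature, the ELF e_ident class and endianness bytes, the Mach-O magic values) rather than just the first two bytes. The sample headers it is tested against are constructed inline.

```python
"""Identify PE / ELF / Mach-O samples by header parsing.

Added example; the sample headers built by the helpers below are constructed
for illustration and are not real binaries.
"""
import struct

ELF_MAGIC = b"\x7fELF"

# Mach-O magic as it appears on disk. 0xfeedface/0xfeedfacf are stored in the
# target's byte order; the fat (universal) magic 0xcafebabe is always big-endian.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",  # also Java class magic
}


def identify(data: bytes) -> str:
    """Return a short description of the executable format, or 'unknown'."""
    # PE: DOS header 'MZ', e_lfanew at 0x3C points at the 'PE\0\0' signature,
    # which is followed by the COFF header whose first field is Machine.
    if data[:2] == b"MZ":
        if len(data) < 0x40:
            return "MZ executable (truncated DOS header)"
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 6:
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            return f"PE (machine 0x{machine:04x})"
        return "MZ executable without PE header (DOS or truncated)"

    # ELF: e_ident[4] is EI_CLASS (1 = 32-bit, 2 = 64-bit), e_ident[5] is
    # EI_DATA (1 = little-endian, 2 = big-endian); e_machine sits at 0x12.
    if data[:4] == ELF_MAGIC:
        if len(data) < 0x14:
            return "ELF (truncated header)"
        bits = {1: "32", 2: "64"}.get(data[4], "?")
        endian = "<" if data[5] == 1 else ">"
        e_machine = struct.unpack_from(endian + "H", data, 0x12)[0]
        return f"ELF {bits}-bit (e_machine 0x{e_machine:04x})"

    if data[:4] in MACHO_MAGICS:
        return MACHO_MAGICS[data[:4]]

    return "unknown"


# --- constructed sample headers (not real files) ---

def build_pe_sample(machine: int = 0x014C, e_lfanew: int = 0x40) -> bytes:
    """Minimal 'MZ' stub whose e_lfanew points at a 'PE\0\0' + Machine field."""
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<H", machine)
    return bytes(hdr)


def build_elf_sample(ei_class: int = 2, ei_data: int = 1, e_machine: int = 0x3E) -> bytes:
    """16-byte e_ident followed by e_type and e_machine (default: ELF64 LE x86-64)."""
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\0" * 8
    endian = "<" if ei_data == 1 else ">"
    return e_ident + struct.pack(endian + "HH", 2, e_machine)


if __name__ == "__main__":
    for blob in (build_pe_sample(), build_elf_sample(),
                 b"\xce\xfa\xed\xfe" + b"\0" * 12, b"MZ" + b"\0" * 100, b"hello"):
        print(identify(blob))
```

The point of following e_lfanew rather than stopping at "MZ" is that a DOS-only program and a truncated or deliberately malformed PE both start with the same two bytes; the ELF branch likewise reads the endianness byte before decoding e_machine, which is what separates a PowerPC object from an x86 one.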
