Security Response: A False Positive Prevention Framework for Non-Heuristic Anti-Virus Signatures
Author
Abstract
False positives, the erroneous detection of clean files, have been referred to as the Achilles heel of the anti-virus industry. Some believe that the problem false positives represent is growing. This belief is likely underpinned by the growth in anti-virus signatures, driven by the exponential growth in malicious code over the past two years, and the corresponding impact this invariably has on false positives. False positives can have a serious impact on users (system downtime, data loss) and on the anti-virus vendor responsible (damage to brand). This research attempts to identify the root cause of false positives from non-heuristic anti-virus signatures. Non-heuristic signatures are characterised as being reactive, written in response to a known threat; they are also referred to as fingerprints or pattern files. Non-heuristic technology has been the most pervasive technology used by anti-virus vendors since the industry's inception over 20 years ago. Using the available literature and root-cause data from a secondary data source at Symantec, together with qualitative data from interviews, the research develops a framework for preventing false positives from non-heuristic signatures. A case study was used to investigate and collect data; the context of this study is specific to Symantec. To determine the root causes, data is drawn from a key system at Symantec called the False Positive Logging System (FPLS). Other qualitative data is solicited through semi-structured interviews with domain experts within Symantec's Security Technology and Response (STAR) organisation. This study shows that legacy solutions to false positives at Symantec were traditionally aimed at the 'detection' of false positives. Solutions based around the 'prevention' of false positives are more efficient, however, because they trigger far earlier in the signature generation lifecycle.
Most importantly, defect prevention directly targets the leading cause of false positives as identified by this study. A defect prevention approach is also supported by previous work and standards such as the Defect Prevention Process (DPP) and the Capability Maturity Model Integration (CMMI). In essence, the research proposes structural change to the signature generation processes at Symantec.
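The abstract's core claim is that a false positive is cheapest to stop before the signature ships, not after customers report it. The following is an added illustration of what such a prevention gate looks like for a non-heuristic (byte-pattern) signature; it is not code from the Symantec paper, and it does not reproduce the FPLS system or Symantec's actual signature pipeline. The "??" wildcard notation, the minimum-fixed-bytes threshold, and all malware and clean-file samples are constructed assumptions for the example.

```python
"""Added illustration (not code from the Symantec paper or its FPLS system):
a release gate that screens a candidate non-heuristic signature against known
malware samples and a known-clean corpus before it is published, so a false
positive is prevented rather than detected after the signature ships."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

# A pattern-file style signature: a byte sequence in which None is a one-byte
# wildcard (written "??" in the hex notation parsed below). Assumed notation.
Signature = Sequence[Optional[int]]


def parse_signature(hex_pattern: str) -> List[Optional[int]]:
    """Turn '68 EF ?? D0' into [0x68, 0xEF, None, 0xD0]."""
    return [None if tok == "??" else int(tok, 16) for tok in hex_pattern.split()]


def signature_matches(sig: Signature, data: bytes) -> bool:
    """True if the pattern occurs at any offset of data (wildcards match any byte)."""
    n = len(sig)
    if n == 0 or n > len(data):
        return False
    for off in range(len(data) - n + 1):
        if all(s is None or s == data[off + j] for j, s in enumerate(sig)):
            return True
    return False


@dataclass
class GateResult:
    accepted: bool
    coverage: float                  # fraction of known malware samples matched
    clean_hits: List[str] = field(default_factory=list)  # clean files that would be flagged
    reason: str = ""


MIN_FIXED_BYTES = 8  # assumed policy threshold for this example, not a Symantec figure


def gate_signature(hex_pattern: str, malware: Dict[str, bytes],
                   clean: Dict[str, bytes]) -> GateResult:
    """Accept a candidate only if it hits every known sample, no clean file,
    and carries enough fixed bytes to be specific. Checked in that order, so
    the reason reported is the most serious defect found."""
    sig = parse_signature(hex_pattern)
    matched = [name for name, blob in malware.items() if signature_matches(sig, blob)]
    coverage = len(matched) / len(malware) if malware else 0.0
    clean_hits = [name for name, blob in clean.items() if signature_matches(sig, blob)]
    fixed = sum(1 for s in sig if s is not None)
    if clean_hits:
        return GateResult(False, coverage, clean_hits,
                          "would false-positive on clean files: " + ", ".join(clean_hits))
    if coverage < 1.0:
        return GateResult(False, coverage, clean_hits,
                          f"misses {len(malware) - len(matched)} known sample(s)")
    if fixed < MIN_FIXED_BYTES:
        return GateResult(False, coverage, clean_hits,
                          f"only {fixed} fixed bytes, too generic to publish")
    return GateResult(True, coverage, clean_hits, "accepted")


# --- constructed sample data (not real files) ---------------------------------
# A common x86 function prologue: push ebp; mov ebp, esp; sub esp, ...
PROLOGUE = bytes.fromhex("558bec83ec")


def _family_body(variant: int) -> bytes:
    # push 0xdeadbeef; push 0x40; mov eax, <variant>; call eax
    return bytes.fromhex("68efbeadde6a40b8") + bytes([variant, 0, 0, 0]) + bytes.fromhex("ffd0")


MALWARE: Dict[str, bytes] = {
    "sample1.exe": PROLOGUE + b"\x90" * 3 + _family_body(0x11) + b"A" * 16,
    "sample2.exe": PROLOGUE + b"\x90" * 5 + _family_body(0x22) + b"B" * 16,
    "sample3.exe": b"\x00" * 8 + PROLOGUE + _family_body(0x33),
}
CLEAN: Dict[str, bytes] = {
    "notepad.exe": PROLOGUE + bytes.fromhex("8b450c50e8") + b"C" * 20,
    "libfoo.dll": b"MZ" + PROLOGUE + b"D" * 30,
    "readme.txt": b"just a text file\n",
}

CANDIDATES = {
    "generic":  "55 8B EC 83 EC",                              # shared prologue only
    "overfit":  "68 EF BE AD DE 6A 40 B8 11 00 00 00 FF D0",   # pinned to one variant
    "short":    "FF D0",                                       # call eax, too little context
    "specific": "68 EF BE AD DE 6A 40 B8 ?? 00 00 00 FF D0",   # wildcard over variant byte
}


def audit(candidates: Dict[str, str]) -> Dict[str, GateResult]:
    """Run every candidate through the gate; only 'specific' should pass."""
    return {name: gate_signature(pat, MALWARE, CLEAN) for name, pat in candidates.items()}


if __name__ == "__main__":
    for name, result in audit(CANDIDATES).items():
        status = "ACCEPT" if result.accepted else "REJECT"
        print(f"{status:6} {name:9} coverage={result.coverage:.2f}  {result.reason}")
```

The "generic" candidate is the case the paper is about: it detects every sample in the family, so a coverage-only check would pass it, yet it also matches the prologue shared by ordinary clean binaries. Screening against a clean corpus at generation time rejects it before release; in a real pipeline the corpus would be large and the gate would be one step in the signature QA process, not the whole of it.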
Similar sources
Risk of Hepatitis C Virus transmission Following Upper Gastrointestinal Endoscopy
Background: Hepatitis C virus infection (HCV) is a main health problem in our country. It is thought that the transmission of hepatitis C virus (HCV) through the endoscopic procedures is a rare event. The aim of this study was to evaluate the risk of conventional disinfection in the transmission of HCV. Materials and methods: A prospective study, comprising 456 consecutive upper gastrointestin...
Full text
Automatic Extraction of Computer Virus
One way that anti-virus programs identify the presence of a virus in an executable file, a boot record, or memory is by using short identifiers called signatures, which consist of sequences of bytes in the machine code of the virus. A good signature is one that is found in every object infected by the virus, but is unlikely to be found if the virus is not present; i.e. the likelihood of both false...
Full text
Toward an Evidence-based Design for Reactive Security Policies and Mechanisms
As malware, exploits, and cyber-attacks advance over time, so do the mitigation techniques available to the user. However, while attackers often abandon one form of exploitation in favor of a more lucrative one, mitigation techniques are rarely abandoned. Mitigations are rarely retired or disabled since proving they have outlived their usefulness is often impossible. As a result, performance ...
Full text
Trapping and Tracking Hackers: Collective security for survival in the Internet age
Problems arise because these tools are too often expected to provide broader coverage than their designs permit. The limitations of "prevention" tools are that (1) there is typically a large gap in time between the identification of the vulnerability and the availability of the solution, and (2) partial and faulty deployment resulting in gaps in coverage. Tools for response to individual attack...
Full text
An Architecture for Generating Semantic Aware Signatures
Identifying new intrusion exploits and developing effective detection signatures for them is essential for protecting computer networks. We present Nemean, a system for automatic generation of intrusion signatures from honeynet packet traces. Our architecture is distinguished by its emphasis on a modular design framework that encourages independent development and modification of system compone...
Full text