17 October 23, 14:54
Quote: Full Report
Introduction
This report is an appendix to the Malware Protection Test September 2023 listing details about the discovered False Alarms.
In AV testing, it is important to measure not only detection capabilities but also reliability. One aspect of reliability is the ability to recognize clean files as such, and not to produce false alarms (false positives). No product is immune from false positives (FPs), but some produce more than others. False Positives Tests measure which programs do best in this respect, i.e. distinguish clean files from malicious files, despite their context. There is no complete collection of all legitimate files that exist, and so no “ultimate” test of FPs can be done. What can be done, and is reasonable, is to create and use a set of clean files which is independently collected. If, when using such a set, one product has e.g. 15 FPs and another only 2, it is likely that the first product is more prone to FPs than the other. It doesn’t mean the product with 2 FPs doesn’t have more than 2 FPs globally, but it is the relative number that is important.
Tested Products
- Avast Free Antivirus 23.8
- AVG Free AntiVirus 23.8
- Avira Prime 1.1
- Bitdefender Internet Security 27.0
- ESET Internet Security 16.2
- F-Secure Internet Security 19.1
- G Data Total Security 25.5
- K7 Total Security 17.0
- Kaspersky Standard 21.14
- McAfee Total Protection 1.11
- Microsoft Defender Antivirus 4.18
- Norton Antivirus Plus 22.23
- Panda Free Antivirus 22.0
- Total Defense Essential Antivirus 14.0
- TotalAV Antivirus Pro 5.23
- Trend Micro Internet Security 17.7
Test Procedure
In order to give more information to the user about the false alarms, we try to rate the prevalence of the false alarms. Files which were digitally signed are considered more important. Due to that, a file with the lowest prevalence level (Level 1) and a valid digital signature is upgraded to the next level (e.g. prevalence “Level 2”). Extinct files which according to several telemetry sources had zero prevalence have been provided to the vendors in order to fix them, but have also been removed from the set and were not counted as false alarms.
...