Friendly fire: how security software messes up

By Julie Matviyuk

Elevator Pitch

Have you ever wondered why, in the era of Deep Learning and hover-boards*, security software can still mess up? Why is it so challenging to distinguish clean files from malware? Here are 10 simple tips to make sure your software won’t be blasted off customers’ machines. *(they don’t really hover)


For the past 10 years, I have been hunting down, analyzing and preventing False Positives from Symantec’s Security Stack. In this presentation I would like to demonstrate caveats of typical AV techniques. These techniques struggle with: legitimate packed/obfuscated files (for protecting intellectual property), ambiguous behavior (secure lockers for mobile devices, network proxies), unreasonable deployment techniques, and bad reputation caused by bundled applications.

Through examples and analogies with offline security concepts, I will explain why security software can still mess up.

I will make recommendations as to how a startup or software company can reduce the risk of having their product treated as suspicious by security software.


This talk is aimed at the software industry, not the security industry. It involves an informal pop quiz: going through notable FPs from the past and asking the audience in each case whether they should “block” or “allow” the behavior. E.g:

  • Always-on process that monitors disk IO and sends written data to a remote server (spyware / cloud backup solution). Compare with team of movers or robbers loading your house contents onto a truck!
  • Android app that tracks the location of the mobile device, remotely locks it, and prevents a factory reset unless a passcode is provided (ransomware / theft protection).
  • Process that redirects all your network traffic through a 3rd party server (spyware / proxy).
  • Process that has the ability to kill and delete any installed software without UI or confirmation (anti-AV component / buggy uninstaller).
  • Process that maps the network, recovers license keys, etc. (Hacktools, Remote access tools). Compare with gun permits and driving license: you need to be allowed to use this capability.

The takeaway of the talk is that False Positive-proneness in legitimate software can be mitigated by the following preventative measures:

  1. Digitally sign the binaries.
  2. Avoid polymorphic packers.
  3. Have a clear EULA and clear front-end with no ambiguous wording.
  4. Be conservative in requesting Android permissions and using stealth or persistence techniques. Have a visible presence on the endpoint.
  5. Proactively submit to available whitelisting programs such as IEEE’s Clean Metadata Exchange.
  6. For commercial software, make your software available publicly on trustworthy sites, such as official app stores. Avoid dubious affiliate programs.
  7. Follow best practices
  8. Get certified.
  9. Write secure code.
  10. Monitor multiscanning platforms like Virus Total and Herdprotect, and react to false positives through dedicated programs.