There are plenty of great antivirus products out there, but sometimes they miss the mark. Seeing how much malware a security program catches is one way to evaluate it, but so is recording its number of false positives. A false positive is when antivirus mistakenly reports a safe and legitimate program as dangerous malware. That’s annoying for users trying to access trusted programs but even worse for the creators of the unfairly demonized software. The Institute of Electrical and Electronics Engineers (IEEE) wants to put a stop to this, and PCMag’s resident security ascetic Neil Rubenking has brought us the details of its plans.
False positives are often the result of antivirus software encountering a safe program that is too new to recognize. IEEE’s solution hinges on the Clean File Metadata Exchange (CMX) service. With CMX, software authors can submit metadata for new files, such as new programs or updates to existing programs, before they are even released. Security vendors could then access this data in real time to stay current with the latest legitimate files and prevent their programs from flagging them as malware. CMX is not a database, though. It holds onto data for a week or two as it validates and delivers it to subscribers. Anyone checking in less frequently and looking for older data will have to pull an archive.
“The system from our side is more geared toward big software houses,” said Professor Igor Muttik, Senior Principal Research Architect at McAfee, in an interview with Rubenking. Vendors can submit if they have a Class 3 Digital Signature. “If they wish to build reputation, now they have a way of doing it.” Initially, Microsoft was the only big company committed to CMX. But as the service continues to court partners it now contains millions of EXE records from groups like major security companies, PC OEMs, and even Steam.
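To make the workflow described above concrete, here is a small model of a CMX-style clean-file feed, written for this article and not taken from IEEE, McAfee or PCMag: trusted publishers submit a hash of a build before release, the live feed keeps records for the "week or two" retention window before moving them to an archive, and a scanner consults the feed before turning a heuristic hit into a detection. The `trusted_signers` check stands in for the Class 3 signature requirement, and the sample publisher names, bytes and dates are constructed.

```python
"""Toy model of a CMX-style clean-file metadata feed (illustration only, not IEEE's CMX code)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(days=14)      # the article says records are held "a week or two"
EPOCH = datetime(2014, 1, 1)        # constructed reference date for the examples


def days(n: int) -> datetime:
    """Constructed timestamp helper: n days after EPOCH."""
    return EPOCH + timedelta(days=n)


@dataclass
class CleanRecord:
    sha256: str
    publisher: str
    submitted: datetime


@dataclass
class CleanFileFeed:
    trusted_signers: set                        # stand-in for "holds a Class 3 signature"
    live: list = field(default_factory=list)    # records still inside the retention window
    archive: list = field(default_factory=list)  # older records, fetched only on request

    def submit(self, data: bytes, publisher: str, now: datetime) -> bool:
        """Publisher pre-registers a build; rejected unless the signer is trusted."""
        if publisher not in self.trusted_signers:
            return False
        self.live.append(CleanRecord(hashlib.sha256(data).hexdigest(), publisher, now))
        return True

    def expire(self, now: datetime) -> None:
        """Move records older than RETENTION out of the live feed into the archive."""
        keep = [r for r in self.live if now - r.submitted <= RETENTION]
        self.archive += [r for r in self.live if now - r.submitted > RETENTION]
        self.live = keep

    def lookup(self, sha256: str, include_archive: bool = False):
        pool = self.live + (self.archive if include_archive else [])
        return next((r for r in pool if r.sha256 == sha256), None)


def should_flag(feed: CleanFileFeed, data: bytes, heuristic_hit: bool,
                now: datetime, include_archive: bool = False) -> bool:
    """Scanner side: a heuristic hit is suppressed when the file is known clean."""
    feed.expire(now)
    if not heuristic_hit:
        return False
    return feed.lookup(hashlib.sha256(data).hexdigest(), include_archive) is None
```

A subscriber that polls less often than the retention window has to ask for the archive as well, which is the `include_archive` path in `should_flag`.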
That doesn’t mean smaller third parties are out of luck. Mark Kennedy, Distinguished Engineer of Security Technology and Response at Symantec, explained how a company like Symantec could endorse software it thinks is clean. Consumers then see that opinion and choose to trust it or not. CMX also uses Software Identification (SWID) tags to add more information to the service. The US government requires any software it uses to feature SWID tags, giving CMX even more data to draw from as a bonus.
CMX is part of the larger Anti-Malware Support Service (AMSS) initiative. Another component, the malware packer-identifying Taggant System, was proposed by Kennedy and Muttik five years ago at the Black Hat conference. Some criticize these collaborations as anticompetitive, but James Wendorf, Director of Cross-Industry and Multiple-Stakeholder Collaborations at the IEEE, sees it a different way.
“Standards are about bringing together interested parties, often competitors, to combat problems. The bad guys collaborate and share, so we need a way for the good guys to collaborate as they can,” said Wendorf. “Without being anticompetitive, we don’t want those problems. It matches IEEE’s overall goals and purpose, which is to advance technology for the benefit of humanity.”
This article on PCMag.com.