Home / Blogs

The Antivirus Uncertainty Principle

Gunter Ollmann

The antivirus industry has been trying to deal with false positive detection issues for a long, long time — and it's not going to be fixed anytime soon. To better understand why, the physicist in me draws an analogy with Heisenberg's Uncertainty Principle — where, in its simplest distillation, the better you know where an atom is, the less likely you'll know it's momentum (and vice versa) — aka the "observer effect”. In the malware detection world, the more positive you are that something is malware, the less likely you'll catch other malware. And the reverse of that, the better you are at detecting a spectrum of malware, the less positive you will be that it is malware.

If that particular geek-flash doesn't make sense to you, let me offer you this alternative insight then. The highest fidelity malware detection system is going to be signature based. The more exacting the signature (which optimally would be a unique hash value for a particular file), the greater the precision in detecting a particular malicious file — however, the precision of the signature means that other malicious files that don't meet the exacting rule of the signature will slip by. On the other hand, a set of behaviors that together could label a binary file as malicious is less exacting, but able to detect a broader spectrum of malware. The price for that flexibility and increased capability of detecting bad stuff comes at the cost of an increased probability of false positive detections.

In physics there's a variable — ?, the reduced Planck constant — that acts a bit like the fulcrum of a teeter-totter ("seesaw" for the non-American rest-of-the-world); it's also a fundamental constant of our universe — like the speed of light. In the antivirus world of Uncertainty Principles the fulcrum isn't a universal constant, instead you could probably argue that it's a function of cash. The more money you throw at the uncertainty problem, the more gravity-defying the teeter-totter would appear to become.

That may all sound a little discomforting. Yes, the more capable your antivirus detection technologies are in detecting malware, the more frequently false positives will crop up. But you should also bear in mind that, in general, the overall percentage of false positives tends to go down (if everyone is doing things properly). What does that mean in reality? If you're rarely encountering false positives with your existing antivirus defenses, you're almost certainly missing a whole lot of maliciousness. It would be nice to say that if you're getting a whole lot of false positives you must, by corollary, be detecting (and stopping) a shed-load of malware — but I don't think that's always the case; it may be because you're just doing it wrong. Or, as the French would say — C'est la vie.

By Gunter Ollmann, Chief Security Officer at Vectra

Related topics: Malware, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum

Encrypting Inbound and Outbound Email Connections with PowerMTA

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

The Framework for Resilient Cybersecurity (Webinar)

2015 Trends: Multi-channel, Streaming Media and the Growth of Fraud

Data Volumes and Network Stress to Be Top IoT Concerns

Sponsored Topics

Afilias - Mobile & Web Services


Sponsored by
Afilias - Mobile & Web Services


Sponsored by

DNS Security

Sponsored by


Sponsored by