Symantec goes to great lengths to prevent false positives from occurring. Undoubtedly, false positives (FPs) are a concern for all vendors across the antivirus industry. However, with as large a user base as Symantec has, we need to set the bar very high. Symantec’s content is used on over 120 million devices around the world, so any software defect such as a false positive has a much higher chance of being exposed than with a smaller user base. Given the importance of false positives, our quality assurance team is at the forefront of efforts to prevent them.

With this in mind, we’d like to make available recently completed research in this area. The research is entitled ‘A False Positive Prevention Framework for Non-Heuristic Anti-Virus Signatures’ and is in the form of a case study (based on Symantec). That sounds like a mouthful, so let’s break it down! The goal of the research was to develop a high-level conceptual structure to help us address the problem posed by false positives... so hopefully this provides a brief explanation for the ‘false positive prevention framework’ bit. The focus on ‘non-heuristic anti-virus signatures’ allowed us to home in on a given technology that causes false positives. Non-heuristic technology is the source of more false positives than any other anti-virus technology. It is also the most common and the most standardised technology across the antivirus industry.

Before addressing a problem, it is important to know something about it. So the research began by assessing the root causes of false positives today and in the past. Next, it was decided to look at whether all false positives are the same. For example, do all false positives have the same impact on customers? Do they cost Symantec the same? The most relevant literature and prior research were then consulted. Finally, interviews were held with a number of domain experts at Symantec.

So what were the key things we learnt about the problem?
Here are a few of them: