AdAware users please update!
News article

False positives (invalid detections of clean files) seem to have increased in the whole malware sector over the past months. Worse, there are more and more cases where files of competing products are detected. I have numbers only for our own software being misinterpreted as malware, but those are bad enough: two years ago, it started with Pest Patrol detecting our files cd_clint.dll and zipdll.dll. NetCop detected our Spybots.sbi, Trend Micro PC-Cillin our SDHelper.dll, PandaSoft our immunization (they were very eager to solve the problem immediately), and McAfee AntiSpyware our English.sbl.

The newest case is LavaSoft, whose AdAware detected our main application file, SpybotSD.exe, as malware belonging to 180solutions. Our detectives confirmed to me that no mistake should be possible, as in file names, sizes, etc., 180solutions, up to its newest versions, is fundamentally different.

Usually, we try to solve these FPs within a day, because they harm our customers and create a bad reputation for both the offending and the harmed product, and usually it's easy to get into contact with someone responsible. With LavaSoft, though, that was impossible: they reacted neither to our contact attempts nor even to those of an attorney (update: not even within a week).

From what we found out later, they have fixed this by now (according to the LavaSoft forums, in update SE1R32 10.03.2005, though their update announcement does not confirm this). Still, to those who deleted Spybot-S&D because AdAware misinterpreted it as malware, we can assure you that we are associated in no way at all with 180solutions, and you can re-install Spybot-S&D.

Please allow me a few more comments:

Many users have asked if we use such sophisticated methods as AdAware does; CSI (Code Sequence Identification), they call it. Obviously, TLAs (Three Letter Acronyms) never fail to impress users. We could invent a dozen similar TLAs to impress you, but prefer not to boast with marketing terms (of course, if users prefer, we could label each Advanced check library update with similar brands). Anyway, the best detection techniques won't do any good if the detectives feeding the database feed it the wrong stuff.

Which leads me to a second point: we think that all these false positives on good products confirm our strategy of four-way testing of updates. Each of our updates is first tested by the detective adding it, later by our internal testing team, followed by an internal test by Team Spybot, and in a fourth stage by a public beta test. This may result in longer delays between updates, but at least our updates don't confuse our users by misinterpreting other software that is designed to protect them as malware. And the customer should still be king, served with quality.