False alarm testing is interesting too; detailed breakdown at:
False Alarm Test March 2020 | AV-Comparatives
Personally, I think almost every product here did well against false alarms. It is not stated how many total samples there were, so we don't know what the rate is. But that aside, here are some things I noticed:
- Almost no false alarms are on digitally signed packages (highlighted in orange in their table above), and honestly most legitimate software in circulation these days is digitally signed. Windows already makes you jump through so many hoops when installing digitally signed software.
- Some of the false positives are in other AV engine installation packages -- this seems more excusable, in that seeing another AV engine or signature DB might trigger a false positive.
- Some of the false positive samples are controversial at best -- for example, WildTangent has frequently been considered adware/PUA over its lifespan. Maybe it's better now, but I honestly would not be mad if my AV flagged WildTangent... Also, NortonLifeLock flagged TeamViewer as a trojan. TeamViewer does seem to be used as a RAT backdoor quite often, so perhaps this is an intentional choice on the vendor side.
- The vast majority of the detections are on unsigned packages/installers, which tend to exhibit suspicious behaviors -- they unpack files, they install things to various places on the system, etc.
- Some of the prevalences seem questionable at best. For example, "Microsoft Encarta Package" had the 2nd highest prevalence, which means "probably several tens of thousands of users". The last version of Microsoft Encarta was 2008. Maybe tens of thousands of users is correct, but I find it hard to believe that this is common.
Overall I dislike this test. When the bulk of the hits are unsigned installer packages, this isn't the kind of false alarm that keeps me up at night. My worst nightmare is that one day my AV updates its hourly signatures and then suddenly decides a Windows system file or a Microsoft Office library is malware, automatically removes it, and renders my machine unbootable. Is this test saying "that won't happen"? Or simply that they didn't include that in their testing library?
I'd encourage going through that whole list of false positives and seeing how many of those pieces of software you've heard of, or know of someone who uses. It's not a ton.