Hello, welcome to the Thursday, December 8th, 2016 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

False positives in antivirus systems is sort of an ongoing issue that doesn't seem to be going away.

Now, some software vendors are taking the

step of publishing antivirus exclusion lists where they essentially tell you how to configure

your antivirus in order to minimize the risk of false positive disrupting their software.

This usually includes that you should exclude from your antivirus certain directories,

certain file types, and the like.

And apparently the bad guys are listening as well, and they're reading these exclusion lists,

and in some cases in particular, in targeted attacks attacks are tailoring their malware to match patterns that this particular software vendor, and there's more than one doing it, recommended to exclude.

The sad part, of course, is that there isn't a simple rule that you could follow how to apply these exclusion lists securely

or whether or not to apply them at all. If you do not follow the software vendor's advice

and you leave your antivirus wide open, then of course you are at risk of running into a false

positive which may disrupt and even render unusable that

particular piece of software. And then, of course, if you do follow that vendor's advice,

then, well, you leave the door open for malicious software. Now, of course, it doesn't always have

to be all that terribly targeted. One of the

examples list in the article is Citrix, which publishes a quite extensive exclusion list. Well,

most large enterprises use Citrix in some capacity, so it would be a pretty safe bet to assume

that that particular guidance is implemented.

And Google released the monthly update for Android.

...