Sunday, May 9, 2010

How Wecorl trapped security giant McAfee

The recent false detection and deletion of svchost.exe (Windows XP SP3) by McAfee shocked everyone who uses McAfee antivirus. This article tries to reveal the dark side of this incident. False positives are a big headache for AV companies; even the antivirus titans have this problem. The number of unique malware samples is doubling every year, and AV companies receive thousands of samples every day from various sources. In reality, a malware analyst can analyze only tens of samples per day.

Employing and paying enough malware analysts to analyze thousands of samples every day is not something AV companies can even imagine. But scoring more than 90% detection in the many AV tests is not possible with very few analysts either. So many of them end up using a heuristic tool that scans each sample with the major antivirus engines and, based on the other engines' detections, directly adds a detection pattern (e.g. a CRC) for that sample without a malware analyst ever checking it.

W32/Wecorl is a file-patching worm that patches svchost.exe (other variants infect iexplore.exe, winlogon.exe, etc.) and spreads to other machines by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.

The thing to consider here is that all the AVs detect Wecorl as a worm. Wecorl's patch is not identical on every machine: it varies depending on the cavity (run of zero bytes) available in the file it is patching. But the call into the infected code lies near the entry point. So the detection pattern McAfee added for Wecorl was a very poor one in this case.
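To make the point concrete, here is an added toy simulation (my own illustration, not McAfee's DAT logic or Wecorl's real code): a constructed "host file" with a zero-byte cavity, an `infect` routine that fills the cavity and hooks the entry stub, and an auto-generated CRC signature that is then vetted against the clean file. The host layout, payload bytes and window offsets are all constructed assumptions.

```python
import zlib

# Constructed toy "host file" (not a real PE): header padding, an 8-byte entry
# stub, code bytes, a 64-byte cavity of zeros, and a tail.
ENTRY_OFFSET = 16
CLEAN_HOST = (b"MZ" + b"\x90" * 14
              + b"\x55\x8b\xec\x90\x90\x90\x90\x90"
              + b"A" * 40 + b"\x00" * 64 + b"Z" * 24)
PAYLOAD = b"\xcc" * 16  # constructed stand-in for the worm body

def infect(host: bytes, payload: bytes) -> bytes:
    """Mimic the file-patching behaviour the post describes: copy the payload
    into the first zero-byte cavity that fits and hook the entry stub with a
    rel32 call to it. Where the payload lands depends on the host's cavity."""
    cavity = host.find(b"\x00" * len(payload))
    if cavity == -1:
        raise ValueError("no cavity large enough")
    buf = bytearray(host)
    buf[cavity:cavity + len(payload)] = payload
    rel = cavity - (ENTRY_OFFSET + 5)
    buf[ENTRY_OFFSET:ENTRY_OFFSET + 5] = b"\xe8" + rel.to_bytes(4, "little", signed=True)
    return bytes(buf)

def crc_signature(sample: bytes, offset: int, length: int) -> tuple:
    """Auto-generated pattern: CRC32 of a fixed window of the sample, the kind
    of detection a tool adds from another vendor's verdict without review."""
    return (offset, length, zlib.crc32(sample[offset:offset + length]))

def matches(sig: tuple, data: bytes) -> bool:
    offset, length, crc = sig
    return zlib.crc32(data[offset:offset + length]) == crc

def vet_signature(sig: tuple, clean_corpus) -> bool:
    """The missing QA step: a candidate pattern that hits any known-clean
    file (here, the unpatched system binary) must be rejected."""
    return not any(matches(sig, clean) for clean in clean_corpus)

INFECTED = infect(CLEAN_HOST, PAYLOAD)
# Window taken from bytes the worm never touches: matches the infected file
# but also the clean host, i.e. a false positive waiting to ship.
BAD_SIG = crc_signature(INFECTED, 0, 16)
# Window over the patched call at the entry point: the clean host differs.
GOOD_SIG = crc_signature(INFECTED, ENTRY_OFFSET, 5)

if __name__ == "__main__":
    for name, sig in (("header-window", BAD_SIG), ("entry-hook", GOOD_SIG)):
        print(name, "detects infected:", matches(sig, INFECTED),
              "| passes clean-file check:", vet_signature(sig, [CLEAN_HOST]))
```

The header-window pattern detects the infected sample yet fails the clean-file check, which is exactly the mistake a review step against known-good system binaries would catch before a DAT ships.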

To avoid this kind of incident, every AV vendor should stop adding detection patterns for malware based on other AVs' detections. They should strengthen their research labs. At the very least, analyzing every sample they receive in a sandbox would help them avoid incidents like this one.

Finally, I want to point to the article by Magnus, "On the way to better testing", on viruslist.com, which is a good article on testing. But this article has been criticized by most of the AV vendors.