Although robust and ever-improving, security products routinely misclassify secure files as insecure. These false positives can be costly and frustrating to both security vendors and their customers, who may be blocked or otherwise impeded from accessing their misclassified files. In many cases, security vendors rely on file-indexed customer reports to identify false positives. For example, a customer may send a report to a security vendor with the binary of a specific file that the security product has incorrectly classified as insecure. Upon receiving and verifying the false positive report, the security vendor may attempt to prevent the file from being misclassified in the future by calculating and whitelisting a hash of the file.
Unfortunately, file-indexed whitelists often fail to prevent whitelisted files from being misclassified if any modification is made to a whitelisted file (e.g., if a new version of the file is created or if the file is changed to a different language) since such modifications change the file's hash. This may in turn cause the security product to classify the modified file as malicious, resulting in what may be perceived by the customer as a recurrence of the false positive that the customer previously identified. The perceived recurrence of false positives may lead to frustration on the part of the customer and/or vendor, and may necessitate another round of false positive reporting, damaging the security vendor's reputation. Accordingly, the instant disclosure identifies a need for improved systems and methods for detecting false positives.
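The recurrence described above can be reproduced with a small simulation, added here as an illustration and not taken from the disclosure. The `Scanner` class, the `build` helper, the over-matching byte pattern and the three sample binaries are all constructed assumptions; SHA-256 stands in for whatever hash a vendor actually uses.

```python
import hashlib

# Constructed stand-in for a heuristic that over-matches: any file containing
# this byte pattern is flagged, whether or not it is actually harmful.
OVERBROAD_PATTERN = b"SELF_UPDATE_STUB"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Scanner:
    """Hypothetical product: heuristic detection plus a file-indexed whitelist."""

    def __init__(self):
        self.whitelist = set()  # one hash per binary received in a report

    def process_fp_report(self, reported_binary: bytes) -> str:
        # Vendor side: after verifying the report, whitelist the file's hash.
        digest = sha256_hex(reported_binary)
        self.whitelist.add(digest)
        return digest

    def classify(self, data: bytes) -> str:
        if sha256_hex(data) in self.whitelist:
            return "secure"
        return "insecure" if OVERBROAD_PATTERN in data else "secure"


def build(version: str, ui_text: str) -> bytes:
    # Constructed sample "binary": same code, differing only in metadata.
    return OVERBROAD_PATTERN + f"|version={version}|ui={ui_text}".encode("utf-8")


def run_scenario() -> dict:
    scanner = Scanner()
    reported = build("1.0", "Open file")
    new_version = build("1.1", "Open file")       # a new version of the file
    translated = build("1.0", "Datei \u00f6ffnen")  # same file, other language
    before = scanner.classify(reported)
    scanner.process_fp_report(reported)
    return {
        "reported file, before report": before,
        "reported file, after report": scanner.classify(reported),
        "new version": scanner.classify(new_version),
        "translated build": scanner.classify(translated),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

Only the exact binary from the report is suppressed; the new version and the translated build hash differently and are flagged again, which is the recurrence the customer perceives.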