Testing Antimalware Products > A Checklist of Do's and Don'ts in Testing - Pg. 484

484 Chapter 10 · Antimalware Evaluation and Testing

today. Bear in mind that both heuristic and virus-specific detection patterns will be added over that period. A more valid approach might be to test the capabilities at different points, or to test with a specific virus to determine the first point at which detection occurs. Clearly it is worth noting if a scanner was capable of detecting malware before it was known to exist. Both AV-Test and AV-Comparatives have performed some type of retrospective frozen-update testing, with interesting results. It is worth bearing in mind, though, that statistical significance is an issue. If testing purely with WildList viruses, the sample set may be comparatively small and could give biased results. It is a decent enough indication of good heuristic capabilities, though, if all that is taken into consideration.

A Few Words on False Positives

False positive (FP) testing is a valuable indicator of a product's suitability for use in a production environment. A product that produces false alarms on common files can cause as many problems for network administrators as real malware might. A good FP test set includes a large set of clean files (i.e. files that do not contain viruses or any other type of malicious code). These are usually files that are found on a normal system, and as far as possible they should be un-archived and in their native state. There may also be some files that are known to cause problems for scanners, giving rise to FP detections, and these too may be included in such sets. FP test sets require a degree of maintenance also, as it is arguable whether an FP against an esoteric file from 10 years ago is as
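As an added example (not code from the book), the following script shows how the retrospective frozen-update results and the clean-set results described above can be summarised, and why statistical significance matters for a small WildList-sized sample set: detection rates are reported with a Wilson confidence interval, and each sample's oldest detecting freeze point is found. The sample names, freeze ages and verdicts are constructed for illustration.

```python
import math

# Constructed example data (not from the book): verdicts for five malicious
# samples scanned with detection data frozen 7, 14 and 28 days before each
# sample first appeared, plus verdicts for a 200-file clean set.
FREEZE_AGES_DAYS = (7, 14, 28)
RETRO_RESULTS = {
    "sample-01": {7: True, 14: True, 28: False},
    "sample-02": {7: True, 14: False, 28: False},
    "sample-03": {7: False, 14: False, 28: False},
    "sample-04": {7: True, 14: True, 28: True},
    "sample-05": {7: True, 14: True, 28: False},
}
CLEAN_VERDICTS = [False] * 198 + [True] * 2  # two clean files wrongly flagged

def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a proportion; unlike the normal
    approximation it stays sensible for the small sample sets typical of
    WildList-based retrospective tests."""
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def rate_summary(verdicts):
    """Detection (or false-alarm) rate with its 95% confidence interval."""
    n, k = len(verdicts), sum(1 for v in verdicts if v)
    return {"hits": k, "total": n, "rate": k / n, "ci95": wilson_interval(k, n)}

def detection_by_freeze_age(results, ages=FREEZE_AGES_DAYS):
    """Retrospective view: how well did the product do with data N days old?"""
    return {age: rate_summary([r[age] for r in results.values()]) for age in ages}

def oldest_detecting_freeze(sample_verdicts):
    """Oldest freeze point at which the sample was already detected, i.e. how far
    ahead of its appearance the heuristics caught it; None if never detected."""
    ages = [age for age, hit in sample_verdicts.items() if hit]
    return max(ages) if ages else None

if __name__ == "__main__":
    for age, s in detection_by_freeze_age(RETRO_RESULTS).items():
        lo, hi = s["ci95"]
        print(f"{age:>2}-day-old data: {s['hits']}/{s['total']} detected "
              f"({s['rate']:.0%}, 95% CI {lo:.0%} to {hi:.0%})")
    fp = rate_summary(CLEAN_VERDICTS)
    print(f"false positives: {fp['hits']}/{fp['total']} ({fp['rate']:.1%})")
    for name, v in RETRO_RESULTS.items():
        print(name, "oldest detecting data age:", oldest_detecting_freeze(v))
```

With only five samples the interval around an 80% detection rate spans most of the range, which is the point the text makes about small WildList sets.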