Being both an ex-security researcher and member of current security matters (since I author PECompact, and must work with security vendors to ensure interoperability), last year I founded a site dedicated to False Positive Reporting and Resolution. I was grateful to see many vendors willingly monitor it, as they have the best of intentions. Many of their automated submission forms and such aren't always so responsible.
The goal of the site is simple transparency. Who has the biggest problems with false positives - something that can now quickly turn into a whole web site being rated 'BAD'? Who has the fewest problems? Who has the fastest resolution? Etc... It is at http://falsepositivereport.org and I encourage participation if this site is to 'take off'.
Some security vendors did dub it the 'shame and name' project, and I must admit - I kind of like that idea. After all, being a software publisher, you can imagine when the unthinkable happens and your software is called a virus or other malware by error. When it keeps happening (there are lots of vendors, after all), or when there is a delay in fixing the false positive, then it starts to become more than just an annoyance.
NONE of us envy the jobs of the security vendors, and that site is NOT about crucifying them. Keeping up with malware that is regenerated daily is near impossible. Whitelists would work, except they tend to become exclusionary programs that you must pay for. Thus, we're left where we are now. Again, user education is the best defense, as most 0-day malware will slip through most security products (else we wouldn't have much of an issue). Once malware gets installed on your PC, it is often not detectable or removable while the OS is booted. Microsoft issues patches to clean some of it up from time to time. For whatever reason, only a handful of security vendors offer 'offline scans' (not off the network, an unbooted PC). I hope more offer such in the future.