McAfee False Positive part 2

According to the SANS Internet Storm Center diary, there was a false positive in McAfee defs on Friday. They asked a couple of questions that I thought were worth a blog entry.
How would you detect such a “bad pattern” in your environment, and, more importantly, how would you distinguish between “false positive” and “virus outbreak” ?
We use Symantec Antivirus in our environment. It sends an email alert to the antivirus administrator for each virus detection. The antivirus administrator should be able to make a decision based on his/her experience, the directory and filename of the reported file, and the number of reports: a bad pattern tends to fire on the same legitimate file, in the same location, on many machines within minutes of a definition update, whereas an outbreak shows up as different files and paths appearing on more and more hosts over time.
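The triage described above, as an added example that is not part of the original post and not Symantec's code. It assumes the alert e-mails have already been parsed into records with the fields `time`, `host`, `detection` and `path` (names chosen for this example), and the thresholds (five hosts, a thirty-minute window after the definition push) are assumptions to tune for your environment. The alert stream is constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Time the definition set in question was pushed to clients (assumed value
# for this example; take it from your management console in practice).
DEF_UPDATE_TIME = datetime(2005, 3, 11, 9, 0)


def _alert(minutes_after_update, host, detection, path):
    """Build one alert record relative to DEF_UPDATE_TIME (constructed data)."""
    return {"time": DEF_UPDATE_TIME + timedelta(minutes=minutes_after_update),
            "host": host, "detection": detection, "path": path}


# Constructed sample alert stream, as an administrator's inbox might see it.
SAMPLE_ALERTS = (
    # Six hosts, one signature, one identical vendor-binary path, all within
    # minutes of the definition push: what a bad pattern looks like.
    [_alert(2 + i, f"ws{i:02d}", "Example.Sig.A",
            r"C:\Program Files\Vendor\App\app.exe") for i in range(6)]
    # Six hosts, one worm name, different per-user temp paths, spread over
    # hours: what something actually propagating looks like.
    + [_alert(20 + 25 * i, f"ws{10 + i:02d}", "Example.Worm.B",
              rf"C:\Documents and Settings\user{i}\Local Settings\Temp\x{i}.exe")
       for i in range(6)]
    # One host, one hit: not enough evidence either way.
    + [_alert(240, "ws99", "Example.Trojan.C", r"C:\temp\setup.exe")]
)


def triage(alerts, def_update_time, window=timedelta(minutes=30), min_hosts=5):
    """Group alerts by detection name and give each group a working verdict.

    Heuristic (this example's, not the vendor's):
      - many hosts, one identical path, all firing in a short burst right
        after the definition update  -> likely false positive
      - many hosts, varied paths, not tied to the update -> possible outbreak
      - anything else                                     -> needs analyst review
    """
    by_detection = defaultdict(list)
    for a in alerts:
        by_detection[a["detection"]].append(a)

    verdicts = {}
    for detection, hits in by_detection.items():
        hosts = {h["host"] for h in hits}
        paths = {h["path"].lower() for h in hits}
        first = min(h["time"] for h in hits)
        last = max(h["time"] for h in hits)
        burst_after_update = (def_update_time <= first <= def_update_time + window
                              and last - first <= window)
        if len(hosts) >= min_hosts and len(paths) == 1 and burst_after_update:
            verdict = "likely false positive"
        elif len(hosts) >= min_hosts and len(paths) > 1:
            verdict = "possible outbreak"
        else:
            verdict = "needs analyst review"
        verdicts[detection] = {"verdict": verdict, "hosts": len(hosts),
                               "paths": len(paths), "first": first, "last": last}
    return verdicts


if __name__ == "__main__":
    for det, v in triage(SAMPLE_ALERTS, DEF_UPDATE_TIME).items():
        print(f"{det}: {v['verdict']} ({v['hosts']} hosts, {v['paths']} paths, "
              f"{v['first']:%H:%M}-{v['last']:%H:%M})")
```

The verdict is a starting point for the administrator, not a replacement for looking at the file: a "likely false positive" should still be confirmed by checking the flagged binary's vendor signature or hash before the definitions are rolled back, and a single hit on one host is exactly the case where experience with that path and filename matters most.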
Would you have the capability to roll back to the last “known good” pattern if help from the vendor were not forthcoming ? Where exactly do these patterns come from ? Is the previous pattern version available there as well ?
The ability to roll back virus definitions is built into the management platform for Symantec (Symantec System Center). Failing that, reverting to the previous definition set would have to be done by hand or through a script run on each client.
The antivirus companies have us addicted to updates. We need the fix. We're jonesing for the fix. Every once in a while we get a bad fix that nearly takes us out. In the past month Kaspersky has killed Exchange servers running Sybari. Microsoft Antispyware has uninstalled Symantec antivirus. And now this. (I think I'm forgetting a smaller incident Sophos had.) Something is rotten in the state of antivirus.