Not a Virus: How to Verify a False Positive Detection


You’ve just downloaded a file that you’re pretty sure is from a reputable website. Just when you’re about to open the file, your antivirus intervenes and warns you that the file is malware. Doubt starts to form in your head: why is the file considered malicious when it’s from a legit source? Is it possible that your antivirus is reporting a false positive?

What Is a False Positive?

Sometimes, an overly strict antivirus may flag a file as malicious and report it, and yet you’re certain that the file is clean. This is a case of a false positive, or the erroneous identification of legitimate software as malicious or infected.

What Are Some Files That Antivirus Typically Mistake for Viruses?

Programs whose behavior closely resembles that of malicious software are often the victims of false positive detections. Also prone to false positives are programs that use file compression (packing) and code-protection techniques of the kind often employed by malware.

For instance, AutoHotkey is legitimate software that lets you create custom scripts to automate repetitive tasks. Antivirus products may deem it malicious for its capability to monitor keystrokes and mouse movements, which is how some types of Trojans steal user passwords.

Highly questionable software utilities, such as tools for cracking and generating product keys, are also likely to be flagged as malicious.

Why Does an Antivirus Have False Positive Detections?

A number of reasons may cause an antivirus to mark a safe, legit file as malicious. For one, security developers may roll out bad virus definition updates for their AV products that increase the likelihood of reporting false positives. In 2010, McAfee products incorrectly quarantined a critical system file in Windows XP SP3 due to a bad update, and affected computers suffered an infinite reboot loop. In October 2011, a faulty definition for Microsoft Security Essentials mistook the Google Chrome web browser for a Trojan. Bad updates, in some cases, may even cause AV products to mark their own files as malicious.

Antivirus software that makes use of heuristic analysis—a method of detecting unknown viruses by examining code and behavioral patterns rather than known signatures—also has a tendency to flag harmless files. Heuristic detection must be fine-tuned so that it provides strong proactive protection for the user without affecting legitimate files.

Some antivirus vendors would also rather configure their AV products stringently than downplay the risk of malware. Doing so causes these products to cry wolf more often with false positives.

So Your Antivirus Found a Virus. How Do You Confirm if It’s a False Positive?

No antivirus is perfect; all of them will report a false positive at some point. A March 2015 study by AV-Comparatives showed Baidu, Avast, Vipre and Avira antivirus products to have the highest incidence of false positives.

If your antivirus thinks it has found a virus and you’re not convinced, get a second opinion from another malware scanner. Better yet, upload the file in question to VirusTotal, an online scanning service that uses engines from more than 40 antivirus companies.

Go to virustotal.com, click Choose File, browse to the file on your computer, click Open, and click Scan It. Wait for the upload to finish, and view the report. If someone else has already submitted the same file for analysis, you can either view the last analysis report or have the file analyzed again.

To make it easy to check other files for suspicious content, we recommend installing VirusTotal’s desktop application.
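The same second-opinion check can be scripted, which is useful when you would rather not upload a file at all: hashing the file locally and looking the hash up tells you whether VirusTotal already has a report without sending the file's contents to anyone. The script below is an added example, not code from the article or from VirusTotal. It assumes the VirusTotal API v3 file-report layout (`data.attributes.last_analysis_stats` and `last_analysis_results`), a placeholder `VT_API_KEY` environment variable holding your own key, a constructed sample report (`SAMPLE_REPORT`) in place of a live lookup, and its own rule of thumb in `verdict()` for how many agreeing engines count as consensus.

```python
"""Second-opinion check of a flagged file by SHA-256 lookup on VirusTotal.

Added illustration, not code from the article. Assumptions (labelled):
- The VT_API_KEY environment variable is a placeholder for your own key.
- The JSON layout follows VirusTotal API v3 `GET /api/v3/files/{hash}`
  (`data.attributes.last_analysis_stats` / `last_analysis_results`).
- SAMPLE_REPORT below is a constructed report, not a real lookup result.
- The consensus thresholds in verdict() are this example's own rule of thumb.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

# Substrings typical of heuristic / generic detection names (assumption).
HEURISTIC_HINTS = ("heur", "generic", "gen:", "pua", "suspicious")


def sha256_of_file(path: str) -> str:
    """Hash the file locally; a hash lookup does not upload the file itself."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fetch_report(sha256: str, api_key: str) -> Optional[dict]:
    """Look up an existing report by hash; None means VirusTotal has never seen it."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256=sha256),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def verdict(flagged: int, scanned: int, heuristic_only: bool) -> str:
    """Rule of thumb (assumption): weight the result by how many engines agree."""
    if scanned == 0:
        return "no engine results"
    if flagged == 0:
        return "no engine flags this file"
    if flagged <= max(2, scanned // 10):
        note = " (all hits are heuristic/generic names)" if heuristic_only else ""
        return "low consensus, consistent with a false positive" + note
    return "high consensus, treat as malicious"


def summarize(report: dict) -> dict:
    """Reduce a v3 file report to what matters for a false-positive decision."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    results = attrs.get("last_analysis_results", {})
    # Engines that returned a real verdict (unsupported types / timeouts ignored).
    scanned = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    flagged = {
        name: r.get("result") or r.get("category")
        for name, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    }
    heuristic_only = all(
        any(h in (label or "").lower() for h in HEURISTIC_HINTS) for label in flagged.values()
    ) if flagged else False
    return {
        "scanned": scanned,
        "flagged": len(flagged),
        "engines": dict(sorted(flagged.items())),
        "heuristic_only": heuristic_only,
        "verdict": verdict(len(flagged), scanned, heuristic_only),
    }


# Constructed sample report: 2 of 67 reporting engines flag the file.
SAMPLE_REPORT = {
    "data": {"attributes": {
        "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 60,
                                "harmless": 5, "type-unsupported": 3},
        "last_analysis_results": {
            "EngineA": {"category": "malicious", "result": "Heur.Keylogger.Generic"},
            "EngineB": {"category": "malicious", "result": "Trojan.Generic.Sample"},
            "EngineC": {"category": "undetected", "result": None},
        },
    }}
}


def check_file(path: str) -> dict:
    """Hash a local file and summarize its VirusTotal report, if one exists."""
    api_key = os.environ.get("VT_API_KEY")  # placeholder variable name
    if not api_key:
        raise SystemExit("set VT_API_KEY to your own VirusTotal API key")
    report = fetch_report(sha256_of_file(path), api_key)
    return summarize(report) if report else {"verdict": "never submitted to VirusTotal"}


if __name__ == "__main__":
    out = check_file(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_REPORT)
    print(json.dumps(out, indent=2))
```

Run with no arguments to see the constructed sample summarized, or with a file path and `VT_API_KEY` set to look up a real file by hash. The hash is also what you compare against a checksum the publisher lists on its download page, which settles the "is this really the file they ship" question that the detection count alone does not. Two engines out of 67, both with heuristic or generic labels, is the profile the article describes for a false positive; dozens of engines naming the same family is not.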

You can help improve the effectiveness of your antivirus by submitting sample files to the software developer. With your sample files, the software developer can make the necessary adjustments to the antivirus so it won’t misidentify similar files as malicious in the future. Here are some links to different antivirus vendors for submitting samples:

What Else Can You Do?

It’s ultimately up to you whether to listen to your antivirus whenever it reports a malware detection. You can let it quarantine or delete the suspected file for your protection. Or you can override your antivirus and open the file, because you’re certain of the file’s validity and origin.

Constant false positives may encourage you to ignore reports from your antivirus, including important and legitimate ones. They may also dissuade you from using an antivirus altogether. And as mentioned above, data loss, service interruption or system breakdown is possible when an antivirus falsely quarantines or deletes important files. If your antivirus has a high rate of false positives, perhaps it’s best to switch to another security solution.