What Is A False Positive Antivirus Detection?

Almost every day, comments appear under various articles on our site stating “my xxx antivirus says this program is not safe”. To understand why this happens, it is important to know how antivirus software detects possible threats. Antivirus products do in fact use a variety of methods, but we can simplify these into signature-based and heuristic detections. Signature detections are the most reliable: if a file on your computer matches a signature in the antivirus definitions, then the file in question is 99% likely to be malicious. This is why it is important to keep the antivirus signatures regularly updated.
 
Heuristics, on the other hand, are a very different ball game, and this is how most false positives are generated. In the early days of heuristics, these detections were triggered because something was exhibiting behavior similar to that of known malware, or not typical of the file type it was supposed to be. Unfortunately, in order to wring the last drop of nonsense out of vendors' claims to protect against everything, heuristic detection rules have been expanded to include such bizarre criteria as the host website not having much traffic. Quite obviously, most software from new developers will fall into this category and so be automatically flagged as dangerous.

 

It's worth expanding just a little on the worst offending method of false positive generation, which is “reputation” scoring. This is basically a cop-out by the various antivirus companies that promise to protect users from everything, which as we all know is garbage. Some of the criteria they use for reputation scoring are:

 

  • The website doesn't have much traffic. (Fantastic if you've just launched a new service because many of your potential visitors have just been excluded for no reason).
  • Our crawler bot hasn't scanned your site yet.
  • This program is not in our database. (So a lot of exciting, new and safe software is immediately excluded).

 

This isn't to suggest you should routinely ignore these warnings, but accepting that the majority will be false positives, it is better to form your own judgment by using services such as VirusTotal, URLVoid and Zulu.

 
To see which rules are applied (and how) by your own antivirus, it is important to consult its user guide.
 
So, with all this uncertainty, is there anything you can do to obtain better clarity?
 
At Gizmo's Freeware our editors consult the free VirusTotal service which uses multiple antivirus scanners. 
 
Most of the comments referred to above arrive under our Hot Finds articles, which is why you will see a line similar to these examples included in the text:
 
  • “It's free of malware, according to VirusTotal”.
  • “It's a tiny 0.1 MB download, needs no installation, and VirusTotal says it's clean of all malware”. 
 
You can of course consult with the product vendor's website which may contain a notice about false positives, or depending on your antivirus, submit the file for analysis.
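The two ideas above, a signature match versus a heuristic or reputation verdict, and the question of how to read a multi-engine VirusTotal-style result, can be shown in a few lines of code. The following Python is an added example written for this article; it is not code from Gizmo's Freeware, VirusTotal or any antivirus vendor. The hash blocklist, the engine names, the detection names and the scan report are all constructed here for illustration, and the rule that sorts detection names into "specific" or "generic" by keywords such as "Heur" or "Gen:" is an assumption about naming conventions, not a vendor specification.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed signature list: SHA-256 of a made-up "bad" file mapped to a made-up name.
# A real blocklist would hold hashes of actual malware; these values are not IoCs.
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(b"constructed bad sample").hexdigest(): "Constructed.Trojan.Example",
}

# Assumed keywords that mark a heuristic, generic, machine-learning or reputation
# verdict rather than a match against a specific malware family signature.
GENERIC_NAME_PATTERN = re.compile(
    r"heur|generic|gen:|suspicious|reputation|unsafe|not-a-virus|ml\.|lowrep", re.I
)


def signature_match(data: bytes) -> Optional[str]:
    """Signature-based detection: exact hash lookup, the reliable kind the article describes."""
    return KNOWN_BAD_SHA256.get(hashlib.sha256(data).hexdigest())


def classify_detection(name: Optional[str]) -> str:
    """Sort one engine's verdict into 'clean', 'generic' (heuristic/reputation) or 'specific'."""
    if not name:
        return "clean"
    return "generic" if GENERIC_NAME_PATTERN.search(name) else "specific"


def assess(flagged: int, specific: int, total: int) -> str:
    """Plain-language reading of a multi-engine report (thresholds are assumptions)."""
    if flagged == 0:
        return "no engine flagged the file"
    if specific:
        return "at least one specific signature match; treat as malicious until proven otherwise"
    if flagged <= max(3, total // 10):
        return "a few generic/heuristic hits only; consistent with a false positive, verify with the vendor"
    return "many heuristic hits; do not install without further analysis"


def summarize_scan(results: Dict[str, Optional[str]]) -> dict:
    """Turn {engine: detection-name-or-None} into counts plus an assessment."""
    flagged = {eng: name for eng, name in results.items() if name}
    specific: List[str] = [e for e, n in flagged.items() if classify_detection(n) == "specific"]
    generic: List[str] = [e for e, n in flagged.items() if classify_detection(n) == "generic"]
    return {
        "engines": len(results),
        "flagged": len(flagged),
        "ratio": f"{len(flagged)}/{len(results)}",
        "specific_detections": specific,
        "generic_detections": generic,
        "assessment": assess(len(flagged), len(specific), len(results)),
    }


# Constructed report: twelve hypothetical engines, three of which raise heuristic or
# reputation verdicts on a new, rarely seen program. None names a specific family.
FALSE_POSITIVE_REPORT: Dict[str, Optional[str]] = {
    "EngineA": None,
    "EngineB": "Gen:Variant.Heur.Constructed",
    "EngineC": None,
    "EngineD": None,
    "EngineE": "Unsafe.Constructed_Score_60",
    "EngineF": None,
    "EngineG": "Suspicious.LowRep.Constructed",
    "EngineH": None,
    "EngineI": None,
    "EngineJ": None,
    "EngineK": None,
    "EngineL": None,
}

# Constructed report where one engine names a specific family: a very different situation,
# even though the detection ratio is lower than in the report above.
SPECIFIC_HIT_REPORT: Dict[str, Optional[str]] = dict(
    FALSE_POSITIVE_REPORT, EngineB=None, EngineE=None, EngineG="Constructed.Trojan.Example"
)

if __name__ == "__main__":
    print(signature_match(b"constructed bad sample"))  # Constructed.Trojan.Example
    print(signature_match(b"some benign bytes"))       # None
    for report in (FALSE_POSITIVE_REPORT, SPECIFIC_HIT_REPORT):
        print(summarize_scan(report))
```

The point of the two constructed reports is that the raw count ("3 out of 45") is the wrong thing to look at: three engines all reporting generic or reputation verdicts on a freshly released program reads very differently from a single engine naming a specific family, and the vendor's own false-positive notice or a resubmission to the antivirus company is still the deciding step.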
 
 
Nothing, though, can be guaranteed 100%, so it is important to take some extra precautions when downloading and installing new software. These resources contain some other options.
 
 
... or as a last resort:
[PC virus comic image]

Comments

I like VirusTotal, but still at times I'm left with no more "clarity" than when I began with. Just recently I downloaded software from a reputable site, written by the site themselves, only to have 3 out of the 35 or 45 engines on VirusTotal claim viruses or trojans present. How am I supposed to feel about that? So I mentioned it on their forum and they assured me the program does not have a virus/trojan and recommended also trying Jotti's malware scan, which they also pointed out gave a single false positive. My antivirus software, BitDefender and Malwarebytes, found no problem with their software, along with some other online scanners. I've had situations where VirusTotal found problems, including their BitDefender software, when my BitDefender antivirus didn't on the same sample. What if 3 of the 45 VirusTotal virus programs say there is a virus, trojan, and/or malware present? Does that mean "safe to install"? How much "charity" or "comfort" does that give us? Ten of the 45? Still "safe"? Where is that dividing line on whether to "trust" it and install it or not? Majority rules? If 23 of the 45 VirusTotal anti-virus programs say it's OK, we can find "comfort" in that? We have "clarity"? It all seems to be pretty much a crap shoot these days, and just last night I was on a reputable security forum. I didn't notice the post, i.e. "thread", was old, but the moderator recommended Old Timer download to run with a link. Without thinking I clicked it and downloaded. Further, without thinking, because I was on a reputable security forum, I installed it. THEN I thought let's run this through VirusTotal, duh, after the fact, and found over a half dozen alleged trojans. So far my 4 or 5 scans from various downloaded programs, along with my own programs, have detected nothing after VirusTotal scared the daylights out of me, and who knows, they may be right and my programs are just not catching it. I've come to where I can't trust any of it with any degree of credibility.
You don't know when the false positives are false positives or when they are for real. I think I'm going to change my entire strategy. I think I'm going to do more than tinker with VMware Player, VirtualBox, and/or Virtual PC. I think I'm going to reinstall my "virgin" image of Windows 7 Pro back on my computer, and besides security software, including firewall and anti-virus, and the virtual software that's about it. Then operate solely out of the virtual box for just about everything else. Live out of (or rather in) the box and pretty much immunize my Windows 7 from the outside world as much as I can.

This is explained in the VT FAQ: "A given antivirus in VirusTotal detects a file and its equivalent commercial version does not" "VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product". That said, none of these services are perfect and nothing for Windows can be regarded as 100% safe. IMO if there's any doubt, don't install it. I've been adopting this policy for years and I've never missed not having something that was flagged like this or came from a site with a poor WOT (Web Of Trust) rating.
A great article MC. Lol, the last image made me laugh my heart out. Even I had moments like those, when I play multi-player games online and get killed by others. :D
Thanks. I produced this as much as anything to help out the likes of Robert who would be constantly replying to "this is not safe" comments under his Hot Find articles. Now we have something in detail to link to which is a lot more efficient. I've looked everywhere I can think of for a copyright on that last image and can't find anything. No doubt if it is covered somewhere we'll hear about it soon enough. :)