False Positives: The Unwanted Side of Antivirus Protection
By Corporal Punishment
Have you ever been annoyed by your antivirus software telling you that a perfectly harmless file is infected with malware? That's what we call a false positive, and it can be a real pain in the ASCII. False positives are not only annoying but can be downright destructive. Personally, while testing a well-known AV product once, it detected my NTUser.dat as a virus, rendering the system unbootable. Seriously? WTF? Anyway...
We deal with this issue a LOT here at MajorGeeks, given that we have looked for the newest, latest, and most excellent (#BillAndTed) software every day for 22 years. Often this software comes from smaller or hobbyist authors.
What are false positives?
A false positive is a mistake in which antivirus software labels a legitimate file as malware. False positives can be annoying and frustrating, especially if the AV product quarantines or locks the file down when you know the file is safe.
There are several reasons why false positives occur, but the main factor is how antivirus software works. Antivirus software uses different methods to detect malware, such as:
- Signature-based scanning: Matches files against a signature database containing specific byte patterns or characteristics of known malware.
- Heuristic analysis: Focuses on identifying suspicious behaviors, characteristics, or code patterns that suggest malicious intent, even when no exact signature matches.
- Behavioral monitoring: Observes and analyzes the behavior of programs, processes, or files in real time to identify potentially malicious activity.
- Code signing: Antivirus products may look for a digital signature or code signing certificate on software to verify its authenticity and the identity of its publisher.
- PUP blocking: PUP stands for "Potentially Unwanted Program," and some software is flagged because of advertising or installation techniques the vendor considers inappropriate. PUPs are a whole topic unto themselves. If you would like to know more, read: What is a PUP?
These methods have pros and cons; each can misidentify harmless files as malicious.
A good example of a false positive from signature scanning is in this video when Malwarebytes Anti-Malware decided my photography was so bad it needed to be classified as a virus. My ego took a hit that day.
Why are false positive detections so prevalent with new files or files from small/new authors?
One of the situations where false positives are more likely to happen is when you download new files or files from small authors. Why? Because antivirus and anti-malware software rely on databases of known malware signatures and heuristics to identify threats. Heuristics is a fancy word for suspicious behavior. New files or files from small authors may not have built up enough reputation or popularity with antivirus vendors to be listed as known-good, and they may exhibit characteristics that heuristics consider suspicious, like modifying your registry.
Also, code signing is not free. Software companies typically pay a few hundred dollars per year per title to a certificate authority to verify their identity. Sort of like a Twitter Blue Check Mark, only more expensive. At the time of publishing this, Sectigo, one of the top code signing companies, is charging $429+ per year for the privilege of them saying an author is a real person. The average author on GitHub will never pay that price for open source freeware, and some antivirus products will flag unsigned code immediately.
So let's say you download a new executable (.exe) that modifies some registry entries. If the program is from Microsoft or Adobe, no problem; the big boys will never be detected. But if it is from NirSoft (one of our favorites), your antivirus software may flag it as a potential threat, even though it is a harmless program. His programs are small, relatively unknown, and, because of what they do, will throw a behavioral or heuristic scan into a tizzy. For example, MailPassView will display passwords for mail accounts on your system. That's gonna get a flag for sure.
Similarly, if you download a file from a small author with few installs, your antivirus software may consider it risky, even if it is a legitimate file, simply because it is not 'known' yet.
How can you deal with false positives?
False positives can be annoying and create a horrible user experience for the customer, the authors, and even sites like MajorGeeks. They are, however, a sign that your antivirus software is doing its job and trying to protect you from malware. Malware constantly evolves and can be nasty to remove, so you would rather be TOO safe, right?
That said, if you encounter too many false positives, here are some tips to help you deal with them.
- Use reliable antivirus software. Not all antivirus software is created equal. Some have better detection rates and fewer false positives than others. Choose antivirus software with a good reputation and performance.
- Choose appropriately based on your surfing habits. Programs like ESET Smart Security have a reputation for being more intolerant, leading to more false positives. That may be a good choice if you are one to dive into the deep crevices of the Interweb. In contrast, Windows Defender is more general and fantastic for average daily use.
- Update your antivirus software regularly. Updating your antivirus software can help reduce false positives by adding new signatures and heuristics to its database.
- Check the source of the file. (#MajorGeeksFTW) Before downloading a file, you should always check its source and make sure it is trustworthy. You can do this by looking at the website address, reading user reviews, or verifying digital signatures if available.
- Report false positives to your antivirus vendor. If you are sure a file is safe, and your antivirus software still flags it as malware, you can report it as a false positive to your antivirus vendor. Reporting helps improve detection methods and prevents future false positives for other users. Each company has its own way of reporting; some accept reports in the program, online, or by email. Either way, it's a massive help if you go through the effort.
- Use VirusTotal to scan the file. VirusTotal is a free online service that lets you check a file with multiple antivirus engines and see their results side by side. Looking at multiple engines can help you determine whether a file is malicious or just a false positive from one or two of them. Pro Tip: If only a few engines flag the file, and the labels contain GEN (generic) or PUP (Potentially Unwanted Program), such as trojan.susgen or somename.pup, it is likely a false positive; a specific malware family name reported by many engines is a different story. You can also add VirusTotal Context Menu to your system so you can scan any file right from your context menu.
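To make the VirusTotal pro tip concrete, here is an added example (not from the original article or from VirusTotal) that applies it to two constructed sets of per-engine verdicts: a small-author tool flagged generically by two engines, and a file that most engines agree on with a specific family name. The engine names, labels and thresholds are all assumptions made for this illustration.

```python
import re

# Constructed verdict sets in the shape of a VirusTotal report: engine name ->
# detection label, or None when that engine called the file clean. Engine names
# and labels are made up for illustration, not real scan output.
SMALL_TOOL = {  # a NirSoft-style utility: 2 of 10 engines flag it, both generically
    "EngineA": None, "EngineB": "Trojan.SusGen", "EngineC": None,
    "EngineD": "PUP.Optional.Bundler", "EngineE": None, "EngineF": None,
    "EngineG": None, "EngineH": None, "EngineI": None, "EngineJ": None,
}
REAL_THREAT = {  # 8 of 10 engines agree and name a specific (made-up) family
    "EngineA": "Trojan.FakeFam.A", "EngineB": "Win32/FakeFam.B", "EngineC": None,
    "EngineD": "Trojan:Win32/FakeFam", "EngineE": "FakeFam.Dropper",
    "EngineF": "Trojan.FakeFam.A", "EngineG": "W32.FakeFam", "EngineH": None,
    "EngineI": "Trojan.FakeFam.gen", "EngineJ": "Backdoor.FakeFam",
}

# Label fragments the article calls weak evidence: generic ("GEN"), heuristic
# and PUP-style names rather than a specific malware family.
GENERIC_LABEL = re.compile(
    r"\b(gen|generic|susgen|heur\w*|suspicious|pup|unwanted|riskware|ml|ai)\b", re.I)


def triage(results):
    """Summarise multi-engine verdicts into a rough false-positive call.

    The thresholds are a rule of thumb chosen for this example, not
    VirusTotal's or any vendor's own scoring.
    """
    total = len(results)
    hits = {eng: label for eng, label in results.items() if label}
    generic = {eng: lab for eng, lab in hits.items() if GENERIC_LABEL.search(lab)}
    specific = {eng: lab for eng, lab in hits.items() if eng not in generic}
    ratio = len(hits) / total if total else 0.0
    if not hits:
        verdict = "clean: no engine flagged it"
    elif len(specific) >= 3 or ratio >= 0.5:
        verdict = "likely malicious: several engines agree on a named family"
    elif not specific and ratio <= 0.2:
        verdict = "likely false positive: few engines, generic/PUP labels only"
    else:
        verdict = "inconclusive: check the source and report to the vendor"
    return {"total": total, "hits": len(hits), "generic": len(generic),
            "specific": len(specific), "ratio": round(ratio, 2), "verdict": verdict}


if __name__ == "__main__":
    for name, res in (("small-author tool", SMALL_TOOL), ("real threat", REAL_THREAT)):
        print(name, triage(res))
```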
There you have it, Geeks. More information on false positives that you never knew you needed to know. I hope this helps clear up some questions and will help you make informed decisions when downloading software. If you have any other tips, drop them in the comments below.