How to Tell the Difference Between a Virus and a False Positive
By Timothy Tibbetts
Hey there, Geeks! Have you ever downloaded a program only to have your antivirus scream "MALWARE!" at you? Yeah, we all have. As a website that offers tested, safe downloads, it's not uncommon for us to run into them - given how many new files we look at.
Sometimes, these warnings are false positives, and your antivirus is just a little overprotective. In fact, Security Magazine reports that nearly one-fifth of all reported infections from antivirus and antimalware apps are, in fact, false positives. That's insane. A recent survey from MergeBase of cybersecurity professionals revealed that the majority view false positives as more harmful than missing true positives, with many noting that false positives take longer to resolve, affect team morale and undermine productivity.
So, if your shiny new software gets flagged, remember it is better to Geek out than freak out - investigate before deleting it.
So, how can you determine if a program is a threat or just a misunderstood piece of code? Let's look at it.
What is a False Positive?
First, we need to understand what a false positive is. Antivirus companies have a tough job; there are billions of files out there, new ones every day, and you pay them to keep you safe. They use several tactics to detect a virus before it becomes a problem - but the system is far from perfect.
A false positive occurs when a test or system incorrectly identifies a benign or safe item as malicious or problematic, potentially leading to unnecessary concern or even the deletion or quarantine of the safe file. It's like your overly paranoid friend who insists your grandma's cookie recipe is actually a secret hacker code and tries to burn it. Good intentions, but a sanity check says you should bake the cookies.
There are numerous ways for a file to be flagged as a false positive. Let's look at a few.

Heuristics
Let's first give you the official Wikipedia definition of Heuristics. "A heuristic technique, or a heuristic for short, is an approach to problem-solving or self-discovery that employs a practical method that is not guaranteed to be optimal, perfect or rational, but which is nevertheless sufficient for reaching an immediate, short-term goal." Antimalware companies use heuristics alongside actual virus signatures to catch something that could theoretically be a virus even though no signature for it exists yet: the engine looks for traits that malware tends to have (packed code, hooking the keyboard, writing to startup locations) and adds up the suspicion. Heuristics are something we deal with frequently. Because we support many small developers, antivirus companies don't recognize many of our programs. An example of a heuristic false positive is downloading a custom script or macro for Excel that automates some tedious tasks. Your antivirus may see this script doing things it doesn't fully understand, like automating file modifications or accessing certain system functions, and decide it's a threat. So, it raises the alarm and quarantines your helpful little script.
Bundleware or Ad-Supported
While many free and Open Source apps are available, more are looking to sell you something. Some programs run ads in lieu of payment. Some offer to install third-party applications, and some limit the features available. Programs that run advertisements or offer third-party software are often now tagged as PUPs or Potentially Unwanted Programs. They aren't viruses, but the annoyance they cause has made PUPs a target for security vendors. That's not a bad thing, but it's not a virus.
Program Behavior
Many programs that access particular Windows settings can also be incorrectly flagged; for example, keyloggers, many networking applications, product key finders, and more. Ironically, even trusted, safe third-party antimalware apps often get flagged by other engines. If a program has the potential to access any part of Windows known to be abused by viruses or malware, then it might be flagged as a false positive. The reasoning here, from the security company standpoint, is that the file "could" be used maliciously - so it is treated as malicious.
Most of the downloads in our Covert Ops category will be flagged as false positives. For example, we scanned Jalapeno Keyfinder, a program that's been on MajorGeeks for over ten years and is clean. You can almost smell the heuristics on the VirusTotal results.
We have written more extensively on the types of detections here: Why Small Developer Tools Get Flagged as Malware.
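To make the Heuristics and Program Behavior sections above concrete, here is a toy heuristic scanner. It is an added example, not MajorGeeks' tooling or any vendor's engine: the rules, weights and threshold are illustrative, and the three sample "files" (random bytes standing in for a packed freeware installer, a product key finder's code, and a process injector) are constructed inline. The point it shows is that a benign key finder and a real injector can land on the same side of the threshold, because the engine only sees traits, not intent.

```python
"""Toy heuristic scanner: weighted traits, not signatures. Illustrative only."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Compressed or encrypted data sits near 8.0; plain code
    and text sit well below. Packers push an executable's body up here."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def contains_any(*needles: bytes):
    return lambda data: any(needle in data for needle in needles)


# (rule name, weight, predicate). Each rule is a trait malware often has;
# none of them proves malice on its own, which is the whole problem.
RULES = [
    ("high_entropy_body", 4, lambda d: shannon_entropy(d) > 7.5),
    ("keyboard_hook_api", 3, contains_any(b"GetAsyncKeyState", b"SetWindowsHookEx")),
    ("process_injection_api", 3, contains_any(b"WriteProcessMemory", b"CreateRemoteThread")),
    ("run_key_persistence", 2, contains_any(b"CurrentVersion\\Run")),
    ("reads_product_key", 2, contains_any(b"DigitalProductId")),
    ("registry_api", 1, contains_any(b"RegOpenKeyEx", b"RegQueryValueEx")),
    ("clipboard_write", 1, contains_any(b"SetClipboardData")),
]
THRESHOLD = 4  # total weight at which this toy engine raises a detection (assumed)


def heuristic_scan(data: bytes) -> dict:
    """Score a file body against RULES; return matched rules, total weight
    and whether this engine would flag the file."""
    matched = [(name, weight) for name, weight, pred in RULES if pred(data)]
    score = sum(weight for _, weight in matched)
    return {"matched": [name for name, _ in matched], "score": score,
            "flagged": score >= THRESHOLD}


# Constructed samples. Random bytes stand in for a UPX-style packed freeware
# installer, a classic false-positive trigger: high entropy, nothing else.
PACKED_FREEWARE = random.Random(1234).randbytes(4096)
# A product key finder reads the Windows key from the registry and copies it
# to the clipboard. Nothing malicious, but it trips three rules.
KEYFINDER = (b"RegOpenKeyEx(HKLM, SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion) "
             b"RegQueryValueEx(DigitalProductId) decode_base24() SetClipboardData()")
# Something that injects into another process and installs a Run key.
INJECTOR = b"WriteProcessMemory CreateRemoteThread Software\\Microsoft\\Windows\\CurrentVersion\\Run"
HELLO = b"print('Hello, Geeks!')" * 50

if __name__ == "__main__":
    for label, body in [("packed freeware", PACKED_FREEWARE), ("key finder", KEYFINDER),
                        ("injector", INJECTOR), ("hello world", HELLO)]:
        print(f"{label:16} {heuristic_scan(body)}")
```

Run it and the key finder scores 4 (flagged) on registry, product-key and clipboard traits alone, the packed installer is flagged on entropy alone, and the injector scores 5. A real engine weighs hundreds of such signals and adds reputation data, but the shape of the problem is the same: the key finder has no way to look less like malware without dropping the feature it exists for.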
There is also a difference in the type of detection. Not all detections are equal, and security companies tend to walk a tightrope between securing your system and allowing anything on your system. Generic, heuristic and PUP labels are where most false positives live; a specific family name reported by several engines is a different matter. Here's a handy table for quick reference:
| Detection Type | Description | Risk Level |
|---|---|---|
| Virus | Attaches to legitimate programs and spreads | High |
| Trojan | Disguised as useful software to gain access | High |
| Worm | Replicates and spreads across networks on its own | High |
| Ransomware | Encrypts files and demands ransom | Very High |
| Rootkit | Hides malware and preserves privileged access | Very High |
| Keylogger | Records keystrokes to capture sensitive info | High |
| Backdoor | Provides remote access to a system | High |
| Spyware | Monitors and collects user information secretly | Medium to High |
| Adware | Displays advertising material | Low to Medium |
| Potentially Unwanted Program (PUP) | Generally unwanted; can include toolbars and adware | Low to Medium |
| Generic Detection (Gen) | Matches typical malware patterns; a non-specific "best guess" | Variable |
| Riskware | Legitimate software that can be abused for malicious ends | Medium |
How to Know If It's a Virus or a False Positive?
The truth is that it's hard to tell sometimes. You often need some experience and to use your brain, but here are some guidelines.
Check Multiple Sources: VirusTotal is simply the best way to check a file across multiple antivirus engines. If only a few out of many antivirus engines flag it, it's likely a false positive. Pay attention to the detection names as well as the count: "Gen:", "HEUR", "Suspicious" and "PUP" labels are best guesses, while several engines naming the same family is much stronger evidence. When we test at MajorGeeks, we run everything in a virtual machine, and before and after, we scan with VirusTotal. This way, we can watch for suspicious behavior, including the program dialing out, monitoring, installing PUPs, and much, much more. A little common sense is required to understand VirusTotal results. Several companies seem to detect nearly everything as a virus - you learn to ignore them. Also, if you see something weird, do a Google search for the name of the detection and read the comments. One caveat: anything you upload to VirusTotal is shared with its partners, so for a confidential file, search by its hash first and only upload if there is no existing report.
Sandbox Testing: Run the program in a sandbox or virtual machine to observe its behavior. No malicious actions? Probably safe, though some malware waits before acting or behaves differently when it notices a virtual machine, so a quiet run is evidence, not proof. Take a snapshot before you start so you can roll the machine back. Sandboxie is a good freeware alternative to test suspicious programs. We use VMware, which is also now free for personal use.
System Monitoring: Tools like Process Explorer can help you monitor what the program is doing: which files and registry keys it touches, what it loads, and where it connects. Process Monitor pairs well with it for file and registry activity, and Process Explorer can submit the hash of every running process to VirusTotal from its Options menu. You're likely in the clear if it's not doing anything sketchy.
Community and Expert Feedback: Check reputable forums such as the MajorGeeks Support Forums for user feedback. If other users vouch for it, that's a good sign.
Developer Response: Contact the developer. False positives are the bane of a small developer's existence. Reputable developers often address false positives quickly and can provide more info or updates, and many will have already submitted the file to the vendor for reclassification.
Digital Signatures: Check if the file is digitally signed by the developer with a certificate from a reputable CA (right-click the file, Properties, Digital Signatures tab). A valid signature tells you who signed the file and that it hasn't been altered since; it doesn't tell you the signer is honest, and stolen certificates do get used to sign malware, so treat it as one more data point rather than a verdict. That said, because code-signing certificates cost money, Open Source and freeware often will not be signed.
Official Source: Always download from the official website or a trusted source like MajorGeeks.
Previous Versions: Compare with older versions that weren't flagged. If the changes between versions are minor and the detection is a generic or heuristic name, it might be a false positive; if the new file is much larger, newly packed, or the detection names a specific family, take it seriously.
When you are certain the file is fine and the detection is a false positive, add an exclusion (whitelist) for it in your antivirus package to avoid future detections. Keep the exclusion as narrow as possible: the one file or folder, not a whole drive. If you are still in doubt, it may be time to find another program.
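The "Check Multiple Sources" step above comes down to reading a VirusTotal report with some common sense: how many engines actually scanned the file, how many flagged it, whether those flags are heuristic or generic labels or a named family, and whether a few engines you have learned to distrust account for the hits. The script below does that triage. It is an added example, not MajorGeeks' workflow or VirusTotal's own code; it assumes the v3 file-report layout (data.attributes.last_analysis_results), a NOISY_ENGINES list you maintain yourself (placeholder names here), a hypothetical VT_API_KEY environment variable for the optional live lookup, and two constructed sample reports so it runs offline.

```python
"""Triage a VirusTotal v3 file report: few-of-many and heuristic-only hits lean
false positive; several engines agreeing on one family lean malicious."""
import hashlib
import json
import os
import re
import sys
import urllib.request
from collections import Counter
from typing import Optional

# Engines you have learned to discount on your own files. Placeholder name.
NOISY_ENGINES = {"ExampleAV-Noisy"}
# Detection names that mean "looks odd" rather than "is family X".
HEURISTIC_PATTERN = re.compile(
    r"heur|generic|\bgen:|suspicious|\bpup\b|\bpua\b|riskware|hacktool|"
    r"not-a-virus|unsafe|ml\.|!ml\b|score", re.IGNORECASE)
# Tokens that name a type or platform, not a family.
TYPE_TOKENS = {"trojan", "virus", "worm", "malware", "backdoor",
               "win32", "win64", "w32", "msil", "application"}


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256: str, api_key: str) -> dict:
    """Look the hash up instead of uploading: uploads are shared with VT's partners."""
    req = urllib.request.Request(f"https://www.virustotal.com/api/v3/files/{sha256}",
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def family_token(result: str) -> str:
    """'Trojan.Win32.ExampleFam.a' -> 'examplefam', so engines that agree on a
    family are counted together despite different naming schemes."""
    for tok in re.split(r"[./:!@\-\s_]+", result):
        if tok and tok.lower() not in TYPE_TOKENS:
            return tok.lower()
    return result.lower()


def classify(engine: str, category: str, result: Optional[str]) -> Optional[str]:
    """None if the engine did not flag the file, else 'noisy', 'heuristic' or 'named'."""
    if category not in ("malicious", "suspicious"):
        return None
    if engine in NOISY_ENGINES:
        return "noisy"
    if not result or HEURISTIC_PATTERN.search(result):
        return "heuristic"
    return "named"


def triage(report: dict) -> dict:
    results = report["data"]["attributes"]["last_analysis_results"]
    counted, kinds, families = 0, Counter(), Counter()
    for engine, entry in results.items():
        if entry.get("category") in ("type-unsupported", "timeout", "failure"):
            continue  # this engine never rendered an opinion on the file
        counted += 1
        kind = classify(engine, entry.get("category"), entry.get("result"))
        if kind:
            kinds[kind] += 1
        if kind == "named":
            families[family_token(entry["result"])] += 1
    credible = kinds["heuristic"] + kinds["named"]  # hits from engines we trust
    ratio = credible / counted if counted else 0.0
    top_family, agree = (families.most_common(1) or [(None, 0)])[0]
    if credible == 0:
        verdict = "clean"
    elif agree >= 3 or ratio > 0.25:          # thresholds are assumptions; tune them
        verdict = "likely malicious"
    elif kinds["named"] == 0 and credible <= 3:
        verdict = "likely false positive"
    else:
        verdict = "uncertain: run it in a sandbox"
    return {"engines": counted, "flagged": credible + kinds["noisy"], "noisy": kinds["noisy"],
            "heuristic": kinds["heuristic"], "named": kinds["named"],
            "family": top_family, "verdict": verdict}


def _e(category: str, result: Optional[str] = None) -> dict:
    return {"category": category, "result": result}


def _report(engines: dict) -> dict:
    return {"data": {"attributes": {"last_analysis_results": engines}}}


# Constructed: two heuristic hits plus one noisy engine out of ten that scanned.
SAMPLE_FALSE_POSITIVE = _report({
    **{f"Engine{i}": _e("undetected") for i in range(7)},
    "EngineH": _e("malicious", "Gen:Variant.Example.1234"),
    "EngineI": _e("suspicious", "HEUR:Trojan.Win32.Generic"),
    "ExampleAV-Noisy": _e("malicious", "Trojan.Agent.Example"),
    "EngineJ": _e("type-unsupported"),
})
# Constructed: three engines independently name the same (made-up) family.
SAMPLE_MALICIOUS = _report({
    **{f"Engine{i}": _e("undetected") for i in range(3)},
    "EngineD": _e("malicious", "Trojan.Win32.ExampleFam.a"),
    "EngineE": _e("malicious", "Win32/ExampleFam.B"),
    "EngineF": _e("malicious", "Trojan:Win32/ExampleFam.C"),
    "EngineG": _e("malicious", "Gen:Variant.ExampleFam.7"),
    "ExampleAV-Noisy": _e("malicious", "Malware.Generic"),
})

if __name__ == "__main__":
    if len(sys.argv) == 2 and os.environ.get("VT_API_KEY"):
        digest = sha256_of_file(sys.argv[1])
        print(digest, triage(fetch_report(digest, os.environ["VT_API_KEY"])))
    else:
        print("false positive sample:", triage(SAMPLE_FALSE_POSITIVE))
        print("malicious sample:     ", triage(SAMPLE_MALICIOUS))
```

With no arguments it triages the two built-in samples; with a file path and VT_API_KEY set it hashes the file locally and looks the hash up, never uploading. The first sample ends up "likely false positive" (2 heuristic hits out of 10 engines, the noisy engine discounted), the second "likely malicious" because three engines agree on one family regardless of the overall count. Treat the verdict as a starting point for the sandbox and monitoring steps above, not as a replacement for them.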
While heuristic analysis and advanced detection methods in antivirus software are important tools for identifying new and unknown threats, they also come with the risk of false positives. These false alarms can be disruptive, causing unnecessary panic and potential loss of valuable, safe files. The delicate balance between vigilance and practicality in digital security is real. However, antivirus companies need to do better with their detection algorithms to reduce the occurrence of false positives. The number of false positives lately will only lead users to distrust their antivirus programs, and that opens the door to real threats.
Similar:
What Is a Portable File and Why You Should Always Use Them
What's the Best Antivirus and Is Windows Defender Good Enough
Why Small Developer Tools Get Flagged as Malware and How to Safely Use Their Software