How to Tell the Difference Between a Virus and a False Positive
By Timothy Tibbetts
As a website that offers tested, safe downloads, it's not all that uncommon for someone to claim a file contains a virus. So, how do you know if a file contains a virus or if it's just a false positive? And, what is a false positive?
A false positive means that one or more antivirus programs have detected a virus, but the file is clean. How does this happen?
There are numerous ways for a file to be flagged as a false positive. Let's look at a few.
Heuristics
Heuristics is something we deal with frequently. Because we support many small developers, many of our programs aren't recognized by the antivirus companies. Let's first give you the official Wikipedia definition of Heuristics. "A heuristic technique, or a heuristic for short, is an approach to problem solving or self-discovery that employs a practical method that is not guaranteed to be optimal, perfect or rational, but which is nevertheless sufficient for reaching an immediate, short-term goal."
In other words, they don't recognize the program, so they guess. Often incorrectly. It's that simple.
Bundleware or Ad-Supported
While there are many free and Open Source apps available, there are more that are looking to sell you something. Some programs run ads. Some offer to install third-party applications, and some limit the features available.
Programs that run advertisements or offer third-party applications are now often tagged as PUPs, or Potentially Unwanted Programs. They aren't a virus, but some large companies, particularly Malwarebytes, have made PUPs a target. That's not a bad thing, but it's not a virus.
Program Behavior
Many programs that access particular Windows settings can also be incorrectly flagged: keyloggers, many networking applications, product key finders, and more. Ironically, most trusted and safe third-party antimalware apps will be flagged as a virus. If a program has the potential to access any part of Windows known to be abused by viruses or malware, then it might be flagged as a false positive.
Most of the downloads in our Covert Ops category will flag as false positives. For example, we scanned Jalapeno Keyfinder, a program that's been on MajorGeeks for over ten years and is clean. You can almost smell the heuristics on the VirusTotal results.
VirusTotal
VirusTotal is the bomb. You can scan any file with over thirty antivirus apps in one place. We feel thirty antivirus apps are overkill, and are the reason for so many false positives.
A little common sense is required to understand VirusTotal results. For starters, do a Google search for the discovered virus name and read the comments.
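As an added example (not from the article or from MajorGeeks), here is a small Python triage script that applies the reasoning above to a VirusTotal-style result: it counts how many engines fired, then separates heuristic/generic and PUP verdicts from named malware families. The engine names, verdict strings and the naming-hint patterns are constructed assumptions, not a real report or an official vendor list.

```python
"""Triage a VirusTotal-style result: count detections, then separate
heuristic/generic and PUP verdicts from named families. Sample data and
hint patterns are constructed assumptions, not real VirusTotal output."""
import re

# Constructed sample: engine name -> verdict string, or None when clean.
SAMPLE_RESULT = {
    "EngineA": None,
    "EngineB": "Gen:Variant.Suspicious.1",      # generic/heuristic verdict
    "EngineC": "PUP.Optional.KeyFinder",        # potentially unwanted, not a virus
    "EngineD": None,
    "EngineE": "HEUR:Trojan.Win32.Generic",     # heuristic verdict
    "EngineF": None, "EngineG": None, "EngineH": None,
    "EngineI": None, "EngineJ": None,
}

# Assumed naming hints: heuristic/generic verdicts vs. PUP/PUA labels.
HEURISTIC_HINTS = re.compile(r"heur|generic|gen[:.]|suspicious|\bml[.:]", re.I)
PUP_HINTS = re.compile(r"\bpup\b|\bpua\b|unwanted|riskware|adware|not-a-virus", re.I)

def classify_verdict(name):
    """Bucket one detection name as 'pup', 'heuristic', or a 'named' family."""
    if PUP_HINTS.search(name):
        return "pup"
    if HEURISTIC_HINTS.search(name):
        return "heuristic"
    return "named"

def triage(result):
    """Summarise a scan result and give a coarse, defender-side assessment."""
    detections = [v for v in result.values() if v]
    counts = {"named": 0, "heuristic": 0, "pup": 0}
    for verdict in detections:
        counts[classify_verdict(verdict)] += 1
    total = len(result)
    ratio = len(detections) / total if total else 0.0
    if not detections:
        assessment = "clean on all engines"
    elif counts["named"] >= 2 or ratio >= 0.5:
        assessment = "likely malicious"
    elif counts["named"] == 0:
        assessment = "heuristic/PUP only: likely false positive, confirm in a VM"
    else:
        assessment = "needs sandbox review"
    return {"engines": total, "detections": len(detections),
            "ratio": round(ratio, 2), **counts, "assessment": assessment}
```

Run `triage(SAMPLE_RESULT)` to see the summary; the thresholds are deliberately conservative so that a low hit count made up only of heuristic or PUP names still sends you to a virtual machine rather than straight to "clean".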
How to Know If It's a Virus or a False Positive
The truth is that it's hard to tell, and nothing is 100%, but you can be careful.
When we test at MajorGeeks, we run everything in a virtual machine after we scan with VirusTotal. This way, we can watch for suspicious behavior, including the program dialing out, monitoring, installing PUPs, and much, much more.
Sandboxie is a good, freeware alternative to test suspicious programs.
When in doubt, find another program and whenever possible, look for portable, freeware, and Open Source programs.