False positives occur when antivirus software incorrectly identifies safe software as malignant. This usually happens due to the complications that arise in determining the disparity between ‘good’ and ‘bad’ codes. False positives typically occurs when an antivirus program has been installed or after a major software update.
A well-known example of a false positive was when Microsoft Security Essentials tagged Google Chrome as malicious. The software removed Chrome from around 3,000 computers as a result and Google had to run a patched update of their chrome browser for users to download.
It can be difficult to determine whether these are false positives or legitimate threats, and this can result in programs being wrongly deleted, deactivated or blocked by the AV software – and sometimes, innocent websites can be blocked too.
Malicious or benign?
These false positives are one of the reasons that AV programs quarantine threats.
Applications provide as much information as possible about the identified threat – file location, associated program, and the kind of threat it believes is matching the file.
The problem is that the various methods deployed for identifying malware are not perfect, and this can result in false positive results. Safe programs can be wrongfully flagged as malicious as a result of an antivirus program’s signature detection algorithm having too broad a landing zone.
Antivirus software is at its most successful – for paid-for or free antivirus programs – when it is scanning for malware signatures and comparing against updated ‘directories’. These signature-based antivirus programs remain the best line of AV defence, and free versions are usually as up-to-date as paid-for iterations.
How antivirus can defeat false positives
Generally, detections are the most reliable because if a file matches a signature in the antivirus directory, then it’s highly likely to be malicious. This is why it is important to keep the antivirus signatures regularly updated. However, they don’t always get it right and sometimes double-checks are a good idea. Indeed, false positives can occur with behavioural analysis as well as signature-based scans.
With signature-based scanning, the AV looks for a specific pattern of bytes, previously listed as malicious, or at least suspicious. With behaviour analysis, actions are detected which may not be malicious but correspond to symptoms of malicious activity. Unfortunately, neither method is infallible.
Antivirus software looks for the signatures of viruses rather than whole of the virus program. These unearthed signatures may not necessarily be just virus codes. Modern, and especially the best paid-for antivirus software often incorporate behavioural methods of dealing with viruses, and it’s these methods that are most likely to create false positives.
Behavioural methods analyse program data, comparing it to a list of hazardous actions, at which point it may decide it’s dangerous and highlight that. This is because behaviour methods rely on probability and are therefore not certain that an infection actually exists. It’s then down to the user as to whether or not he or she eliminates the ‘virus’ or not.
When an antivirus identifies a suspicious a file, it provides a specific name for the type of malware it is. It is then possible to Google this name and find links to antivirus companies’ malware database websites, which should reveal why the file is blocked. Hopefully a false-positive warning displayed. If users trust the source, they can then bypass their AV software’s malware alert and run the file.
Other ways to prevent false positives
Community posts and forums – especially those hosted by AV providers – can also be helpful in determining whether or not the detected program is indeed a false positive.
Of course there’s a possibility that website may have been compromised, so user need to be sure they are on a genuine branded website and not a fake one designed to illicit downloads of malware!
As a result of this relative ease to which antivirus software can achieve high malware detection by effectively blocking unknown programs – whether malicious or benign –it is important to include tests for false positives.
In 2015 VirusTotal, the Google-owned online malware scanning service, created a list of products from large software manufacturers to help reduce antivirus programs false positives.
VirusTotal allows users to upload a suspicious file (or copy and paste the supposedly malicious URL) to a database of over 70 established antivirus scanners and URL -blacklisting services, to establish whether or not it is genuinely dangerous. Results are also shared with contributors, improving products and services.
If a program has already been installed and is causing problems with AV software, users can use shouldiremoveit.com (Should I Remove It), a free tool to scan installed programs in order to rank them in terms of whether or not they should be un-installed. Programs flagged as red are seen as a potential security risk and should be removed, while those flagged green are safe.
If AV software quarantines a downloaded program that the user thinks is safe, it is usually possible to unblock the firewall, but it’s safer to follow the software’s procedure for checking false positives – just in case.
Sometimes free programs include extras that AV software flags as dangerous. To avoid this, it’s a good idea to install using the ‘custom’ install option, rather than the regular method – then just deselect unwanted extras that could cause false positives. Another method is to use a free tool called Unchecky, which runs in the background monitoring all installations, rejecting any extras that are extraneous to the main program.
Finally, users can assist AV companies in reducing the number of false positives by reporting files that are incorrectly flagged as threats. AV companies usually provide ways of submitting files in order that they can ‘untick’ them as malicious.