A false positive is simply a diagnosis mistake. In the context of malware, it refers to the case where an anti-malware application flags a benign file as dangerous.
Today I want to show you two things:
- How to tell whether your antivirus software made a mistake
- How to report the false positive to the vendors
Let’s get right to it.
Where did the file come from?
We need to start with the obvious question first: where did the file come from?
If it came from your boss, who is constantly paranoid about viruses, then the file is probably safe (probably: even a careful sender can forward something from a machine or mailbox that was compromised without their knowledge).
Conversely, if it came from the turbid waters of BitTorrent then the software pirates sailing those seas probably attached a few nasty Trojans for you.
It really boils down to trust.
If the file source seems the least bit nebulous or unsavory then stop and think about why.
Did it come from your skittish aunt who blithely opens every attachment she receives? Or maybe it came from your ex-wife moments before the divorce? Or maybe you downloaded it from a reputable website but something about the file makes you feel weird.
Was the installer replete with annoying offers? Are you sure that website was really official and not masquerading as the real thing?
Also be wary of those annoying download bars rampant on freeware sites. We often have to weave our way through the labyrinth of advertisements and “fake” download buttons just to get to the software we want.
Some sites such as snapfiles.com don’t stoop to tricking you with silly “look-alike” buttons, but not everyone is so nice.
Majorgeeks.com, for example, requires your full attention.
You need to carefully navigate the ad maze to find the real download button.
Hint: It’s not the big green Download Now button, the real button is actually further down under DOWNLOAD LOCATIONS.
Watch out for stuff like that.
See what the other guys say
Let’s say the check engine light on your car suddenly lights up one morning.
The way I see it – there are two possibilities here – either:
- The warning light is broken and your engine is actually fine or
- The engine really has a problem
So how would you figure this out?
You could take it to the unscrupulous mechanic down the street and give credence to his opinion that you need a new transmission.
But you wouldn’t trust this mechanic on his word alone. After all, your trusty Dad had nothing good to say about that dump.
So what do you do?
You drive up the road to Sal’s Spiffy Lube. He has a five star reputation in town and is known for being both competent and cordial.
When you pull up to the station, the mechanic inspects your car and immediately realizes the root problem is a short in your electrical system.
You then take your car to a third mechanic for a final opinion and he corroborates Sal’s diagnosis.
This is a similar procedure to follow when figuring out if a file is actually infected.
Don’t speculate; get the facts.
I suggest scanning the file with 53 concurrent antivirus engines at VirusTotal.
You can either download the VirusTotal uploader and install the application, or upload your file directly through the browser (just make sure it’s less than 64MB). If the file is sensitive, search VirusTotal for its SHA-256 hash first: if someone has already submitted the same file, you get the verdicts without uploading anything.
I wrote about VirusTotal a few days ago and listed it as one of my top two programs to get this summer. It’s a great resource and is not only perfect for discerning false positives but also for making sure suspicious files are truly clean.
My VirusTotal rationale is this: if a detection is dubious, then only a few vendors will raise the alarm, and usually with a generic or heuristic name rather than a specific malware family. For example, AVG might report the file as infected; however, the other 52 antivirus engines might show that you’re in the clear.
Anubis is also a good service for analyzing freaky files but it isn’t as robust as VirusTotal.
Now here’s the thing: after using VirusTotal and Anubis the file could still be infected. A low detection ratio is evidence, not proof, because brand-new malware also starts out with only a handful of detections. But at least you’ll have a good reason to believe that AVG is responsible for the false positive.
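Here is the "few engines, generic names" reasoning above turned into a small script. This is an added example, not code from the original post: it hashes a file so you can look the hash up on VirusTotal without uploading it, and it summarises a per-engine verdict table the way the post describes. The verdict sample is constructed (53 engines, two flagged), and the list of "generic" name markers and the threshold of three engines are my rule-of-thumb assumptions, not anything VirusTotal or the vendors publish.

```python
"""Triage a suspected antivirus false positive (added example, not from the post).

Two steps: hash the file so it can be looked up on VirusTotal by SHA-256,
and read a multi-engine verdict table: few engines flagging, all with
generic/heuristic names, is the pattern of a probable false positive.
"""
import hashlib
import io
import re
import sys
from typing import BinaryIO, Dict, Optional

CHUNK = 1 << 20  # hash in 1 MiB chunks so big installers never have to fit in memory


def hash_stream(stream: BinaryIO) -> Dict[str, str]:
    """Return MD5, SHA-1 and SHA-256 hex digests of a binary stream."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return hash_stream(io.BytesIO(data))


def hash_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as f:
        return hash_stream(f)


def virustotal_urls(sha256: str) -> Dict[str, str]:
    """Where to look a hash up: the public report page and the v3 API (needs an x-apikey header)."""
    return {
        "report": f"https://www.virustotal.com/gui/file/{sha256}",
        "api": f"https://www.virustotal.com/api/v3/files/{sha256}",
    }


# Assumption: tokens that mark a heuristic/generic verdict rather than a named family.
# Word boundaries keep "gen" from matching inside names like "Trojan.Agent".
GENERIC_RE = re.compile(r"\b(gen|heur|heuristic|generic|suspicious|unsafe|pua|pup|riskware)\b", re.I)


def is_generic_name(name: str) -> bool:
    return GENERIC_RE.search(name) is not None


def assess_verdicts(verdicts: Dict[str, Optional[str]], max_flagged: int = 3) -> Dict[str, object]:
    """verdicts maps engine -> detection name, or None when the engine called it clean.

    'likely_false_positive' is True when at most max_flagged engines flag the file
    and every one of them uses a generic/heuristic name. Evidence, not proof:
    brand-new malware also starts out with only a few detections.
    """
    flagged = {eng: name for eng, name in verdicts.items() if name}
    all_generic = bool(flagged) and all(is_generic_name(n) for n in flagged.values())
    return {
        "flagged": len(flagged),
        "total": len(verdicts),
        "ratio": f"{len(flagged)}/{len(verdicts)}",
        "engines": sorted(flagged),
        "likely_false_positive": 0 < len(flagged) <= max_flagged and all_generic,
    }


# Constructed sample: 51 engines report clean, two flag the file with generic names.
SAMPLE_VERDICTS: Dict[str, Optional[str]] = {f"Engine{i:02d}": None for i in range(1, 52)}
SAMPLE_VERDICTS.update({"AVG": "Win32:Malware-gen", "Bkav": "W32.Sample.Suspicious"})


def triage_sample() -> Dict[str, object]:
    return assess_verdicts(SAMPLE_VERDICTS)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        digests = hash_file(sys.argv[1])
        print(digests)
        print("look it up first:", virustotal_urls(digests["sha256"])["report"])
    print(triage_sample())
```

Run it with the path of the suspect file to get its digests and the VirusTotal report URL for the hash; the sample verdict table prints a 2/53 ratio and flags it as a likely false positive. A detection named after a specific family (say, a banking trojan) would not be waved through by this rule even if only one engine reported it, which is the right default: a named family from a single engine deserves a closer look, not a shrug.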
In that case, we can report the false positive so the antivirus makers can correct their signatures.
You can ZIP up the potential virus and email all the big guys at once, or take a more focused approach by sending it directly to the relevant vendors. Most vendors ask that the archive be password-protected (conventionally with the password "infected") so that mail scanners along the way don't strip it:
Here’s how to report false positives to a few of the big guys:
- Symantec Erroneous Detection
- AVG False Detection Form
- McAfee False positive dispute
- Avast Report False Alert
- Bitdefender False Positive
To be extra sure, I would throw the alleged virus name into Google to read what other people have said about it. If the file has been around for a while and really is a false positive, you’ll find corroboration online.
You can also try hunting down the developer contact to ask them if the file is legit.
The Bottom Line
No computer user is impervious to computer viruses. Your experience and software protection stack are irrelevant: everyone is susceptible to being infected.
The real question is whether or not the alleged infection is valid.
The best way to ascertain the legitimacy of a file is to think about its source. Pay attention to the file's origin.
Also, tools such as VirusTotal and Anubis can either corroborate or contradict your suspicion.
So what do you guys think? Have you had any false positives recently? Please share in the comments section below!