How To Confirm False Positive Antivirus Detection

Modern antivirus applications often do a good job of protecting your machine in its day-to-day operations. However, security applications are not perfect, and there are occasional false positive detections. It is typically tricky to determine whether a detection is a false positive or a legitimate threat.

What Are False Positive Antivirus Detections

False positives are instances when your security application identifies a file or a program as malicious and you believe it isn't. This typically happens when you've just installed the antivirus program or after a major update. Security programs rely on the signatures of known threats and will flag anything that resembles them. However, some trusted programs may resemble those threats.

False positives are one of the primary reasons why security programs quarantine threats instead of deleting them immediately.

Security applications, such as MalwareFox, will provide as much information as they can about the identified threat. For instance, detection results will show the file location, the associated program, and what type of threat it thinks matches the file. Some antivirus programs may even provide a quick way to research the threat without leaving the security interface.


How False Positive Detection Happens

There are several instances when false detection happens. Knowing them is half the battle.

First, it is possible that security developers may roll out a bad virus definition update. For example, in 2011, a faulty Microsoft Security Essentials update caused it to identify Google Chrome as a Trojan and subsequently remove it. This rarely happens, but it is possible. Thus, it is important to check the news and updates sections of your antivirus vendor's website before deleting any suspected false positive results.

Newly installed security programs may also identify several false positives. Most antivirus software "learns" the behavioral patterns of the programs and files on your machine over time.

However, it will rely on known threat signatures during its first scan, which may identify legitimate files as malicious. As such, you can define "exceptions" to teach the program which applications and files are harmless.

Lastly, some programs may fall under a "gray area". You may trust a freeware program that comes bundled with a bunch of advertisements, but the security program doesn't know that. Programs that employ file compression and protection techniques will also catch the attention of your security program, as they may resemble certain types of malware. Utility programs will also fall under the gray area. Moreover, questionable toolkits such as those for cracking software will be classified as threats.

For example, MalwareFox and AVG typically detect Incredimail on their first scan as a potential threat. However, the email application is preferred by many and is not really harmful to the system. Another example is Malwarebytes tagging Advanced SystemCare as a potentially unwanted program (PUP). The Advanced SystemCare Performance Monitor will not work properly when the flagged files are deleted.

How to Confirm False Positive Detections

It is highly likely that a file or an application is harmful when an up-to-date security program tags it as such. However, there are a couple of steps that you can take when you want to determine whether a scan result is a false positive.

Solution 1: A quick Google search will often show you what the file or program does. Moreover, it is an easy way to confirm whether the detected file is indeed a threat or not. You can further confirm the details by reading community posts and forums, especially those hosted by your security application provider.

Only a few antivirus programs will identify a file as a threat if it is a false positive. At this point, you can use your secondary security application (one that works alongside your security suite) to check whether it produces a similar report. If it does, then the file or program is most likely harmful.

Solution 2: A better way is to use VirusTotal to survey the results of most security engines. VirusTotal is an online virus scanner which aggregates over 70 antivirus products and online scan engines to show a comprehensive analysis. Locate the file in your quarantine, then upload it to the website. The results are also shared with the contributing vendors, which use them to improve their own products and services.

Assess the validity of the detection according to the results of further scans. It is highly likely that a file or a program is a threat if most security programs report it as one.
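As an added example (not from the original article), the following script automates the VirusTotal step described above: it hashes the quarantined file locally and looks the hash up instead of uploading the file, then applies the article's rule that a majority of engines flagging a file makes it a likely threat. It assumes the VirusTotal v3 API (the `/files/{hash}` endpoint, the `x-apikey` header and the `last_analysis_stats` field), an API key in the `VT_API_KEY` environment variable, and thresholds of my own choosing.

```python
import hashlib
import json
import os
import urllib.error
import urllib.request

# VirusTotal v3 "file object" endpoint, queried by SHA-256 (assumed API shape).
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_digest(chunks):
    """Hex SHA-256 over an iterable of byte chunks."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def sha256_of_file(path):
    """Hash the quarantined file locally; a hash lookup never uploads the file itself."""
    with open(path, "rb") as f:
        return sha256_digest(iter(lambda: f.read(1 << 20), b""))


def lookup_by_hash(sha256, api_key):
    """Return VirusTotal's last_analysis_stats for the hash, or None if no engine has seen it."""
    req = urllib.request.Request(VT_FILE_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None  # unknown hash: the file must be uploaded before it can be judged
        raise
    return data["data"]["attributes"]["last_analysis_stats"]


def assess(stats, majority=0.5, few=3):
    """Triage rule: most engines flag it -> likely threat; only a handful -> likely false positive."""
    if not stats:
        return "unknown"
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    if total == 0:
        return "unknown"
    if flagged / total >= majority:
        return "likely-threat"
    if flagged <= few:
        return "likely-false-positive"
    return "inconclusive"  # a minority of engines agree; research the named detection further


if __name__ == "__main__":
    import sys
    digest = sha256_of_file(sys.argv[1])
    print(digest, assess(lookup_by_hash(digest, os.environ["VT_API_KEY"])))
```

Run it as `python vt_check.py <quarantined file>`; an "unknown" result means no engine has a verdict yet and the file still has to be submitted through the website.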

Final Thoughts

False positive detections do not happen very often. Make sure that you consider the results of the steps above before declaring a file or a program safe. Also, schedule regular scans of your computer using an up-to-date security program, like MalwareFox, to allow it to learn your machine. Moreover, keep all the programs on your computer updated, including drivers, as outdated software can also cause false positives.
