“False positives” occur whenever a file is flagged as being dangerous or malicious when it is in fact quite safe. Anyone who’s ever dealt with antivirus software has come across false positives at some time or another. To this day, I still receive numerous comments from users wanting to know if a file (usually an executable) that has been flagged by one or more antivirus engines through VirusTotal is malicious or not.
Now, VirusTotal scans files through multiple antivirus engines, currently around 60 to 70 of them, and if just one or two flag the file as malicious while all the others give it a clean bill of health, my advice is always that it is most likely a false positive, especially if the engines doing the flagging are of the lesser-known variety.
How Do False Positives Occur?
Antivirus solutions inherently err on the side of caution, which is a good thing. Better to be safe than sorry. However, this can often lead to false positives based purely on what an executable is capable of doing (reading stored credentials, say, or injecting code into other processes) combined with the antivirus’s inability to judge whether that capability is being used with malicious intent.
A typical example is any password recovery software, such as NirSoft’s MailPassView. Because this type of software has the ability to reveal stored passwords, it can obviously be used for malicious purposes in the wrong hands. This is how antivirus solutions view the situation, and consequently they flag the software as malicious. However, many users utilize MailPassView to retrieve their own forgotten email passwords, which is not malicious at all, quite the opposite.
Antivirus solutions have no way to distinguish between possible malicious use and a user simply trying to recover their own passwords so, as I mentioned, they err on the side of caution and will almost always flag this type of software. The giveaway is usually in the detection name: dual-use tools tend to be labelled HackTool, PUA or PUP (potentially unwanted program), Riskware or “not-a-virus” rather than Trojan, which is the engine’s way of saying it objects to what the program can do, not that it has found a payload. Checking that label in the VirusTotal results is the quickest way to tell a dual-use tool from genuine malware.
All modern antivirus solutions include components that go beyond matching signatures of known samples: heuristic detection, which looks for suspicious code patterns in the file itself, and behavioral detection, which watches what the program actually does. This type of protection is very effective against zero-day (previously unknown) threats, but because it judges by resemblance rather than by an exact match it is also prone to the occasional mistake. These occasional mistakes are known as false positives.
How Can You Be Sure?
If ever you’re unsure, VirusTotal is a terrific resource for a clear indication of whether a file (executable) is malicious or not, with two caveats. A clean result proves only that no engine recognized the file at the moment of the scan, so a brand-new or targeted sample can come back clean; and a scan of a setup file says nothing about components the installer fetches from the internet once it runs. Regardless, if you’re installing a program for the first time, and particularly if the software is relatively unknown, you should always scan the setup file through VirusTotal prior to installation. Search VirusTotal by the file’s hash before uploading it: a hash lookup shares nothing, whereas anything you upload is distributed to VirusTotal’s partners and the wider security community.
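To make the rule of thumb above concrete, here is an added example (not code from the original post or from VirusTotal) that reads a VirusTotal API v3 file report and summarises it the way this article suggests: how many engines flagged the file out of how many, and whether the detection names describe a dual-use tool such as a password recovery utility rather than a trojan. The endpoint, the `x-apikey` header and the `last_analysis_results` field are the real v3 API; the 5% threshold, the `GREYWARE_MARKERS` list, the placeholder engine names and every detection label in the samples are this example's own assumptions and constructed data, not real vendors or real verdicts.

```python
"""Triage a VirusTotal v3 file report using the article's rule of thumb.

Added example for this page, not code from the original post or VirusTotal.
Endpoint, header and JSON field names follow the public VirusTotal API v3;
the thresholds, GREYWARE_MARKERS and all sample reports are assumptions and
constructed data.
"""
import hashlib
import json
import os
import sys
import urllib.request

# Substrings vendors commonly put in detection names for dual-use software
# (password recovery tools, remote-admin utilities) rather than outright
# malware. Assumption: extend it for the vendors you actually see.
GREYWARE_MARKERS = ("pua", "pup", "hacktool", "riskware", "not-a-virus",
                    "pswtool", "unwanted", "grayware")


def sha256_of(path):
    """Hash a file in chunks so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fetch_report(sha256, api_key):
    """Look up an existing report by hash (GET /api/v3/files/{hash}).
    A hash lookup never uploads the file; only upload (POST /api/v3/files)
    if you accept that the sample is shared with VirusTotal's partners."""
    request = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key})
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def triage(report, fp_ratio=0.05):
    """Summarise a v3 report: engine count, flagged engines, the greyware
    subset and a verdict. fp_ratio (assumed 5%, roughly 1-3 engines of
    60-70) is the share below which a detection is a likely false positive."""
    results = report["data"]["attributes"]["last_analysis_results"]
    total = len(results)
    flagged = {engine: entry.get("result") or "(unnamed)"
               for engine, entry in results.items()
               if entry.get("category") in ("malicious", "suspicious")}
    greyware = {engine: name for engine, name in flagged.items()
                if any(marker in name.lower() for marker in GREYWARE_MARKERS)}
    if not flagged:
        verdict = "clean-by-current-signatures"
    elif len(greyware) == len(flagged):
        # Every detection objects to capability, not to a payload: the
        # MailPassView situation. Only the user's intent settles it.
        verdict = "dual-use-tool"
    elif len(flagged) / total <= fp_ratio:
        verdict = "likely-false-positive"
    else:
        verdict = "likely-malicious"
    return {"engines": total, "flagged": flagged,
            "greyware": greyware, "verdict": verdict}


def make_report(flagged, total=70):
    """Build a minimal v3-shaped report for offline use. CONSTRUCTED data:
    Engine00..Engine69 are placeholder vendors and the labels are invented."""
    results = {f"Engine{i:02d}": {"category": "undetected", "result": None}
               for i in range(total)}
    for engine, label in flagged.items():
        results[engine] = {"category": "malicious", "result": label}
    return {"data": {"attributes": {"last_analysis_results": results}}}


# Three constructed scenarios matching the situations the article describes.
SAMPLES = {
    "lone detection from one obscure engine":
        make_report({"Engine58": "Trojan.Generic.Heuristic"}),
    "password recovery tool flagged as a hacking tool":
        make_report({"Engine03": "not-a-virus:PSWTool.PasswordRevealer",
                     "Engine11": "HackTool.Win32.PassDump",
                     "Engine42": "PUA.PasswordRecovery"}),
    "broadly detected trojan":
        make_report({f"Engine{i:02d}": "Trojan.Win32.Agent" for i in range(45)}),
}

if __name__ == "__main__":
    if len(sys.argv) == 2 and os.environ.get("VT_API_KEY"):
        # Live use: VT_API_KEY=... python vt_triage.py path/to/setup.exe
        live = fetch_report(sha256_of(sys.argv[1]), os.environ["VT_API_KEY"])
        print(json.dumps(triage(live), indent=2))
    else:
        for label, sample in SAMPLES.items():
            summary = triage(sample)
            print(f"{label}: {len(summary['flagged'])}/{summary['engines']} "
                  f"engines -> {summary['verdict']}")
```

Run without arguments and it triages the three constructed samples offline; with a file path and a `VT_API_KEY` environment variable it hashes the file and looks the hash up, which is the sharing-free way to check a setup file. The dual-use verdict deliberately ignores the count: fifty engines labelling a password tool as PUA is still a statement about capability, and whether that matters is for the person who downloaded it to decide.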
Whenever I test software here at DCT with a review in mind, I always scan the executable (setup file) through VirusTotal first to make sure it is safe to recommend.