What are Antivirus False Positives and How to Deal with Them
When an antivirus software mistakes a legitimate file for malware, it is called a false positive. Firewalls can detect false positive at a network level and anti-phishing at the browser level, respectively.
Although it is frustrating to find your antivirus detecting false positives, it is still a better alternative to the software missing out on files. So if you are irritated with your antivirus detecting false positives and are looking for a way to find out if the flagged files are legitimate or malicious, then this guide is for you.
False positives are a side-effect of having an antivirus installed on your PC. Nevertheless, if your antivirus detects a large number of false positives, you can change specific settings in the software or consider downloading another antivirus.
What are False Positives
False-positive is a phenomenon that occurs when the antivirus flags a safe file as malware. Every antivirus is bound to make the mistake of detecting false positives. While some antivirus software do it seldom, others tend to make this error quite regularly.
Antivirus software is programmed to work a certain way and have a wide range of criteria for deciding the legitimacy of a file. Some antivirus software, for instance, may flag password managers as malware because they generate executable files and write registry entries, which is similar to how rootkits and cryptojackers work.
Some antivirus also flag VPNs as malware because they filter web traffic to make browsing faster and easier. False-positive may occur for different reasons, depending on the type of antivirus software you are using.
Here are a few of the tools that antivirus and malware scanner software use, along with the reasons they could return a false positive on scan:
Signature-based: Signature-based antivirus software use a database of known malware to cross-check the files on your computer and flag the files that match the signature of the known malware. These signatures are a string of codes and can be included in legitimate programs as well as malicious files.
Heuristics: Heuristic-based antivirus software find our suspicious characteristics in malicious files or modified versions of existing threats. The antivirus vendor has a heuristics database that it uses to cross-reference any program’s code. If a percentage of the program’s code matches the labelled threat in the existing database, it will be flagged as a threat. Unfortunately, although this premise allows antivirus software to spot modified malware variants, it can also result in false positives.
Behaviour analysis: Some antivirus come with machine learning enabled. They use this feature to identify malware based on the behaviour of a program instead of reading their signature. This feature allows antivirus software to spot new malware that have not been added to the database yet. Nevertheless, this type of antivirus software also flag legitimate behaviour.
PUP blockers: A lot of adware and spyware blockers flag ad-supported software and bundleware. If you are downloading software that offers to install other third-party programs or tries to install a toolbar in your browser, it will most likely be flagged as a potentially unwanted program (PUP) by your blocker.
How to figure out the difference between a false positive and a virus?
More often, when an antivirus software flags a file or program as malware, it will put the said file or program in quarantine. You can access these files by clicking the “Quarantine” button in your antivirus software. You can gain access to the location of the file as well as its name and use this information to figure out whether your antivirus has made the right decision or has quarantined a useful file.
Do a Google search: A quick Google search will tell you whether the quarantined file or program is malware. If you find negative reviews, community posts, forums, etc., about the program it could indeed be a virus or malware. However, if you don’t find any such evidence on the internet, it is most likely a false positive.
Update your antivirus: Sometimes, antivirus software detect false positives because of not being updated in a while. Check your software for updates and if an update is pending, make sure to install it. Once you have updated your antivirus, do a complete scan again.
Do a cross-check on VirusTotal: VirusTotal is a free resource with 70+ virus engines in its database. It uses this database to scan suspicious files. You can upload the flagged file/program to the VirusTotal website to cross-examine it for malware properties. If VirusTotal does not flag your uploaded file/program, it is most likely a false positive.
Remove PUPs: If you find yourself overly annoyed by the number of times your antivirus software detects false positive, you can use your antivirus’s disk cleanup tool or go to shouldiremoveit.com and download the free tool. This tool will scan the programs on your PC and tell you if they need to be uninstalled. It will also highlight each program by colour, with red meaning potentially harmful and green meaning safe.
Use antivirus customer support: You can visit your antivirus’s official website and community forums to see if other users are facing the same issue. If you are lucky, you can find IT, professionals or developers, to help you out with your issue. You can also talk to customer support (e.g McAfee Customer Support) through email, call, or live chat and record your complaint with them.
Review the flagged file: Antivirus software provides detailed information about the flagged file, including its type of malware. You also get notified when your antivirus detects malware. Nevertheless, in case you don’t get notified, you can locate the file manually by following these steps on your PC:
- Open File Explorer
- Select “This PC”
- Locate the file using the search bar or look through Program Files or Program Files (x86)
- Right-click on the flagged file and select Properties>Digital Signature to check its publisher. If the file’s digital signatures from renowned brands such as Microsoft, Google, etc., it is most likely safe. However, if the digital signature is from unknown entities, it could be a potentially harmful file.
Read More: How to install McAfee Antivirus Software
What to do if the problem persists?
If you have performed all the above-mentioned steps and still are not able to stop your antivirus software from detecting false positives, you can choose to whitelist the file/program so that it is not flagged in the next scan. While every antivirus system has its own steps of whitelisting files, the process should go something like this:
- Find the “Whitelist” option on your antivirus app. Note that different antivirus software may have different terminologies for the Whitelist. You can usually find this option in the quarantine folder or the settings menu.
- You can add the file that is detected as false positive to a list of whitelisted file.
- Save the Whitelist and restart the antivirus program
- Run a scan to ensure the file is whitelisted
Additionally, you should also notify your antivirus vendor that the software is detecting false positives. Alternatively, you can also notify the file/program’s publisher that your antivirus is flagging them as malware.