Antivirus False Positives

We should all be taking security seriously. As we’ve mentioned before, staying on top of security updates is critical, as is maintaining an antivirus product. While you should always take the reports of the AV product seriously, sometimes they do miss the mark. They may mark files or processes as malicious when in fact they’re perfectly legitimate.

Heuristic scans can help provide protection against so-called “zero-day” viruses: threats released before the antivirus vendors can get a sample, prepare definition files and deploy them to customers. They work by looking at a file’s code and noticing certain patterns that differentiate it from normal programs. However, because the detection methods rely on a set of generic behavior rules to determine whether something is malicious, false positives are more common than with explicit antivirus definitions, which are rules engineered to detect specific threats or otherwise well-known behaviors.

This is frequently the case with IT toolkits used to perform certain tasks. These applications may access or modify system files, establish remote connections, send data to or from the machine, or otherwise do things that are very virus-like. As with all tools, whether or not one is malicious depends on what it’s made for and, after that, how it’s used.
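The difference between explicit definitions and generic heuristic rules, and why an IT toolkit can trip the latter, is shown in the following added example (not part of the original post). The rule names, weights, threshold and sample files are all constructed for illustration and do not represent any vendor's engine.

```python
import hashlib

# Constructed signature database: SHA-256 of one known-bad sample (assumption).
KNOWN_BAD = {hashlib.sha256(b"constructed known-malware sample").hexdigest()}

# Constructed generic behavior rules with weights; not any vendor's real rule set.
HEURISTIC_RULES = {
    "modifies_system_files": 3,
    "opens_remote_connection": 2,
    "sends_data_off_machine": 2,
    "reads_other_process_memory": 3,
}
THRESHOLD = 5  # a score at or above this is flagged (assumption)


def signature_scan(content: bytes) -> bool:
    """Explicit definition: flag only an exact match with a known sample."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD


def heuristic_scan(behaviors: set) -> tuple:
    """Generic rules: sum the weights of observed behaviors, compare to threshold."""
    matched = sorted(b for b in behaviors if b in HEURISTIC_RULES)
    score = sum(HEURISTIC_RULES[b] for b in matched)
    return score >= THRESHOLD, score, matched


# Constructed samples: name -> (file content, observed behaviors)
SAMPLES = {
    "known_malware": (b"constructed known-malware sample",
                      {"modifies_system_files", "sends_data_off_machine"}),
    "new_malware": (b"constructed unseen variant",
                    {"modifies_system_files", "opens_remote_connection",
                     "sends_data_off_machine"}),
    "remote_admin_toolkit": (b"constructed IT toolkit",
                             {"modifies_system_files", "opens_remote_connection"}),
    "text_editor": (b"constructed editor", set()),
}


def scan_all() -> dict:
    """Run both scan types over every sample and collect the verdicts."""
    results = {}
    for name, (content, behaviors) in SAMPLES.items():
        flagged, score, _ = heuristic_scan(behaviors)
        results[name] = {"signature": signature_scan(content),
                         "heuristic": flagged, "score": score}
    return results


if __name__ == "__main__":
    for name, r in scan_all().items():
        print(f"{name:22} signature={r['signature']!s:5} "
              f"heuristic={r['heuristic']!s:5} score={r['score']}")
```

The unseen variant is caught only by the heuristic rules, and the legitimate toolkit is flagged by those same rules even though no definition matches it.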

If a threat is detected, it pays to get a second opinion after the threat is quarantined. Services such as VirusTotal can scan files against 40+ scanning engines and current definition files at once; if only one engine/definition set detects the file, it may be a false positive, or that vendor’s definitions may be ahead of the others on a specific threat. You may try submitting the file again after a day or two to see whether anyone else detects it as malicious.

Once you’re sure whether a file is malicious, you can best evaluate your current practices to see if you’re doing all that needs to be done to secure yourself against threats.
