Virus False Positives: How Can You Be Sure?

Almost every time I write an article about some web site or perhaps about a Windows program that can be downloaded and installed on your computer, I will receive at least one email message or other report from someone saying something like, “I downloaded it but my anti-virus program says it has a virus or a trojan.”

My response usually is, “Well, maybe…”

In many cases, the claim of a virus, trojan or other malware (malicious software) is a so-called “false positive.” That is, the anti-virus program reported a problem that isn’t really there: there is no virus or other problem at all, but the anti-virus program thinks there is. All anti-virus programs will occasionally report false positives, usually because a detection signature or heuristic rule happens to match something harmless in the file.

How do you determine the truth? Actually, there are several ways.

Of course, the conservative approach is to not take a chance: don’t view web sites that are reported to have a possible problem, and delete any newly-downloaded program that triggers an alert. That always works, but you do miss out on numerous things that have no viruses or other problems.

I’d suggest you first check to make sure your anti-virus program’s definitions have been updated within the last day or so. If not, manually update them now, and then scan again. In many cases, an anti-virus vendor will add new definitions, only to find that some legitimate program trips the alerts improperly. When the vendor is notified, it normally fixes the false positive and issues corrected definitions within hours. If you are running last week’s definitions, you may be dealing with a false positive that has already been fixed by an update you don’t yet have.

Web Sites

You can find numerous tools for checking web sites for potential problems.

My favorite tool for scanning web sites is VirusTotal, a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners. VirusTotal has been around for years and has earned a good reputation.

VirusTotal is very easy to use: simply copy-and-paste a URL (web address) into VirusTotal’s search box and let the online service check the web site for you.

You can find VirusTotal at https://www.virustotal.com.

You also might want to read the article A first shot at false positives in the VirusTotal Blog at http://blog.virustotal.com/2015/02/a-first-shot-at-false-positives.html. The article describes one effort to get rid of false positive reports. It states, “We have been working on this for just one week and with just one company, Microsoft, yet results look very promising: over 6000 false positives have been fixed. ”

Note that VirusTotal checks both web sites (by URL) and downloaded files (by uploading the file, or by searching for its hash to see whether someone has already submitted it). The remaining services in this article are for downloaded files only.

Programs

For checking files or programs downloaded to a Windows computer, you can find a number of available tools to provide a “second opinion.”

If your anti-virus program’s definitions are up to date, you might want to see if one of those definitions may be in error. To do this, go to Google or some other search engine and type in the name of your anti-virus program followed by the term “false positive” in quotes. For instance, if your anti-virus program is SonicWALL Gateway Anti-Virus, enter this:

SonicWALL Gateway Anti-Virus “false positive”

Enter the name of your anti-virus program in place of “SonicWALL Gateway Anti-Virus” in the above example. This will show you reports from other users of your anti-virus program so that you can tell if your program is prone to false positives or not.

Again, ALL anti-virus programs will occasionally report false positives. Don’t be concerned if you see a handful of such reports; but, you might want to re-consider your choice of program if you see lots of people have the same problem.

You can also go to Google or some other search engine and see if other people have reported a virus in the program you just downloaded. Include the exact detection name shown in your anti-virus program’s alert if it gave one, since other users who hit the same false positive will have searched for the same name. For instance, if you just downloaded a nifty program called XYZ.EXE, you might go to Google and enter:

XYZ.EXE virus

or

XYZ.EXE download virus

Whatever other measures you choose, it’s a good idea to get a “second opinion” from an expert. You can upload the questionable file to any of several online virus testing services. While these online tests should show any real infections in the file they’re examining, they are not designed to remove those infections; for that task you need to use an anti-virus program that is installed on your computer. Bear in mind, too, that files you upload to these services are generally shared with anti-virus vendors for analysis, so don’t upload anything confidential.

As to which testing service to use, I’d suggest Jotti’s Malware Scan, a free virus scanner that lets you upload and thoroughly check files for viruses and trojans online. Jotti’s Malware Scan checks the file you upload with 22 well-known anti-virus engines (including A-Squared, AntiVir, ArcaVir, Avast, AVG Antivirus, BitDefender, ClamAV, CPsecure, Dr.Web, F-Prot Antivirus, F-Secure Anti-Virus, Fortinet, Ikarus, Kaspersky Anti-Virus, NOD32, Norman Virus Control, Panda Antivirus, Sophos Antivirus, VirusBuster, VBA32, etc.). It then gives you a summary report from each of them. By checking the new file with multiple well-known anti-virus programs, you receive a good picture of the truth.

You can find Jotti’s Malware Scan at http://virusscan.jotti.org/en.

Which would you rather believe: the one anti-virus program installed in your computer or more than twenty of today’s leading anti-virus programs?

Occasionally you will see one engine produce a “false positive” report while all the others report “no virus.” I prefer to go with the majority vote, with one caveat: a lone detection is most likely a false positive when it carries a generic or heuristic name (something like “Gen:” or “Heur” in the detection name) and the file came from the publisher’s own web site. A lone detection with a specific family name on a file from an unfamiliar download site deserves more suspicion, since brand-new malware also starts out detected by only one or two engines. In most cases, if you return a few days later and test the same file again, all engines will report “no virus,” because the vendor that raised the alert has since corrected its definitions.
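As an added example (not code from this article or from any of the scanning services it names), here is a small Python script that does the “second opinion” tally described above: it hashes a download so the file can be looked up on VirusTotal without uploading it, then reads a multi-engine report and applies the majority-vote rule, separating a lone generic/heuristic hit (probable false positive) from a lone named-family hit (worth a rescan after a definitions update) and from broad agreement (treat as malicious). The report it parses is a constructed sample in the shape of VirusTotal’s v3 file-report JSON; the engine names, the detection strings, the MIN_CONSENSUS threshold and the GENERIC_PREFIXES list are assumptions of this example, not anything the scanners publish.

```python
"""Triage a multi-engine scan report the way the article suggests: count how
many engines flag a downloaded file, then decide whether a lone detection
looks like a false positive, a real infection, or something to re-check once
definitions have been updated.

Added example, not code from the original article or from VirusTotal.
SAMPLE_REPORT is a constructed sample in the shape of VirusTotal's v3
file-report JSON (data.attributes.last_analysis_results); the engine names
and detection strings are made up, and the thresholds are assumptions.
"""
import hashlib
import json
import re

# Categories in which an engine actually rendered a verdict on the file
# (as opposed to "timeout", "type-unsupported" or "failure").
VERDICT_CATEGORIES = {"harmless", "undetected", "malicious", "suspicious"}

# Assumed: name fragments that usually mark a heuristic or generic rule
# rather than a named malware family.  A lone hit of this kind is the
# classic false positive.
GENERIC_PREFIXES = ("gen", "heur", "suspicious")

# Assumed threshold: once this many engines agree, it is no longer "one
# program's opinion" and the file should be treated as malicious.
MIN_CONSENSUS = 3

# Constructed sample: five engines, one of which could not scan the file type
# and one of which raised a generic/heuristic detection.
SAMPLE_REPORT = json.loads("""
{"data": {"attributes": {"last_analysis_results": {
  "EngineA": {"category": "undetected",       "result": null},
  "EngineB": {"category": "undetected",       "result": null},
  "EngineC": {"category": "malicious",        "result": "Trojan.Generic.Suspicious!heur"},
  "EngineD": {"category": "harmless",         "result": null},
  "EngineE": {"category": "type-unsupported", "result": null}
}}}}
""")


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Hash the download in chunks so a large installer need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_url(sha256_hex):
    """VirusTotal's web interface accepts a SHA-256 in the URL, so you can see
    whether a file has already been analysed without uploading it."""
    return "https://www.virustotal.com/gui/file/" + sha256_hex


def looks_generic(detection_name):
    """True if any token of the detection name starts with a generic prefix,
    e.g. 'Trojan.Generic.Suspicious!heur' -> True, 'Trojan.Agent.XYZ' -> False."""
    tokens = re.split(r"[^a-z0-9]+", detection_name.lower())
    return any(t.startswith(GENERIC_PREFIXES) for t in tokens if t)


def summarize(report, min_consensus=MIN_CONSENSUS):
    """Return (engines_with_a_verdict, {engine: detection_name}, verdict)."""
    results = report["data"]["attributes"]["last_analysis_results"]
    scanned = {n: r for n, r in results.items()
               if r["category"] in VERDICT_CATEGORIES}
    flagged = {n: (r["result"] or "") for n, r in scanned.items()
               if r["category"] in ("malicious", "suspicious")}
    if not flagged:
        verdict = "clean"
    elif len(flagged) >= min_consensus:
        verdict = "treat as malicious"
    elif all(looks_generic(sig) for sig in flagged.values()):
        # One or two generic/heuristic hits among many clean engines: the
        # majority vote says false positive; rescan in a few days.
        verdict = "likely false positive"
    else:
        # A lone hit with a specific family name: not proof either way.
        verdict = "inconclusive: rescan after definitions update"
    return len(scanned), flagged, verdict


if __name__ == "__main__":
    scanned, flagged, verdict = summarize(SAMPLE_REPORT)
    print(f"{len(flagged)}/{scanned} engines flagged the file -> {verdict}")
    for engine, name in flagged.items():
        print(f"  {engine}: {name}")
    # Hash-based lookup of a constructed byte string standing in for a download.
    print("Look up without uploading:",
          lookup_url(sha256_of_bytes(b"constructed stand-in for a download")))
```

Run it as-is to see the tally for the constructed report; to use it on a real download, replace SAMPLE_REPORT with the JSON a scanning service returned for the file and call sha256_of_file on the downloaded program to build the lookup URL. The threshold and prefix list are deliberately simple; adjust them to your own tolerance for risk.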

VirSCAN at http://virscan.org is another multi-engine scanner that uses many different anti-virus programs to look for potential problems.

Again, both Jotti’s Malware Scan and VirSCAN are designed to check programs that have been downloaded. They do not analyze web sites.

You can find still more free online virus scanners if you search for them. The above are simply the ones I have used and that I trust.

Summation

Your computer’s healthcare has this much in common with your own: there is no guarantee that either will be forever free of viruses and other nasties, but the measures you take can go a long way toward their protection. The next time your computer reports that some file is virus-infected, tell yourself, “I want a second opinion!”

4 Comments

When searching out new small programs on the internet and getting malware warnings, the website providing the download may be the problem and not the program you seek. I like a small program called Prish Image Resizer but it is hard to find. Depending on what website I download the program from, it may be wrapped with offers to install other software programs or include random junk in addition to the actual program. CNET is one example of a download website that is filled with ads and extra installation offers. If your virus scanner is warning you about malware, there may be a better website to download the program from. If possible, always download programs from the owner or author and not an aggregate website offering multiple programs for download.


Some false positives may be deliberate to lead you to upgrade or pay for special “care” on your computer. It would be a great way to make money!


You don’t actually answer the question of how can you be sure. The only way is to run the file and observe the potentially infected program’s behavior, along with dissecting the executable code with a tool such as a decompiler and observing what it does in assembly directly. Still, I get that your article is targeted toward average consumers, but I’d appreciate it if you were more accurate.


    —> You don’t actually answer the question of how can you be sure.

    Actually, I believe I provided several methods of verifying whether or not you have a virus, including VirusTotal, Jotti’s Malware Scan, and VirSCAN. All of them are tools to help you make sure. I also suggested searching online to find reports from other people of virus claims similar to what appeared on your computer.

    Admittedly, I did not describe how to AVOID a virus in the first place which I consider to be the best solution of all. I have written about that in other articles but the title of this article was “Virus False Positives: How Can You Be Sure?” so I stuck to that subject alone: how to verify a claimed message that appears in your computer. In my mind, and I believe you can find dozens of online and printed articles that will agree with me, the most effective way to avoid viruses and other malevolent software is with a two-step approach: (1.) avoid suspicious web sites and (2.) get rid of Windows.

    The best solution is to only use a Linux computer or a Chromebook computer. They never get viruses.

    Switching to a Macintosh is a major improvement in virus avoidance but not perfect. Macintosh viruses are still rare but a few of them have appeared in the recent past so a Macintosh is not a perfect solution. Still, a Macintosh is far more virus-resistant than a Windows computer, even one that has a current anti-virus program installed.

    I use a Macintosh most of the time but I also have a dual-boot computer which will run either Windows or Linux. When I use that second computer I normally boot up in Linux.

    For traveling, I normally use a Chromebook laptop.

    I have never had a virus in my Linux, Chromebook, or Macintosh systems. In years past, when I was still using Windows regularly, my Windows computers did get infected with viruses several times. Luckily, I was always able to remove the viruses.

