False Positive
What is a false positive?
A false positive, also known as a false detection or false alarm, occurs when an antivirus program detects a known virus string in an uninfected file. The file, while not infected with an actual virus, does contain a string of characters that matches a string from an actual virus.
A false positive can also occur when a program performs an action that appears to the antivirus program to be virus-like activity. Examples of such activity include, but are not limited to, writing to the master boot record of the hard disk, making changes to a system file, or running a custom macro in a program such as Microsoft Word.
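The first kind of false positive described above (a clean file that happens to contain the same byte string as a signature) can be reproduced with a few lines of code. The following is an added example, not code from the original article: a minimal string-matching scanner run over a constructed set of "files". The signature names, byte patterns and sample contents are all made up for the demonstration. It also shows the usual mitigation on the vendor side, a longer pattern anchored to the file's header, which the clean text file cannot satisfy.

```python
import re
from dataclasses import dataclass


@dataclass
class Sample:
    name: str
    data: bytes
    infected: bool  # constructed ground truth for the demo, not a real verdict


# Constructed sample "files". report.txt is clean, but it quotes the same marker
# string that the short signature looks for, which is exactly the situation the
# article describes.
SAMPLES = [
    Sample("malware.bin", b"MZ\x90\x00" + b"\x00" * 16 + b"EVIL-DEMO-STUB:drop;run", True),
    Sample("report.txt", b"Incident notes: the sample contained the marker EVIL-DEMO-STUB.", False),
    Sample("notes.txt", b"Nothing to see here, just meeting notes.", False),
    Sample("dropper.bin", b"MZ\x90\x00" + b"\x00" * 16 + b"EVIL-DEMO-STUB:drop;run;persist", True),
]

# Two constructed signatures for the same demo "family" (placeholders, not real
# virus signatures): a bare string, and a longer pattern that also requires the
# executable header at offset 0 and the marker at a fixed position after it.
SIG_SHORT = b"EVIL-DEMO-STUB"
SIG_ANCHORED = re.compile(rb"\AMZ\x90\x00.{16}EVIL-DEMO-STUB:", re.DOTALL)


def matches(sig, data: bytes) -> bool:
    """True when the signature (plain bytes or compiled regex) occurs in data."""
    if isinstance(sig, bytes):
        return sig in data
    return sig.search(data) is not None


def evaluate(sig) -> dict:
    """Scan every sample with one signature and tally the outcome.

    tp/fp/tn/fn follow the usual meaning; false_positive_files lists the clean
    files the signature fired on, i.e. the article's 'false positives'.
    """
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0, "false_positive_files": []}
    for sample in SAMPLES:
        hit = matches(sig, sample.data)
        if hit and sample.infected:
            counts["tp"] += 1
        elif hit and not sample.infected:
            counts["fp"] += 1
            counts["false_positive_files"].append(sample.name)
        elif not hit and sample.infected:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    print("short signature:   ", evaluate(SIG_SHORT))
    print("anchored signature:", evaluate(SIG_ANCHORED))
```

Running it shows the short signature catching both infected samples but also flagging report.txt, while the anchored signature catches the same two samples with no false positive. The trade-off is the one vendors face in practice: a more specific pattern lowers false positives, but a variant that shifts the marker or changes the header escapes it.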
How much could false positives cost you?
More than you can afford! Indeed, false positives in any security software can be more than just annoying. One popular argument is that users beset with false positives may become so anesthetized to the alerting that they disregard a valid warning. In other cases, false positives - or the way in which they are handled - can lead to an even worse problem: a false sense of security. Even worse, if you have 100% confidence in your AV product and let it handle all the security issues for you (i.e., you enable the AV product to automatically clean and delete infected files), you risk having ANY of your clean and valuable files deleted once your AV product gives a false positive. In professional AV testing, giving a false positive is a much more serious fault than missing a virus.
How likely will you be affected?
In December 1999, a number of AV products began false-alarming on the Macromedia® Flash Player and files created by Flash™. At the time, Macromedia® participated in an effort to confirm that these were indeed false positives. Subsequently, a support statement was released declaring, in essence, that Macromedia® had confirmed there were no viruses in Flash, or in the files created by Flash. This press release still survives, and can be found on Macromedia's site. Lest you think it's buried deep, the release can be found by doing a quick search for the word "virus" on the Macromedia® website. Why would someone search on the Macromedia® website for the term "virus"? To see what their response was regarding the newly discovered (March 6, 2001) Naked Wife virus. While not actually a Flash file, for all intents and purposes nakedwife.exe looks like a Flash file - right down to its icon and splash screen. Thus, to many average users, nakedwife.exe would be considered a Flash file.
What about someone who hears about a new "Flash" virus, visits Macromedia's site, and does a search on the word "virus"? They'll be presented with a disclaimer that some AV products are generating a false positive, that "the" warning is erroneous and that all Flash files are safe for use. For a user who has previously experienced the problems of false positives, such a disclaimer might be enough to cause them to believe nakedwife.exe is safe to launch.
What can you do about false positives?
You would probably ask: How, in the face of such conflicting information, can you determine whether a warning is justified or is a false positive? If the alert says the file is suspicious, or that it cannot be disinfected and should be deleted, you might want to do some research before relying on program developer support statements. First, check sources on the internet or your antivirus vendor's site to see if the virus name provided is listed there. If you can't find the virus listed there, take a look at the virus name the alert is providing. Does it end in .gen, or identify the file simply as being suspicious? Depending on the scanner used, either of these indicates an unknown virus or a false positive. Update your scan engine and signature definition files, then scan again. Does the alert still occur? If so, submit the file to your antivirus vendor for analysis.
Most importantly, always double-check information found via web searches to determine whether the information is still applicable. For example, the Macromedia® support document mentioned above clearly has dates specifying that the false positives occurred in December 1999. If some time has passed since the document was released, follow the steps outlined above before declaring a file safe, or not safe, to use.
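The triage steps above (check the vendor's listing, look for a generic or "suspicious" detection name, update definitions and rescan, and submit to the vendor only if the alert persists) map onto a small decision procedure. The following is an added example and not part of the original article: it parses a few constructed scanner log lines and returns the next step for each alert. The log format, the detection names, the `VENDOR_LISTED` set standing in for a lookup on the vendor's site, and the rescan results are all assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Alert:
    path: str
    detection: str    # name the scanner reported
    sig_version: str  # definitions in use when the alert fired


# Constructed log line format: ... path="<file>" name=<detection> sigver=<version>
LINE_RE = re.compile(r'path="([^"]+)" name=(\S+) sigver=(\S+)')

# Stand-in for "check your vendor's site": detection names the vendor documents
# as real, named threats. Names are constructed; a real check queries the vendor.
VENDOR_LISTED = {"Demo.Worm.A", "Demo.Trojan.B"}

# Substrings that mark a heuristic or generic verdict rather than a named threat.
GENERIC_MARKERS = (".gen", "generic", "suspicious", "heur")


def parse_alert(line: str) -> Optional[Alert]:
    """Extract an Alert from one log line, or None if the line is not an alert."""
    m = LINE_RE.search(line)
    return Alert(*m.groups()) if m else None


def is_generic(detection: str) -> bool:
    """True for names like Demo.Mal.gen or Suspicious.File."""
    d = detection.lower()
    return any(marker in d for marker in GENERIC_MARKERS)


def triage(alert: Alert, latest_sig_version: str, rescan_alerts: Optional[bool] = None) -> str:
    """Return the next step in the article's procedure for one alert.

    rescan_alerts is None until the file has been rescanned with current
    definitions, then True/False for whether the alert fired again.
    """
    if not is_generic(alert.detection) and alert.detection in VENDOR_LISTED:
        return "documented named threat: treat alert as genuine"
    if alert.sig_version != latest_sig_version:
        return "update engine and definitions, then rescan"
    if rescan_alerts is None:
        return "rescan with current definitions"
    if rescan_alerts:
        return "still detected with current definitions: submit file to vendor for analysis"
    return "alert cleared after update: likely false positive in old definitions"


def triage_log(text: str, latest_sig_version: str, rescan_results: dict) -> list:
    """Run triage over every alert line; rescan_results maps path -> bool."""
    results = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        results.append((alert.path, triage(alert, latest_sig_version,
                                           rescan_results.get(alert.path))))
    return results


# Constructed sample log. The .swf alert fired with 1999 definitions, the second
# is a vendor-documented name, the third is a generic verdict already on current
# definitions that fired again on rescan.
SAMPLE_LOG = """\
2001-03-06 10:12:00 ALERT path="C:\\media\\intro.swf" name=Suspicious.File sigver=1999.12.01
2001-03-06 10:12:05 ALERT path="C:\\mail\\attachment.exe" name=Demo.Worm.A sigver=2001.03.01
2001-03-06 10:13:00 ALERT path="C:\\tools\\installer.exe" name=Demo.Mal.gen sigver=2001.03.01
2001-03-06 10:13:01 INFO scan finished
"""
LATEST = "2001.03.01"
RESCANS = {"C:\\tools\\installer.exe": True}

if __name__ == "__main__":
    for path, action in triage_log(SAMPLE_LOG, LATEST, RESCANS):
        print(f"{path}: {action}")
```

The ordering matters: a vendor-documented name short-circuits the rest, and nothing is submitted to the vendor until the file has been rescanned with current definitions, which is the step most likely to make a stale false positive disappear on its own.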