What is a false positive in an antivirus
As its name suggests, a false positive occurs when an antivirus decides that a legitimate and reliable file is a threat, and has therefore blocked, quarantined or deleted it.
All antiviruses are prone to generating false positives to some degree, although how many depends largely on the quality of their programming and on their heuristic-based scan engines. Some antiviruses, such as Windows Defender, Avira or Kaspersky, usually produce very few false positives because their heuristics are less strict, while Avast, AVG, Trend Micro or Panda generate a worrying number of false positives, according to the latest AV-Comparatives tests, because they are much stricter.
It is not bad that an antivirus produces a false positive, just as it is not good that it produces none at all. The security company should tune the heuristics of its security programs so that they are strict enough to keep hidden threats out, but not so strict that they annoy the user with fake threat alerts.
Causes that generate them
There are many causes of false positives. The most common are:
- The use of compilers, compressors and packers commonly used by hackers. These packagers are used by developers to protect their software, but they are also used by hackers. For this reason, it is common for antivirus to detect executables that have used this type of tool as possible threats.
- Installers with advertising or sponsored programs can also be detected by security programs as fake adware or PUPs.
- Programs that make changes to the system. As viruses usually modify system files (especially DLL libraries), if a program tries to modify them, even if it is reliable, it will be detected by heuristic systems for having a suspicious behavior and, therefore, reported as a false positive.
- The use of very strict heuristics. Antiviruses usually have several levels of heuristics. The more permissive, the less likely it is to detect a threat that is trying to sneak into the PC, although the stricter we configure it, the more false positives we will get.
- Hacking tools. They tend to always set off antivirus alarms, even when they are reliable programs that we are running ourselves. The reason is simple: the security program does not know whether we are executing them deliberately or whether they are part of an attack on the computer. And, when in doubt, it is better to block.
- Activators, key generators and pirated software. This type of content very often hides threats. Whether because it makes changes to system files, because it has been packaged using tools common among hackers, or because it actually hides malware, it almost always sets off security software alarms.
What are the dangers of a false positive?
Normally a false positive protects us against a possible threat when the antivirus is not sure that a file is really reliable. However, sometimes these false positives can also be a problem for our computer.
The first thing to keep in mind is that, if an antivirus detects a possible threat in a file, we should not unlock it unless we are 100% sure that it is a reliable file. It may happen that we have downloaded a game or program from the Internet, illegally, and that our software has detected it as a threat. As much as they advise us to allow it, it is better not to do so, since we do not know if the pirate is trying to deceive us.
In addition, our security program may detect trustworthy programs as possible threats, either because of their inner workings or because of some conflict with the program's digital signature that sets off the alarms of the heuristic systems. This has already happened with programs such as CCleaner, IObit or uTorrent, which have been flagged by some antiviruses as threats.
In the worst case, a fault in the engine may cause it to detect DLL files, executable programs or even Windows itself as suspicious. This has happened on occasion, and the consequences are catastrophic, in the worst case even requiring Windows to be reinstalled from scratch. Fortunately, this type of problem is not very common.
How to deal with them
If our security program has blocked a file that we have downloaded from the Internet, an executable or a DLL library, the first thing we must do is ask ourselves, is it really reliable? If we’ve downloaded it from the developers’ website, or from their official GitHub repository, probably yes. Even so, before unlocking it, we must make sure 100% that it is indeed legit.
We can also resort to a second antivirus to get a second opinion about the security of the file. For example, we can submit the file to VirusTotal, which checks it with more than 50 antivirus engines at the same time, to see whether it is really reliable. If several antiviruses detect a threat, something is probably hidden in it.
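The two checks described above, put into a small script as an added example that is not part of the original article: first the downloaded file's SHA-256 is compared with the checksum the developer is assumed to publish, then a multi-engine scan summary in the shape of a VirusTotal-style report (engine name to detection label) is weighed by how many engines agree and whether the labels are generic heuristic names. The sample installer bytes, the "published" hash, the engine names and every verdict are constructed for the demo; the tolerance threshold and the list of generic label fragments are my own assumptions, not a rule from the article or from VirusTotal.

```python
"""Triage a download that one antivirus has flagged (added example).

Step 1 verifies the file's SHA-256 against the developer's published checksum.
Step 2 weighs a multi-engine scan summary: a lone hit with a generic heuristic
label is the classic false-positive pattern, broad agreement is not.
All sample data below is constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a downloaded installer (not a real executable).
SAMPLE_INSTALLER = b"MZ\x90\x00 constructed sample installer, not a real PE file\n"
# Hypothetical checksum "published" on the developer's download page.
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()

# Label fragments typical of heuristic / machine-learning detections (assumed list).
GENERIC_MARKERS = ("heur", "gen:", "generic", "suspicious", "packed", "pup", "ml.", "unsafe")


def sha256_of_file(path):
    """Stream the file so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(path, published_hex):
    return sha256_of_file(path) == published_hex.strip().lower()


def is_generic_label(label):
    low = label.lower()
    return any(marker in low for marker in GENERIC_MARKERS)


def triage(verdicts, checksum_ok):
    """verdicts: {engine_name: detection_label or None}.

    Returns 'reject-checksum-mismatch', 'clean', 'likely-false-positive'
    or 'treat-as-malicious'.
    """
    if not checksum_ok:
        # A file that does not match the publisher's hash is never unblocked,
        # no matter how many engines call it clean.
        return "reject-checksum-mismatch"
    hits = {engine: label for engine, label in verdicts.items() if label}
    if not hits:
        return "clean"
    # Assumed tolerance: at most two engines (or 10% of them), all with generic labels.
    tolerance = max(2, len(verdicts) // 10)
    if len(hits) <= tolerance and all(is_generic_label(lbl) for lbl in hits.values()):
        return "likely-false-positive"
    return "treat-as-malicious"


# Constructed reports (engine names and labels are made up).
REPORT_LONE_HEURISTIC = {f"Engine{i:02d}": None for i in range(1, 21)}
REPORT_LONE_HEURISTIC["Engine07"] = "Gen:Variant.Heur.Packed.1"

REPORT_BROAD_AGREEMENT = dict(REPORT_LONE_HEURISTIC)
for name in ("Engine01", "Engine03", "Engine09", "Engine12", "Engine18"):
    REPORT_BROAD_AGREEMENT[name] = "Trojan.Downloader.Constructed"


def run_demo():
    """Write the sample bytes to a temp file and run both checks end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "setup.exe"
        path.write_bytes(SAMPLE_INSTALLER)
        ok = checksum_matches(path, PUBLISHED_SHA256)
        tampered = checksum_matches(path, "00" * 32)  # wrong hash on purpose
        return {
            "checksum_ok": ok,
            "tampered": tampered,
            "lone_heuristic": triage(REPORT_LONE_HEURISTIC, ok),
            "broad_agreement": triage(REPORT_BROAD_AGREEMENT, ok),
            "mismatch": triage(REPORT_LONE_HEURISTIC, tampered),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The checksum gate comes first on purpose: a multi-engine "clean" result says nothing about a file that is not the one the developer actually shipped. The "likely-false-positive" outcome is still only a hint to go back to the publisher, not a reason to unblock the file on its own.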
How to avoid false positives
There are only two ways to avoid these false alert messages. The first is to make sure that we always download known and trustworthy software and files. The most common programs are usually included in a whitelist by the antivirus so that the alarms do not go off with them.
The second way is to reduce the sensitivity of the heuristic analysis. In the configuration of some of these programs (not all) we can find the option to reduce this sensitivity. The lower the sensitivity, the fewer false positives we will get, although, in return, we may miss possible unknown threats. This setting must be used with great caution.