How-To Geek

How To Tell If a Virus Is Actually a False Positive

“Your antivirus will complain that this download is a virus, but don’t worry — it’s a false positive.” You’ll occasionally see this assurance when downloading a file, but how can you tell for sure whether the download is actually safe?

A false positive is a mistake that happens occasionally — the antivirus thinks a download is harmful when it’s actually safe. But malicious people may try to trick you into downloading malware with this assurance.

Use VirusTotal to Get More Opinions

If you download a file and your antivirus jumps into action and informs you the file is harmful, it probably is. If you’ve run into a false positive and the file is actually safe, most other antivirus programs shouldn’t make the same mistake. In other words, if this is a false positive, only a few antivirus programs should flag the file as dangerous, while most should say it’s safe. That’s where VirusTotal comes in — it lets us scan a file with 45 antivirus programs so we can see what they all think of it.

Head to the VirusTotal website and upload the suspect file or enter a URL where it can be found online. They’ll automatically scan the file with a wide variety of different antivirus programs and tell you what each says about the file.

If most antivirus programs say there’s a problem, the file is probably malicious. If only a few antivirus programs have a problem with the file, it may well be a false positive — this doesn’t guarantee the file is actually safe, it’s just a piece of evidence to consider.

Evaluate the Download’s Source — Are They Trustworthy?

The most important thing you can do is evaluate the source of the download. If you’ve performed a Google search and downloaded a program from a company you don’t recognize, you probably shouldn’t trust them. If the file arrived via a peer-to-peer network or email, it’s probably malware.

On the other hand, you may have downloaded the file from a company you trust. For example, you might one day download the latest version of software from a reputable company and see a message on the download page saying “Note: Norton Antivirus currently says this file is malicious, but that’s a false positive. We’re working on fixing it.” If you trust the company, you can feel fairly good bypassing Norton’s malware alert and running the file — but you have to be sure you really trust the company and that you’re on their real website.

There’s still no guarantee, of course. The company’s website may have been compromised. It’s a good sign if you see a false-positive warning before downloading a file. On the other hand, if you download a file and your antivirus raises an alert without the site having warned you first, that’s a bad sign — you may have stumbled onto a malicious download. Are you sure you’re on the company’s real website and not a fake website set up to trick you into downloading malware?

Try to ensure that the file is actually from the organization you trust — your bank won’t send you programs attached to emails, for example.

Check a Malware Database

When an antivirus flags a file, it will give you a specific name for the type of malware it is. Plug this name into a search engine like Google and you should find links to malware database websites written by antivirus companies. They’ll tell you exactly what the file does and why it’s blocked.

In some cases, files that have legitimate uses may be flagged as malware and blocked because they can be used for malicious purposes. For example, some antivirus programs will block VNC server software. VNC server software may be installed by someone malicious so they can remotely access your computer, but it’s safe if you know what you’re doing and intend to install a VNC server yourself.

Be Very Careful

There’s no foolproof way to know for sure whether a file is actually a false positive. All we can do is gather evidence — what other antivirus programs say, whether the file is from a trustworthy source, and exactly what type of malware the file is flagged as — before making our best guess.

If you’re not too sure whether a file is actually a false positive, you shouldn’t run it. Better safe than sorry.
If you think the file is actually a false positive, your antivirus software may have a way to submit it to the antivirus company. Check your antivirus’s documentation for information on submitting false positives so they can improve their detection and fix problems.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 01/20/14
